The two online portals, unveiled on Friday by the Federal Board of Revenue, hold information regarding the bank accounts, properties, travel history, and other data of at least 53 million Pakistanis, collected from Pakistan’s primary citizenry database, the National Database and Registration Authority (NADRA), Arab News (Pakistan) said in a report.
Salam Sufi, former DG of Strategic Reforms Unit, had criticised the idea on the very day the initiative was launched.
https://twitter.com/SalmanSufi7/status/1142088425924943872
A citizen Assad Ahmad, marketing consultant by profession, is one of the perturbed citizens who are worried about the security issues. He complained about week security and said he obtained his data without giving a phone number registered in his name and answering simple questions about family.
https://twitter.com/assadahmad/status/1141970867758538752
“When over 100 million Pakistani citizens were disclosing their private data to NADRA, the understanding was that NADRA would use it only for issuing them an identity card, and not betray them to the tax-man,” Umer Gilani, a lawyer who campaigns for the protection of privacy, told Arab News.
“NADRA’s decision to merge its database with FBR’s database is unconstitutional. It violates the fundamental right to privacy guaranteed by Article 14 of Pakistan’s Constitution,” he said, adding that Pakistan’s courts had consistently ruled that the right to privacy extended to the privacy of people’s data.
“The concerns are that in the absence of data privacy laws, the data the government is collecting through different sources... where will it be utilised and who is authorized to use it?” Umair Javed, a professor of politics at Lahore University of Management Sciences (LUMS), said.
A draft law for personal data protection is pending legislation since October last year, while the government has launched a huge online portal packed full of accessible citizen data with effectively no data privacy laws in place.
“In case of any security lapse, (there) would be dire consequences,” Badar Khushnood, vice-chairman of the award-winning Pakistan Software Houses Association for IT and ITES (P@SHA), said.
“The law should have been passed before launching the system for the clarity of data privacy,” he said.
Similarly, Dr Ikram ul Haq, a legal and taxation expert, said, “Security review by independent agencies renowned for awarding certifications is missing... There is no guarantee that data would not be misused or abused by the staff with access to it.”
Fears of a massive data leak are not unwarranted. In 2018, a cyber-security services provider, the Pakistan Computer Emergency Response Team (PakCERT), reported 1,340 cases of website defacement and hacker attacks on Pakistani web domains (.pk).
“The .pk domain was attacked all over the world where it is being hosted or operated. The data only shows that websites were attacked and not necessarily reflect that the inside of the organizations’ systems were attacked,” Qazi Mohammad Misbahuddin Ahmed, CEO of PakCERT told Arab News.
There are additional concerns including that it might not take a sophisticated software hacker to break into the system, and that anybody with access to another person’s identity card could get hold of the information by paying an Rs 500 fee.