surveillance In Search of Utopia  

The author of this post spent a countless amount of time staring at the screen, contemplating a possible topic for a post, his mind wandering from Edward Snowden to Robin Williams to Krispy Kreme to Red Alert: Yuri’s Revenge. Having failed to decide on a topic, the author instead decided to pen his thoughts on why we, as a nation that rests on a precipice of political unrest bordering on a complete disintegration of the political and infrastructural fabric, have overlooked the issue of digital and cyber privacy.

Perhaps it is for the reasons stated above that, as a nation, we feel that issues such as the classification of certain content as “objectionable” and its subsequent blocking are not issues worthy of much thought. The country hangs by a thread as political pundits are locked in a vicious battle of words and displays of strength, marching from one city to another, picking up supporters like a snowball rolling down a hill, as the whole country starves for a semblance of effective leadership. However, we disagree. Presence on a social media platform, or for that matter, being active on the global internet forum, automatically implies that an individual must have adequate security tools employed within their systems to ensure that their personal data is not compromised.

Every person who has access to the internet currently has two identities: their physical identity and their cyber profile, which is a series of numbers and now, with the advent of social media, a real-life profile. These identities must be protected by both security tools and government legislation to prevent agencies within the Executive fold from abusing the existing infrastructure to conduct surveillance activities. It is not just surveillance that is the cause of concern, but the perspective with which individuals perceive digital security. With the increased presence of social media and online commerce, identities of individuals are at constant risk of theft. Within the United States of America itself, identity theft caused $24bn in losses in 2013 alone. Kickstarter, the global fundraising website for entrepreneurial startups, was hacked, with usernames, mailing addresses, contact details and other sensitive information being obtained by a third party. Kickstarter maintained that credit card information was left untouched, which implies that the hackers may have obtained access to users’ credit card information but chose not to use it. Tesco, the British multinational retail chain, was forced to suspend more than 2000 customer accounts of its online portal after hackers posted user data online. Snapchat, the picture sharing application, suffered a massive security lapse when a website by the name of posted usernames and contact details of over 4.6m users in a bid to spread awareness regarding Snapchat’s evidently weak security infrastructure.

These few examples speak volumes on how lax perspectives towards security and the democratically protected rights towards access to content are being exploited. Coming back to the not so democratic state of Pakistan, internet activists are neck deep in trying to spread awareness pertaining to how their fundamental human rights are being infringed upon. The fact of the matter remains that the general populace is nonplussed about these rights being denied to them. After all, in the face of the unavailability of the basic amenities of life such as electricity, security and health, the question of whether their activities on Facebook are being catalogued is most probably the last in the hierarchy of concerns an ordinary Pakistani may have. However, even granting the vast plethora of problems which an ordinary citizen faces, cyber privacy must be given adequate attention. The reason for that is very simple: Pakistan does not have any legislative tools in place for citizen privacy and protection of their activities online. Moreover, with the passage of the Protection of Pakistan Act, where any citizen is now being perceived as guilty until proven innocent (a gross violation of the rules of natural justice), and with wide ranging powers being conferred on law enforcement personnel, a citizen’s online activity may be presented to the Court as evidence substantiating the State’s case.

This is startling simply because ordinary citizens feel that their activity online is sacred and that, without a person’s login details, no one can access sensitive information. However, as was witnessed during the Arab Spring, citizens of different states were convicted simply due to their activity on the social media sphere. What is of utmost importance is not the wide ranging tools that a citizen can employ, but our attitudes towards cyber security and the ease with which the Executive is exploiting a citizen’s lax behaviour towards protecting their activities online, a gaping chasm which the Executive is enjoying widening.

I am reminded heavily of the term, “being completely off the grid”. I cannot ignore the overwhelming need to perhaps disable all my social media profiles and have no cyber footprint at all. Perhaps that is the only remedy available to me to protect myself on the web. But alas! Even deactivating my profile on Facebook or my Twitter handle or my Instagram feed is not guaranteed to erase my presence. Under Facebook’s terms and conditions, once I upload data onto their servers, I relinquish my rights to that particular content; it rightfully belongs to Facebook as soon as I click, “Upload.” Once I delete my profile, that content will remain available on Facebook’s servers. Though users of Facebook will not have access to that information, perhaps Facebook will make that content available to any third party if requested.

It is imperative to change not just the existing data usage policies but our beliefs and our perceptions towards internet security. In the face of political instability and wide disregard of essential freedoms, it is time we take back the internet, a forum which was engineered around the core concept of being a user-governed platform, not a tool for multinational corporations and states to spy. What does indeed scare me, perhaps even more than the security shortcomings of the web, is the relative ease with which the government exploits the fundamental right to privacy. If the government does indeed carry out such blatant violations of the Constitution with such ease, how soon is it that other such violations are carried out by the Government, and the populace remains silent? That day, I fear, may be right around the corner.

Privacy is a core concern in a world where social media and mobile phone apps are the main focus for people. Sadly, most people do not realize that the privacy social media or apps leave them with is either non-existent or minuscule. This is especially true for apps that target teenagers and young people specifically, such as Snapchat, Whisper, Kik Messenger, Instagram, etc. The lack of privacy and security becomes more dangerous when it concerns applications popular amongst the youth.

Take Snapchat for example. The app is marketed as a secure app for sharing self-destructing images with friends; you set a time limit for the app, ranging from 2-10 seconds, at which point it disappears and “self-destructs,” Mission Impossible style. Sounds too good to be true, right? And it is too good to be true. The reality is that the app was insecure to the point that it was hacked in a data breach in the beginning of 2014.

Over 4.5 million usernames and numbers were leaked by white hats or ethical hackers, whose goal was “to raise the public awareness around the issue, and also put public pressure on Snapchat to get this exploit fixed,” and who pointed out that “Security and privacy should not be a secondary goal. Security matters as much as user experience does.” Not that Snapchat didn’t pay the price for unethical practices; in May 2014, it settled with the Federal Trade Commission (FTC) over charges regarding the Snapchat guarantee to customers in terms of privacy and security. The basis for the case is quite alarming; not only was Snapchat collecting usernames and numbers without notification or consent, but it also promised privacy despite the presence and usage of third party apps that can be used to save the supposedly self-destructive images. And we do mean “supposedly” self-destructive; recent claims by forensics experts revealed that the photos are actually saved on your phone, and can be retrieved if needed. And this is the lengthier process; anyone can take a picture with a camera or camera-phone of a Snapchat picture on their mobile screen; unlike the notification you receive if someone has taken a screenshot of your Snapchat image, this act has no notification (obviously!) and you may never know who is collecting your pictures.

Similar problems plague the “secret-sharing” app Whisper. It is marketed as an app where people can share their secrets anonymously and find support, but one man used it to lure a 12-year-old girl into a hotel and raped her. A similar situation occurred with Kik Messenger, a texting app that allows users to send pictures and browse online while texting. Since you can share your Kik username with anyone, it is easy to befriend strangers, and that’s a definite privacy and security risk, as seen in a recent case where a teen was making child pornography and blackmailing minors into sexual acts through the app.

So what, many would say, unconcerned by a mobile phone app collecting their name and cellphone numbers, or “a few” cases where the app has been misused by predators. So plenty, in a post-Snowden world; if someone is collecting your name and number in a database without your consent, it is a matter of your privacy being violated, and this is a concern that people do not take seriously. It’s a non-consensual violation, and consent is the key word here. No one should have any right to do anything to you, whether it is physical harm, abuse, or surveillance, without your explicit consent. The fact that people do not understand the significance of such violations or even see them as violations, is a victory for those that surveil, collect data, spy, and keep track of our entire lives. This complacency leads to everything conspiracy theorists would warn us against; we are passively participating in the violation of our civil rights. We at Bolo Bhi say, no more.

Any web or mobile phone app that promises security and privacy is lying. There is no such thing as a private, secure app. There are various loopholes that allow apps to exploit users and collect personal information. There are two options to proceed with: boycott using the apps altogether, or use them with caution. Since the corporations have succeeded in their capitalist agenda to enslave people through addictions to social media, a mass boycott of such apps is highly unlikely. So how do you use such apps with caution? Don’t share anything you don’t want people to know about. Whether it is gossip about a mutual friend, admission of activities that may be viewed as immoral, any kind of secret, images you don’t want made public, images of a personal nature, in short, anything that is personal and private, it does not belong on social media or mobile phone apps.

If you have children or minors using mobile phone apps and social media, ensure that you monitor their activity and, more importantly, engage with them on the dangers of the internet. Rather than adopting the typical Pakistani parent/adult approach of bullying and “do as I say because I am older!”, build a relationship on trust, so that children and minors know that whatever you say truly is for their own good. Explain to them how they are at risk with their activities, and how they can protect themselves online. Keep track of who they are friends with online and through apps, not to pry into their private conversations with friends, but to make sure that they are not befriending strangers or anyone that you do not know.

Above all, be aware of security and privacy concerns related to such apps, and remain vigilant about future apps and websites as well. Nothing will ever be as private and secure as marketed, and we are responsible for ensuring that we remain unexploited, and our privacy remains just that; private.

Social media now forms an integral part of our life. We trust our intimate secrets to a faceless server and expect that our content, be it pictures, text, or anything else, will be protected by the strictest privacy firewalls. We expect that the individual for whom the content is intended, the “audience”, will only be the people we choose to share information with, and no other person or party will be able to view that content. However, the recent Snowden revelations only reaffirmed that our content is far from secure. There had been considerable criticism that Facebook, entrusted with the data of millions of individuals around the globe, was selling user data to advertising companies to make targeted advertising campaigns. Our lives were and continue to be documented, behavioral patterns decoded and other such information deduced from our online activity. Mark Zuckerberg himself stated in an interview with TechCrunch founder, Michael Arrington, “People have really gotten comfortable not only sharing more information and different kinds, but more openly and with more people. That social norm is just something that has evolved over time.” The social norm being that privacy is now an outdated concept.

The above notion is debatable as Edward Snowden unleashed a barrage of information which defeated the aforementioned statement regarding privacy. Though the NSA remains the main culprit, have we ever cast the light of the interrogation lamp onto an organization which allows the NSA access to data, organized, efficient, and ripe for spying? A quick reading of the Facebook Data Use Policy confirmed my worst fears. Not only is our content accessible to the organization and stored, but the information we would ordinarily choose not to give out is ‘received’ by the social media giant. The Data Use Policy (which can be accessed here) clearly states:

“When you post things like photos or videos on Facebook, we may receive additional related data (or metadata), such as the time, date, and place you took the photo or video.”

Being a law student, I must applaud the apparent ambiguity and the clever draftsmanship of the above statement. The condition does not say with absolute certainty that Facebook will receive the information and that it will be stored. Just that it MAY receive background information pertaining to the content I upload. Moreover, Facebook does not concede that the information that it does receive will be stored and used for an advertising stream, tailored to your activity on the social platform. But for now, I feel a bit at peace knowing that extremely personal information such as my location or my electronic devices is still in my control.

Oh wait.

“We receive data from or about the computer, mobile phone, or other devices you use to install Facebook apps or to access Facebook, including when multiple users log in from the same device. This may include network and communication information, such as your IP address or mobile phone number, and other information about things like your internet service, operating system, location, the type (including identifiers) of the device or browser you use, or the pages you visit. For example, we may get your GPS or other location information so we can tell you if any of your friends are nearby, or we could request device information to improve how our apps work on your device.”

Before I comment on the apparent breach of privacy which this policy entails, I would like to convey my gratitude to Facebook. Thank you for being clear on one aspect: Facebook does indeed collect information, stores it and extends the same information to advertisers and vendors to advertise products and services. Facebook has now become not merely a massive catalogue of identities, but a collection of whole individuals whose lives are on social media. This begs the question as to why Facebook must collect this information. By using our location, time, date and other intrinsic information attached to any content that we upload onto the social media platform, we are unknowingly conceding information that we may not feel comfortable providing. Perhaps we must read the Terms and Conditions of Facebook before we accept them blindly to succumb to the pressure of having a presence on social media.

It is imperative to note that Facebook receives information every time someone logs onto their profile: the device from which they log in, their IP address and, if their device has GPS enabled, their location. But the GPS location is not as important, as a person’s exact location can be triangulated by using the IP address from which a person is on Facebook. The social media giant brazenly mentions that through this information, they can tell you if any of your friends are nearby and other information which they’ve categorized as necessary for “the general improvement of Facebook”.

The one thing which caught my eye was the manner in which third parties have the capability to view data. The Data Use Policy clearly states that they sometimes receive information from third party organizations and advertising partners. Essentially, what this implies is that if I were to click on a Facebook ad which led me to a different website advertising a certain product or service, the data pertaining to me clicking that ad includes, but is not restricted to, the time and date of the clicking, the location of the ad, and outlay. This information, once received by Facebook, is then doctored to ensure maximum clicks.

Some may argue that Facebook is well within their rights to advertise products and/or services depending upon our search history. After all, they are not a charitable organization providing a service. They are in this business to make themselves self-sustaining and to reap profits and the only manner in which they can do that is by leasing out space on their servers to advertisers. However, I personally would feel uncomfortable knowing that every keyword I’ve ever searched with is documented and used to advertise products and/or services. I do not feel comfortable knowing that a nameless and faceless individual within the scores of Facebook employees is aware that I have logged in on my Facebook and am currently reading a colleague’s status on his timeline. I do not feel comfortable with the knowledge that every time I click, “Login”, my IP address and my exact location are stored on the Facebook servers. Perhaps it was through this mechanism of storing IP addresses that individuals preaching anti-state propaganda were apprehended and persecuted in Egypt during the Arab Spring. Perhaps it is through the scores of information available on Facebook servers that the NSA can keep tabs on individuals and their activities online, as their activities on the web are a reflection of their day to day tasks.

The general populace is unaware of something which is completely black and white. I do not feel comfortable knowing that my content, my location and other increasingly personal information is free to be pursued by individuals to whom I have not given consent. Perhaps by agreeing to their terms and conditions and their Data Use Policy, I have conceded to that. However, it was only for the purpose of this article that I bothered to read Facebook’s policies and Community Safety Guidelines. How many other individuals have made the conscious effort to do so? The answer to that would be startlingly few. And that thought, that individuals around us are now being treated as numbers and as data in cyberspace is, quite frankly, scary.

Benjamin Franklin, who is regarded as one of the Founding Fathers of the nation that proudly sings the Star-Spangled Banner, once said, “Those who surrender freedom for security will not have, nor do they deserve, either one.” Moving the clock ahead by about three hundred years, we have the current President of the United States, Barack Obama, who said, “in the years to come, we will have to keep working hard to strike the appropriate balance between our need for security and preserving those freedoms that make us who we are.”

The convolution of the “American dream” and what it implies has wrought havoc in the socio-political landscape, which has continually evolved. Maybe a few within the American political fold would refute Mr. Franklin’s statement by stressing the volatile political and security landscape. Perhaps Mr. Franklin did not take into consideration that magical boxes of light with a keyboard in front of them would constitute the gravest threat that the land of the free and the home of the brave would face. However, it is immaterial to discuss the volatility of changing political perspectives; what must be constant and an overriding force to dictate how a government operates is the element of law: the legal implications of a state defying its own or internationally ratified doctrines of legal principle.

In June of 2013, a person of whom the world had never heard, an employee of the National Security Agency by the name of Edward Snowden, shook the world and the US Government by revealing that the foremost security agency in the developed world was keeping tabs on, for lack of a better word, everyone.

Pakistan, according to reports, was the second most surveilled country by the NSA; this came as a rude shock given the amount of existing “data-sharing” between the American Government and its ally. However, Pakistan itself prides itself on being the last in implementing the latest technology and ensuring the essential freedoms guaranteed by the Constitution of 1973. But the crux remains how the theory of American exceptionalism in regard to international laws has allowed the State to willfully disregard the validity of international law and to remain unperturbed about the violations its own government agencies are now committing.

After September 11, 2001, the US Congress felt that the US was grossly ill-equipped to tackle terrorist threats on domestic soil. The restrictions placed on agencies to conduct domestic “spying” which included, but was not restricted to wiretapping and other surveillance methodology were subsequently removed, though the agencies had to obtain court orders to conduct such surveillance, giving the judicial arm of the State supreme authority to condone such acts. The Patriot Act, a piece of legislation that worried Congressmen due to the blatant manner in which it stripped civil liberties, remained intact and was renewed. However, this post does not refer to national legislation, but the manner in which the US is violating international law.

The United States of America ratified the International Covenant on Civil and Political Rights in 1992, giving the Human Rights Committee the authority to review human rights violations which are either taking place within the legal jurisdiction of the US or violations which US agencies are committing. In the light of evolving technology, the UN High Commissioner Navi Pillay at the opening session of the Human Rights Committee meeting stated, “Powerful new technologies offer the promise of improved enjoyment of human rights, but they are vulnerable to mass electronic surveillance and interception. This threatens the right to privacy and freedom of expression and association”, reaffirming the notion that the American breach of citizen and noncitizen privacy is a major breach of international law.

Turning the interrogation lamp onto the Foreign Intelligence Surveillance Act of 1978: Section 702, which gives US security agencies broad, sweeping powers to conduct surveillance, is in gross violation of the ICCPR, which provides the following four principles to gauge whether such power is within the realm of human rights:

  • Limited by statute and clearly defined in nature and scope
  • Narrowly tailored to address legitimate governmental objectives, such as threats to national security
  • Subject to independent oversight systems to prevent abuse
  • Applied equally irrespective of nationality

Section 702 of the Foreign Intelligence Surveillance Act, under which the PRISM program falls, fails each of the above requirements. The Report and Recommendations of the President’s Review Group on Intelligence and Communications Technologies states, “The United States must protect, at once, two different forms of security: national security and personal privacy”. Moreover, the report also states, “The United States should be a leader in championing the protection by all nations of fundamental human rights, including the right of privacy, which is central to human dignity”.

Such statements made by the President’s advisory group stand in stark contrast with the practice of the US Government. Such disregard for international doctrines is at polar opposites with US rhetoric and global policies. The Snowden revelations have already created ripples through the cyber sphere, stifling choices made by citizens on the services they connect to, what they make publicly available and the activities they engage in online, restricting their freedom of choice, which is also a violation of international law. What the US must realize is that internet security is a two way street: giving legislative effect to the indiscriminate collection of personal information of non-citizens can give other governments the incentive to do the same with American citizens. In order to protect the rights, interests and information of its own citizens, the US administration must ensure the same for citizens who do not salute the star spangled banner. There is also a significant debate about the NSA spying on its own citizens as well, an issue that has grabbed the attention of all of US media.

The United States of America is widely considered the sole global power: It must be the harbinger of peace, stability and the protection of fundamental freedoms, the very idea upon which the US Declaration of Independence was penned. The US must be the very example of adhering to global policies and laws, and not be the one violating them if it doesn’t want to be seen as hypocritical.

All of us, at some stage or the other, have typed our names into various search engines. Some have been met by a wall of fame meticulously archiving all their wonderful achievements. Others, including myself, have been met by a chronicled horror show of teenage angst and a laundry list of things we wish we hadn’t said or done. For the latter we all desperately wish we could erase all evidence of our naïve past from the vast cosmoses of the Internet.

The debate on the privacy of one’s information online has stretched on for a very long time now, yet it is no closer to a conclusive, accepted standard than it was when it first started. However, a recent EU ruling suggests it has settled on a standard – acceptable or not is up for debate.

EU Ruling

The debate over the right to be forgotten, at least in the European Union, culminated on May 13, 2014, when the European Court of Justice, in a lengthy decision in the case of Google Inc v Mr Costeja González, ruled that any individual could demand that a search engine remove all unwanted information about the individual from its index – regardless of whether it were accurate, lawful, or publicly available elsewhere.

In the case itself, a legally published article from a newspaper in 1998 detailing Mr González’s non-payment of his mortgage had been archived online and searching for his name on Google brought up the article as one of the results. Mr González sought to have Google remove the archive as he believed it acted to his detriment and infringed upon his privacy.

Given the reaction and criticism the ruling has elicited, the case is not as straightforward as the ruling may suggest. One of the questions being asked is why the onus to remove data must be on a search engine when it is not responsible for the publication of that data (and it is the user who chooses to publish). With regard to this, judges opined that the indexing of pages on the Web fit the definition of “processing” data as per the Data Protection Directive 95/46/EC, which Google was under a legal duty to abide by. The Court felt that by aggregating a vast amount of data on an individual, a search engine creates a larger illustration of the individual that would otherwise “not have been interconnected or could have been only with great difficulty.”

The ruling, however, creates an exception to the rule. The court held that the right to be forgotten could not be applied if there was an “interest in the public having that information… [and] the role played by the data subject in public life.” This is vastly open to interpretation. What satisfies the threshold of an individual playing a substantial role in public life? Is the threshold satisfied if he/she is a politician? If he/she has five-figure Facebook friends/Twitter followers? What about a circumstance in which an individual is not a “public personality” at that point in time and successfully manages to have data on him/her removed from search engines, only to later become the Prime Minister of the country? Will the onus be on a company/search engine to restore all data on the individual that they previously expunged?

To further illustrate the complexities of such a threshold, how it is to be determined and by whom, here is a list of individuals who have requested Google to have data on them removed from its indexes. A list ranging from politicians, celebrities, doctors, to convicted sex-offenders.

Prior to the ruling by the European Court of Justice, Google policy dictated it would remove any information from its index if it made individuals susceptible to certain harms. The ruling however goes a lot further and allows individuals to erase their digital footprint even in cases where it may be highlighting previous misdemeanours. It is therefore no surprise that both Google and Wikimedia – the parent company of Wikipedia – have deemed the EU ruling to be “astonishing.”

It is interesting to review the impact of this ruling in the context of a recent case in local German courts. Wolfgang Werlé and Manfred Lauber’s claim to fame was their murder of a German actor in 1990. They sued Wikimedia to “forget them” and remove all mention of their past act. Under German law, a criminal’s name can be suppressed in news accounts once he/she has served his/her sentence. The German courts, in line with precedent, did order Wikimedia to suppress all content related to the two; however, as Wikimedia had no local operations in Germany, it was not jurisdictionally obligated to abide by a decision of a German court.

If jurisdiction were not a barrier, the outcome in the above-mentioned case would boil down to a question of whether the public has an interest in knowing the past actions of Werlé and Lauber. That is a criterion easy to stretch to fit any narrative; for example, one could put forth the argument that the convicted individuals had a better chance of rehabilitation if their history was expunged. If such an argument succeeded, it would be akin to individuals erasing an integral part of their past, and denying their future associates access to information that perhaps should be known to them before embarking on a mutual endeavor.

Requiring intermediaries to alter – and as viewed by some, censor – data on the Internet could, in the long run, stifle intermediaries, restricting them from providing services that afford free and easy access to information. Also, if legally obtained and published information about individuals starts being removed, neutrality of data and the Internet would be further diminished.

Quoting Orwell, “He who controls the past, controls the future,” said a statement on the case issued by the Electronic Frontier Foundation, an online civil liberties group. In this case, the lines are blurred and who has the authority to do what is unclear.

Divergent views on the ‘right to be forgotten’

The right to be forgotten is a dangerous path to tread upon, argues Jeffrey Rosen, professor of law at George Washington University. If unfettered permission is granted to expunge people’s past, ideals of free speech and a neutral Internet can quickly be forgotten, and corporations and powerful individuals will have greater authority to control the flow of information online.

Proponents of the ‘right to be forgotten’ argue that every individual deserves the right to privacy. The vast picture of our stories that is painted across the internet can be collected by people and used to commit a wide range of misdeeds, from identity theft to stalking individuals. On the other hand, opponents of the ‘right to be forgotten’ claim all information available on the Internet is published legally – and often voluntarily self-published by an individual online. Their view on the ‘right to be forgotten’ is that it is just another way of enabling governments, companies and individuals to exert control over what may and what may not be published online. On the flip side, if one is not allowed to remove their digital footprint under certain circumstances, there can be a very real threat to the security of their person. Striking a balance between the two extremes is imperative.

The cultural juxtaposition between the respective approaches of the EU and US towards this issue makes for interesting reading. While the EU has acted to limit the scope of information that is publicly accessible, citing privacy laws, the US and its First Amendment stand in direct opposition. Accurate or not, the two divergent positions have been defined as privacy vs censorship.

What the debate really boils down to is a question of individual liberties: does the liberty to either express oneself or access legitimate information outweigh the need to protect one’s privacy? Is it even valid to deem acts legitimately published in the public domain as private? Is this polarity reasonable to begin with? The answers to these questions are not straightforward and call for complex reasoning. At a glance, any consideration that this is anything but a simplistic matter, and that it requires further deliberation, is missing from the European Court’s decision.

The majority view on the decision is that it is sweeping in nature and seemingly fails to address the balance between public and private data. According to the Stanford Law Review, it is imperative to draw up a comprehensive policy that provides a clearer framework of data that ought to be protected, and data that need not be. However, such policies must ensure that the right to free expression and access to information are construed widely and only subverted where there is legitimate harm being caused to an individual, not to hide a ‘wrongdoing’ on their part.

Edit: Since this article was published, Google has launched a portal wherein European citizens can request that links containing information about them be removed from search result pages. This is the first step to comply with a court ruling affirming the “right to be forgotten”.


The Stanford Law Review

The European Journal of Law and Technology

The New York Times

The Guardian


Chilling Effects Clearinghouse, a collaborative venture by law school clinics and the Electronic Frontier Foundation that collects and analyzes legal complaints about online activity, posted online five requests made to Twitter by the Pakistan Telecommunications Authority (PTA).

The requests were made between May 5-14, 2014 and cite the Pakistan Penal Code as legal justification for content removal. These requests were entertained as per Twitter’s ‘Country Withheld Content’ tool, which entertains requests from government and law enforcement agencies to have potentially illegal content and accounts removed or restricted in the country making the request.

The question that then must be asked is of the legitimacy of the requests forwarded by Pakistan Telecommunication Authority (PTA). The PTA, in accordance with Section 5 of the Pakistan Telecommunication Authority Re-Organization Act 1996 (amended 2005) is a body established to regulate licenses and workings of telecommunication services and systems. The Act does not in any form give PTA the authority to arbitrarily restrict content on the Internet. Section 8 of the Act allows the Federal Government to authorize the PTA to take or implement certain policy decisions; however, content removal, whether by itself or through another, is beyond the ambit of powers of the PTA or of any government authority for that matter.

PTA has previously gone on record – in court and the media – to say that it follows the directives of the IMCEW (Inter-Ministerial Committee for the Evaluation of Websites) vis-à-vis restriction of access or content online. As a regulator, it says it does what it is directed to do.

If there was federal authorisation for these requests, then in the interest of transparency, the relevant bodies should make public the legal process followed to route these requests. Who initiated the complaint, where was the complaint made, who forwarded it and what law specifically was cited for removal?

It is pertinent to highlight that Pakistan does not have cyber laws or any clearly defined policy that applies to the Internet. No specific protections exist in law that support user privacy and citizens’ right to information.  In the past, content has been blocked in an ad hoc manner. A lot of political dissent has been blocked under the garb of blocking anti-religious or anti-national content, disregarding citizens’ right to information and the need for transparency and accountability.

Twitter’s ‘Country Withheld Tool,’ while seeking to facilitate the manner in which governments make requests, is worrisome for citizens in countries where no transparent and legal processes exist for access and content on the Internet. Over the last few years, various authorities have arbitrarily blocked and censored the Internet, not over ‘illegal’ content, but to suppress political dissent. The process by which requests from governments are entertained by Twitter must also be made public knowledge. What is considered a valid complaint, through what process and policy?

Speedy compliance without this information being placed on public record sets a dangerous precedent and hampers efforts of those seeking to limit censorship on the Internet in Pakistan. Government authorities have routinely cited Facebook’s speedy compliance with takedown requests as a justification to continue the ban on YouTube, and it appears as though Twitter is joining that league, requiring little in the way of due process to comply with requests.

Watch Barrister Babar Sattar’s Legal Analysis regarding Internet Policy, Law & Fundamental Rights



Mr. Mohsin Shah Nawaz Ranjha, the Parliamentary Secretary of Information & Broadcasting, recently made an all too popular statement regarding social media and problems that are common for users worldwide. Commenting on the misuse of social media by “online miscreants”, Mr. Ranjha said that the government would formulate a policy to deal with ‘false information’ spread online through ‘fake identifications.’ The name ascribed to those who pose such a problem is an internet troll. It is important to understand that there is a difference between harmless, good-humored trolling and vicious, abusive trolling. Friends and acquaintances may tease each other or joke in good humor, but on the darker end of the spectrum, there are individuals whose sole intention is to create an environment of hostility and discrimination. This kind of troll is someone who will use a fake identity online to harass people, spread rumors as facts, or relentlessly criticize someone in order to provoke an emotional response. Trolls will often operate with multiple identities, so if you block one social media profile, another will take its place. It may sound like there is no way to thwart a troll, but in actuality, there are several.

Trolls always want an audience to witness their abuse and bullying, because they crave attention in one form or the other. That is why they will often congregate on social media websites, where many people can see them engaging people in their banalities. They either attempt to publicly humiliate others, or they believe a large audience should hear their opinions, which is why, especially on political issues, an online troll will say the same thing to different people, mostly opinion leaders such as talk show hosts and news anchors, seeking approval from authority figures.

In cases where trolls attack political or public figures, the intention is almost always to cast negative light upon the individual; the troll may dislike the person’s political affiliations, public opinions, or in some cases, even aspects of their personal life. However, as wrong and mentally distressing as the deeds of online trolls are, that cannot serve as an excuse to limit, censor, or ban social media in any way. There are many ways to deal with this particular nuisance, and we, the good folks at Bolo Bhi, have listed a number of efficient ways that work much better than policing the internet.

1. Understand the difference between trolling and expressing opinions: This is especially important when you occupy a position that frequently places you in the public eye, such as working for a media group, the state, or a public sector organization. Even if the expression of the idea conveyed an aggressive tone, it is still covered under free speech, and unless there is an explicit threat to your personal safety, or that of your friends and family, there is no cause for any action at all. You can either a) choose to ignore the criticism, or b) address it by engaging in civil, polite discussion, or c) if you do not wish to engage in a lengthy debate, only tell the person that you understand what they’re saying and that you can just agree to disagree.

2. Block & Report as spam: All social media platforms provide the option for users to block unsolicited commentators and report them as spam. This is not a permanent fix: you block one account and others may pop up. Although this will only act as a temporary deterrent, it is an important one, as we will go on to explain in step 4.

3. Do not feed the trolls: A common phrase on how to deal with online bullying is “do not feed the trolls.” When someone is harassing and/or threatening you, there is certainly a serious issue, but when an online troll is only trying to provoke a response out of you, it may be better to simply ignore the troll. Online bullies and trolls feed on other people’s rage, discomfort, and unhappiness, making jokes and comments to upset people. Reacting with discomfort and annoyance to trolling is giving trolls what they want. We are not asking you to make light of threats or to not deal with harassment; deal with it, but do not exhaust yourself by engaging with an aggressive troll.

4. Report abuse: Remember in step two when we asked you to report individuals’ statements as spam? Well, this is precisely why. All social media platforms flaunt an abuse policy and a method to report abusers. We have made a list of email addresses to reach out to in case you are facing abuse on social media. When writing the email, remember to provide all necessary details: screenshots of the accounts’ tweets, the screenshots reporting spam and, lastly, a list of all accounts that are involved in harassing/trolling.

5. Investigate the troll’s identity: Sometimes, it is easy to understand a troll’s ideology by reading the content they share on social media, the tweets or comments they may be making in public, or what they might write on a blog. By investigating public content that is not a violation of the troll’s privacy, you can understand their ideology, which may be against your own opinions, political affiliations, or beliefs. Armed with this knowledge, you can then inform the social media public about how you’re being harassed by someone because of your opinions and views, thereby exposing the troll to criticism, rather than becoming the target of criticism yourself by reacting poorly to trolling attempts.

6. Block IPs yourself when possible, or through external sources: If you’re being trolled on a website or blog such as WordPress, there are numerous options that allow you to block the IP address of a troll, so they cannot make various fake identities and harass you. In cases where IPs are not identified, such as social media, the websites in question cannot release information such as IP addresses to a civilian, and can only do so when an official request is made by authority figures. In such a case, you can take a screen capture of the content that is harassing or threatening you, and get in touch with CPLC, who can help you take steps to ensure your personal and online safety.

7. Protect your privacy online: The content we share through social media connects us to friends and family, but it can also be used against us. It is essential to familiarize yourself with whatever social media platform you are using, and know your privacy settings, from status updates to your photos. Make sure that your close friends and family protect their privacy too, as trolls will often target what they perceive to be your weakness, such as your nearest and dearest. Bolo Bhi has a list of resources for maintaining your digital security, and ensuring that personal, sensitive information cannot fall into the hands of anyone who means you harm.




How to report abuse on Facebook

Facebook Safety Center

Report a Violation of Facebook Terms

How to report harassment or abuse if you’re not on Facebook

Privacy rights: Photo removal request

Report a privacy rights infringement

Report a convicted sex offender

Report blackmail

Report suicidal content

Report abuse at:


How to report an abusive user

Report account for impersonation

Report account for spam

Report a problem to the support team


Report a profile

Report spam or inappropriate content

Report abuse in public video hangouts

Report abuse on events

Contact a Gmail user abusing Google’s Terms of Service (TOS)

Compromised Gmail account

Learn about suspicious activity on your Google account

Gmail security checklist

How to delete your Google Plus profile


Reporting spam, phishing, or scams to Yahoo

Report an inappropriate comment or abuse on Yahoo

What to do if your account is sending spam

What to do if you’re being harassed on Yahoo

Form for contacting Yahoo


Facebook just published its second transparency report, revealing requests it receives from governments around the world for user data and content removal. The report introduces Facebook’s policy of dealing with government requests as “We respond to valid requests relating to criminal cases. Each and every request we receive is checked for legal sufficiency and we reject or require greater specificity on requests that are overly broad or vague”.

Between July and December 2013, the Government of Pakistan made a total of 126 requests for user data relating to 163 users or accounts, and Facebook fulfilled 47% of these requests. Moreover, access to content on 162 pages and profiles was restricted. Facebook describes Pakistan’s content restrictions as “content primarily reported by the Pakistan Telecommunication Authority and the Ministry of Information Technology and Telecommunications under local laws prohibiting blasphemy and criticism of the state.” Since Facebook states that they check every report for “legal sufficiency”, it is alarming that “criticism of the state” is being listed as prohibited content in Pakistan.

[Image: Facebook Transparency Report: Since When Is Criticism of the State Illegal in Pakistan?]

In the past, Facebook pages of groups talking about secularism have reportedly been taken down by Facebook, including the widely read Urdu page “RoshniPK”. Given the history of content removal on Facebook, the recent report raises the following questions:

  • What criticism does the Government of Pakistan consider illegal and prohibited?
  • What laws are being cited by the authorities in Pakistan to make content takedown requests?
  • Regarding account information requests, what law is being cited to demand such information?

Pakistan does not have laws that protect the privacy of an individual on the internet. Even though the Constitution states privacy as an inviolable right, this is routinely overlooked under the pretext of “national security”. There is currently no judicial oversight for wiretaps, surveillance and monitoring of content. Moreover, a significant number of Facebook pages inciting violence and hate speech targeted towards non-Muslims, certain sects of Islam, atheists, and the military remain accessible. Therefore, it is even more important to ask: precisely what type of content are the authorities targeting? More importantly, the lack of transparency and accountability of the Ministry of Information Technology and Telecommunications must be scrutinized.


Over the last few years, Internet censorship and surveillance have been on the rise in Pakistan. International reports have pointed to the alleged presence of FinFisher (espionage and surveillance equipment) and Netsweeper (filtering and blocking equipment) in the country. In recent months, Internet users have faced service disruptions – slow Internet speed as well as the inability to access several websites.

Very recently, as a result of an investigation into customer complaints, popular VPN service Spotflux officially announced that their data centers had been blocked by the government of Pakistan. After access to YouTube was blocked in Pakistan in 2012, Spotflux became one of the popular methods of circumventing the blockade.

The decision to block VPNs was first made in 2010 under the Monitoring & Reconciliation of International Telephone Traffic Regulations 2010 (MRITT). An official notification of blocking VPNs in Pakistan was issued in July 2011. The notification, issued by the Pakistan Telecommunication Authority (PTA), cites “prohibition to use all mechanisms which conceal communication to the extent that prohibits monitoring”.

The regulation mandates the monitoring and blocking of any traffic (encrypted or not), including voice and data, originating or terminating in Pakistan. This includes all encrypted VoIP services. If followed strictly, the MRITT could legitimize blocking of Skype and other VoIP services like Viber [Read about Sindh Interior Ministry’s attempt to block Skype, Viber & Whatsapp]. Since the regulation requires Internet monitoring on a massive scale, it allows the blocking of VPN services as they are considered an interference with the ability to monitor Internet traffic.

The implementation of this clause raises several concerns. It has the potential to hamper online businesses in Pakistan and violate the privacy rights of Pakistani citizens. Sub clause (6d) of clause 4 of Part II, “Establishment, administration and features of the Monitoring System”, mentions that licensees that deploy the monitoring system are responsible for providing data to the Authority when it is required. This data includes a complete list of Pakistani customers and their details.

In 2011, the official announcement to ban VPN services was met with severe criticism from the business community, especially the banking sector. Despite warnings by the PTA, a blanket ban on VPNs was never implemented. Instead, the regulation was only applied to commercial connections, where users were told to register their IPs with PTA so that they could be added to the whitelist. If they were using VoIP or VPNs, it had to be with the explicit permission of the Authority.

A press release published in 2007 on PTA’s website provides details of the agreement signed between Inbox Technologies, developed by NARUS, to acquire a system that enabled the authorities to monitor and block “grey traffic” at the IP level. Last year, PTA acquired new filters to monitor grey traffic in an effort to boost the “anti-terror” fight. This was the result of the International Clearing House (ICH) Policy Directive issued by Ministry of in August, 2012. The system, which is officially called Grey Traffic Mitigation System (GTMS), became operational in October 2013, as reported to the National Assembly.

It now appears that the ISI (Inter-Services Intelligence), and not ISPs or PTA, are managing these filters to monitor and block grey traffic. But what legal mandate does the ISI have to operate the filters?

IP-level blocking and the manner in which it is being implemented is posing several problems for Internet service providers, businesses and Internet users alike. The recent surge in blocking of websites and service disruption has been reported by Internet users. PTA Chairman’s statement to the press suggests that the regulator is currently working on fixing the issues and reportedly working on getting the filtering equipment back under PTA’s control. However, housing the system under one authority vs another is not going to be enough. Acknowledging the importance of encryption, user privacy, and the integrity and security of the banking sector and business and financial transactions, is essential.

Update: The Pakistan Telecommunications Authority (PTA) published an ad in the newspaper announcing the process of registrations of VPNs. The ad states that all VPN users are required to register before the 25th of May or face blocking.

[Image: Now Blocking in Pakistan: IPs and Grey Traffic]

Read ISPAK’s (Internet Service Providers Association of Pakistan) letter to the Ministry of Information Technology & Telecom regarding IP blocking below:



No. 5(8)/2013-ISPAK

02 December 2013

Ms. Anusha Rahman Ahmad Khan

Minister of State for Information Technology

Ministry of IT

Government of Pakistan


Subject:          IP Blocking Issues for Broadband Operators, Call Centers and Internet Users

Dear Madam,

        Under the recently established system by the Government of Pakistan to curb grey traffic, IP addresses blocking on Internet backbone has been started. While the intentions for having such a system may be good, the Government has unfortunately done another experiment this time at the risk and cost of Internet users and broadband operators of the country by giving this system in the hands of Inter Services Intelligence (ISI), an organization that has a different mandate altogether and has no mechanism in place to address various issues faced by the industry.

2.      Broadband operators and call centers are prime victims of this mechanism. Legitimate and even whitelisted IP addresses of operators are getting blocked without any reason. In last week, IP addresses of DNS, Authentication Servers and Core Routers of Qubee, a leading WiMax operator, got blocked twice on the same day, resulting in jamming of country wide network and leaving thousands of customers screaming. IP addresses of the other operators including WiTribe, Linkdotnet, etc., are also getting blocked. Many customers use VPNs (virtual private networks) on Internet to connect to their proprietary and secure networks for various business applications. These VPNs, which are now integral part of any Internet connection, are also getting blocked left, right and center with no solution in place to allow legitimate users and filter grey traffic.

3.      Leading call centers and software houses of the country, including TRG, Ovex, Shellby and so many others are running from pillar to post to get their IPs whitelisted. PTA officials seem helpless because the system is not in their control and their requests for IP whitelisting are apparently not handled by the ISI in a timely manner. ISI is also reportedly dependent upon the vendor who has supplied this system. So the red-tape circle of whitelisting on IPs is extended from the customer to the operator, from the operator to PTA, from PTA to ISI and ISI to the vendor, and same return path. It is taking weeks to resolve the issues that should have been addressed in minutes.

4.      The whole Internet traffic of the country has been left at the mercy of a system that is being operated in an amateur manner and at a snail’s pace in total disregard to the agony faced by the operators, call centers and Internet users. Call centers are losing huge foreign exchange revenue and Pakistan is getting bad publicity in international business community.

5.      The media has previously reported that US$27 million were unofficially diverted from controversial ICH Agreement to enable the purchase of IP Blocking system in total disregard to Public Procurement Rules and bypassing competitive bidding. The Internet industry has thus been kept hostage to a system whose origin is illegal and design and operations totally non-professional. The grey traffic is now reportedly being shifted to Ku band satellite dishes and legitimate Internet routes are being blocked.

6.      We request you to kindly look into the matter personally and get a proper standard operating mechanism in place where IPs are whitelisted and such lists are implemented within 48 hours with no whitelisted IPs subject to blocking. There should be no limit on the number of IPs got whitelisted by a licensed operator. Complaints of operators should be addressed on 24 x 7 basis with resolution time and escalation levels defined. In case of blocking of whitelisted IPs of the operators, financial compensation should be given to the operators by the Ministry of IT as operators are now being asked by their customers for compensation.

With kind regards.

Yours sincerely,

Wahaj us Siraj


c.c.   Mr. Akhlaq Ahmad Tarar, Secretary, Ministry of IT, Government of Pakistan, Islamabad.

        Chairman PTA, Pakistan Telecommunication Authority, Islamabad

        Member Telecom, Ministry of IT, Government of Pakistan, Islamabad

        Member IT, Ministry of IT, Government of Pakistan, Islamabad

See timeline of encryption blockade in Pakistan:

With legal research assistance from Nighat Dad, Digital Rights Foundation

Taking a cue from the brilliant team at Electronic Frontier Foundation, the Bolo Bhi team has come up with a scorecard for State Minister for Information Technology & Telecom, Ms Anusha Rahman Khan. The scorecard is based on the performance of key duties by the Minister in her first six months in office. The collective score is based on input by industry and civil society members.


Criteria For Each Duty:

0-3: Showed effort

4-7: Followed through

8-10: Led to outcome



[Image: scorecard for State Minister Anusha Rahman’s first six months in office]



1. Fulfilled promises made as a member NA standing committee on IT

In the previous government, Ms Anusha Rahman Khan was one of the most vocal members of the National Assembly’s Standing Committee on Information Technology. During her tenure as a parliamentarian, Ms Rahman spoke for the need to increase access to information, unblock YouTube and issue 3G licenses.

She was also involved in a series of discussions on proposed amendments to the Pakistan Electronic Crime Ordinance (PECO). Although she displayed an understanding of information technology issues then, Ms Rahman’s time in office has hardly reflected the same zeal to resolve issues effectively.

2. Accessibility as a public official

Speak to people within the industry, and they will tell you the Minister just doesn’t respond to letters or emails. We’ve found that to be true as well. According to them, the few meetings that were held initially led to no results as their input was never considered seriously. It has become very apparent since that the input of stakeholders is of little or no importance. Instead, handpicked experts and their input carry more weight. Surprisingly, this has been noted not only by people within industry or civil society, but also by fellow politicians and parliamentarians, who also say they’ve been given the cold shoulder.

3. Restoration of YouTube

Beginning with the announcement that we can block Google on her first day of office (allegedly misreported), to introducing filters to block content and eventually trying to go the localization route, the Minister has made various speeches in the Senate on this subject and issued press statements. However, to date no concrete measures have been taken to resolve the issue. All proposed solutions have been out of line with the direction the court has taken on the issue. In fact, despite being summoned multiple times, the Minister did not appear in court. Initially, even Google officials were given the cold shoulder, by the Minister and Ministry, with refusals to talk or meet. As for independent input, it has been completely shunned. Repeated attempts to apprise the Minister of the intricacies of the issue have been met with a stony silence.

4. Adoption of 3G Technology

Recent reports suggest that the government will hold the 3G auction in March 2014. The auction and issuance of 3G licenses is a matter that has been pending since 2008. Other than discussions and field visits since the beginning of the term at the Ministry, not much has been done. It was only after the Supreme Court, hearing a writ petition for early auctioning of 3G licenses, issued directions to the government to be quick about the appointment of PTA officials, that this matter moved along. Whether the Information Memorandum will be completed in time, and the auction held in March, now remains to be seen.

5. Increase Internet Penetration in underserved areas

In a surprise move, rather than utilizing National R&D (Research and Development) Funds and USF (Universal Services Fund) money to increase telecommunications and Internet penetration in the country, these funds – amounting to billions of rupees – were consolidated and moved out of accounts maintained separately for them. While these funds had been lying unused for quite a while, industry personnel argue the right thing to do was to utilize and spend them in underserved areas to improve infrastructure, etc. as opposed to housing them under the Ministry of Finance and putting them towards the paying off of circular debt. It must be noted that no efforts to better the existing infrastructure, either through policy or otherwise, have been made.

6. Disclosure on filtering & surveillance equipment

Ever since the announcement that PTCL was ‘loaning’ the Ministry filters to block content, followed by a statement maintaining filters were not the solution, there has been no disclosure by the Ministry as to what has happened to the filters that were acquired. Through what process they were acquired, at what cost, and what has been done with them: all these questions remain unanswered. There also remains no acknowledgment or clarification to date of the alleged presence of FinFisher command and control servers and Netsweeper in Pakistan.

7. Headway on Stakeholder Draft of E-crime Legislation

For quite some time now, there has been a fair amount of back and forth between the Ministry and stakeholders on the amendments to what was previously PECO (Pakistan Electronic Crimes Ordinance). Through multi-stakeholder input, various meetings with the previous Standing Committee on IT and even more meetings with the current Minister and Ministry officials, the PECB (Pakistan Electronic Crimes Bill) 2014 still has a long way to go it seems. After near unanimous approval of the draft by stakeholders, the Ministry allegedly decided to dish out some $20,000, it is said, to appoint an international expert to point out why the proposed legislation would not work.

Whether this piece of legislation will see the light of day, or a government draft will make it into law, remains to be seen. The Prime Minister’s office commissioned its own version of a cybercrime law – which has been criticized heavily for its lack of safeguards and of knowledge of technology. Why the wastage of funds and efforts when there already exists a piece of legislation that has been debated to no end?

What kind of coordination is there between the Ministry of IT and the PM’s office?

8. Headway on Privacy Legislation

According to the Constitution of 1973, the right to privacy is an inviolable right. Despite that, Pakistan still lacks laws that protect citizens’ right to privacy. Effective legislation that would help minimize monitoring by the government, regulate surveillance by corporations and ensure that citizens’ personal information is properly protected remains missing. Despite the Snowden revelations, the authorities have not shown any commitment to protecting the personal data of citizens. In the past year, laws such as the ‘Investigation for Fair Trial Act’ have been given a clean chit by the National Assembly and the Senate, further increasing the risk of legitimizing blanket surveillance by law-enforcement agencies, without accountability.

Comments: As someone of whom everyone had high hopes, the Minister has only disappointed. A month or two ago, many were still willing to give the Minister a chance. Yet, with every statement and action, the Minister has only sunk their hopes of betterment. Bring up the Minister in conversation now, and there is a decided tone one hears, of utter frustration and anger. As a public official, she is expected to be more approachable.

It is pertinent to mention that, be it over the blocking of YouTube, the issuance of 3G licenses, spectrum allocation and use, or the relocating of USF/R&D funds, the government has been dragged into court for either non-responsiveness or contestable policies. This is a clear indication that nothing is right with policy-making or the approach towards it in this sector.

Going forward, what is expected of the Minister is to take seriously those outside the immediate bureaucratic and political circles. There is a lot of valuable input that has been, and can further be, provided on issues of vital importance to industry and citizens. They deserve a hearing, and that input needs to be factored into policy.