MMFD calls for an immediate investigation into the alleged breach of NADRA citizens’ data and the involvement of Punjab government officials

On April 07, 2018, on a tip-off provided by a group of ethical hackers, multiple news outlets including Pro Pakistani and Tech Juice reported the alleged ongoing “sale and purchase” of citizens’ data from the National Database Registration Authority (NADRA) via Facebook pages for as low as Rs.100.

Media Matters for Democracy expresses deep concern over this violation of citizens data and the right to privacy and demands immediate action against those involved in compromising the NADRA data.

According to ProPakistani and Tech Juice, the NADRA database was compromised after the provision of access to the servers of Punjab Information Technology Board, a body set up by the Punjab government to contribute to “innovation economy” of Pakistan, in particular, Punjab. The access, it was reported, was provided to help integrate NADRA data with the datasets of government departments including education, health, police, and land registry.

As a part of this integration process, several officers within the Punjab government departments were provided access to NADRA data. However, it was alleged, that some of the authorised officers misused their authority by sharing their credentials with unauthorised persons, thereby allowing them illegal access to citizens’ data.

As a result, number of profiles on Facebook and WhatsApp are openly offering to provide information against any Computerised National Identity Card number in exchange for as low as 1$. The information allegedly being sold include names, addresses, driving licenses associated with CNIC numbers, criminal records, and details about consumer finance products (such as ongoing loans etc).

This is not the first time NADRA database was breached. A few months ago, a sting operation conducted by ARY news team revealed not only illegal access to the database, but complete physical replicas of NADRA being sold on external storage devices.

Earlier last year, it was also reported that vulnerability within PITB systems made it possible for people to access information including copies of CNIC, CVs, and educational degrees. However, there was no evidence or information of misuse of such data.

Meanwhile, it is worrying to note that instead of being more accountable and calling for a thorough investigation of the matter, Chairman Punjab Information Technology Board Dr. Umar Saif threatened to pursue legal action against those who reported the incident, calling the news “false, unfounded and malicious content against government IT systems on WhatsApp, Facebook, and Twitter.”

In another tweet, he said: “If you are producing content, uploading content or sharing content that deliberately spreads false information about government systems or personnel, you are liable under the Pakistan Cybercrime Law 2016 with a prison sentence of 6 months”.

“This is not the first time we have seen government officials threatening journalists of dire legal and physical consequences”, noted Asad Baig, the founder of MMFD. “However, this reaction coming from the tech head-honcho of Punjab shows an acute intolerance of free journalism even by those who claim to believe in technology and progressiveness”.

While the immediate effect of this threat forced the group of ethical hackers to remove the blog post about this incident from their website, correspondents of ProPakistani and Tech Juice confirmed to Media Matters for Democracy that they stand by their story.

It is important to note here that in the absence of a data protection framework in Pakistan, its difficult to bind corporates and government departments to be liable and accountable in case of a data breach.

Despite the fact that the PML-N government made tall claims of moving towards a ‘digital Pakistan’ and made commitments to introduce a data protection framework multiple times, including in the Action Plan of the Open Government Partnership, Pakistan still doesn’t have a citizen-friendly data protection law.

Given the rising incidents of data breaches and misuse of data, Media Matters for Democracy once again urges the stakeholders to devise a data protection framework at the earliest. In the absence of such a framework, its impossible to provide protection to citizens data, and privacy and make the departments and corporates using and abusing our data, accountable.