Three years ago, the Punjab government introduced an app that women falling victims to accidents or harassment in public places can use to report their plight to the government officials. To use it, they have to enter their name, address, location of the accident or harassment, their phone number and their national identity card number in it. So far, more than 10,000 people have downloaded the app but no official statistics are available on how many women have used it how many times.
The information collected through the use of this app is received and stored at the Punjab Safe City Authority's head office in Lahore.
Although the authority's privacy policy states that this information will not be accessible to any citizen, private group or organization, officials in many government agencies have unimpeded access to it. According to Kamran Khan, director general of the authority, intelligence agencies and the armed forces can also access this information as and when needed.
The Digital Rights Foundation, a Pakistani organization working to ensure public access to officially collected information and to protect the citizens’ personal information in digital world, is concerned about the situation. In a recent report, it pointed out that the Punjab Safe City Authority has not yet developed a transparent mechanism for accessing and protecting the personal information of women using the app.
This could help government agencies or officials to misuse the information they have access to, the organization stated.
The Punjab Safe City Authority is also monitoring the movement of millions of people and vehicles on a daily basis with the help of 8,000 closed circuit cameras installed across Lahore. It claims the information gathered with the help of these cameras is proving helpful in controlling crime and terrorism.
The method of collecting and analyzing this information is modeled on the public surveillance system installed in London but, unlike in Pakistan, the British government has established detailed rules and regulations in London for the protection and public access of the information being collected through this system. The UK Data Protection Act 2018 is a key part of this process. It gives British citizens the right to not only access their own information collected with the help of technology but, in the case of any misuse of this information, public can hold the government accountable and can also take the officials involved in this misuse to a court.
In the absence of any such law in Pakistan, the citizens do not know what kind of information is being collected about them, and under what circumstances, by the government agencies.
Kamran Khan, director general of the Punjab Safe City Authority, says providing this information to citizens could be dangerous. He says the nature of the information collected by the authority is “sensitive” because it relates to law and order and national security. “The citizens, therefore, should not have access to it”.
Jannat Ali Kalyar, a Lahore-based lawyer, describes this situation as “worrying”. According to her, a software called ‘Hotel Eye’ has also been installed in many big cities. This sends personal information of everyone staying in a hotel directly to the security and intelligence agencies. But, she says, “there are no legal restrictions on the misuse of this information”. According to her, there is also no law in Pakistan that allows the citizens to hold those officials accountable who have the power to use their personal information.
To fill these legal gaps, the government has recently drafted a law called the Pakistan Data Protection Bill. One of the main objectives of this law is to prevent the misuse of information collected by the government agencies. But as Jannat Ali Kalyar says, there are “many loopholes in the bill”.
Although the Data Protection Bill borrows a large number of provisions from the European Union’s General Data Protection Regulations (GDPR), it, nevertheless, grants many exemptions to the state institutions and considers the state interests above civil liberties. Media Matters for Democracy, an organization working on media freedom, states that its primary purpose is far from ensuring that citizens be able to hold the authorities accountable for the misuse of their information.
A preliminary report that the organization has compiled on the bill mentions that the law should apply to all the institutions of the state, society and market. These should include government departments, autonomous government agencies, parliamentary bodies, phone companies and banks since all these collect people’s personal information in some form or another.
The report also suggests that a citizen’s personal information should not be made public unless he or she allows it, and that additional checks should be adopted to protect the personal information of the minors and the mentally challenged.
An Islamabad based barrister, Yasir Latif Hamdani, has similar views. He has been a lawyer in various cases involving civil liberties and the free flow and distribution of information. He has also recently filed a writ petition in the Islamabad High Court, seeking legislation to protect the citizens’ personal information.
Citing the example of the abducted police officer Tahir Dawar and journalist Matiullah Jan from Islamabad, he says, several people have tried to gain access to the records of the cameras installed under the Islamabad Safe City project to solve the mystery of their kidnappings. “But they failed to obtain that information due to the legal exemptions given to intelligence agencies and security departments under the Access to Information Act,” he says.
Kamran Khan, director general of Punjab Safe City Authority, however, declines to answer if his agency is doing anything to prevent the misuse of information collected through close circuit cameras installed. He, though, acknowledges, that “there is still a long way to go to stop intelligence officials from interfering in the matters of the authority”.
Who can access your personal information?
In the last three years, the information collected by the Punjab Safe City Authority has been stolen several times.
The most important incident in this regard took place in 2019 when the data of thousands of citizens was stolen from Punjab Information and Technology Board computer server affiliated to the Punjab Safe City Authority. Later, it was sold through Facebook groups.
According to Tec juice, a Pakistani news organization working on the news related to technology, the stolen data contained the following details:
Computerized National Identity Card information
Family information
Crime record
Personal information for those staying in rented houses and hotels
All registered mobile phone usage information
Similarly, about a year and a half ago, many pictures and videos started circulating on social media in which men and women sitting in cars could be seen in intimate moments. According to reports in various newspapers, most of those visuals were taken from the Punjab Safe City Authority cameras in Lahore.
Immediately after its inception in 2018, the Punjab Safe City Authority also faced criticism for failing to take significant steps to protect the citizens’ data from the Chinese company Huawei which has installed closed circuit cameras in Lahore. This criticism was based on the revelations made in the authority’s own documents which stated that Huawei was obtaining information from the cameras without informing the Pakistani authorities and that it had inserted an additional card in the cameras while installing them through which it was receiving all the information directly.
Punjab Safe City Authority chief Kamran Khan does not want to comment on whether the authority has conducted any investigation into the allegations and whether any action has been taken against Huawei in this regard.
Independent sources have also not been able to confirm or deny these allegations but the Center for Strategic Studies, an American organization working on the Internet and social media freedom internationally, has also made similar allegations against Huawei.
According to it, the company has not only been able to access the citizens’ data by installing additional cards in closed circuit cameras in various African countries but it also has been involved in selling this information to the Chinese government.
This report was first published by Lok Sujag on 22 Feb 2021, on its old website.
Published on 4 Jun 2022