This article is part of Privacy in the Pandemic, a Future Tense series.
It started with a casual slip-up on April 23, during a two-hour-long telethon fundraiser broadcast live on national television. “Things in Pakistan aren’t as bad as they are in Europe or America. Maybe we have some sort of immunity against the virus,” Imran Khan, the country’s prime minister, said as the telethon began. Surrounded by a handful of aides and journalists, he meandered a bit in his remarks. He praised his friend Recep Tayyip Erdoğan, the Turkish president, and casually dropped details about a recent phone call with U.S. President Donald Trump. Wealthy overseas Pakistanis called in to donate large amounts of money as a koel chirped in the background. No one wore a mask.
Then came the unexpected revelation: “The ISI has given us a great system for track and trace,” Khan said, referring to the country’s military-run spy agency, the Inter-Services Intelligence. “It was originally meant for terrorism, but now it has come in useful against the coronavirus,” he added, chuckling.
Now, with the countrywide coronavirus lockdown lifted and cases surging past 252,982 as of Tuesday, the government’s reliance on the ISI’s track and trace technology is beginning to worry digital rights activists. They fear that this surveillance may extend beyond the pandemic. A spokesperson from the Digital Rights Foundation—a Pakistani digital rights group—noted that the government’s decision to enlist the support of its security agency to trace coronavirus patients is a “worrying development that impedes the right to privacy of its citizens.”
There is little transparency about the nature of the ISI’s track and trace technology itself, other than the fact that it uses a combination of a geofencing tracking system, which alerts authorities when someone leaves a specific geographic area, and call-monitoring mechanisms. (This ambiguity, of course, is part of the problem.) But we know that security and law enforcement officials are integral to the country’s response to the pandemic. In an interview with the BBC on April 28, the prime minister’s focal person on COVID-19, Faisal Sultan, said that the ISI, the police, and local intelligence agencies were working in tandem with the department of health. “Information will be collected [by the ISI] and passed on to the police, after which the health department and other agencies will be able to use it,” he said. According to a Pakistani public health expert, who asked to remain anonymous, “even provincial coronavirus task forces … have to send queries to law enforcement agencies and wait to get responses from them.” This collaboration can be seen in how the government burrows through people’s information. Since March, the government’s Digital Pakistan program has sent more than 500,000 text messages to suspected coronavirus patients, warning them to self-isolate. A government official has confirmed on Twitter that the call records of more than 250,000 people diagnosed with COVID-19 have been used to “identify close contacts” who may also have been infected.
The use of the ISI’s track and trace mechanism is just one example of how Pakistan has been taking advantage of the pandemic to gain more access to citizens’ information. On June 8, the Pakistan Telecommunication Authority released a circular instructing internet users to register their virtual private networks by June 30 or else face legal action. (The deadline has now been extended to July 31.) Three days earlier, on June 5, the government quietly entered into a contract with the Canada-based corporation Sandvine in order to monitor internet traffic in the country. Sandvine has a murky past. A March 2018 investigation by the University of Toronto’s Citizen Lab revealed that the company had helped deploy government spyware in Turkey. It’s not clear whether the government entered into the contract with Sandvine because of the pandemic—it’s possible it was in the works before. But it is clear that the government has become more emboldened in its approach to regulate online spaces. (Sandvine did not respond to my request for comment.)
“At the end of the day, what the government wants is access to all the data that is supposedly hidden from them,” said digital rights expert Hija Kamran. “The ISI’s involvement in track and trace, the lack of information regarding the technology or method they are using to monitor and track suspected patients, and the push to register VPNs are all interconnected dots pointing towards one large goal: the erosion of privacy and the ability to track all citizens.”
Pakistan’s impulse to control and monitor content online is coupled with the absence of data protection and privacy laws. Despite several major digital breaches, there are no laws requiring disclosures. “There are websites out there right now where you can get someone’s citizen ID number, legal name, address, and previous phone numbers simply by typing one of them,” said security researcher and web developer Amin Shah Gilani. “All these details about a person are either very hard or impossible to change, so once they’re leaked, they’re public.”
The coronavirus pandemic has made evident that Pakistani citizens don’t have the privilege of accessing good health care while maintaining privacy. On June 9, French security researcher Baptiste Robert uncovered a “horror story.” In a series of tweets, Robert dissected the Pakistani government’s COVID-19 Gov PK mobile application—which has been downloaded more than 500,000 times so far and is advertised as a coronavirus self-assessment app, not a contact tracing application—and noted that it was downloading exact coordinates of coronavirus patients’ locations. The government described Robert’s analysis as a “hacking attempt”—an allegation he was quick to deny. “ ‘A hacking attempt’ makes what I did sound malicious,” he told me over the phone. “But what I did was simply a detailed analysis of the application in order to find vulnerabilities.”
But the government’s allegation demonstrates that any security research in Pakistan may be construed as a felony. Gilani believes that if he had done exactly what Robert did—outlined flaws and privacy concerns in a government-developed app—he may have been incarcerated under the country’s Prevention of Electronic Crimes Act, 2016: a draconian provision supposedly enacted for the protection of citizens that ultimately criminalizes free speech.
With a crumbling health care system and rapidly rising coronavirus cases—Pakistan now stands at 12th in the world in terms of case density—it is likely that citizens may overlook the erosion of privacy in favor of health. Already, spy and surveillance companies across the world are capitalizing upon the unique situation created by the coronavirus, rebranding their products and selling them to governments. “When this is all over, [companies] are going to say, ‘Hey, we helped you during the pandemic—now we have this very fancy surveillance tool for you,’ ” Robert said. “At the end of the day, this is just business.”