from the oh,-look,-another-one dept
Recently we've been reporting how some countries seem to be trying to play catch-up with the NSA and GCHQ when it comes to surveillance. Here's the latest aspirant to the club -- Pakistan:
The government of Pakistan is proposing a new law that significantly threatens privacy rights, in a blatant attempt to establish a legal regime containing broad powers when it comes to obtaining, retaining, and sharing data obtained through criminal investigations, including communications data.
The Privacy International post quoted above goes on to spell out the details of the proposed Pakistani law. Naturally, there's data retention to obtain the data. The new law:
would require a service provider, which is defined in broad terms, to "within its technical capability, retain its traffic data minimum for a period of ninety days" (a requirement may already be in place under the Electronic Transaction Ordinance, 2002). The definition of traffic data includes information "indicating the communication's origin, destination, route, time, data, size, duration or type of underlying service".
But alongside this affirmation of older powers, there are plenty of new ones setting out some of the things the Pakistani government can do with data it acquires:
The draft law contains a troubling provision that would allow the Federal Government of Pakistan to forward information obtained from investigations under the Act to foreign agencies or international agencies. A prior request from the foreign entity would not be required to exercise this power.
Presumably this will allow Pakistan to offer to swap data with the security agencies of other nations in order to obtain information on people of interest. And as Privacy International points out, once it's gone, it's gone:
The information at stake is expansive: "text, message, data, voice, sound, database, video, signals, software, computer programs, codes including object code and source code". The information shared could include particular sensitive information about individuals or large quantities of data involving significant numbers of people. Once this information has left the hands of the Federal Government, it would no longer be subject to national law and could be used by foreign entities as they see fit.
The new law would also authorize data-flows in the other direction:
Another section, on "trans-border access", would permit the Federal Government or investigation agency to access data that may be "located in a foreign country or territory, if it obtains the lawful and voluntary consent of the person who has the lawful authority to disclose it". This could include personal data held by foreign corporations. This opens up the possibility of abuse, as "trans-border access" could be used to circumvent the safeguards established in other parts of the draft law.
It's easy to see how global companies like Google and Facebook might be persuaded that it would be in their best interests -- if they wish to continue to operate in Pakistan -- to hand over information about their users, stored outside the country's borders. And of course, once some or all of this proposed law is passed, other countries will feel even more entitled to follow suit.