REPORTS of the government installing the Web Monitoring System (WMS) first came to prominence when questions relating to its set-up were raised in the Senate regarding the type of company that has been tasked to supply the technology.
The WMS is, on the face of it, being installed by the Pakistan Telecommunications Authority to monitor, analyse and curb grey traffic, apart from monitoring communications for the purposes of national security, measurement and recording of traffic, call data record, and quality of services “as specified by the PTA”. In other words, it is an all-encompassing surveillance system of internet traffic in Pakistan, under the pretext of commercial as well as security-related reasons.
According to PTA’s definition, the use of illegal gateway exchanges to bypass legal gateways and terminate/originate international traffic, through VoIP gateways, GSM gateways, WLL phones, mobile SIMs or other related equipment so as to avoid applicable taxes and/or regulatory fee, is termed as grey trafficking usually done to evade taxes and higher calling rates. In Gulf countries such as the UAE, Qatar, and Saudi Arabia, VoIP services like WhatsApp calls, Messenger calls and Skype do not work due to similar licensing restrictions so as to enable telecom companies and the government to earn more revenue through cellular and phone network calls.
The WMS has been set up under the Monitoring and Reconciliation Telephony Traffic Regulations, 2010, Regulation 4 of which states that “subject to mutual consent in writing of all … the authority may allow deployment of such system collectively on the basis of a cost effective solution”. This means that all the licensees of the PTA — including long-distance and international licensees, cellular mobile operators and submarine cable landing station licensees — have to contribute funds in proportion to their total revenue, amounting to millions of rupees.
If surveillance is to be carried out, there should at least be safeguards against abuse.
However, national security has also been cited as a reason for the WMS, which means that citizens’ internet traffic will also be under surveillance — though the PTA has clarified that this is not “intended to curtail freedom of use of internet by legitimate users”. While this statement of intent merits welcome, concrete steps to ensure the veracity of this claim remain to be seen.
Whereas the Prevention of Electronic Crimes Act, 2016, is used to block content online, the PTA has still not provided an appeal and review avenue for those whose websites or online content have been blocked under Section 37 of Peca, which clause 4 of the section guarantees and outlines the process for.
Furthermore, there is no mention of due process and judicial oversight in the WMS. If surveillance is to be carried out to protect national security, there should at least be safeguards against the abuse of this process in the form of a warrant being issued by a competent court.
Yet again, the WMS highlights the need for a data protection and privacy act, an issue that has been reiterated over the years. It would be another matter if we had strong rule of law and accountability, but there have been so many instances of misuse and abuse of official data by those who are supposed to protect citizens that a legal mechanism to protect such access is imperative. It is not sufficient to assume that employees of the state and its institutions always act in good faith to fairly uphold the law.
The current onslaught in the form of censorship and social media campaigns against journalists as well as human rights groups makes such technologies in the hands of the state all the more suspect, and hence requires oversight.
Then there are the concerns about the company supplying the technology itself. There has been much confusion about the deployment of Sandvine Inc’s technology for the WMS. Senators have raised concerns about the company being based in the US, where data security concerns are legitimate, keeping in mind the NSA’s internet surveillance, including on Pakistani citizens who were the second-most spied on group of people as per leaked official documents. The PTA has responded that a security audit of the company has taken place, but the process begs transparency considering how the system impacts all mobile phone and internet users in the country.
It is also worth noting that under a campaign undertaken by Bolo Bhi in 2012, Sandvine was one of the five companies that had confirmed its intent not to apply for a tender for Pakistan’s URL filtration system for censorship, and the company’s stance was celebrated in several reports as a case study of a business standing up for human rights.
The defence (expressed to implicitly evade accountability) in the Senate that no public money was used to deploy this technology is incorrect. It is the public that pays the telecom companies millions for services provided, and if they are contributing funds to the government for deployment of a monitoring system, the public has a right to know how it will function. Companies have a corporate social responsibility, as well as a requirement to not only abide by local laws but also international instruments such as the UN guiding principles on business and human rights, and, in the case of member companies, the Global Network Initiative principles of freedom of expression and privacy rights.
In sum, it is imperative that the public’s interests and rights are respected and upheld when the government is undertaking measures that impact citizens directly. There must be due process, confirmation of reasonable suspicion with oversight from the judiciary for an authority to undertake surveillance of web traffic, with clear-cut consequences for misuse and abuse of this authority. Further, there must be transparency of the process rather than confusion over how such a vast system is to operate. When protecting security of citizens and upholding laws, the state must not forget it is accountable to all citizens.