Amidst all the Google/FTC reaction, my Twitter board lit up today with some fascinating traffic from online privacy advocates in Pakistan about their National Database and Registration Authority. It seems NADRA launched a service in 2009 which, thanks to an agreement with three mobile network operators in the country, makes it possible for any citizen to text a CNIC Computerised National Identity Card (CNIC) number to the number 7000. In return they will get a text message containing the first name, last name and father’s name of whoever that card is registered to. Another of NADRA’s announcements about the service adds that they may disclose “any other content they deem appropriate” – and that law enforcement agencies have a separate “7001″ number for their own requests.
Interestingly, beyond that split across two numbers, the scheme has no concept of a ‘valid requester’; anyone is entitled to check any CNIC number via the 7000 code. If you, as a subscriber to one of the three mobile networks, want to send random CNICs in and see who you get, nothing will stop you. It will cost you something – though I can’t be precise about how much. In principle, the charge is 15 rupees (about 12 UK pence or 18 US cents) per message. In practice, one local privacy advocate has so far received 42 text messages, all about his own CNIC number, in response to a single request. He is a little miffed…
Billing issues aside, you might wonder why it’s appropriate for every citizen to have access to such a mechanism. Although it was launched as a ID Card validation service, it somehow manages to go beyond that (in the sense that you can enquire against the database even if a card is not present) while at the same time falling short (it doesn’t actually validate the card, if a card is present… it just tells you what name is associated with that CNIC).
If I have no legal or contractual right to ask you for your CNIC, why should I have the ability to check your CNIC and be told your name (let alone your father’s name)? I regret I am unable to ansewr that question on NADRA’s behalf – though if I find out, I’ll be glad to let you know.
There is a slightly more pernicious side to this, apparently. I’m told that some forms and registration processes intentionally just ask Pakistani citizens for their CNIC number (but not their name or other personal details), just as a general indication of citizenship. That seems like a nice, privacy-respecting step – unless it is trivial for the collector of that number to ping the central database and fill in the blanks.
It’s tempting to sit back and say “well, something like that could never happen in the UK, could it?”. Couldn’t it? To my mind, this example just goes to show how things that are technically straightforward can give rise to the need for a large and potentially complicated governance layer, including not just technical controls to establish properly authorised access, but also procedural and legal controls to ensure that those who do have authorised access cannot abuse that access, intentionally or otherwise.
Category: Uncategorized Tags: