In a bid to progress digitally, the government of Pakistan has introduced digitisation of many different tools for the general public. One example is City Islamabad, an application that allows online tax payment, among other features. However, behind the narrative of digital progress lies a dark reality: state-backed apps are increasingly being used as instruments of surveillance and control rather than genuine public service platforms.
An example is the Safe City application (Islamabad and Karachi), which reportedly holds the capability to tap into device sensors to provide live feeds and reportedly asks the user to give permission to contacts, gallery and their device’s camera. Investigative organisations such as Privacy International and Amnesty have flagged Safe City apps as a method of data collection.
During this rapid digitalisation, Pakistan has no clear data privacy or protection laws. Simply put, there is no legal limit to the data being collected by the government, nor any transparency about what data is being collected. These aspects were vaguely mentioned in the Prevention of Electronic Crimes Act (PECA) 2016, but the Act does not fully ensure data privacy. Additionally, there is no independent body to audit or regulate how government institutions collect, store, or use user data. Most importantly, these apps collect user information — including biometrics such as CNIC numbers, fingerprints, and facial scans — without offering users an alternative or even the ability to opt out. Most users are also unaware of the extent of data that is being collected. Furthermore, there is no requirement as to how long user data is stored by government agencies. This means personal data, once submitted, can be stored indefinitely.
The biometric data collected by NADRA is stored in a centralised database that can be accessed by third parties or other state institutions without any restrictions or user consent. According to digital rights groups such as the Digital Rights Foundation and Amnesty International, these biometrics can be used to track the movement of citizens, and this surveillance is disproportionately targeted at minorities such as the Baloch and Afghan refugees. Afghan refugees, in particular, face ongoing profiling and are frequently denied access to essential services like SIM card registration due to their biometric status. Data leaks also often occur in NADRA databases. According to a government-sanctioned joint investigation team, 2.7 million citizens’ data had been compromised between 2019 and 2023. Additionally, in 2022 there were reports of citizens’ data being sold on the dark web.
When concerns about surveillance are raised under the PECA Act, government officials often dismiss them as “security necessities”. There is no public accountability or independent audit of how surveillance data is collected or used, creating a climate of secrecy and unchecked power. This fear of being surveilled online can also deter citizens from expressing their opinion online or from even engaging in political activism. This surveillance creates a climate of fear, undermining citizens’ political participation.
In comparison, European nations have adopted different legal frameworks to protect their citizens’ data, such as the General Data Protection Regulation (GDPR), adopted by the European Union. It makes sure that both public and private institutions are held accountable for user data they store. Under GDPR, citizens have the right to access, modify, or delete their data and demand to know how their data is being used. At the same time, GDPR violations can result in heavy fines and lawsuits. In Europe, citizens have protections — Pakistani citizens have no legal recourse if their personal data is leaked or misused.
Although legal reforms such as the Personal Data Protection Bill (PDPB) have been proposed, they lack meaningful enforcement methods. According to the Digital Rights Foundation Pakistan, the bill uses vague terms, much like PECA, and requires clarity. Another concern in this bill was the autonomy of the National Commission for Personal Data Protection (NCPDP), which is under the administrative control of the federal government, thus making the bill ineffective.
Another less discussed but critical concern is the purchase of foreign surveillance technology from opaque or unaccountable foreign vendors. In recent years, Pakistan has obtained a wide range of such equipment, including facial recognition systems and biometric scanners. Multiple watchdog organisations, including Amnesty and Privacy International, have raised alarms about the mass surveillance equipment being purchased by Pakistan. These systems are often installed in transport terminals, city centres, and protest-prone areas.