KARACHI: Pakistan’s new tax profiling system has raised widespread fears of data security breaches, with citizens saying sensitive data uploaded on the portal may be misused and legal experts calling it unconstitutional and in violation of the fundamental right to privacy.
The two online portals, unveiled on Friday by the Federal Board of Revenue, hold information regarding the bank accounts, properties, travel history, and other data of at least 53 million Pakistanis, collected from Pakistan’s primary citizenry database, the National Database and Registration Authority (NADRA).
The tax portal comes on the back of the annual budget announced earlier this month which targets a sharp hike in tax revenues for the new fiscal year to June 2020. Ending a culture of rampant tax evasion is also high on the list of conditionalities attached to a $6 billion International Monetary Fund bailout package (IMF) that cash-strapped Pakistan agreed to last month.
Pakistan’s history is littered with statements by incoming governments announcing crackdowns and pledging tax reforms that fizzle out because of a lack of political will to force the rich and powerful to pay taxes.
As of last year, only 1.6 million people filed tax returns in a country of 208 million. Out of them, 400,000 showed income below the levels that tax cuts in, another 200,000 had minimal tax, and only 950,000 paid tax of any significance.
“Just checked it out. Security is too weak. Should require payment by a card in the name of the payer — as email verification possible if mobile not in taxpayer name,” marketing consultant Assad Ahmad said on Twitter. “Just got my data without giving a phone number registered in my name and answering simple questions about family.”
Experts are similarly alarmed.
“When over 100 million Pakistani citizens were disclosing their private data to NADRA, the understanding was that NADRA would use it only for issuing them an identity card, and not betray them to the tax-man,” Umer Gilani, a lawyer who campaigns for the protection of privacy, told Arab News. “NADRA’s decision to merge its database with FBR’s database is unconstitutional. It violates the fundamental right to privacy guaranteed by Article 14 of Pakistan’s Constitution,” he said, adding that Pakistan’s courts had consistently ruled that the right to privacy extended to the privacy of people’s data.
Sharing NADRA data with tax authorities and uploading it on what he called “a low security online portal” breached confidentiality, and was unsafe, Gilani said.
The FBR insists the data is safe.
“We will ensure the security of the data,” FBR chief, Syed Shabbar Zaidi told reporters on Friday. “The data will be kept centralized at FBR headquarters, even away from regional tax offices,”
Few are not convinced.
“The concerns are that in the absence of data privacy laws, the data the government is collecting through different sources... where will it be utilized and who is authorized to use it?” Dr. Umair Javed, a professor of politics at Lahore University of Management Sciences (LUMS), told Arab News.
According to Javed, the new Pakistan system has borrowed heavily from the blueprint of the United States’ Internal Revenue Services (IRS) which also employs different sources to collect data about citizens.
“Is the government prepared to guarantee its (data’s) security and privacy is the biggest question despite their good intentions and purpose,” he said.
A draft law for personal data protection is pending legislation since October last year, while the government has launched a huge online portal packed full of accessible citizen data with effectively no data privacy laws in place.
“In case of any security lapse, (there) would be dire consequences,” Badar Khushnood, Vice Chairman of the award-winning Pakistan Software Houses Association for IT and ITES (P@SHA), told Arab News. “The law should have been passed before launching the system for the clarity of data privacy,” he said.
Dr. Ikram ul Haq, a legal and taxation expert agreed.
“Security review by independent agencies renowned for awarding certifications is missing... There is no guarantee that data would not be misused or abused by the staff with access to it,” he said.
“It (profiling system) is a good thing, but it must be ensured that the information is not leaked and misused for extortion or... blackmailing,” said Dr. Mirza Ikhtiar Baig, Senior VP at the Federation of Pakistan Chambers of Commerce and Industry. “Our concern is that it could be leaked and harm any concerned individual.”
Fears of a massive data leak are not unwarranted. In 2018, a cyber-security services provider, the Pakistan Computer Emergency Response Team (PakCERT), reported 1,340 cases of website defacement and hacker attacks on Pakistani web domains (.pk).
“The .pk domain was attacked all over the world where it is being hosted or operated. The data only shows that websites were attacked and not necessarily reflect that the inside of the organizations’ systems were attacked,” Qazi Mohammad Misbahuddin Ahmed, CEO of PakCERT told Arab News. “If the security of the system is properly audited then there (is) no breach,” he said, adding that he assumed the government would have put security controls in place for the tax profiling portal.
There are additional concerns including that it might not take a sophisticated software hacker to break into the system, and that anybody with access to another person’s identity card could get hold of the information by paying a Rs.500 (approx $3) fee.
“The government has made it a source of making money by charging us for our own information,” P@SHA’s Badar Khushnood said. “By using NIC (national identity card) of any other person, anyone can get registered with the portal and get information,” he said, adding that the system could be useful in the documentation of the country’s vast informal economy only if its security protocols were made foolproof.