NADRAGate: The terrifying cable that should not be ignored

In 2010-11, Wikileaks released a trove of classified US govt data which consisted of communications between Washington and her embassies worldwide – this was called Cablegate. Cablegate consisted of more than 250,000 US diplomatic cables – an overwhelming amount of data. In the same year (2011) Pakistani journalists published a story about one cable of particular interest: #09ISLAMABAD1642_a, classified ‘secret’ by US govt.

There was some noise about this cable back then, but the public quickly forgot it and it remained forgotten till a few days ago when Wikileaks tweeted about it and reminded us.

This particular cable details a series of meetings held in 2009 between the then Interior Minister of Pakistan, Rehman Malik, the President of Pakistan, Asif Zardari, and the Prime Minister of Pakistan, Yousaf Raza Gilani, with US Department of Homeland Security (DHS) Secretary Janet Napolitano. The purpose of these meetings, from the US side at least, was to “Offer DHS assistance to enhance Pakistan’s border security and [seek] GOP views on an arrangement under which DHS would provide the Government of Pakistan (GOP) with technology to access and analyze Advance Passenger Information (API) and Passenger Name Record (PNR) data on passengers flying to and from Pakistan, in return for DHS getting access to the data.”

What is API and PNR?

Advance Passenger Information is, in simple terms, information about the passenger who is travelling overseas. If you are travelling to the UAE, a country that requires API from Pakistani passengers, you will need to provide the following data about yourself prior to boarding your flight:

  • Full name
  • Passport number, issuing country, and expiration date
  • Gender
  • Date of birth
  • Nationality

This information will be connected to your PNR, which is a unique ID identifying you as a passenger on a flight. It will be received by your destination country so that they can investigate your past criminal history (if any) before they allow you into that country. To do that, they will use your API information to search their own country’s database and check if you are clean or not. Without connecting API to the database of a host country, API is useless.

The United States DHS, in the cable under discussion, wanted to provide us with such a tool, which would connect API to the NADRA database for the purpose of analysis and, in theory, give us a heads-up if a terrorist was travelling to or from our country. The United States, seemingly benevolently, wanted to give us this technology for free – with only one catch: they would be able to access the data from our side. And not just the data of passengers travelling from the US to Pakistan or vice versa; they would be able to access data of passengers from all countries going to and from Pakistan. To make it all useful, the API technology would have to be connected to the NADRA database; therefore, in a way, the US would also get an interface to the NADRA database.

Why was US pushing for API technology?

US was pushing Pakistan to install this technology for the obvious reason that they wanted the data. It is a good rule-of-thumb to remember that if something supposedly valuable is being given to you for free, you must be doubly suspicious.

But there was something else that was going on at that time.

At that time Pakistan was in the process of phasing out an old system provided to NADRA by an American company for a similar purpose. That system was called ‘Personal Identification Secure Comparison and Evaluation System (PISCES)’. NADRA aimed to phase out that system by 2011 and instead install a new indigenously made one: Integrated Border Management System (IBMS).

PISCES was installed in 1999-2002, when Lt Gen (r) Moinuddin Haider was the Interior Minister under Musharraf’s govt. But listen to this: While IBMS cost us around Rs421 million to implement, PISCES was free. Why?

Here is a clue: PISCES was made by US firm Booz Allen Hamilton. Booz Allen Hamilton was Snowden’s employer for those of you who can’t recall where you heard that name. Booz Allen Hamilton was an NSA contractor and that is enough to reach the conclusion that PISCES had a backdoor that allowed US to access all Pakistani data connected to it. Moinuddin Haider rubbished, at that time, any claims that PISCES had a backdoor – but in hindsight after Snowden leaks, it is highly improbable that PISCES was clean. Another clue is that US State dept wanted to give us $42 million (free) to upgrade and maintain PISCES and abandon all attempts to make something similar on our own. Here is an Express Tribune article (which was affiliated with New York Times at that time) telling us why IBMS sucks in comparison to PISCES.

The shady dealings with PPP govt

When the US was pushing API on us, we were getting rid of PISCES, and, I suspect, it was for this exact reason that API was being pushed on us.

How did the PPP-led govt react to that? While the behavior of PPP govt remains highly suspect, we can see in the same cable that Rehman Malik was being very slippery in his dealings with Ms. Napolitano.

According to the cable:
On API/PNR, Interior Minister Malik assured the Secretary privately that the GOP wanted to be helpful, but in the meeting with his subordinates asked for information on model agreements, legal frameworks and precedents the Ministry could use to persuade those in the GOP worried about privacy rights and possible legal challenges in the courts to API/PNR data sharing. The GOP agreed to host future DHS visitors to continue discussions on API/PNR and border security.

It is obvious that while Rehman Malik was being cooperative in front of the US govt, he also wanted to protect his own behind and was trying to be extremely careful.

Not only that, the PPP govt at every turn tried to get something out of the US in return, and in a way put a price on the private data of Pakistani citizens. In every meeting they tried to couple the PNR/API issue with Pakistani textile exports to the US, non-stop PIA flights to the US, and a few hundred Pakistani students receiving scholarships in the US. Rehman Malik also tried to make excuses by saying that the overreaching Pakistani judiciary would never allow such a thing.

On the other hand Napolitano was even more stubborn:
Secretary Napolitano responded that the United States now wishes to deal with non-stop flights separately from the issue of API/PNR data exchange, and explained that enhanced access to API/PNR data is of direct benefit to Pakistan as well as to the United States. Prime Minister Gilani echoed Zardari’s comments on PNR, stating that, although the Interior Ministry is considering the U.S. request, to “do the whole world” will be difficult. To Gilani’s statement that Pakistan had been promised non-stop flights in return for buying Boeing aircraft in 2004, Secretary Napolitano was clear that flights will be dealt with as a separate issue, not as an exchange.

While in all these discussions the pretext is Pakistani border security, it is obvious that both parties know exactly what is going on: that the US wants Pakistani data, and Pakistan, while not unwilling to provide access to that data, wants a ‘consideration’, i.e. something in return, and without any potential political blowback.

Make no mistake, at no point did Rehman Malik or Gilani or Zardari say an outright “NO”. They wanted to put some sort of price on this invaluable data, something that would protect them from political repercussions. However, it seems that these discussions did not bear any fruit at that time. We don’t know the reason – there is no cable that follows up on this one.

Enter another shadowy company: International Identity Services (IIS)

On September 6, 2011, The News published a report that NADRA was outsourcing its UK operations to a private company. This news in itself would’ve been outrageous, but the details were even more so: IIS was headed by an unnamed person with a criminal history. Not only that, but NADRA officials maintained that NADRA had been working with the company since 2009, when in fact IIS was created the very same year, and maybe for the very same purpose.

IIS was formed in 2009, and closed its operations in just 5 years.

There could be two reasons for such a discrepancy: either some officials at NADRA or the Interior Ministry were planning to receive kickbacks from that company, made by someone close to them, or this company was a front for NSA/CIA/GCHQ. IIS, even more suspiciously, stopped its operations in 2014 – in just 5 years – and disappeared off the face of this earth.

Is NADRA data safe?

In short: NO, NADRA data is not safe. Even one outsourced company or country that can access the NADRA database through any interface can potentially steal the whole database. They might not even have to steal it: if we have people in our government, supposedly custodians of our national interests, willing to sell an invaluable national asset such as the database of the whole populace in exchange for pennies, then all bets are off. We do not know, and we may never know, how much of our data has been compromised. But one thing we know for sure is that we cannot trust our government, elected or otherwise.

One thing we see in the cable is that Rehman Malik and Co. were afraid of public outrage. When this cable first surfaced, there was little to no public backlash. If there is no adverse reaction, future governments may get bold. Let’s make sure that there is no such misunderstanding between public representatives and the public. Wikileaks has given us another chance to consider our reactions against those who claim to represent us but actually do not. Let’s give it to them.

Waqas Ahmed


Waqas Ahmed is Editor, Digital Media, at Daily Pakistan Global. You can reach him at waqas@dailypakistan.com.pk