1/ Whatever 'good intentions' there may be, the launch of another PITB app integrating NADRA's database (Relief Management System) could be another data security disaster in the making. Dashboard link found through promo video shared by Governor Punjab's team. Won't mention here. 
2/ Access to NADRA databases from an Android app which, among other things, allows for CNIC verification as well as uploading photo of hardcopy raises serious data security concerns. Observations from the promo video by Governor Punjab.
3/ An example of past PITB-NADRA data mishandling is an app for Punjab Police which was exploited/distributed in various forms by data sellers. Screenshots attached.
4/ Another example of PITB's mishandling of user data is Driving License Info Management System (DLIMS) through which you can access anyone's photo and driver license records if you know their CNIC number. You don't need a 'black app' for that. Won't share the process here.
5/ PITB has a criminal past record in mishandling data due to a combination of casual oversight, lack of adequate data security protocols during app development/integration and/or sabotage by unknown current/former employees.
6/ PITB's 'Privacy Policy' says they 'vow' (not 'take responsibility') to protect user data. If someone outside Pak misuses your data using their apps, nothing can be done. Also, there are no existing laws to protect your personal data.
Source: pitb.gov.pk/privacy_policy
Source: pitb.gov.pk/privacy_policy
7/ PECA is deficient, limited in scope, does not hold data controllers responsible for infosec. Unless the Personal Data Protection Bill is reviewed by all stakeholders and approved by lawmakers, all our personal data is a free-for-all and no one can be legally held responsible.
8/ Question for authorities concerned:
Does PITB have an international-standard Data Management Policy?
Does PITB have an international-standard Data Management Policy?
9/ Question for authorities concerned:
Are project managers and core software developers at PITB bound to sign NDAs? If not, why?
Are project managers and core software developers at PITB bound to sign NDAs? If not, why?
10/ Question for authorities concerned:
Is there a vigilance mechanism in place to ensure that PITB staff does not keep copies of official data or recklessly upload entire source codes online?
Is there a vigilance mechanism in place to ensure that PITB staff does not keep copies of official data or recklessly upload entire source codes online?
11/ Question for authorities concerned:
Has PITB ever conducted external/third-party digital forensic analyses of their critical information infrastructure, including data centre and computer systems/laptops/devices used by core developers?
Has PITB ever conducted external/third-party digital forensic analyses of their critical information infrastructure, including data centre and computer systems/laptops/devices used by core developers?
12/ Question for authorities concerned:
Have lawmakers in Punjab (government/opposition) ever discussed data security issues with PITB?
Have lawmakers in Punjab (government/opposition) ever discussed data security issues with PITB?
13/ Question for authorities concerned:
Will NGOs that are members of the Punjab Development Network (PDN) have login-enabled access to this new Relief Management System app? If yes, have appropriate security guidelines and liabilities been shared with them?
Will NGOs that are members of the Punjab Development Network (PDN) have login-enabled access to this new Relief Management System app? If yes, have appropriate security guidelines and liabilities been shared with them?
14/ Question for authorities concerned:
To what extent is NADRA responsible for contributing to the integrity of this new PITB app?
To what extent is NADRA responsible for contributing to the integrity of this new PITB app?
15/ Question to authorities concerned:
Who is the Chief Information Security Officer (CISO) or equivalent in PITB?
Who is the Chief Information Security Officer (CISO) or equivalent in PITB?
16/ Last question for authorities concerned:
Who is that ONE person/entity to be held responsible if the new Relief Management System app leads to another sensitive data spill?
Who is that ONE person/entity to be held responsible if the new Relief Management System app leads to another sensitive data spill?
17/ As a resident of Punjab, I seek answers to the genuine questions I have posed, most of which have been framed in lieu of historical incidents.
18/ Distorting or questioning the bona fide intent behind these questions, by any or all concerned, will be perceived as attempts to circumvent accountability and transparency. Looking forward to detailed answers. Thank you.
[End]
[End]
@threadreaderapp unroll
@threader unroll
