Profile picture
, 39 tweets, 12 min read
My Authors
Read all threads
Some thoughts on the COVID-19 Telehealth Portal.

These are personal observations/comments and are (primarily) intended to seek answers from authorities concerned.

Also, they are meant to foster a debate.

[Thread]
What's apparent is that one needs to login using his Facebook and/or Google account to benefit from a government-facilitated initiative. Personally, I find this a turn-off. There must be an option to register normally without having to associate any social media or web accounts.
Secondly, from a legal standpoint, the forced involvement of Facebook and Google automatically elevates my data security rights to an international forum (since both tech giants are US based and bound to US laws). Which brings us to the question of 'Whose law is it anyway?'
I'll now dissect the Privacy Policy for this portal, a copy of which has been archived here (for future reference): archive.vn/34Rx3
It is gleaned from this paragraph that there are two basic entities responsible for Telehealth's operations (core stakeholders):

(1) Federal Ministry of National Health Services, Regulations and Coordination.

(2) Digital Pakistan project.
Health info held by Telehealth is "also subject to" the HIPAA, a US law enacted in 1996 by then President Bill Clinton. Does the use of 'also' indicate that citizens data is transferred to US-based entities, hence the legal cover? HIPAA cannot be applicable within Pakistan.
The term 'state law' is taken from US legislative lingo. In Pakistan, we either use the term 'provincial' or 'federal' to clearly distinguish between different constituent components of the federation. Which one is being referred to this in this para?
Telehealth (Ministry of Health/Digital Pakistan) cannot guarantee the confidentiality of information i.e. if your data gets compromised, the federal government cannot be held responsible. Ideally, the state should act as a guarantor/guardian of citizen data from its portal.
Telehealth cannot guarantee data confidentiality whereas the types of personally-identifiable data they collect and also associated Facebook/Google accounts makes it a prized dataset for cyber criminals. Details of who retains this data (Telehealth/Facebook/Google) not clarified.
Regarding the first point, it needs to be ascertained whether citizen health data is treated as proprietary data by Telehealth or those enabling their services? Nothing clarified.
Teleheath is just a 'brand name' as specified earlier on in the policy; it isn't a department or section as such. Who are its employees and designees? The IT officers in NITB, staff at Ministry of Health, members of Digital Pakistan...who?
Concerns on 'Disclosures'.
Which law/'state law' helps us prohibit the use/disclosure of our personal data? We don't have a Data Security Law. We could invoke Section 16 of PECA but since we did in fact authorise Telehealth to obtain/transmit our info in the first place, its application is nullified here.
Reference to Pakistan as 'there' suggests this para was drafted keeping overseas users in mind; suggests data is held within Pakistan. How does it explain the relevancy of HIPAA which is a US law? Does it bind Facebook and Google to abide by Pakistani law also? Utter confusion.
Another question in the preceding context is: Who processes this data? Ministry of Health, Digital Pakistan, third-party contractors...?
This is what baffles me. When the federal authorities know fully well that we don't have a Data Security law, why introduce such a facility in the first place and risk compromise? We can't even hold Telehealth liable in present circumstances, they won't tell you that.
This para confirms that personal information (not anonymised data) is shared with third-parties. How is Telehealth sure that Facebook, Google, other service providers will not disclose our data say, for example, to US national security authorities, if ordered to do so?
The given email address for updating/correcting information mentioned in the policy is operated by the central Crisis Communication Centre (CCC) at Federal Health Ministry (Source: archive.vn/icNOP). One assumes it is the ultimate data controller.
A more blunt statement from Telehealth's End-User License Agreement (EULA) that they will NOT be held liable in case your login credentials are compromised. You're on your own. Also nullifies applicability of PECA Section 16, if there was any space!
The Government of Pakistan will not take BASIC responsibility for your data security on its OFFICIAL PORTAL against 'unauthorised third-parties' which could include state/non-state actors and maybe even additional third-parties employed by Facebook and Google!
The Government of Pakistan doesn't give a hoot if, God forbid, malicious foreign actors (state/non-state) inject the Telehealth website with viruses or trojans. Or if there's insider sabotage or mishandling involved.

'We govern you, but you can't hold us liable'.
What if the origins of any misuse are traced to a third-party based overseas? Will they comply to a local Data Security law which doesn't yet exist...? Where does HIPAA (US) fit into all this?
Question: To what extent is VentureDive (registered in US and Pak) involved in Telehealth?

Data analytics, platform integration...?

Source: archive.vn/9DJwm
Question: Was the NITB (@NationalITBoard) incapable of single-handedly developing and maintaining the Telehealth portal without involvement of third-parties?
Question: Is it ensured that mobile numbers fed to eOcean's SMS gateway will not be used as a proprietary commodity besides Telehealth?
Question: To what extent is Infobip involved?
In the overall context, I'll recommend you read an informative article by Syeda Uzma Gardazi (Women University AJ&K) published in the Compliance & Ethics Professional (July 2018 edition). Source: academia.edu/37096695/Role_…
Gardazi writes: "In its summary of the HIPAA Security
Rule, the Department of Health and Human Services noted that “the rise in the adoption rate of these technologies [electronic health records] increases the potential security risks.”
Gardazi: "We should enhance the awareness level and compliance within the Pakistani healthcare industry,
including information security. There is a need for compliance professionals in the Pakistani healthcare industry to review and prevent patient record breaches..."
Gardazi: "The proposed Electronic Data Protection Act was a drafted and proposed in 2005 and so far not published. There is no law regulating the protection of data in Pakistan to this date."

(Zaki adds: Neither has the draft Personal Data Protection Bill been reviewed).
Gardazi: MoIT "proposed the Foreign Data Security and Protection Act 2004 to support US and EU companies outsourcing data within Pakistan. In the absence of a Pakistani data protection law...introduction of a cybercrime law would be overwhelming for civil rights and businesses"
Gardazi: "The Pakistani Data Protection Act draft was created to beneft the citizens of the country. The draftspersons of this bill seem to have forgotten to address anticipation of future technological development."
Gardazi: "The fact that the Pakistani Data Protection Act has
still not moved forward on the floor of the assembly is incredibly worrying".
These and similar concerns must be addressed on war-footing by the Government of Pakistan. It is incredibly dangerous and irresponsible that such adhoc e-services are being promoted for political projection in absolute disregard for a massive legal vacuum.
Unless lawmakers gather together to approve a consolidated data protection law, it is ill-advised for the federal govt to partake in such e-services. If the govt cannot even take basic responsibility for citizens' data, it shouldn't collect it in the first place.
As law-abiding citizens living elsewhere, we look up to our federal government to give us an all-encompassing shield against threats of various types while ensuring provision of e-services. 'Digital Pakistan' should not be treated as a PR exercise for a handful of PTI elements.
It is deeply insulting that the federal government is promoting a pandemic-related e-service while completely absolving itself of any and all liabilities. As in all countries elsewhere, the incumbent political leadership WILL have to take full ownership of its initiatives.
I hope to have my concerns addressed. I have full confidence on our leadership but 'leaders' are supposed to carry heavy burdens of responsibilities. Also, I request political/bureaucratic elements not to think of ordinary citizens as idiots. We can read between the lines. [End]
@threadreaderapp unroll
Missing some Tweet in this thread? You can try to force a refresh.

Enjoying this thread?

Keep Current with Zaki Khalid

Profile picture

Stay in touch and get notified when new unrolls are available from this author!

Read all threads

This Thread may be Removed Anytime!

Twitter may remove this content at anytime, convert it as a PDF, save and print for later use!

Try unrolling a thread yourself!

how to unroll video

1) Follow Thread Reader App on Twitter so you can easily mention us!

2) Go to a Twitter thread (series of Tweets by the same owner) and mention us with a keyword "unroll" @threadreaderapp unroll

You can practice here first or read more on our help page!

More from @misterzedpk see all

Profile picture
Zaki Khalid
@misterzedpk
1/ Whatever 'good intentions' there may be, the launch of another PITB app integrating NADRA's database (Relief Management System) could be another data security disaster in the making. Dashboard link found through promo video shared by Governor Punjab's team. Won't mention here.
2/ Access to NADRA databases from an Android app which, among other things, allows for CNIC verification as well as uploading photo of hardcopy raises serious data security concerns. Observations from the promo video by Governor Punjab.
3/ An example of past PITB-NADRA data mishandling is an app for Punjab Police which was exploited/distributed in various forms by data sellers. Screenshots attached.
Read 20 tweets
Profile picture
Zaki Khalid
@misterzedpk
1/ In early 2012, I used to go to a house in G-Block Johar Town, Lahore (few alleys behind Doctors Hospital) for 5-6 months to give tuitions from 4:30 to 8pm every week day.
2/ I taught French, Geography, Pakistan Studies, Mathematics, General Science and English to students of Class 2 till O-Levels, mostly Aitchisonians. Most of them were from privileged families.
3/ I'd take a bus from Moon Market, Allama Iqbal Town till Campus Stop (Punjab University), from where I would take another bus till Doctors Hospital stop.
Read 20 tweets
Profile picture
Zaki Khalid
@misterzedpk
Sharing extracts from an interesting opinion piece by Mr Hu Bo, Director of the Peking University Centre for Maritime Strategy Studies titled 'US military threatened by COVID-19 still insists on showing off might' [Thread]
"The US Pacific Fleet and US Indo-Pacific Command Headquarters are most vulnerable to the coronavirus"
"As the most powerful military force in the world, with the highest level of combat readiness, the US military's failure to contain the virus has been disappointing"
Read 11 tweets

Embed code for your website

×
Follow Us on Twitter!

Did Thread Reader help you today?

Support us! We are indie developers!

This site is made by just two indie developers on a laptop doing marketing, support and development! Read more about the story.

Become a Premium Member ($3.00/month or $30.00/year) and get exclusive features!

Become Premium

Too expensive? Make a small donation by buying us coffee ($5) or help with server cost ($10)

Donate via Paypal Become our Patreon

Thank you for your support!