On a cold January morning, newly graduated Waheeda took off her shoes and entered a data centre for the first time in her life. The small but heavy door could only be opened by data centre staff, with a security code to be entered into a machine mounted on the wall.

Inside, it was freezing cold, and a man with knee-length, bright yellow rubber boots explained the dos and don’ts of being in a data centre of TechM*, an internet service provider (ISP) located in Korangi, Karachi. No shoes, because dirt can’t enter a data centre, stay away from all racks where the servers are placed; observe from a distance.

That was not a problem for Waheeda, who was exhilarated at finally seeing in action what she had only studied in theory at her local engineering university.

The excitement withered when, two days into her job, she got yelled at on the phone by representatives of an international bank, who had hired the data centre’s services. A technical fault had disrupted the company’s services, and had gone unnoticed by TechM.

Workers of the Karachi Metropolitan Corporation (KMC) had, without any intimation, cut underground cables laid down by the ISP, and were carrying out some repair work there. Waheeda learned that TechM has over a dozen international clients that use its data centre to provide services to their Pakistani clients.

While politicians paint rosy pictures of a digital Pakistan, those on the ground decry the lack of infrastructure, constant headaches in doing business, overweening censorship, a lack of consultation and haphazardly designed tech policies. Meanwhile, government attempts at protecting citizens’ data may be geared more towards giving the state access to that data…

Though low in number, they had a disproportionately high number of complaints registered with the customer support centre, and TechM had lost quite a lot of money in adjustments to these companies over disruption of service. Many of the disconnections happened because of power blackouts in the country, city administrations cutting internet cables at random, or due to cyber-attacks.

This was nine years ago, but Waheeda says, not much has changed how outside infrastructure in Pakistan affects the everyday operations of ISPs and tech companies.

TECH HEADACHES

“Every day we had a barrage of problems, and everyday employees wondered out loud if it was worth working there,” she tells Eos in between tending to her toddler. She scoffs when asked about Pakistan trying to force international companies, every now and then, to establish their data and technical services here.

“Running basic operations in the country is difficult — why would an international company bother with establishing their physical infrastructure here. Our state seems to have no idea about how ISPs and network services work here,” she says.

During the Pakistan Democratic Movement (PDM) government’s tenure, the Pakistan Muslim League-Nawaz (PML-N) had proposed multiple amendments to existing cybercrime and media laws, and planned to introduce a data protection law, a longstanding demand of digital rights advocates in Pakistan.

The Personal Data Protection Bill (PDPB), 2023 was approved by the federal cabinet, along with an e-safety bill and proposed amendments to the Pakistan Electronic Crimes Act (Peca), 2016. The PDM tenure ended before these could be placed before the parliament.

Soon after the news of the draft approval by the cabinet, activists, industries and investors spoke out against the data protection law, citing vague legal language and impractical demands from businesses. It was in stark contrast to what activists had been advocating for.

If passed into law, it would require local and international companies, including Big Tech (the largest global information technology companies), which deal with data of Pakistani citizens, to store and process data at IT infrastructure physically located in the country.

A similar demand was made in the social media rules approved by the cabinet in 2020, during the government of the Pakistan Tehreek-i-Insaf (PTI).

In both instances, social media companies have refused to abide by it, saying it is not viable for them. But why does Pakistan keep pushing it?

Various annual reports by Facebook and X (formerly known as Twitter) show that Pakistan is among the countries with one of the highest requests for user data, taking down or blocking content. Between January and July 2019, Pakistan had the highest — 31 percent — of all complaints regarding content restrictions by Facebook, its quarterly Transparency Report had said.

DOING BUSINESS IN PAKISTAN

Successive Pakistan governments have flaunted increased IT exports, investment by venture capitalists in Pakistani start-ups, and the establishment of technology parks and zones with minimal taxes. However, on the question of repeated internet bans and demands of data localisation, and their effects on businesses, neither the IT ministers nor the government has much to say.

Pakistan increasingly started using visible and discreet ways to monitor citizens’ internet activity in the past decade. The Pakistan Telecommunication Authority (PTA) said, in April 2022, that it had installed a web monitoring system, a “mechanism to curb pornographic content” on the internet.

A central DNS (Domain Name System) had been introduced to supplement the powers given to the PTA under section 37 of the Peca, which enables it to block unlawful online content and to “ensure the automated effective and seamless blocking of unlawful content in real-time.”

But it creates losses for ISPs. Sitting in the customer care centre with glass walls, with an interactive voice response (IVR) system mounted on the front wall that showed incoming and outgoing calls, a manager at an ISP tells Eos that the mechanism leads to blocking of customer IPs at random, and angry customers refuse to accept this justification and ask for compensation.

PTA blocks the IP without informing the ISPs in writing or otherwise. “We know once the customer calls the ISP, and the ISP writes to the PTA which, upon checking, unblocks the IP, conditionally or unconditionally, depending on why it was blocked in the first place.” He adds: “The whole process leads to a headache for my staff, who are underpaid and do rotating shift work. They are engineers from top Pakistani universities.”

While small businesses ignore such hiccups, major organisations create a fuss with the ISPs. “Blocking of an IP means an entire business unit is without access to the internet, unless it has a back-up,” says the manager.

Field issues are sometimes more complicated. The ISPs spend millions on laying down underground internet cables, and routine maintenance and repair work. But navigating Karachi’s underground terrain is as difficult and haphazard as its roads.

“KMC or K-Electric cut our cables at random, and without intimation, if they have to carry out repair work, despite the ISP complaining to them,” says Waheeda. Despite a sizable number of field workers, TechM found it difficult to deal with these issues. The customer would understand a couple of times, “because everyone knows how things work in Pakistan” but, after three or four times, they would get angry and demand a solution and ask specifically what the ISP was doing about it,“ she continues.

It is not just Karachi, though. One day, Waheeda finished a call with a client, and raised her head to check the clock on the wall, to see if it was time for her evening tea. Instead, she saw the red double-digits on the IVR flashing right into her contact lenses, telling Waheeda there was no time for a break.

During the installation of closed-circuit cameras for a city surveillance project in Lahore, the city administration had cut dozens of cables of TechM. “We had two or three dozen calls lined up, angry customers yelling at us,” says Waheeda.

The contact centre resorted to pleading force majeure, which means unforeseeable circumstances that hamper provision of a service. Force majeure is invoked in contracts when there is a natural or man-made catastrophe but, in Pakistan, the ISPs are having to invoke it due to city administrations cutting their cables.

The force majeure invocation led to multiple disputes between clients and the ISP, Waheeda says. Some clients absolutely refused to budge, costing the ISP millions. While local ISPs have learned to survive, will international social media and ecommerce giants be willing to?

MAKING A DATA CENTRE

Data centres are usually large purpose-built spaces, which house multiple equipment interconnected to each other, such as servers, routers, switches and other supporting network equipment.

Servers are the computers that hold and store a large amount of data and processes, and clients are computers that request access to this data to be able to perform a task, such as our desktop computers. ISPs have designated data centre staff and unauthorised personnel cannot enter the premises. It takes millions of dollars to construct and operate them annually.

A company such as Facebook, with millions of users in Pakistan, requires a considerable investment, a purpose-built space, uninterrupted internet speeds, says Sophia Hasnain, who runs a company providing ‘internet of things’ (IoT) solutions. Or international companies can opt for local partners, which are plagued with the issues described above. Moreover, a server would roughly cost 30,000 dollars to import for a local company, if they decide to take on international clients.

“Do we even have electricity? The servers need electricity and back-ups to remain online 24/7,” explains Hasnain. And if an international company would want to establish their own data centre, how would it do it with such issues?

TechM is one of the biggest ISPs in Pakistan, located in Korangi, where the industries are supposed to be provided with relatively uninterrupted power supply. But that changes in summer, where the electricity demand is overall high. A Dawn report, dated July 2020, said that the K-Electric had increased loadshedding to industrial areas to seven to eight hours.

“More importantly, data centres need 24/7 cooling systems. There have been cases where back-ups of ISPs have run out,” continues Hasnain. “How will servers operate without cooling in a hot and humid city like Karachi? Their life expectancy decreases.”

International companies, especially banks, mostly use data centre services of local ISPs in Pakistan. TechM, for example, had clients from top international banks and companies. These accounts are given top priority in terms of customer service, and dedicated network connections to ensure uninterrupted and high service speeds and network security.

This does not, however, ensure these companies get seamless service and, if and when services are disrupted, the under-paid technical support and network engineers get the short end of the stick by the client as well as the company.

The data protection bill, approved by the PDM cabinet, asks businesses to ensure sensitive customer data is stored and processed in a cloud or network infrastructure, which is physically located within Pakistan, so that it is protected from hackers. But physically restricting the data does not necessarily ensure its protection from hacking; it only increases the likelihood of the state having greater access to sensitive customer data.

These localised servers can still be hit by cyber-attacks, such as through ‘distributed denial of service’ (DDos) attacks or hackers creating a backdoor to the network. In Pakistan, government and private infrastructure, too, has faced several physical attacks by militants, anti-state actors, political party workers, etc.

“Although certain data is not reachable by other nations’ legal authorities, it is still reachable by hackers, intelligence officers, and unethical competitors,” according to the report Does Localization Adequately Balance Privacy and Security, published by the Columbia University in May 2023.

“This restriction creates a high risk of a single attack, taking out all data when there is only one data centre within the same jurisdiction,” it states. This means that, if the localised data centre goes down, most of the internet and internet services will become inaccessible to Pakistanis.

This is similar to how attacks on the national electric grid plunge major parts of the country into darkness, or issues with under-sea internet cables affect the entire country’s connectivity to international websites. Except, unlike these scenarios, localised infrastructure for tech and banking businesses is not a necessity.

In addition, not only is Pakistan ranked among the lowest in national cyber security rankings by the International Telecommunication Union, but government departments routinely have their websites and data leaked and dumped on the internet.

Until some years back, if you opened the website of the Federal Investigation Agency (FIA), which investigates cybercrime, you would get a notification that the website does not have a security certificate, which is an essential IT security requirement to ensure surfing that website is safe for the user.

Even if you have only a basic antivirus on your computer, you will be warned by it from visiting some other major government URLs as well. Why should then these companies establish data centres inside Pakistan?

COST OF DATA LOCALISATION

Start-ups in Pakistan, in the past decade, have raised millions in investments from international and local venture capitalists. Many have shiny, modern offices, employees who are paid significantly more than legacy organisations, and have the smarts to get the necessary authorisation and approvals, in no time, from regulatory and finance authorities in Pakistan to operate their businesses.

While our political parties claim the success is due to their policies, it is also because of low-cost international, open-source tech, which does not require start-ups to invest in complicated tech infrastructure.

Pakistan, however, has in various data protection law drafts over the years, asked companies, including Big Tech, to store data locally. This increases the cost of business, Hasnain says.

She explains that several start-ups and small to medium companies in Pakistan employ the services of international cloud services companies. They are cheaper and offer a range of services, such as data storage, management and processing. This is why it has become relatively easier to do business.

“Pakistan has only a few suppliers of such services. We don’t have enough demand. And businesses cannot be expected to import infrastructure for such services to be implemented locally. They do not have the dollars.”

According to the Pakistan Data Protection Landscape, a report published by the Atlantic Council in 2023, the industry says that, “When it comes to data protection, disproportionate responsibilities are being placed on companies and businesses, leading to a potential increase in compliance costs… [which can] act as barriers to potential investment in the country.”

Pakistan also seems to talk more and more about locally made solutions to everything tech, as internet penetration and opinions critical of the state on social media increase. But this did not start now. In a PTA report in 2011, it talks about “indigenous” solutions to “offensive” content on the internet and that these indigenous solutions are “preferred” for a country like Pakistan. But claims like these simply do not take into account the situation on the ground.

“We do not even have a local email service provider,” says Hasnain. Businesses these days also do not employ multiple service providers; a business will look for services that ideally provide complete products for their various tech and business needs, she adds. Therefore, companies cannot be expected to purchase or arrange infrastructure to only accommodate Pakistan’s request to restrict storage and processing of data locally. Her business also uses international cloud services.

Data localisation affects the overall economy and increases import costs. A 2022 report by the Information Technology and Innovation Foundation, a US nonprofit public policy think tank, warns that vague data localisation requirements by countries like Pakistan could cost its economy.

“After five years, restrictive data policies will reduce Bangladesh’s volume of trade by 6 percent, Hong Kong’s by 5.7 percent, Indonesia’s by 5.8 percent, Pakistan’s by 3.7 percent, and Vietnam’s by 9 percent.”

After the cabinet approved the data bill, various industry groups expressed concern. “This could adversely affect start-ups, which heavily rely on cloud-based services offered by tech giants like Amazon, Google, and Microsoft… Such restrictions could impede the growth of local enterprises and limit consumers’ access to valuable online resources,” the Venture Capitalist Association of Pakistan said in a statement in July 2023.

Even if Pakistan wants to introduce a data localisation law, it should find a flexible approach. “A trusted geography approach and compliance with rules in those trusted geographies is a better approach than data localisation,” says Uzair Younus, who leads The Asia Group, a strategy and business advisory group based in Washington DC.

“Rather than recreate the wheel, Pakistan can look around at countries that are best in class, such as [those in the] EU, Singapore, etc, and can ask companies to use infrastructure in those countries and comply with cybersecurity norms that are the global gold standard.”

Compare this to other countries that have introduced policies on how data is stored and handled. The EU, for example, has regulations on personal data transfers, while others allow international transfer of data, but ask for a copy of the data to be stored locally in order to boost the economy. Others ask companies to ensure protection of the personal and financial data of its citizens, without forcing them to establish their data centres locally.

BEYOND CONTENT CONTROL

The Digital Rights Foundation (DRF) has worked with Big Tech for several years to curb hate speech and dangerous content against women and marginalised groups in Pakistan. Not only do they and other digital rights activists have to chase Pakistan lawmakers to include them in policymaking, they also take up the responsibility of guiding Big Tech on how to go about moderating content in the ‘Global South.’

For such activists, data localisation is the least of their worries. The immediate and serious challenges are tracking and reporting hateful content against women, children and religious minorities, and for the Pakistan government to address these issues.

“Pakistan bans platforms citing hate speech, but has any platform been banned for hate speech against women and religious minorities?” asks Shmyla Khan, a lawyer who was previously associated with DRF as research director.

Khan says there is increasing awareness in the West regarding the governments’ need to move beyond only content and hold these companies accountable from a human rights perspective. “Content bans are just a symptom,” she adds.

Activists say that data localisation in Pakistan is aimed at the state having access to its citizens’ data, and not out of concern to hold Big Tech accountable on human rights concerns or to secure a user’s data.

“The EU carries out human rights audits that are aimed at protecting users and their data,” continues Khan. “Ours is primarily focused on controlling speech and the state wanting access to its citizens’ data.”

Cyber and data protection laws in Pakistan show that the state looks to other countries that routinely limit or ban internet access. The government and the PTA sometimes deny any bans, claim “system updates” are behind slow speeds, or simply stay mum despite widespread criticism. Internet bans, which became widespread in the PTI government, continued in the caretaker setup, and on the day of Election 2024, too. The platforms X (formerly known as Twitter) and TikTok are under an unannounced blockage and degradation for the past two weeks.

Various annual reports by Facebook and X show that Pakistan is among the countries with one of the highest requests for user data, taking down or blocking content. Between January and July 2019, Pakistan had the highest — 31 percent — of all complaints regarding content restrictions by Facebook, its quarterly Transparency Report had said. This was the period of the PTI government, during which Pakistan saw the start of a relentless clampdown on freedom of speech on the internet.

Digital rights activists and IT business representatives say the state is less and less receptive to feedback and suggestions on policy and legislation on internet access. Most of the efforts are concentrated on content bans, instead of cybercrime and abuse against women and children through social media platforms and digital means, threatening social media and international tech companies with bans and unreasonable legislation, instead of having productive coordination with them that goes beyond content.

Farieha Aziz, who closely follows legislative and judicial issues related to Peca, says the main issue is this cybercrime law.

“The stated aim of Peca, 2016, was twofold: a security state narrative drawing cover from the [2014] National Action Plan — its purported agenda was to curb terrorism and hate speech online — and the second intent was to save women from harassment,” she wrote in an Human Rights Commission of Pakistan report. “It has failed to achieve both.” Instead, the law has been used to persecute dissidents and enable censorship, and further entrench a patriarchal system to silence women, concludes Aziz.

Even regarding content moderation, Pakistan does not have any productive and reasonable measures on policy level or with Facebook. Interviews with various digital rights activists suggest that the government is not serious about engaging with Big Tech on content moderation, data protection and data localisation.

“We have come to know that investigation agencies or regulatory authorities send Facebook and X incomplete complaints that do not follow procedure,” one researcher tells Eos. “Basic details will be missing or the reason won’t be clear why a post should be taken down. In some cases that require court orders or warrants, such documents are not provided.”

The FIA, on the other hand, in various interviews with this writer, has complained that Facebook does not take action against its complaints in a timely manner. The quality of requests and the faulty complaint procedure signals non-seriousness of our state towards these tech companies, says Shmyla Khan.

Tech and business groups, as well as the US-Pakistan Business Council, released similar statements separately. “While private sector participants are, at times, positively engaged by key stakeholders, civil society actors highlight that their recommendations are frequently ignored or dismissed,” the Atlantic Council report added.

Much of the legislation regarding cybercrime and tech platforms reads like it is hurried, and is not aligned with a holistic cyber and tech policy. “In a certain draft, they simply copy-pasted sections from another country’s law, and when they released the draft, that country’s name was still in that draft,” an activist tells Eos. “We still don’t have copies of these laws — we have two copies of data protection drafts, but are unsure which one was approved,” activists told Eos a week after the laws were approved by cabinet in 2023.

Pakistan needs a national-level cybercrime and tech policy, which is detailed, coherent and includes input from all stakeholders. Without a policy, successive governments will continue to bring legislation and regulation that does not take into account ground realities, with consequences for its economy, businesses and the average tech and online-employed worker.

The Election 2024 manifestos of major political parties, however, either do not include tech policy or promise to, yet again, simply increase IT exports. As for Waheeda, she has decided that underpaid work in the IT industry, in a country with regressive laws, is not worth it after all. “I would rather enjoy my evening tea.”

*** Name changed for privacy reasons**

The writer is a freelance journalist and researcher. A former computer engineer, she reports on cybercrime, disinformation and human rights

Header image: Illustration by Sarah Durrani

Published in Dawn, EOS, March 3rd, 2024