THE authorities should not feign alarm: after all, they have been repeatedly warned against the compulsion to ‘keep files’ on all and sundry — guilty and innocent alike.

Invasive surveillance and data-gathering on citizens creates a massive liability because the state must assume all responsibility for the information it collects. There can be extreme consequences in case of failure, and this is precisely what has happened in the latest leak of citizens’ personal data, which not only compromises thousands of ordinary citizens, but government officials and federal ministers as well.

Peel back the headlines, and the questions left are why were such extensive details — including what mobile SIMs they own, what their CNICs look like, their call logs, identity documents, and even their international travel histories — being collected, and who was doing the collecting? More gravely, how did all this data leak into the open? Were those doing the spying also compromised?

The National Cyber Crimes Investigation Agency has now formed a special team to investigate the matter on the special directives of Interior Minister Mohsin Naqvi, whose own data is said to be among the caches being sold freely on the web, sometimes for as little as Rs500. The relevant press release issued by his ministry promises that those involved in the data leak will be identified and brought to justice. If, indeed, anyone is caught — and that is a big if — the damage may already be done by the time they are brought to justice, mainly because the government is not in any position to secure the leaked data and prevent it from falling into the wrong hands. All of the compiled information is now reportedly just a Google search away from cybercriminals. Therefore, instead of finding scapegoats, the authority would be better served with a bit of self-reflection.

Investigating how the data leaked will be important, but it would seem much more necessary for the state to ask itself why it needs such expansive surveillance of its own citizens.

Clearly, the premise it works on is that nobody can be trusted; however, as the repeated leaks of sensitive data continue to show, even security agencies cannot be trusted to be fully ‘secure’ themselves.

Secondly, why are our national cybersecurity capabilities so weak that massive breaches of sensitive data continue to occur with such alarming frequency? It may be recalled that, just a few months ago, the National Cyber Emergency Response Team warned that the login credentials and passwords of 180m Pakistanis were exposed online. Last year, it emerged that data on 2.7m citizens had been compromised due to weak cybersecurity controls at Nadra. When even citizens’ fingerprints can be put up for sale, what is safe? And what can the state be trusted with safekeeping?

Published in Dawn, September 9th, 2025