ISLAMABAD: An eye-opening report by Amnesty International has lifted the veil from just how deeply the mass surveillance system deployed in Pakistan allows authorities to sift through citizens` private data and communications.

Thanks to technology provided by foreign companies, the system has evolved into a tool of constant monitoring, with the ability to access citizens` emails, phone calls, and internet history.

According to the report, the author-ities only need a person`s phone number to initiate surveillance.

Titled Shadows of Control, the report is the result of a year-long investigation in collaboration with seven other organisations, including Paper Trail Media, DER STANDARD, Follow the Money, The Globe and Mail, Justice For Myanmar, InterSecLab and the Tor Project.

`This censorship machine is fuelled by Chinese, European, Emirati, and North American companies,` the global rights watchdog said in its expose.

According to Amnesty, Pakistan obtained technology from foreigncompanies through a covert global supply chain of sophisticated surveillance and censorship tools, particularly the new firewall (the Web Monitoring System or WMS) and a Lawful Intercept Management System (LIMS).

`While both technologies enable mass surveillance by harvesting vast amounts of personal data or allowing the authorities to zoom in on someone`s browser habits, the WMS 2.0 also allows authorities to block VPNs or any website deemed to be `unlawful` content by the authorities, Amnesty said in a statement released alongside the investigation.WMS 2.0 can block both internet access and specific content, with virtually no transparency and no judicial oversight, it said.

The software can retain email, VoIP, sessions and real-time logs, `indicating that the Geedge Networks products might be storing data on who is calling whom, email content if no secure communication is used, session recordings of which websites are being visited and realtime logs of the deployed system`.

Watchtowers Amnesty describes the WMS and LIMS systems as `watchtowers, con-stantly snooping on the lives of ordinary citizens` `In Pakistan, your texts, emails, callsandinternetaccessare allunder scrutiny. But people have no idea of this constant surveillance, and its incredible reach. This dystopian reality is extremely dangerous because it operates in the shadow, severely restricting freedom of expression and access to information,` said Agnès Callamard, secretary general at Amnesty International, in a statement shared with Dawn.

`LIMS and WMS 2.0 are funded by public money, enabled by foreign tech, and used to silence dissent, causing severe human rights harms against the Pakistani people,` said Jurre van Bergen, technologist at Amnesty International.

According to the report, the combination of WMS 2.0 and LIMS allows for deep packet inspection (DPI). In simple terms, information transmitted over the internet is not linear and is usually encoded in the form of data packets that travel between the user`s device and other systems it connects to via the internet. While users may believe that password protection secures their information against possible interception, DPI technology allows authorities to intercept and open these information packets, as long as they are unencrypted.

This system is deployed across all telecom providers in Pakistan even at the landingpoint of the internet cable that connects the country to the rest of the world.

Intelligence agencies and the military use LIMS to surveil a significant portion of the population`s digital activity through telecommunications providers, who are required to cooperate with LIMS in order to operate in the country.

According to Amnesty, due to a lack of technical and legal safeguards in the deployment and use of mass surveillance technologies in Pakistan, the LIMS is in practice a tool of unlawful and indiscriminate surveillance that allows the government to spy on more than 4 million people at any given time.

Money trail Behind this surveillance system is a nexus of foreign companies, the report said, citing its commercial trade databases on subscription-based platforms.

It traces the origin of WMS first installed in 2019 using tech-nology supplied by Canadian company Sandvine (which has now become AppLogic Network) that later morphed into a sophisticated mass surveillance machine in 2023.

Citing various media reports, Amnesty said the WMS project was approved in 2019, but could not be implemented at the time due to funding constraints and there still was no clarity where did the funding for this project came from. An Amnesty analysis of trade data found that Sandvine had shipped equipment to at least three Pakistani companies as early as 2017.

The subsequentupgrade was carried out primarily with help from China-based Geedge Networks, utilising hardware and software components supplied by Niagara Networks from the US and Thales from France.

The report described the WMS 2.0 as a `commercialised version` of China`s Great Firewall surveillance system.

In November 2023, Amnestysaid Rs5 billion were redirected for utilisation by the ICT R&D Fund, also referred to as Ignite National Technology Fund, as bridge financing utilised for the firewall as part of the Digital Information Infrastructure (DII) initiative.

It also quoted a report that claimed Rs5 billion was diverted from the Universal Service Fund to the social media firewall project. In February 2024, the ECC approved Rs10 billion for the DII initiative. LIMS, meanwhile, uses technology from the German company, Utimaco, sourced through an Emirati company called Datafusion, it said.

The LIMS first came to light after the Pakistan Telecommunication Authority (PTA) submitted a report to the Islamabad High Court, admitting the interception of data and records of telecom customers on a mass scale.

According to Amnesty International, a German company, Utimaco, and an Emirati com-pany, Datafusion, supplied most of the technology that enabled LIMS to operate in Pakistan.

`Utimaco`s LIMS allows the authorities to sift through the telecommunications companies` subscriber data, which is then made accessible through Datafusion` Monitoring Center Next Generation (McNG).

Using the McNG system, `operators can see [who has] been calling whom, when this happened, what websites were browsed, if someone might`ve used WhatsApp or a VPN and their location`.

LIMS allows the interception of phone location, phone calls and text messages and even lets the authorities see website content if accessed over HTTP by any Pakistani resident (the nonencrypted way to access a website), the report said.

`If accessed through HTTPS, the operator will only see which website was accessed through metadata but not encrypted content,` it added.