Digital authoritarianism is on the rise across the globe. In many countries, the rule of law is becoming rule by law, with executive priorities dictating legislative action and overriding judicial checks on government regulation of the internet, enabling widespread abuses that impact freedom of expression, privacy, and due process, among other fundamental rights.

In particular, expanded government authority and the aggressive online surveillance it enables are being coded into laws and public policies, allowing governments to overreach the garb of legality and require compliance by domestic and foreign internet service providers (ISPs) — is typically tied to the State’s deployment of intrusive tech tools to monitor and access user communications and data, usually without public oversight.

The upsurge in the use of these surveillance technologies has raised alarms about the erosion of privacy and the weakening of democratic norms. The Pegasus Project, for one, unveiled how governments — particularly authoritarian regimes — employ sophisticated spyware to infiltrate devices of journalists, activists, and political adversaries, extracting sensitive information without consent.

The Pegasus spyware can gather data, record video and audio, take screenshots and track location, all without the user’s knowledge. The infection occurs silently, without the target ever clicking on a link or answering a call. As of 2021, The Guardian reported that the technology had been sold to 40 governments around the world, ostensibly to combat terrorism and crime, though forensic analyses cast doubt on these justifications.

This was the same year the Pegasus Project revealed India as one of several countries utilising the spyware and released surveillance lists containing identities of prominent persons who were targeted. The data collected was not disaggregated, and individual searches were therefore not attributable to specific countries; nor could it be said with certainty whether any particular hack was successful.

Nevertheless, thousands of Indian citizens appeared on the surveillance list, including ministers, opposition leaders, journalists and activists. The surveillance list also included hundreds of Pakistani phone numbers, including one belonging to former prime minister Imran Khan.

Pakistan’s track record is no better; in fact, the country’s trajectory is a troubling example of this trend. From the deployment of a national “firewall” in recent years to the discovery of a “Lawful Intercept Management System”, user data and citizen privacy remain hostage to political ambitions and corporate collusion.

A 2013 report by Citizen Lab revealed the presence of command-and-control servers for FinFisher — a commercial network intrusion malware capable of intercepting communications, accessing private data, and recording audio and video from computers or mobile devices — in Pakistan. The server was employed on a network owned by the Pakistan Telecommunication Company Limited (PTCL), a now-privatised state-owned entity, with 62 per cent government shareholding.

Mass network surveillance has existed in Pakistan since at least 2005, with spying technologies obtained from both domestic and international companies, including Alcatel, Ericsson, SS8 and Utimaco, revealed a 2015 report by Privacy International.

It also documented Pakistan’s consistent cooperation with the US National Security Agency (NSA), exposing its participation in the NSA’s Fairview Program and SKYNET initiative. Pakistan has featured strongly in the NSA’s Fairview Program, which involves the mass surveillance of individuals within and outside the US, facilitated by a ‘highly collaborative’ partnership with AT&T, one of the largest telecommunications companies in the US.

The SKYNET programme, which algorithmises terrorist detection by harvesting cellular metadata from Pakistani telecom service providers, was used to identify thousands of alleged ‘extremists’ in Pakistan between 2004 and 2016, who were later killed through drone strikes.

In 2019, The Guardian reported that at least two dozen Pakistani government officials had been targeted using Israeli spyware, alongside lawyers, journalists, human rights activists, political dissidents, and diplomats. The malware reportedly exploited a vulnerability in WhatsApp, allowing operators to access encrypted messages and other sensitive data on the targets’ devices.

While these attacks were not initially credited to Pakistani authorities, in 2023, Israeli newspaper Haaretz reported that the Federal Investigation Agency (FIA) and various police units in Pakistan have been using the software since at least 2012. Local officials later confirmed that the spyware — a dated version of Israeli company Cellebrite’s Universal Forensics Extraction Device (UFED) — had been acquired indirectly, through foreign agents, despite the lack of diplomatic ties between the countries.

Around the same time, it was further revealed that Pakistan acquired the services of a controversial Canada-based company, Sandvine, through an $18.5 million contract, to help build a nationwide ‘web monitoring system’. This system would use Deep Packet Inspection (DPI) to monitor communications, as well as measure and record traffic and call data, on behalf of the country’s national telecommunications regulator, the Pakistan Telecommunication Authority (PTA).

This was seemingly pursuant to the Monitoring and Reconciliation of Telephony Traffic Regulations, 2010, issued by the PTA, which alleged that it discontinued its use of DPI services in mid-2023.

In 2024, Pakistan tested a national internet ‘firewall’, using Chinese technology, which allowed the government to bolster its web monitoring capabilities and regulate the use of popular platforms by blocking specific features within an app or a website. It was deployed at the country’s main internet gateways, as well as the data centres of mobile service and major internet service providers, and triggered numerous complaints of poor internet connectivity.

The Lawful Intercept Management System (LIMS) is yet another surveillance mechanism employed by the Pakistani state, and can be used to retrieve the unencrypted data of any consumer, eavesdrop on their calls, and read text messages. The tool recently came to light, following a series of leaked audios which resulted in litigation before the Islamabad High Court, and revealed a growing trend of politicised intrusion that now threatens the independence and integrity of key institutions, including that of the judiciary.

In a turbulent political and legal climate such as that of Pakistan, the impact of leaked audios is immediate, driven by a widespread presumption of truth.

They possess the power to coerce, damage reputations, and shape public narratives well before the facts come to light. By the time clarity emerges, the damage is done — hardened public opinion, suffered reputations. The perpetrators, on the other hand, remain elusive, while societal pressure descends upon the latest target.

To highlight the far-reaching consequences of such breaches of privacy, we explored a selection of audio leaks that have surfaced since 2022, implicating an array of influentials, including politicians and judges. By examining the legal, social, and political fallout of these audio leaks, we seek to establish how this strategically disseminated information functions not only as a tool of public embarrassment but as a means to exert pressure, undermine credibility, and influence institutional conduct and decision-making.

It also outlines the glaring shortcomings in the domestic legal framework that enable such intrusions, offering no meaningful recourse, with an aim to highlight the evolving risks posed to democratic accountability and judicial independence in an age where state surveillance operates with little transparency and even less restraint.

While this article is rooted in the Pakistani experience, its relevance transcends national borders. The tactics, technologies, and political incentives behind the weaponisation of data are not unique to any one country — they reflect a global trend in which digital surveillance, audio manipulation, and leak-driven smear campaigns are increasingly deployed to shape public perception and suppress dissent.

As democratic institutions around the world grapple with declining public trust and as constitutional frameworks struggle to keep pace with technological advancement, the Pakistani example serves as a cautionary tale. It emphasises the urgent need for international scrutiny, effective legal safeguards, and civic vigilance to protect the integrity of judicial systems, political discourse, and the private lives of citizens before fundamental freedoms become (fundamentally) fiction.

Here, we focus on a set of audio leaks that resulted in litigation before the Islamabad High Court (IHC), in what is commonly known as the ‘Audio Leaks Case’. It was a case that laid bare the state’s ability to undertake mass surveillance of citizens through LIMS and brought to the fore flaws in the domestic legal framework that enable the misuse of such spying technologies.

The revelations made during the case have reinforced long-standing suspicions of institutional manipulation and state complicity, heightening concerns over the integrity and independence of Pakistan’s democratic institutions, including the judiciary. The potential impact of such reputational warfare, both on the individual and institutional level, is evident from the aftermath of the numerous audio leaks surfacing in recent years, involving judges, politicians, and private individuals — many of whom are either directly affiliated with the PTI or perceived to be aligned with Imran’s political camp.

Once installed, the LIMS enabled the interception of consumer data by allowing designated agencies to directly tap into the network of service providers — which is done with just a click of a button — by initiating a track and trace request using a unique SIM, IMEI or MSISDN number associated with the consumer’s device. The subsequent process was then entirely automatic, with the SMS, CDRs and metadata associated with the consumer being reported into a monitoring centre established at the surveillance centre.

Through another server, the entire content of the consumer’s communications routed through the telecommunications service provider (TSP) — including audio, video and search histories — would be transmitted to this monitoring centre, and stored. Any encrypted material, generated from applications such as WhatsApp, that formed part of the transmitted data would also be shared. And while the LIMS itself could not automatically decrypt such data, requests for decryption could be made to the company owning the relevant application.

Moreover, TSPs were required to ensure that up to 2pc of their entire consumer base could be surveilled through the LIMS. The TSPs reiterated that they had no way to monitor which consumers were being surveilled. The designated agencies could therefore access the LIMS, a mass surveillance system exposing the data of over four million citizens, without any supervision, oversight or control.

In its consequent order — issued on June 25, 2024 — the IHC noted how, throughout the proceedings, the federal government, its divisions, law enforcement agencies, and the intelligence agencies denied that any agency or entity had been authorised to undertake surveillance pursuant to the Pakistan Telecommunication (Re-organization) Act, 1996 (PTRA), Investigation for Fair Trial Act, 2013 (IFTA), and/or the Telegraph Act — the only laws providing for lawful interception — or that any rules had been made for this purpose.

The court found that this gave rise to one of two possibilities: either the state, through its investigative and intelligence agencies, never deemed it necessary to conduct surveillance for any legitimate state purpose and therefore did not do so; alternatively, that these agencies do, in fact, engage in surveillance, albeit unlawfully, without any legal authority or oversight.

It referenced numerous instances of audio leaks, beyond the subject audios, in the recent past, including the leaks referenced earlier in this article. From this, the IHC stated it could be logically deduced that there are surveillance mechanisms in place, and in use, enabling the recording of the highest executive, legislative and judicial officeholders of the country.

The court further observed that this was both “frightening and damning for a rule of law democracy functioning under the Constitution”, noting that Article 14 guarantees the right to privacy, whereas the right to life and liberty under Article 9 also includes the right of citizens to be left alone in their private spheres. The freedom of speech, guaranteed under Article 19, also includes the freedom to speak freely, without the state prying into the conversation.

However, these constitutional guarantees had been undermined through the mass surveillance of citizens in Pakistan without any constitutional or legal backing or judicial oversight. Justice Babar Sattar of the IHC — who heard the case among other judges — likened this to George Orwell’s book 1984, observing that the mass surveillance system seemed to be inspired by the dystopian novel.

While it appears that the federal government and its extensions, including the law enforcement and intelligence agencies, may have succeeded in evading accountability this time, it is nevertheless important to examine the rather suspect claims made in the process and chart a course that leads to true progress.

The positions taken by the Pakistani government are not without precedent; rather, they reflect a broader global pattern, transcending the issue of surveillance, wherein national security imperatives are invoked to deflect scrutiny with respect to the use of broad discretionary powers, often at the cost of constitutional freedoms. This moment, therefore, offers a critical opportunity for all democratic societies to reflect more seriously on the legal and institutional safeguards we must advocate for to ensure that such powers are not exercised in ways that violate fundamental freedoms.

In Pakistan’s case, the federal government contends that it lacks the technological capability to surveil citizens, or to identify those doing so, and has not authorised any agency or body for this purpose. The contention is, however, clearly contradicted by publicly available data, such as Privacy International’s comprehensive special report on security and surveillance in Pakistan, which reveals that the country not only possesses a wealth of surveillance technologies but has also actively facilitated local intelligence agencies and foreign states in surveilling its own citizens.

And while it is acknowledged that the mere existence of surveillance capability does not, on its own, prove culpability, it does raise urgent questions about oversight, access controls, and the potential for abuse, whether by rogue officials, ‘hostile agencies’, or state institutions themselves.

In any jurisdiction, the unchecked capacity to collect and retain personal data opens the door to misuse, even when deployed to meet admittedly legitimate objectives, such as national security or criminal justice. Following the issuance of the July 8 notification, wherein the government granted the Inter-Services Intelligence (ISI) broad-based powers of surveillance, thereby increasing the potential for abuse.

Consequently, the ISI is left to determine the boundaries of vague terms such as “national security” and the “apprehension” of an offence.

What emerges from the audio leaks case, hence, is not necessarily a conclusive finding of state complicity but, perhaps, a deeper institutional failure: either to prevent abuse of power, or to ensure that objectives of national security and criminal justice are met proportionately and made subject to democratic oversight and legal accountability.

We have seen that in the absence of such safeguards, breaches of digital privacy stand to inflict irreparable harm on the reputations, liberties, and safety of individuals, from ordinary citizens to politicians, often without the procedural protections of due process. These harms reverberate throughout the democratic system, deterring the freedom of expression, quelling dissent, and undermining the integrity of core institutions, including the judiciary.

A society stricken by the fear of such harm can never truly be free.

To facilitate meaningful progress, we must therefore move beyond critique and commit to concrete, actionable reforms. What follows is an attempt to do just that, by proposing targeted legislation and amendments to the existing legal framework designed to minimise the risk of misuse, manipulation, or even negligent oversight of surveillance powers.

In Pakistan, the unresolved discord between key statutes governing the interception of information, particularly the PTRA and the IFTA, heightens the risk of Pakistan’s surveillance framework being abused, leaving loopholes that can be exploited by those for whom the lack of data security represents an opportunity, rather than a liability.

During the audio leaks case, Justice Sattar had commented that any rules made to regulate the authorising and conducting of surveillance under Section 54 of the PTRA would necessarily have to comply with the IFTA; however, this does not settle the matter. There is, therefore, an urgent need for the legislature or the superior judiciary to resolve this issue, as presently, Section 54 of the PTRA provides a means to circumvent and render redundant the elaborate procedure and safeguards laid out under the IFTA.

Empowering the ISI to conduct surveillance, while bypassing the need for a judicial warrant under the IFTA, is clear evidence of this glaring flaw in Pakistan’s legal framework.

There is also a need to narrow the boundaries of what constitutes ‘lawful’ interception or surveillance. In Pakistan, the IFTA achieves this goal through the use of clear language and provisions to prevent and punish the misuse of surveillance frameworks. However, as previously mentioned, the beneficial effects of the IFTA are neutered by Section 54 of the PTRA, which employs far broader language, including vague references to ‘national security’, and does not contain any mechanism to punish such abuse.

It is this disharmony that enabled the federal government to issue the July 8 notification, following which no individual warrants will have to be sought, and the government may authorise surveillance at its discretion without being bound by the provisions of the IFTA. The ISI, in turn, will have unfettered access to Pakistan’s surveillance infrastructure, likely with little to no oversight.

With no safeguards to mitigate excesses, it is impossible to predict the extent of intrusive surveillance Pakistani citizens will be subjected to under the guise of ‘national security’. This controversy can only be resolved through the legislative process, or by the judiciary, which can exercise its powers of judicial review to harmonise the PTRA with the IFTA, or, alternatively, to invoke Article 8 of the Constitution and strike down the portions of the PTRA deemed inconsistent with fundamental rights.

But, beyond this, there remains a dire need to supplement the existing legislative framework with a comprehensive personal data law. This is particularly crucial, given there is currently no legal framework to regulate the interception, use, collection, storage and disclosure of personal data by the government, organisations and other individuals and entities in Pakistan.

While the Ministry of IT&T proposed a Personal Data Protection Bill for this purpose in 2023, the latter was subjected to great criticism for ambiguities, lending themselves to exploitation. Despite the barrage of audio leaks seen in 2023, this Bill has yet to be debated or passed into law.

There is therefore a critical need to design effective legal mechanisms to detect and punish the misuse of personal data, both by domestic and foreign entities. The framework in the European Union (EU) provides a useful model, incorporating both reactive and pre-emptive measures for data protection, while empowering individuals to monitor the collection of their data.

Lastly, it is essential to ensure that unlawfully obtained digital content is not admissible in judicial, disciplinary, or administrative proceedings, or allowed to influence such proceedings, whether directly or indirectly, especially where it infringes upon the fundamental right to privacy. Institutions cannot operate with integrity when their internal dynamics are susceptible to manipulation through illegitimate digital disclosures.

Moreover, using such material to punish or discipline individuals sets a dangerous precedent: one which legitimises unlawful surveillance and encourages its use. This practice must be unequivocally rejected, not only by those targeted but by society as a whole.

While Pakistan’s failure to confront the fallout of its recent digital scandals represents a missed opportunity for reform, on a global scale, its experience demonstrates the urgent need for comprehensive data protection laws that both prevent and punish invasions of privacy and are insulated from political interference.

In both fragile democracies and mature legal systems, unchecked surveillance and politicised data breaches threaten to compromise institutional independence and derail accountability mechanisms and fundamental freedoms, striking at the very foundations of justice.

Upholding the sanctity of privacy is therefore not merely a matter of personal liberties, but a collective imperative to preserve the integrity of democratic institutions and uphold the rule of law. As digital intrusions grow more sophisticated and pervasive, the task for the global community is clear: to build resilient legal frameworks capable of withstanding manipulation and protecting the democratic values they claim to uphold.

However, our success in this regard presupposes the existence of a rule of law regime, one where the various branches of the state remain confined to their spheres and abide by both the letter and the spirit of the law.

It also requires meaningful compliance by private organisations and entities which are bound by international principles and obligations to safeguard consumer data, such as under the Universal Declaration of Human Rights (UDHR), the International Covenant on Civil and Political Rights (ICCPR), and the International Covenant on Economic, Social and Cultural Rights (ICESCR).

These international instruments now stand enshrined in principles laid out by the Global Network Initiative, which was launched in 2008 to protect and advance the freedom of expression and privacy rights, by setting global standards in the information and communication technologies (ICT) sector to regulate decision-making in the face of government restrictions and demands. The GNI comprises internet platforms, telecommunication operators, equipment vendors and other entities playing a key role across the ICT sector.

The role of private organisations and entities is thus of great importance, as a refusal to comply with illegal surveillance requests has the potential to do grave damage to the existing surveillance framework in Pakistan and in other jurisdictions.

Lastly, as individuals, what we can do is to fulfil a more fundamental duty: to reject vague denials, institutional silence, and the normalisation of unchecked surveillance, wherever we may be. We must demand that our governments uphold their constitutional commitments and international obligations with respect to the freedom of expression, and the rights to privacy and due process, regardless of our personal affiliations or political leanings.

Ultimately, we must recognise that when the rights of even one individual are compromised, the rights of all are endangered.

In the battle to protect privacy rights, Information and Communication Technology (ICT) companies operating in Pakistan often find themselves in a bind — caught between the demands of an authoritarian state and their duty to uphold human rights.

Since 2022, a political barrage has been rattling Pakistan with a series of high-profile audio leaks that surfaced online involving senior government officials and opposition leaders. The leaks, widely suspected to have originated from government intelligence agencies, exposed private conversations and sensitive political strategies between political figures. The fallout was immediate and severe; public trust in the government was further eroded, opposition parties denounced the surveillance as unconstitutional, and civil society groups raised concerns about the growing encroachment on privacy.

The scandal underscored a longstanding and deeply troubling reality in the country: the prevalent use of highly intrusive surveillance technologies with little to no accountability. This situation raises a critical question: what are the responsibilities of ICT companies operating in regimes like Pakistan, when confronted by potentially unlawful government demands to deploy highly intrusive surveillance technologies against the public and political figures?

As conduits for the transmission of data and telecommunications, ICT companies are often beset by governments’ demands to engage in surveillance. When such governments demand access to user data or pressure companies to otherwise invade the privacy of public and political figures, ICT companies face complex legal, ethical, and operational challenges.

The situation in Pakistan thus reflects a broader global issue: how should private companies balance their legal obligations to host governments with their responsibility to protect user data and personal privacy — an internationally recognised human right?

Here, we argue that ICT companies should adhere to international standards that recognise their responsibility to respect human rights, including privacy, as outlined in the United Nations Guiding Principles on Business and Human Rights (UNGPs) and by the Global Network Initiative (GNI), a multi-stakeholder initiative that implements the UNGPs for the ICT sector.

The UNGPs, endorsed by the UN Human Rights Council in 2011, provide a global framework for businesses to prevent and address human rights impacts, emphasising accountability and due diligence. When operating in countries such as Pakistan, where digital rights are actively suppressed, this responsibility becomes even more urgent and morally significant.

ICT companies are not merely passive players; they are intermediaries with the capacity to shape the frontiers of digital rights and privacy protections.

Responsibility to respect human rights

This section examines the international legal normative framework governing the responsibility of ICT companies to respect human rights, with a particular focus on the right to privacy. The framework is primarily guided by the UNGPs and the GNI Principles — the latter commit ICT companies to uphold freedom of expression and privacy rights, while the former offer practical measures for conducting human rights due diligence and addressing government requests for data or censorship.

A. Under the UNGPs, ICT companies have a responsibility to respect the right to privacy as a human right.

1. ICT companies should enact policies to avoid infringing on the privacy rights of others, recognising that the right to privacy is an internationally recognised human right.

Under the UNGPs, ICT companies are called upon to respect the right to privacy as a fundamental human right. Principle 11 of the UNGPs states that companies should first adopt policies and practices to ensure they do not infringe on the privacy rights of others.

The right to privacy is an internationally recognised human right that companies should respect globally, regardless of state actions or national laws. They are expected to take proactive steps to prevent, mitigate, and remedy any harms to privacy rights, which includes enacting human rights policies and effectively implementing them in their business operations. Furthermore, companies should avoid undermining state human rights obligations or judicial integrity when addressing privacy concerns.

Similarly, under Principle 12 of the UNGPs, ICT companies are expected to respect the right to privacy as a recognised human right. Heightened attention should be given to individuals and groups most at risk of privacy violations in specific industries or contexts. Vulnerable groups, including journalists, women, religious minorities, and political opponents, warrant special attention.

These obligations, reinforced by GNI Principles, apply specifically to ICT companies that agree to adhere. According to the GNI Principles’ Preamble, ICT companies joining the initiative should respect and promote both freedom of expression and privacy rights as expressed therein. Companies under GNI are expected to support privacy rights through responsible business decisions, shared learning, and collaboration with other stakeholders.

While these companies are required to comply with local laws, they must also strive to uphold international human rights standards and minimise any adverse impacts arising from conflicting national legal frameworks. Although the GNI Principles apply only to member ICT companies, they provide expert normative guidance for the sector as a whole on how the UNGP should be applied.

GNI Principle 3 defines privacy as a fundamental human right that protects human dignity, security, and freedom of expression. All individuals have the right to legal protection against unlawful or arbitrary interference with their privacy. Accordingly, under the GNI Principles framework, ICT companies are responsible for safeguarding user privacy on a global scale, even when faced with intrusive government demands. Companies are expected to uphold international standards and resist pressures that conflict with these fundamental privacy protections.

2. ICT companies should conduct thorough due diligence and risk assessments to identify, prevent, mitigate, and address potential privacy rights violations arising from their business activities.

Under Principle 13 of the UNGP on Business and Human Rights, businesses must avoid causing or contributing to human rights harms and take action to address them when they occur. Even if a company is not directly responsible for a violation, it must still prevent or mitigate human rights harms linked to its operations, products, or services through business relationships.

The GNI Principles reinforce this obligation by requiring ICT companies to identify situations where privacy rights may be jeopardised or advanced and to integrate these findings into their decision-making processes. Section 3.4 of the GNI Implementation Guidelines specifically states that participating companies must assess the human rights risks associated with the collection, storage, and retention of personal information in the jurisdictions where they operate. This means companies need to evaluate how their data practices, including cross-border data transfers and government surveillance requests, could affect users’ privacy rights.

Principle 17 of the UNGPs further establishes that human rights due diligence should involve an ongoing process of assessing actual and potential privacy rights impacts, acting upon the findings, tracking responses, and communicating how these impacts are being addressed. Due diligence should not be a one-time exercise; it must adapt and conform to evolving risks over time and begin early in the development of new activities or business relationships, including mergers, acquisitions, and contractual agreements.

By implementing robust human rights policies and due diligence frameworks, ICT companies can ensure they meet international human rights standards while safeguarding user privacy.

3. ICT companies should be transparent about their human rights impacts, disclosing policies and practices related to government surveillance requests and user data protection.

ICT companies have a responsibility to be transparent about their human rights impacts, especially concerning government surveillance requests and user data protection practices. Under Principle 21 of the UNGPs, companies are expected to communicate externally about how they address human rights impacts, especially when affected stakeholders raise concerns.

For companies operating in high-risk contexts, this obligation extends to formally reporting on how they manage human rights risks and impacts.

Communication should be provided in a form and frequency that accurately reflects the company’s human rights impact and ensures accessibility for the intended audience.

The GNI Principles reinforce these transparency obligations by establishing a framework for governance, accountability, and transparency. According to GNI Principle 6, companies must operate under a collectively determined governance structure that clearly defines roles and responsibilities, ensuring that accountability is maintained.

Transparency should include public disclosure of human rights policies and practices as well as independent assessments of the company’s implementation efforts. By adopting transparent communication and governance structures, ICT companies can build trust with stakeholders and demonstrate their commitment to respecting privacy rights and broader human rights standards.

B. Obligations of ICT Companies in Responding to Arbitrary Surveillance Requests from Repressive Regimes

Further building on the framework established by the UNGPs as well as the GNI Principles and Implementing Guidelines, this section examines the obligations of ICT companies when responding to arbitrary surveillance requests from authoritarian regimes. It outlines key international standards that ICT companies should adhere to and the practical challenges they face when domestic laws conflict with global privacy norms. The suggested framework guides ICT companies with strategies to balance legal compliance, corporate responsibility, and human rights protection in authoritarian regimes.

1. ICT companies should encourage governments to establish legal regimes that comply with international standards on human rights, including privacy rights.

ICT companies have a broader responsibility to promote alignment between domestic regulations and international privacy standards. Section 3.1 of the GNI Implementation Guidelines advises companies to encourage governments to adopt specific, transparent, and consistent legal frameworks governing surveillance and privacy. Governments should be urged to harmonise their domestic regulations with international human rights standards, particularly those related to freedom of expression and the right to privacy.

To support this effort, companies should develop internal policies and procedures that guide how they anticipate, assess and respond to government demands for content restrictions or disclosure of personal information. Adopting a structured approach, companies can ensure that their own actions, as well as their responses to government demands, remain consistent with human rights obligations.

Encouraging governments to comply with international standards helps establish a more predictable and rights-respecting legal environment, even in politically restrictive jurisdictions.

2. ICT companies should require the government to follow established domestic legal processes that implement or reflect international human rights standards.

ICT companies should require governments to comply with domestic legal procedures when seeking to access user information or restrict communications. According to Section 3.2 of the GNI Implementation Guidelines, companies should ensure that any government demand for personal data, content removal, or communication restrictions follows established domestic legal processes.

The GNI Implementation Guidelines emphasise that companies should request clear written communications from the government explaining the legal basis for such demands. This ensures that the company’s response is based on a transparent and well-defined legal framework.

Moreover, Section 3.5 of the GNI Implementation Guidelines encourages companies to operate transparently when responding to government requests. Transparency includes informing users about government requests where legally possible and issuing public reports that summarise the nature and scope of such requests. This approach helps prevent governments from overstepping legal boundaries and ensures that companies uphold their commitment to protecting user privacy and freedom of expression.

3. ICT companies should challenge overbroad, arbitrary, or otherwise unlawful government restrictions.

When governments make surveillance requests that exceed legal limits, ICT companies are encouraged to push back. Section 3.3 of the GNI Implementation Guidelines urges companies to seek clarification or modification from authorised officials when surveillance requests appear overbroad or unlawful. If the government’s response remains unsatisfactory, companies should, for the purpose of seeking guidance and support, engage with relevant stakeholders, including government authorities, international human rights bodies, and non-governmental organisations.

In cases where the government’s actions would clearly violate domestic legal standards, companies are encouraged to challenge such measures through domestic courts. Such legal challenges not only protect the rights of individual users but also set important precedents that may influence future government conduct. Taking legal action demonstrates the company’s commitment to defending user rights and upholding global privacy norms even in difficult political environments.

4. ICT companies should move to uphold human rights and privacy when domestic laws and/or government conduct conflict with international standards.

ICT companies have a responsibility to uphold human rights and protect user privacy, even when domestic laws and/or government conduct conflict with internationally recognised standards. According to Principle 23(b) of the UNGPs, businesses must respect human rights regardless of the political or legal context in which they operate.

When domestic laws prevent full compliance with international human rights standards, companies should strive to honour these international standards and principles to the greatest extent possible and demonstrate their efforts to mitigate harm.

The GNI Principles reinforce the expectation that companies will protect user privacy. ICT companies will respect and work to protect the privacy rights of users when confronted with government demands, laws, or regulations that compromise privacy in a manner inconsistent with internationally recognised laws and standards. Companies should treat human rights risks as legal compliance issues and take steps to reduce potential harm.

ICT companies can take several steps to navigate these complex challenges. They can seek advice from internal cross-functional teams and external experts, including governments, civil society, national human rights institutions, and multi-stakeholder initiatives. Collaboration and consultation with stakeholders can help companies develop more effective strategies for responding to government demands while maintaining a strong commitment to human rights and privacy.

Moreover, ICT companies can challenge overbroad, arbitrary, or unlawful requests by demanding formal legal justifications and operating with transparency. They can report the nature and frequency of government requests for user data or surveillance, for example. Upholding these principles helps maintain user trust and ensures that ICT companies remain aligned with international human rights norms.

Picture this: the First Lady was on the phone discussing political party-related information. A number of political events cause friction and instability within the government. In the midst of this political turmoil, the First Lady’s phone conversations are strategically leaked to the press.

Sounds like the audio leaks case in Pakistan, specifically the audio recordings released of ex-prime minister Imran Khan’s wife, Bushra Bibi, and her private conversations. Surprise! It is actually a recent series of released audio recordings of Kim Keon Hee, the wife of former South Korean President Yoon Seok-yeol.

In February 2025, a phone conversation between Kim Keon Hee and a political broker was made public by a local weekly affairs magazine. Although the conversations occurred before President Yoon took office in May 2022, they were likely leaked in 2025 because of the pending impeachment trials of President Yoon.

First Lady Kim, speaking on behalf of the then President-Elect Yoon, and the political broker were allegedly discussing the ruling People Power Party’s candidate nomination process for the 2022 parliamentary by-elections. These recordings confirmed allegations against Kim and President Yoon that they were involved in illegal election meddling. Their release to the public further complicated the couple’s legal troubles, and since then, Korea’s highest court has affirmed the impeachment of President Yoon.

Similarly, in Pakistan, a number of private audio recordings of high-level political actors were recently made available online, a couple of which were the subject of litigation before the Supreme Court of Pakistan.

In April 2023, an audio recording of Mian Najamul Saqib, son of the former chief justice of Pakistan Saqib Nisar, was leaked; in November 2023, a recording of a conversation between Bushra Bibi, Imran, and her lawyer was released; and in November 2024, another of Bushra Bibi’s phone conversations discussing politics and strategies was made public.

These leaked conversations were scandalous because they touched on political and internal affairs. In particular, the recordings of Bibi’s conversations were all released within the period that Bibi and former Prime Minister Khan were fighting a legal battle against bribery allegations. The consequent audio leaks case, or ALC, as the joint litigation is known in Pakistan, is representative of the type of nefarious surveillance that has silenced political opponents, suppressed journalists from sharing information critical of the government, and put citizens in fear of repercussions from their online activities.

The joint case of Bushra Bibi and Mian Najamul Saqib has become the leading case symbolising the fight against state surveillance overreach in Pakistan, highlighting that no one is out of reach.

What can the parallel travails of former presidents and their spouses in Pakistan and South Korea tell us about government surveillance capabilities and the abuse of such power? The two countries have walked a similar path: starting from the end of military dictatorships, digital repressive policies of the government, the use of government surveillance of civilians to further the state’s interests, and now the public release of the private conversations of the wives of former heads of each state’s government.

Here, we will present a case study of state surveillance in South Korea and draw broad comparisons between that context and the Pakistani one, of which the ALC is emblematic. It will highlight the history of the South Korean government’s use of overly broad surveillance to set up a discussion of similar government surveillance practices in Pakistan.

The goal is to provide a foundation for readers to better understand the issue of state surveillance and draw insight into the readers’ own circumstances and needs. Specifically, the study of South Korea can help to illustrate where the ALC is headed within the Pakistani legal system, how it might be understood by Pakistani citizens, and how people can respond to a government that does not respect their privacy rights.

Global internet freedom has been declining as authoritarian governments continue in their efforts to repress the flow of news and information, centralise state control over internet infrastructure, and create barriers to cross-border transfers of user data.

Reflections on South Korean, Pakistani leaks

There are a number of parallels between Pakistan’s current surveillance practices and the history of state surveillance in South Korea. Notably, both countries face the recent issue of the public release of private conversations involving the wives of the former president or prime minister, as well as challenges to accountability for government malfeasance.

Some of the parallels between the obstacles faced in Pakistan and those described in the South Korean case study in this regard suggest significant insights that are explored below.

The scandal generated by the audio leaks case has highlighted several challenges that Pakistan must address to make similar progress in curbing the its abusive surveillance practices and policies, namely, (a) overly broad laws authorising or enabling virtually unlimited surveillance powers; (b) government agencies and other state actors exercising nearly unlimited surveillance powers with little to no effective oversight, judicial or otherwise; (b) the nonexistence of data protection laws; and (c) the susceptibility of ICT companies to surveillance and data requests by state actors.

Government agencies’ power of surveillance

Both South Korea and Pakistan have agencies with broad statutory authority to conduct intrusive surveillance. In March 2024, the Pakistan Telecommunication Authority (PTA), in response to the IHC’s inquiry into the role of the government in the ALC, asserted its national security authority to intercept calls by telecom operators.

This takes place through the PTA’s own licensing clauses, which permit the state to suspend or modify telecommunication systems and licenses over the preference of any licensee upon a broad declaration of emergency. Furthermore, the Prevention of Electronic Crimes Act (Peca) grants surveillance powers to agencies within Pakistan. There is no adequate oversight, and provisions grant powers to “law enforcement to seize digital devices and content.”

Similarly, 1980s legislation granted South Korea’s intelligence agencies broad authority to collect and compile information regarding public safety against communists and plots to overthrow the government. Despite transitioning to democratic rule, the Korean government has made no significant change to limit the scope of the power of surveillance permitted by this statute.

However, the South Korean judicial system no longer permits the broad scope of this legislation to allow intrusive surveillance of civilians. As seen above, South Korean officials who overreached in their surveillance of private citizens were subject to investigations and criminal convictions.

Legislation

Both countries have legislation granting the government expansive legal authority to surveil citizens.

The PTA draws its power to spy from the Pakistan Telecommunications (Reorganisation) Act (2010), the Investigation of Fair Trial Act (2016), and the Telecom Act (1996). In particular, Section 54 of the TRA grants the federal government power to intercept conversations or to trace those conversations through any telecommunication system.

The Investigation of Fair Trial Act then permits the interception of and direct access to all information upon the issuance of a warrant by a high court judge. There is also Peca, which “grants powers to law enforcement to seize digital devices and content.”

Peca — which penalises acts of cyberterrorism, hate speech, defamation, and the dissemination of false information — has been widely abused and lacks proper oversight. Such broad surveillance powers have resulted in allegations of intelligence agencies monitoring human rights defenders, journalists, politicians, and other dissidents or opponents of the current ruling political party.

With respect to the audio leaks case, while there is no identified source linked to Bushra Bibi and Saqib’s conversations, there is a widespread understanding that intelligence agencies had to have been involved. In court, government agencies have denied any liability by citing the aforementioned laws as the legal basis for collecting information from telecommunication companies.

Similarly, the Korean National Security Act (NSA) was passed in the mid-20th century to punish “those praising or sympathising with an anti-state group”. But the law has been most often used to imprison people who exercised their right to freedom of expression in the 20th Century.

Significantly, although other political and judicial limitations have evolved, the South Korean government has not reformed the statute to limit its broad scope; this, despite criticism from human rights organisations on how the law violates international human rights norms.

A key difference between the two case studies relates to data protection laws, emphasising their importance. While South Korea has enacted a robust data protection legal framework, in part to counteract widespread abuse of surveillance powers, Pakistan has no stand-alone data protection legislation. Despite some efforts to adopt such a law, there is currently no legislation in Pakistan that shields personal data from either private or government entities.

Role of government requests to private companies

Companies in both countries are susceptible to government requests for users’ private information. While it has not been ascertained yet as to how the audio leaks subject of the litigation occurred, the government’s position was that user devices could have been hacked or accessed by a third party, and that it was not the result of “lawful” interception.

The position taken by telecom operators in the case was that there are several laws and regulations that require the disclosure of user data, in particular their licenses issued by the PTA, due to which they are obligated to comply. Corporate telecom operators cited the same legal authorities as the PTA, specifically provisions that authorise government agencies to collect information from private companies, which is obligated through the PTA’s licensure requirement.

Similarly, South Korea permits government agencies to collect information from private companies through warrants and other legal government requests. Former President Park Geun-hye attempted to use this opportunity to monitor private messages sent through Kakao Talk — the main messaging app in Korea — to crack down on messages deemed as critical of her presidency.

As mentioned above, an ICT company’s susceptibility to the government’s request to pry into its users’ conversations led to the mass exodus of users, ultimately forcing the company to promise it would no longer respond to government requests for access to information. Most importantly, it was an encouraging example of a company willing to push back on government data requests and assume the possible legal consequences to retain its customers’ trust.

Lessons from South Korea

The foregoing makes clear a number of the similarities between the South Korean case study and the situation in Pakistan, as exemplified by the audio leaks case, in terms of government surveillance power and potential abuses of that power.

The key question thus remains: what are the differences between the two that might explain why government surveillance in South Korea has been scaled back, and is being held in check more effectively?

In short, the experience of South Korea highlights the importance of global and domestic media attention, widespread popular mobilisation, and the role of responsible ICT company conduct in combating state overreach, among others. When these factors converge, the case study suggests, abusive surveillance policies and practices can be reined in and wrongdoers held accountable, at least to some extent.

South Korea is an example of how factors like domestic and global media coverage, along with public mobilisation, can pressure governments to phase out abusive surveillance practices and even repeal repressive policies that violate constitutional and human rights.

The press and public backlash to the Chun government’s torture and killing of student activists Park Jong-chul in 1987; the negative coverage of government abuses in relation to South Korea hosting the 1988 Olympics; the scandals generated by the surveillance of political opponents during the administrations of Presidents Roh and Lee; and the huge outcry against President Park for spying on the families of the victims of the Sewol Ferry tragedy, as well as her political opponents, leading to her impeachment in 2016; these key moments in South Korea’s history all reflect the way in which democratic forces can positively influence public policies on state surveillance and respect for privacy rights.

In addition, even where government agencies have broad surveillance powers authorised by statute, these positive forces can motivate ICT companies to “do the right thing”, as Kakao Talk did in response to President Park’s unlawful surveillance of its messaging app and network.

Another key feature of the South Korean landscape that finds no direct corollary in Pakistan is the existence of a robust data protection legal framework that is strongly enforced; this acts to counterbalance at least some of the potential government overreach otherwise enabled by law. Indeed, ICT companies will be less susceptible to government surveillance and data requests when those powers are curbed by law in line with constitutional and human rights norms.

Such legal reform in turn can be enabled by international media and diplomatic pressure, which dovetail with domestic public backlash to positive change — a dynamic that altered the practice of state surveillance in South Korea.

It should be noted that surveillance by the South Korean authorities remains ongoing despite the positive evolution of public policies over the past several decades. Surveillance is still being used against citizens to silence political opponents and dissidents. However, the South Korean media and legal system continue to push back against the State’s overreach, fueled by the public’s decreased tolerance of abusive practices for the historical reason discussed.

And as technological advancements have made it faster and easier for South Korean citizens to access information, it has become harder for government officials to use surveillance powers against the interests of the people.

This article was originally published by The George Washington University Law School and an abridged version has been reproduced here with permission.
The Politics of Exposure: Audio Leaks and the Erosion of Privacy and Democracy in Pakistan by Faaiza Qazi
Surveillance, Scandals, and Secrets: The Relevance of South Korean Government Surveillance to the Audio Leaks Case in Pakistan by Yessica Chong
Saving Privacy Rights: ICT Companies, Government Surveillance, and the Battle for Privacy in Pakistan by Philip Paik