For more than a decade, Pakistan has run one of the most aggressive telecom identity regimes in the democratic world. Every active SIM card must be tied to a citizen's Computerised National Identity Card (CNIC) number and verified against a National Database and Registration Authority (NADRA) biometric thumbprint scan. The Pakistan Telecommunication Authority (PTA) sold the policy as an anti-terror necessity after the 2014 Army Public School attack in Peshawar. What it has quietly built, however, is the most consequential surveillance precondition in South Asia: a population uniquely identifiable on every call, text, and mobile data session.
That precondition has now collided with judicial scrutiny. In a series of orders by Justice Babar Sattar of the Islamabad High Court, Pakistani citizens learned that intelligence agencies have access to a system called the Lawful Intercept Management System (LIMS), reportedly hosted on equipment placed inside the networks of major telecom operators. According to evidence cited in those proceedings and reported by Pakistani outlets including Dawn, LIMS is configured to allow the mass interception of calls and messages of up to four million subscribers at a time — a scale that bears no recognisable resemblance to anything that could be called “targeted” lawful interception.
From identity-binding to bulk interception
The two systems — mandatory biometric SIM registration and LIMS-style intercept infrastructure — are technically separate but politically inseparable. SIM rules ensure that every voice and data session can be attributed to a named human being. Lawful-intercept architecture ensures that the content and metadata of those sessions can be siphoned, in bulk, to state agencies. Combined, they convert a commercial telecom network into what former NSA architect-turned-whistleblower William Binney once called a “turnkey totalitarian” capability — an infrastructure whose appropriateness depends entirely on the restraint of whoever happens to hold the keys.
That framing is not hypothetical in Pakistan. The Islamabad High Court has previously held, in a separate audio-leaks judgment, that mass interception without statutory backing and judicial authorisation violates Article 14 of the Constitution, which guarantees the dignity of the person and the privacy of the home. The LIMS disclosures have re-opened that question with sharper facts: it is one thing to suspect a capability exists; it is another to see the architectural diagrams.
The proportionality problem
People of Internet's editorial position is unambiguous: states have legitimate interests in counter-terrorism, organised-crime investigation, and the prevention of serious harm. Targeted, judicially-supervised interception, on individualised suspicion, with logging and oversight, is a recognised feature of every functioning democracy's investigative toolkit. None of that is what LIMS, as described in court filings, appears to be.
Three problems stand out:
- Scale. A four-million-subscriber capacity is not interception; it is population-level monitoring. Pakistan has roughly 195 million cellular subscribers per PTA's own published indicators, meaning the configured ceiling is around 2% of the entire mobile base — orders of magnitude beyond what any credible threat model justifies.
- Mandate drift. The Telegraph Act of 1885 and Section 54 of the Pakistan Telecommunication (Re-organisation) Act, 1996 — the statutes typically invoked — were written for narrow, emergency-style intercepts. They were not designed to authorise standing bulk-collection infrastructure, and Pakistani courts have said as much.
- Operator coercion. Telecom operators face licence-revocation pressure to host intercept equipment they cannot audit or refuse. That is a governance design that privatises the costs and risks of surveillance while concentrating its benefits in agencies with limited transparency.
What proportionate reform looks like
The reform path is well-trodden in comparable jurisdictions and does not require Pakistan to disarm its security state.
First, interception should require individualised judicial warrants, granted by a designated bench, with defined duration limits, particularised targets, and mandatory post-facto disclosure to subjects unless an extension is independently authorised. India's Supreme Court laid down comparable principles in PUCL v. Union of India (1996), and the European Court of Human Rights' Big Brother Watch v. United Kingdom (2021) judgment is the global reference point for what bulk-interception safeguards must include.
Second, biometric SIM linkage should be re-examined against a proportionality test. Pakistan's regime is more intrusive than the EU's, which under the European Electronic Communications Code permits prepaid anonymity in several member states without measurable terrorism harms. At minimum, the CNIC-thumbprint requirement should be paired with statutory limits on how that biometric link can be queried by non-telecom agencies.
Third, LIMS-type systems should be subject to independent technical audit — by a parliamentary committee with cleared staff, an inspector-general, or an equivalent body. The model exists: New Zealand's GCSB and the UK's Investigatory Powers Commissioner publish redacted annual reviews. Pakistan publishes none.
Why this matters beyond Pakistan
SIM-registration mandates are spreading across Asia and Africa under counter-terrorism branding. Each, in isolation, looks administrative. Stacked together with intercept architecture and weak warrant regimes, they produce the same end state Pakistan has now glimpsed in its own courtroom: an always-on, identity-bound surveillance system that survives elections, governments, and the political fortunes of whoever ordered it built.
The Islamabad High Court has done the region a service by forcing daylight onto LIMS. The harder work — translating disclosure into statutory reform, judicial oversight, and operator protections — now falls to Pakistan's parliament. A pro-innovation, pro-rights digital economy needs reliable, encrypted, trusted networks. A four-million-line wiretap, hosted inside those networks by regulatory fiat, is not compatible with that future.