Pakistan's Federal Board of Revenue (FBR) has spent the past two years quietly conducting one of the world's most instructive experiments in regulatory function creep. Through Income Tax General Order No. 1 of 2024, the FBR directed the Pakistan Telecommunication Authority (PTA) to block the mobile SIMs of over half a million identified income-tax non-filers — repurposing biometric SIM-registration infrastructure originally built to fight terrorism into a general-purpose tool of fiscal coercion. After initial resistance from the PTA and the country's major telcos — Jazz, Telenor Pakistan, Zong, and Ufone — citing licence conditions and due-process concerns, phased blocking has proceeded through 2024 and into 2026, with updated non-filer lists continuing to roll out and a parallel track of litigation winding its way through the Islamabad High Court.
For tech policy, this matters far beyond Karachi or Islamabad. Pakistan is now the cleanest case study yet of a warning that privacy researchers and the GSMA have been issuing for a decade: SIM-registration mandates designed for one narrowly framed purpose almost never stay in that lane.
How a counter-terror tool became a tax tool
Pakistan's mandatory biometric SIM verification was rolled out in 2015, in the aftermath of the December 2014 Army Public School attack in Peshawar. Under the National Action Plan, the PTA required every SIM to be linked to a citizen's NADRA-issued national identity card and verified by fingerprint at the point of sale. The framing was emphatic and narrow: this was an emergency measure to stop terrorists from acquiring anonymous phones used to detonate IEDs and coordinate attacks. Civil-society warnings that the resulting database — biometric identity bound to every active mobile number in the country — would inevitably attract non-security uses were dismissed as alarmist.
Ten years later, the FBR has demonstrated precisely how prophetic those warnings were. The bureaucratic logic is seductive: the state already has a verified, fingerprint-bound list of every adult phone user. Why not flip a switch and disconnect anyone the tax authority lists as non-compliant? No new infrastructure, no new legislation, no court warrant. A single general order does the work.
The due-process problem
The legal objections raised by the telcos were not trivial. Pakistan's mobile operators argued, correctly, that their licence conditions oblige them to provide service to paying customers and that the FBR's lists were administrative determinations made without judicial oversight, individual notice, or a meaningful appeal mechanism. Tax non-filing is a civil dispute between a citizen and the revenue authority; it is not — in any rule-of-law tradition — grounds for severing access to the modern equivalent of a dial tone.
This matters because in 2026, mobile connectivity is no longer just a communication channel. It is the gateway to banking apps, government services, ride-hailing, two-factor authentication, healthcare appointments, and the entire informal-economy livelihood of hundreds of millions of South Asians. Blocking a SIM does not merely silence a phone — it can lock a person out of their salary, their hospital portal, and their ability to prove who they are. The proportionality calculus for that kind of penalty cannot reasonably be satisfied by an administrative list with no hearing.
A global pattern, not a Pakistani peculiarity
The temptation to dismiss this as a quirk of Pakistani governance should be resisted. The GSMA has documented that mandatory SIM-registration regimes now exist in more than 150 jurisdictions, the overwhelming majority of them justified at adoption on anti-terror or anti-fraud grounds. Once the database exists, the pressure to reuse it is structural:
- Nigeria tied SIMs to its National Identification Number (NIN) and, between 2021 and 2024, repeatedly disconnected tens of millions of subscribers in compliance sweeps that doubled as a coercive enrolment drive.
- India attempted to link Aadhaar biometric IDs to mobile numbers; the Supreme Court's 2018 Puttaswamy judgment ultimately struck down mandatory linkage on proportionality grounds — a rare judicial check.
- Kenya, Tanzania, and several Gulf states have at various points used SIM-registration data for purposes ranging from electoral roll cleansing to deportation of undocumented workers.
Pakistan's innovation is not the function creep itself — that was always going to happen — but the speed and breadth with which it has been normalised, and the fact that it is being defended in court as a routine exercise of inter-agency cooperation rather than a constitutional question.
What a proportionate regime would look like
None of this argues against the legitimate state interest in reducing anonymous criminal use of mobile networks, nor against improving tax compliance — both are reasonable goals. The pro-innovation case is for sharper instruments, not blunter ones:
- Purpose limitation in primary law. SIM-registration data should be statutorily ring-fenced to the narrow purposes that justified its collection, with cross-agency access requiring fresh legislative authorisation and individualised judicial review.
- Independent oversight. An empowered data protection authority — Pakistan still lacks a fully operational one despite the long-pending Personal Data Protection Bill — must be able to audit and block disproportionate uses.
- Proportionality in penalty. Tax enforcement has well-established tools: liens, bank-account freezes, travel restrictions, criminal prosecution with due process. Cutting connectivity should not sit on that menu at all, let alone above the others.
- Operator pushback as a feature. The telcos' initial resistance is the system working as it should. Licence conditions that require operators to challenge unlawful directions are a vital check; regulators should reinforce rather than override them.
The cautionary tale here is not that Pakistan is uniquely careless. It is that any country with a biometric SIM mandate is one administrative order away from this outcome. The architecture, once built, is too useful to leave unused. Policymakers across APAC, Africa, and Europe contemplating similar regimes — or expanding existing ones via digital-identity wallets — should study the FBR's order closely, and ask themselves which agency in their own bureaucracy will eventually pick up the same lever.