Poorly constructed laws are being built atop other poorly constructed laws without awareness.
As it stands, the present law only will lead to the further destabilization of Pakistan’s already fragile IT industry. It also will further threaten the privacy and security of the common man. And it will alienate potential and existing international clients.
When the United States Justice Department sought judicial relief to extract data from an iPhone owned by a gunman involved in a December terrorist attack in California, attorneys for Apple Inc., which is based in the same state, argued that such “methods for achieving its objectives are contrary to the rule of law, the democratic process and the rights of the American people.”
In our country, Section 29 of the Pakistan Cyber Crime Bill 2015 (PCCB) mandates that service providers shall retain traffic data for at least a year. This affirms the Electronic Transaction Ordinance of 2002. Such retention would be for at least one year — obviously much longer than 90 days envisaged in an earlier provisional draft. Nuances lead to uncertainty, which actually could mean service providers would need to retain their data indefinitely.
Neither version offers the slightest affirmation of an individual’s right to privacy. And in Pakistan, a tidal erosion of other rights is happening without regard to will of the people.
CheckMarx, based out of Tel Aviv, Israel, is leading information security publication. It has featured Rafay Baloch, a young Pakistani as one of the world’s Top 5 ethical hackers. But in his own country, Baloch can be jailed because PCCB Section 3 states, “Whoever intentionally gains unauthorized access to any information system or data shall be punished with imprisonment for a term which may extend to three months or with fine up to fifty thousand rupees, or with both.”
But what constitutes access?
The definition to be found within Section 3 means “gaining control” — or [the] ability to use any part or whole of an information system — whether or not there is infringement upon any security measure.
A “glorification of an offense and hate speech” provision within Section 9 is especially irksome. It now inexplicably criminalizes a person merely accused of a crime, reversing the principle that an individual should be presumed innocent until proven guilty.
And critiques of judgments, which have been quite commonplace, now can be criminalized, as are adding voices that highlight a miscarriage of justice. Somehow these loose lips can now be misconstrued as ‘glorifying’ an accused or convicted person.
And to advocate for a person wrongly accused or convicted of a crime would not only be illegal but it would be punishable by five years in prison or ten million rupees — or both.
More evidence of the aforementioned tidal erosion can be found within Section 15’s “Unauthorized issuance of SIM cards” and Section 16’s “Tempering etc of communication equipment.” Mostly duplications of Pakistan Telecommunication Act 1996, they have made telecom operators criminally liable.
It was needless to add this section within PECB and to threaten the operators who already have been required to implement the government’s SIM-verification policy to the tune of millions of dollars.
PTA, under the Telecom Act, already has tremendous powers to penalize telecom operators for non-compliance of any license conditions. Giving the PTA, FIA and other law-enforcement agencies more power to harass telecom operators is incomprehensible and discourages foreign and local investment.
Without overburdening you with existing double-speak, let’s attempt to delve deeper.
Section 18 takes on “Offenses against the dignity of a natural person. This section actually is a poor copy of the Defamation Ordinance, 2002 and Defamation (Amendment) Act, 2004. This already is penalized under Section 500 and 501 of PPC.
Section 22 tackles “Spamming,” which can easily be curtailed through the likes of filters in email inboxes, number-blocking options in mobile phones, do-not-call lists etc. Something that is mostly as source of irritation need not be criminalized.
This nuisance should be dealt with by policy guidelines and within a regulatory framework. Data-protection laws need to be introduced to create parameters so lists of numbers cannot be swiftly shared or misused in this manner. In this era of call centers, online marketing and SMS promotions, such “spamming” is used to harass small-business enterprises, who use these comparatively cheaper means of communication to their potential customers. And should the law be applied to deal with the Board of Intermediate and Secondary Education recent “selling” the phone numbers of the students who have passed SSC and HSSC examinations for colleges and universities?
Section 34 deals with “Power to Manage intelligence and issue directions for removal of blocking of access of any intelligence through any information system.” This clause gives the government/PTA unfettered powers to block access or remove speech not only on the Internet but transmitted through any device, of its own determination. Not only does this infringe upon fundamental rights of citizens and curb media freedoms, but it has huge implications where privacy is concerned.
And Section 43 addresses “Prevention of electronic crimes.” This allows the government to issue new guidelines from time to time and makes lack of corresponding compliance a punishable offense. Such “guidelines,” which could be is- sued without technical expertise or knowledge, could place an unrealistic burden on service providers to act in a manner that may or may not be practical or possible. And, it negates the intermediary liability protection that is offered to service providers within Section 35.
An in-depth analysis of the Cyber Crime Bill would require reams of paper that would fill a book, but as the bill is before the Upper House (Senate) for approval, experts in the IT and Telecom Sector seek following amendments to ensure that its focus is on combating real crime and not tripping up an unassuming and overburdened public.
When this bill was presented before the National Assembly Standing Committee, strong opposition was voiced by reputable interests, including:
- Internet Service Providers Association of Pakistan (ISPAK).
- Pakistan Software Houses Association (P@SHA).
- Human Rights Commission of Pakistan (HRCP).
- Pakistan Federal Union of Journalists (PFUJ).
- Reporters Without Borders (RWB).
- Bolo Bhi.
- Digital Rights Foundation (DRF).
- Bytes For All (B4A).
- Media Matters for Democracy (MMFD).
- Institute for Research, Advocacy & Development (IRAADA).
Together, they asked the committee to strike down the law, or make desired changes, to help differentiate between legitimate business and criminal activities. Unfortunately, their deafening recommendations fell on deaf ears, and another duplicative law was inexplicably passed. Talking on the issue, now when the bill is already in the Senate for the final approval Wahaj us Siraj, Convener, Internet Service Providers Association of Pakistan (ISPAK), Farieha Aziz, Director, Bolo Bhi, Asif Luqman Qazi, Executive Director, Center for Discussions and Solutions (CDS) and Khawaja Saad Saleem, Vice President ISPAK recommended the following amendments in the bill.
- The definition of critical infrastructure should include private businesses as well, not just government infrastructure.
- The definition of service provider needs to be amended. as it is extremely vague.
- Within Section 10: Cyber Terrorism, a clause references ‘whoever threatens to commit any offense.’ This section carries an imprisonment term of 14 years. While the commission of an offense certainly should be punishable, almost anything can be construed as a threat. This section also requires a proviso for ethical hacking/white-hat hackers, hobbyists who conduct activities to identify security breaches within systems. It also should protect teenagers from being implicated as cyber terrorists — and jailed for 14 years — for activities that might have occurred because of boredom. Yes, they may need to be reprimanded but nowhere near as harshly.
- Clause [2] in Sections 18, 19 and 21 delegates too much power to the PTA through the determination of the offense and required action has been left to its discretion. This should be subject to a court process.
- Section 21: Cyber Stalking; sub-sections (a) to (c) within contain vague terms such as ‘obscene, vulgar, contemptuous, indecent and immoral. These sub-sections should be omitted. The language in subsection (d) needs to be tightened so it can be applied more broadly to public events (covered by the media or political parties).
- Section 28: Expedited preservation and acquisition of data gives an “authorized officer” the unilateral and unchecked power to order the provision of data or the preservation of data whenever the officer believes it is “reasonably required for the purposes of a criminal investigation.” With risk that data could become inaccessible, the authorized officer should be required to make a court aware of such requests.
- Section 35: Service providers should not be required to indefinitely keep real-time collections and data recordings.
- Section 38: Currently, bail is not an option for offenses as outlined in Sections 10 and 19. The latter most certainly should not be in this category and given a dismal track record of security agencies. Section10 should be eliminated.
- Section 42 addresses the right to an appeal. But an appeal should not be limited to only the final judgment of a court; the provision for a legitimate appeal before a high court certainly should exist.
Syed Ahmad, Spokesman, Pakistan Software Houses Association of Pakistan while talking to MORE highlighted some other important shortcomings and proposed that if accepted, following additions would go a long way toward making the bill more meaningful and somewhat palatable.
- The definition of “unauthorized access” requires elaboration, especially when read together with Sections 3 & 4 on unauthorized access to system or data and copying or transmission. In what form authorization would be required is not made clear. Consider this: If someone verbally “authorizes” another person to use their laptop — a common practice among peers and colleagues— then maintain that authorization never was given, where is the proof either way? Is punishment an intended consequence of a possible misunderstanding?
- Section 11: Electronic Forgery, and Section 12: Electronic Fraud. Given the technical nature of these offenses, these sections should contain explanations — or have accompanying illustrations — that would assist a court needing to establish if a crime was committed. There also should be an assessment process to determine the degree of damage so that the punishment when meted out is proportional to the offense.
- Section 20: Malicious Code. A proviso/exception needs to be created for this clause. What may be deemed as ‘malicious codes’ or ‘viruses’ often are taught and written as part of academic disciplines.
- Section 27: No warrant, search, seizure or other power should land indefinitely in the hands of authorized officer. The officer should have to go to court and require a warrant for search, seizure and arrest and provide detailed reasoning, in writing, for why it is required.
- Section 33: Dealing with seized data. This has been left to the discretion of the federal government and its rule-making powers, but the procedure should clearly be stipulated here. Data is sensitive information and how it is seized, handled and preserved needs clear and stringent guidelines.
- Section 37: International Cooperation. The Act gives the federal government unregulated, arbitrary powers to share information with international governments/agencies without any oversight. In sub-section (3) the Act attempts to limit international governments to keep the information confidential, or to use it subject to some conditions. International governments are neither bound by this Act nor by any such conditions that Pakistan’s government may subject the information to.
Clearly, the law as constructed is technically unsound. At its worst, it is unfiltered, unfair and potentially cruel.
As it stands, the present law only will lead to the further destabilization of Pakistan’s already fragile IT industry. It also will further threaten the privacy and security of the common man. And it will alienate potential and existing international clients.
Left unchecked, the annihilation of the telecom and IT industries as we know them will be almost certainly assured.
Let’s consult with renowned experts within various reputable Information Technology communities to help draft such laws (if deemed truly necessary) so that basic needs and realities are top of mind. But the previous such practice was horrible as NA Standing Committee secretly modified the bill that was earlier prepared by Pakistan Software Houses Association for IT and ITEs (PASHA), Internet Service Providers Association of Pakistan (ISPAK) and other stakeholders, making the whole bill non-transparent and non-consultative.
Without such fixes, which are highly unlikely, then let’s go the whole mile. Having witnessed poorly constructed laws built one upon one another for far too long, the only way to actually stem the pervasive erosion of our rights is to call for the immediate repeal or abolishment of this troubling black hole, er, law.
Will Senate consider the industry before it is too late? Question Remains …..