The United States Justice Department recently sought judicial relief to extract data from an iPhone owned by a gunman involved in a December terrorist attack in California. But, the attorneys for Apple Inc., which is based in the same state, argued that such “methods for achieving its objectives are contrary to the rule of law, the democratic process and the rights of the American people.”
In our country, Section 29 of the Pakistan Cybercrime Bill 2015 (PCCB) mandates that service providers shall retain traffic data for at least a year. It affirms the Electronic Transaction Ordinance of 2002. Such retention would be for at least one year — obviously much longer than 90 days envisaged in an earlier provisional draft.
Nuances lead to uncertainty, which actually could mean service providers would need to retain their data indefinitely. Neither version offers the slightest affirmation of an individual’s right to privacy.
Moreover, in Pakistan, a tidal erosion of other rights is happening without regard to the will of the people. CheckMarx, based out of Tel Aviv, Israel, is a leading information security publication. It has featured Rafay Baloch, a young Pakistani, as one of the world’s Top 5 ethical hackers.
However, in his country, Baloch can be jailed because PCCB Section 3 states, “Whoever intentionally gains unauthorized access to any information system or data shall be punished with imprisonment for a term which may extend to three months or with a fine up to fifty thousand rupees, or with both.”
But, what constitutes access?
The definition to be found within Section 3 means “gaining control” — or [the] ability to use any part or the whole of an information system — whether or not there is an infringement upon any security measure.
A “glorification of offense and hate speech” provision within Section 9 is especially irksome. It now inexplicably criminalizes a person merely accused of a crime, reversing the principle that an individual should be presumed innocent until proven guilty.
And critiques of judgments, which have been quite commonplace, now can be criminalized, as can voices that highlight a miscarriage of justice. Somehow these loose lips can now be misconstrued as ‘glorifying’ an accused or convicted person.
And to advocate for an individual wrongly accused or convicted of a crime would not only be illegal but it would be punishable by five years in prison or ten million rupees — or both.
More evidence of the aforementioned tidal erosion can be found in Section 15’s “Unauthorized issuance of SIM cards” and Section 16’s “Tampering etc. of communication equipment.” Mostly duplications of the Pakistan Telecommunication Act 1996, they have made telecom operators criminally liable.
It was needless to add this section within PECB and to threaten the players who already have been required to implement the government’s SIM-verification policy to the tune of millions of dollars.
The PTA, under the Telecom Act, already has tremendous powers to penalize telecom operators for non-compliance with any license conditions. Giving the PTA, FIA, and other law-enforcement agencies more power to harass telecom operators is incomprehensible and discourages foreign and local investment.
Without overburdening you with existing double-speak, let’s attempt to delve deeper.
Section 18 of the Cybercrime bill takes on “Offenses against the dignity of a natural person.” This section is a poor copy of the Defamation Ordinance, 2002 and Defamation (Amendment) Act, 2004. It is already penalized under Sections 500 and 501 of the PPC.
Section 22 of the Cybercrime bill tackles “Spamming,” which can quickly be curtailed through the likes of filters in email inboxes, number blocking options in mobile phones, do-not-call lists, etc. Something that is mostly a source of irritation need not be criminalized.
This nuisance should be dealt with by policy guidelines and within a regulatory framework. Data-protection laws need to be introduced to create parameters so lists of numbers cannot be swiftly shared or misused in this manner.
In this era of call centers, online marketing, and SMS promotions, such “spamming” is used to harass small-business enterprises, who use these comparatively cheaper means of communication to their potential customers. And should the law be applied to deal with the Board of Intermediate and Secondary Education’s recent “selling” of the phone numbers of the students who have passed SSC and HSSC examinations for colleges and universities?
Section 34 of the Cybercrime bill deals with “Power to Manage intelligence and issue directions for removal or blocking of access to any data through any information system.” This clause gives the government/PTA unfettered powers to block access or remove speech not only on the Internet but transmitted through any device, of its determination. Not only does this infringe upon fundamental rights of citizens and curb media freedoms, but it has huge implications where privacy is concerned.
And Section 43 of the Cybercrime bill addresses “Prevention of electronic crimes.” It allows the government to issue new guidelines from time to time and makes the lack of corresponding compliance a punishable offense.
Such “guidelines,” which could be issued without technical expertise or knowledge, could place an unrealistic burden on service providers to act in a manner that may or may not be practical or possible. And, it negates the intermediary liability protection that is offered to service providers within Section 35.
An in-depth analysis of the cybercrime bill would require reams of paper that would fill a book. But as the bill is before the Upper House (Senate) for approval, experts in the IT and Telecom Sector seek the following amendments to ensure that its focus is on combating real crime and not tripping up an unassuming and overburdened public.
Strong opposition was voiced against Cybercrime bill
When the cybercrime bill was presented to the National Assembly Standing Committee, strong opposition was voiced by vital interests, including:
- Internet Service Providers Association of Pakistan (ISPAK).
- Pakistan Software Houses Association (P@SHA).
- Human Rights Commission of Pakistan (HRCP).
- The Pakistan Federal Union of Journalists (PFUJ).
- Reporters Without Borders (RWB).
- Bolo Bhi.
- Digital Rights Foundation (DRF).
- Bytes For All (B4A).
- Media Matters for Democracy (MMFD).
- Institute for Research, Advocacy & Development (IRAADA).
Together, they asked the committee to strike down the law or make desired changes, to help differentiate between legitimate business and criminal activities. Unfortunately, their deafening recommendations fell on deaf ears, and another duplicative law was inexplicably passed.
With the cybercrime bill now in the Senate for final approval, Wahaj us Siraj, Convener, Internet Service Providers Association of Pakistan (ISPAK); Farieha Aziz, Director, Bolo Bhi; Asif Luqman Qazi, Executive Director, Center for Discussions and Solutions (CDS); and Khawaja Saad Saleem, Vice President, ISPAK, recommended the following amendments to the Cybercrime bill.
The definition of critical infrastructure should include private businesses as well, not just government support.
The definition of service provider needs to be amended as it is extremely vague.
Within Section 10 of the Cybercrime bill: Cyber Terrorism, a clause references ‘whoever threatens to commit any offense.’ This section carries an incarceration term of 14 years. While the commission of an offense certainly should be punishable, almost anything can be construed as a threat.
This section also requires a proviso for ethical hacking/white-hat hackers, hobbyists who conduct activities to identify security breaches within systems. It also should protect teenagers from being implicated as cyber terrorists — and jailed for 14 years — for activities that might have occurred because of boredom. Yes, they may need to be reprimanded but nowhere near as harshly.
Clause  in Sections 18, 19 and 21 delegates too much power to the PTA, as the determination of the offense and the required action have been left to its discretion. It should be subject to a court process.
Section 21: Cyber Stalking; subsections (a) to (c) contain vague terms such as ‘obscene, vulgar, contemptuous, indecent and immoral.’ These sub-sections should be omitted. The language in subsection (d) needs to be tightened so it can be applied more broadly to public events (covered by the media or political parties).
Section 28: Expedited preservation and acquisition of data gives an “authorized officer” the unilateral and unchecked power to order the provision of data or the protection of data whenever the officer believes it is “reasonably required for a criminal investigation.” With the risk that data could become inaccessible, the authorized officer should be required to make a court aware of such requests.
Section 35: Service providers should not be required to keep indefinitely real-time collections and data recordings.
Section 38: Currently, bail is not an option for offenses as outlined in Sections 10 and 19. The latter most certainly should not be in this category and given a dismal track record of security agencies. Section 10 should be eliminated.
Section 42 addresses the right to an appeal. But an appeal should not be limited to only the final judgment of a court; the provision for a legal appeal before a high court certainly should exist.
Syed Ahmad, Spokesman, Pakistan Software Houses Association of Pakistan, while talking to MORE, highlighted some other significant shortcomings and proposed the following additions, which, if accepted, would go a long way toward making the bill more meaningful and somewhat palatable.
The definition of “unauthorized access” requires elaboration, especially when read together with Sections 3 & 4 on unauthorized access to system or data and copying or transmission. In what form authorization would be required is not made clear.
Consider this: If someone verbally “authorizes” another person to use their laptop — a common practice among peers and colleagues — then maintains that authorization was never given, where is the proof either way? Is punishment an intended consequence of a possible misunderstanding?
Section 11: Electronic Forgery, and Section 12: Electronic Fraud. Given the technical nature of these offenses, these articles should contain explanations — or have accompanying illustrations — that would assist a court needing to establish if a crime was committed.
There also should be an assessment process to determine the degree of damage so that the punishment when meted out is proportional to the offense.
Section 20: Malicious Code. A proviso/exception needs to be created for this clause. What may be deemed as ‘malicious codes’ or ‘viruses’ often are taught and written as part of academic disciplines.
Section 27: No warrant, search, seizure or other power should land indefinitely in the hands of an authorized officer. The officer should have to go to court and require a warrant for search, seizure and arrest and provide detailed reasoning, in writing, for why it is needed.
Section 33: Dealing with seized data. It has been left to the discretion of the federal government and its rule-making powers, but the procedure should clearly be stipulated here. Data is sensitive information and how it is seized, handled and preserved needs clear and stringent guidelines.
Section 37: International Cooperation. The Act gives the federal government unregulated, arbitrary powers to share information with international governments/agencies without any oversight.
In sub-section (3) of the Cybercrime bill, the Act attempts to require foreign governments to keep the information confidential, or to use it subject to some conditions.
International governments are neither bound by this Act nor by any such conditions that Pakistan’s government may subject the information to. Clearly, the law as constructed is technically unsound. At its worst, it is unfiltered, unfair and potentially cruel.
As it stands, the present law only will lead to the further destabilization of Pakistan’s already fragile IT industry. It also will further threaten the privacy and security of the common man. And it will alienate potential and existing international clients.
Left unchecked, the annihilation of the telecom and IT industries as we know them will be almost certainly assured. Let’s consult with renowned experts within various reputable Information Technology communities to help draft such laws (if deemed truly necessary) so that basic needs and realities are top of mind.
But the previous such practice was horrible, as the NA Standing Committee secretly modified the bill that was earlier prepared by the Pakistan Software Houses Association for IT and ITES (PASHA), the Internet Service Providers Association of Pakistan (ISPAK) and other stakeholders, making the whole bill non-transparent and non-consultative.
Without such fixes, which are highly unlikely, let’s go the whole mile. Having witnessed poorly constructed laws built one upon another for far too long, the only way to stem the pervasive erosion of our rights is to call for the immediate repeal or abolishment of this troubling black hole, er, law.
Will the Senate consider the industry before it is too late? The question remains unanswered!