Criticism and controversy immediately erupted when the details of the Prevention of Electronic Crimes Bill 2015 went public. Is this bill really as flawed as everyone makes out? And if it is, what direction should we be heading in?
There is nobody on this planet with a greater capacity for surveillance than the NSA, but they argue furiously that they aren’t doing anything nefarious. Snowden’s revelation took the form of terabyte upon terabyte of data relating to the surveillance capabilities and activities of the National Security Agency in both a foreign and domestic capacity. Many saw this as a scary affirmation of something that we’ve always known but were praying wasn’t true. Chats, emails, videos, social media activities, music, credit card activity, online browsing and transactions; you name it and the NSA has access to every iota of Internet traffic which goes in and out of the USA. Because of the uniqueness of the Internet, major companies such as Facebook and Google shuffle around their data between different servers which are located across the globe. By doing this all the emails sitting in our in boxes, irrespective of whether they are in Quetta or Islamabad, become the US governments property; yes really! To be honest, this doesn’t bother any of us too much as if you enjoy looking at pictures of pretty girls on your Spotify account or post more pictures of your dog on Facebook than is normal, the US government isn’t interested; but Pakistan’s government is. Well, we say government, but it’s actually the PTA; Pakistan Telecommunication Authority, the MoIT; Ministry of Information Technology and a handful of murky government departments and committees which currently have the power to decide what you can and can’t access over the Internet. They also possess the power to intercept every kind of online communication, be it a text to wish your crush a happy birthday or a photo of your parrot to a friend. Nothing will ever again be sacred, privileged or private……..
If everything you have read so far sounds like the most recent Dystopian thriller you had by the side of your bed then sorry but that’s exactly what it probably is. Thanks to the ever raging war against terrorism, our country has been forced to take some very radical measures, one of the major ones being NAP. The National Action Plan, aimed at countering extremism and terrorism. The PECB, Prevention of Electronic Crimes Bill 2015, plays a pivotal role in NAP and a recent report which the interior ministry prepared noted that the bill was actually one of the governments cornerstones in their plan to fight the every growing online activities of militants and terrorists. In a recent televised interview Anusha Rehman, the State Minister for Information Technology, was questioned about such terminology as spamming and cyber stalking. Rehman said that the Prevention of Electronic Crimes Bill 2015 drew on masses of existing material including the 2003 Australian Spam Act and the Budapest Convention. She insisted that the government had no intention of reinventing the wheel in terms of the legal terminology which is used within the PECB 2015. This is a cogent argument that actually makes sense. The other countries who have had way more experience dealing with online crime and associated safety mechanisms have, invariably, had much longer to evolve. An example of this is the Australian law that contains a whole host of exceptions to its anti-spamming rules that take almost as long to read as the actual text of the law. Within the Budapest Convention are a range of definitions which are internationally recognised including interception, illegal access, misuse of devices, data and system interference, computer related fraud and forgery and offences which related to copyright, intellectual property rights and child pornography. It defines the universal laws for such procedural issues as data preservation, seizure, disclosure of traffic, searches, data interception and real time collection.
However, such explanations and footnotes are missing from the current bill which the standing committee has cleared. According to Ali Raza Abidi from MQM, the committee seemed to be in a mighty hurry to get the bill sent to the house floor. According to insiders, this was due to the MoIT being under pressure to provide the government with some ammunition with which to pursue the NAP objectives within the online realm. However, whether their need to both pursue and then prosecute terrorists actually outweighs their needs to ensure that the fundamental rights of their citizens are safeguarded is the $64m question that almost every government in the world has lost sleep over at some time. Another thing that is troubling is the very real possibility that the government isn’t just drawing inspiration from the Internet governance models within liberal democracies. During the now infamous YouTube hearing in the Lahore High Court, a government counsel told the court that the Saudi Arabian and Chinese models were the ones they were looking to replicate in terms of censorship which would enable the government to sanction the return of the world famous video sharing site minus the blasphemous content. This flies in the face of every established principle of freedom of expression but lines up alongside those models where basic civil liberties have been sacrificed in the name of ‘national security’ or classed as being for ‘the greater good’.
The need for a framework of technical concepts within the boundaries of the law in order to govern online lifestyles ans which can be used to either prevent or punish wrongdoings online can’t be argued against by anyone with an iota of common sense. We are all too quick to forget that, despite the memories we have of the cyber crime ordinance which was introduced into our country during the Musharraf years, Pakistan currently has no laws that specifically deal with electronic or cyber crime. For that respect alone, the PECB 2015 needs to be passed, and sooner rather than later. You can, of course, contest the competency of the current law enforcement when it comes to dealing with the new and previously unseen threats which cyber crime brings to a very overcrowded table. This bill stipulates the power the federal government has in that they can establish or designate any law enforcement agency as their investigation agency for the purpose of investigating offences under the banner of the act. The smart money seems to be on the Federal Investigation Agency to take up its former role thus revitalising the cyber crime trail, the most popular alternative is the utilisation of their existing NR3C; National Response Centre for Cyber Crime to open up investigations into the criminal activities occurring within the electronic realm. There will, of course, be an element of sharing responsibility within the Pakistan intelligence community. Both the Fair Trial Act and the Protection of Pakistan Act describe the possible use of data capture and electronic surveillance as evidence in cases involving terrorism. There is also much speculation that one agency will be handed the responsibility of data analyses whilst real time monitoring could be another agency’s domain. Whoever gets these jobs, or job should the powers that be decide to combine the surveillance, the general consensus is that these law guardians will have to be way smarter than the cyber criminals they are in pursuit off as well as being bang up to date on the laws that they’re enforcing. In terms of questionable capability, the Digital Rights Foundation pulled no punches when she spoke of her fight against the government’s attempts at policing the Internet. She said that we have seen clear evidence in the past of the government using Finfisher in order to spy on users, and as they have both the capacity and the resources to employ and use such tools, but never offer accountability or transparency, these tools are potentially both invasive and dangerous. Ms Dad went onto say that there are no reassurances within this bill regarding controlling access to any information which had been acquired or preserved under S28 which covers the acquisition and expedited preservation of data which effectively provides power without control, thus meaning that this bill is a serious threat to every Pakistan citizens right to privacy. This is a criticism that was also raised by Edward Snowden against the NSA. The fact that a sole behemoth will be responsible for storing all the communications between private individuals, and that the employees of that company have access to these private communications is a pretty frightening thought.
Safeguards, or rather the lack of them
As expected, there are huge question marks hanging over this aspect of the bill. A key government figure who was involved with the bills preparation has said that, in relation to the anonymity condition, safety valves should be in place to ensure that the fundamental rights of citizens were upheld and their privacy be protected within the prevailing laws. He also voiced his scepticism about the ability of the FIA and other agencies to handle the crimes that came to light under PECB 2015 and stressed that officers and judges needed extensive training. The concerns are shared by Awais Khan Leghari, the former MNA and IT minister, who’s been insisting that special courts be created as he believes that the current judicial system simply can’t handle cases of cyber crime and any which are brought to court will cause havoc. He voiced these concerns during the National Assembly Standing Committee on IT’s deliberations. Another in agreement with this way of thinking is Sana Saleem from Bolo Bhi who said that none of the government installed systems are in any way sophisticated and there isn’t one of them which can both analyse data effectively or maintain its integrity while being used for mass surveillance due to the involvement of human bias’ and it doesn’t help either that there are no data protection laws in place. Another problem that keeps coming up is that of definition. An example of this is the definition within the bill of a service provider. We both know that this is the term used to describe a company which provides access to the Internet, but in the bill the net far exceeds the boundaries of this explanation. The NGO, Bytes For All in the infamous YouTube case, said that under the bills definition every restaurant, cafe or hotel is classed as a service provider which is going to become ever more problematic as they could be called upon to collect the data on who is using the Internet within their premises.
One thing is for certain, whilst the Prevention of Electronic Crimes Bill 2015 may not be perfect, and may have many problems that need ironing out, we need some kind of bill in place to protect the people of Pakistan and can only hope that common sense prevails in terms of the issues above before it becomes law.
Update as of August 11 , 2016
Quite a few disturbing things have come up as the Cyber Crime Bill Has become law as of this week (11 August, 2016).It has been pointed out that the following clauses/provisions (As mentioned by a news item in Dawn News) should have had the legislature put more thought in them:
‘Recruitment, funding and planning of terrorism’ is punishable with up to seven years in prison and/or a fine, or both. Section 10B criminalises the preparation or dissemination of information that invites or motivates funding, or recruits people “for terrorism or plans for terrorism”.
“ Parody or satire-based websites and social media accounts can be proceeded against under section 23 on ‘Spoofing’, which makes it an offence to run a website or send information with a “counterfeit source”. This is punishable with up to three years in prison, a fine of up to Rs500,000, or both”
“ Internet service providers (such as PTCL or Nayatel) are required to retain usage data for a minimum of one year. This includes the physical address (in case of fixed broadband connections) or the mobile number (for 3G/4G customers); the customer’s name and date and time of Internet usage”
“The law does not specify which law enforcement agency will enforce it, but that responsibility currently lies with the FIA’s National Response Centre for Cyber Crime (NR3C)”
“Authorised officers’ of the agency can require anyone to unlock any computer, mobile phone or other device that may be required for the purpose of investigating a crime or offence”
“Courts can order real-time collection or recording of information for a period of not more than seven days, unless an extension is granted by the court.”
“ Defamation, under sections 18 and 19 of this law, is treated as a criminal offence in the online realm and has harsher punishments than prescribed under the Defamation Ordinance 2002, treats it as a civil matter”