After a long delay and repeated rounds of consultations, the much-awaited draft of a law to tackle cyber crime is there. The draft once approved will be called ‘Prevention of Electronic Crimes Act of Pakistan 2014’. Prepared by the Ministry of Information and Technology in consultation with a reputed law firm and different IT consultants and experts, this draft law will soon be presented in the Parliament for discussion and approval.
The purpose of this draft is simple, as described in the law’s statement of objectives and reasons. It states: “Currently, Pakistan has no comprehensive or even marginally adequate laws to deal with the growing threat of cyber crime. The centuries old criminal justice legal framework is inadequate and ill-equipped to address the sophisticated online threats of the 21st century cyber age.”
The legislation, the statement adds, provides new investigative powers hitherto unavailable such as search and seizure of digital forensic evidence using technological means, production orders for electronic evidence, electronic evidence preservation orders, partial disclosure of traffic data, real time collection of data under certain circumstances and other enabling powers which are necessary to effectively investigate cyber crime cases.
The draft law establishes specific computer crimes and procedural rules for the investigation, prosecution and trial of these offences. It criminalizes illegal access to and interference with programmes, data or information systems, cyber terrorism, electronic forgery and fraud, the making of devices for use in these types of offences, unauthorised interception of communication and other similar acts.
What concerns rights groups the most is that the draft proposes extraordinary powers for investigating officers/authorities who can have access to a person’s computer data, internet usage history, online communications carried over a period of time and private information. Besides, they want due oversight and curtailment in intelligence agencies’ powers to intrude into people’s privacy. They also find many definitions vague and call for their explanation.
In an apparent bid to pre-empt misuse, rights bodies — especially those working for people’s right to digital privacy and freedom of expression — are calling for the revision of draft before it is brought for discussion. They are also worried about framing of serious charges against semi-literate people who may commit a loosely defined cyber crime inadvertently.
The architects of this law are also aware of this issue and they have hinted towards it as well. The statement of objectives and reasons states, “The very technical and invasive nature of the new powers that are necessary to investigate and prosecute these crimes requires their exercise to be proportionate with the civil liberty protections afforded to citizens under the Constitution.”
Though they state they have incorporated safeguards especially against abuse of these new and invasive powers, there are those who believe a lot more has to be done to strike a balance.
Nighat Dad, Director Digital Rights Foundation, Pakistan, states a number of definitions in the draft law are unclear, notably the definition of ‘content data’. This is confusing as computer data and content data are separate concepts. In other instances, it fails to define important terms such as ‘information systems’ or ‘programme or data.’
Besides, the law criminalises unauthorised access to information systems, programmes or data. While the draft law is presumably aimed at criminalising ‘hacking’, it fails to provide a public interest defence when this type of conduct takes place for legitimate purposes, such as investigative journalism or research.
Nighat adds too many acts are listed as cyber-terrorism offence. Her point is that cyber-terrorism should be more clearly linked to the risk of harm or injury in the real world, and in particular harm against the welfare of individuals.
Article 19, an organisation based in UK and working on freedom of expression and access to information around the globe, has also taken notice and issued a statement in partnership with Digital Rights Foundation, Pakistan.
It has highlighted lack of procedural safeguards against surveillance activities carried out by intelligence agencies. Although efforts have been made to provide effective procedural safeguards against unchecked surveillance by law enforcement agencies (e.g. section 30), it believes the same is not true for intelligence services, which remain subject to the provisions of the Pakistan Telecommunications (Re-Organisation) Act 1996, it adds.
The International Covenant on Civil and Political Rights (ICCPR) states that extreme care must be taken in crafting and applying laws that purport to restrict expression to protect national security. Whether characterised as cyber crime laws, treason laws, official secrets laws or sedition laws, they must conform to the strict requirements of Article 19(3) of ICCPR.
On the other hand, the supporters of the draft state that the law has a provision of oversight which makes it people-friendly. For example, it says “no person shall be arrested or detained with respect to or in connection with any offence under this Act unless a warrant for arrest has been issued by the Court under this section.” Besides, the drat states that all offences under this Act shall be compoundable, non-cognizable and bailable except the offences under section 7 (cyber-terrorism).
There are further arguments that introduction of this legislation will not only help prevent Pakistan from becoming a safe haven for cyber criminals, but shall also contribute to the national security and provide an enabling and secure environment for investment in IT, E-commerce and E-payments.
Another major feature is special protection of women under Section 13 which prescribes punishments for transmission of any electronic communication that harms the reputation of a woman, threatens any sexual acts against a woman; superimposes a photograph of the face of a woman, any sexually explicit images etc.
While response from local rights organisation has started to come though slowly, the international rights orgnaisation are quick to respond.
Privacy International, a registered UK charity founded in 1990 which was the first to campaign at an international level on privacy issues, identifies certain loopholes in Pakistan’s draft law on cyber crime.
In a statement shared with TNS, it states: “In particular, we reiterate that the lack of procedural safeguards against surveillance activities carried out by intelligence agencies poses a serious threat to human rights, especially the right to privacy. We also emphasise the importance of establishing a competent independent oversight mechanism that has the ability to access all potentially relevant information about state actions.”
The organisation says information-sharing with foreign governments and entities should be regulated by specific laws and subject to independent oversight. Draft section 33, it says, would allow for cooperation between the federal government and foreign governments, foreign agencies and others. Specifically, draft subsection (2) would permit the federal government to forward information obtained from investigations under the Act to foreign agencies or international agencies. A prior request from the foreign entity would not be required to exercise this power.
It fears that requiring mandatory data retention by service providers threatens the users’ right to privacy. Draft section 31, it says, would require a service provider, which is defined in broad terms, to “within its technical capability, retain its traffic data minimum for a period of 90 days.”
All said, one can reach a conclusion that a law on cyber crime is need of the time but it should not come at the cost of people’s freedom of expression, their right to privacy and their ability to defend against false accusations.