A Critical Gaze At The Cyber Crime Bill 2016
The latest Cyber Crime Bill 2016, alternatively known as the Prevention of Electronic Crimes Bill, falls short of expectations, although it is a much welcome initiative by the Federal Government to combat the cybercrime which Pakistan has been facing of late. Because it does not take into consideration concerns regarding privacy and data protection, this piece of legislation seems like an incomplete approach to tackling the nuisance of cybercrime, and one that yields more power to the authorities.
Firstly, there are many definitions in the preamble of the Bill which require a revisit by the drafters of this legislation. The definitions are mostly vague and at times completely wrong in terms of their technical use. I am not going to engage in legalese, but I would like to see a few amendments to the Bill. As far as definitions are concerned, I would like to point out a few incomplete and vague definitions which, when interpreted, would seriously undermine the objective of the Bill.
For instance, “content data”, despite being defined as “any representation of fact, information for processing in an information system including source code or a program suitable to cause an information system to perform a function”, fails to account for object code. Also, there is no provision aimed at defining source or object code, or stating whether they might be protected under the Act when used in programming for commercial or personal purposes; the only provisions concern their intentional use for purely criminal purposes. Both source and object code are being vaguely interpreted as information for the purposes of code under Pakistan Telecommunication and Reorganization Act 1996.
The use of “persons” is ambiguous: it is not clearly delineated whether the definition encompasses both legal and natural persons. Additionally, “biometrics” has not been dealt with in the Bill, presumably being considered mere content or data, whereas in technological terms it is a record of a person’s physical characteristics and more, and is quite readily used for national identity cards, passports, mobile SIM authentication and so on.
Moreover, “critical infrastructure” is defined very broadly to include public order, which means offenses related to both public and private behavior. In my opinion, public order is included in critical infrastructure to make it a non-bailable offense in times of dissent and revolt against the continuation of the government. It might be misused for sentencing dissidents, and it by no means qualifies as “critical infrastructure.”
“Seize” is a term used for executing a warrant, in respect of a criminal offense, against the information system used for the said purposes. Redress must be provided for the owner of the suspected information system and the data it contains, by way of restitution of damages incurred, when no such offense can be proved even after a forensic investigation. For instance, an information system may be infected by a virus and/or malware and become a child system executing all code, sending and receiving information which cannot be attributed to the bots and which is very cumbersome to authenticate. In such a scenario, protection must be provided to the owner of the compromised information system.
Furthermore, hacking and cracking are not stipulated and are presumably meant to be comprehended as “unauthorized access”, which seems like a broad generalization of the term. As regards “glorification of an offense and hate speech”, section (b), which covers anyone advancing religious, ethnic and sectarian hatred, is a narrowly defined stipulation that does not include offenses against “minorities” in the clause. With reference to “cyber-terrorism”, the mention of “creating a sense of fear or insecurity to Government” needs to be sufficiently addressed. More so, individuals or institutions involved in whistle-blowing may feel stifled in their ability to inform the public about officials or institutions involved in commercial espionage, extortion, money laundering and other such offenses, which may result in quelling “free speech”, which is protected under the constitution.
Tampering etc. with communication equipment must be allowed for research and development purposes and mustn’t be the purview of state agencies only. “Blocking access” and “preventing transmission of such information” for the purposes of mere defamation is against the free flow of information, and I take issue with that. Blanket bans on websites that are not inflammatory or involved in propagating terrorist activities should not be allowed. Rather, a fair public discourse must be had before adding them to black and white lists. Also, appropriate technical measures can be taken, such as delisting from online search repositories and so on.
Clause 21 on cyber stalking is well-meant; however, the preamble fails to delineate proper definitions of an obscene, vulgar or immoral act, which seems to be left to the courts or the enforcing agency to ascertain. This might result in false negatives against both the perpetrator and the victim. Moreover, it isn’t clear whether moral values shall be defined according to Islamic principles or rather as an evolutionary social value.
The clause defining “spoofing” must be elaborated further, since the term encompasses more than the stipulation addresses. “Property”, defined in clause 24, entails both information and data. It is unclear who is the holder of the data: the data subject, or the law enforcement agencies in case of an offense committed but not yet convicted by the courts. Recourse must be had for innocent use of data by minors as well as majors, without prejudice to either, when, for instance, a malicious code is sent as an email to the receiving party without prior knowledge of its effects.
Neither the investigating agency nor the enforcement agency should be allowed to work with impunity; for purposes of trust, both must be obligated to transparency and audit standards like any legal person. “The power to manage online information” clause is arbitrary and narrowly construed, yielding unnecessary and disproportionate powers to the authorities. Although the inclusion of “friendly relations with foreign states” is drawn from the constitution, it is of consequence to the activist or blogger who may have divergent interests or conflicting opinions regarding state policies. Such opinions may be construed as an offense in ever-evolving political, social, economic and cultural scenarios and in light of fragile geopolitical relations with adversarial states, which seems to undermine the very core of democratic values.
Data retention by service providers for an “x” amount of days, weeks or months has not been delineated, which is in direct contravention of the privacy of persons and their data. Extradition of cyber criminals has also not been touched upon, and only a very vague attempt at “International Cooperation” has been specified. The issue of jurisdiction of data is also missing from the legislation. There is no mention of the Electronic Transactions Ordinance 2002. The antiquated “Qanoon-e-Shadat Order 1984” and Code of Criminal Procedure 1898 have been added for prosecution of offenses regarding cybercrimes and may not suffice given the dynamic nature of evolving technologies.
A critical gaze on the Cyber Crime Bill 2016 establishes that it needs a lot of improvement; thus consultations must be sought from the Information and Technology industry, and it must also be harmonized with the UN model laws of Cyber Crime. Also, without adequate safeguards regarding data protection, the exercise would be futile and may open floodgates of complaints without an adequate redress mechanism.