Electronic Crimes Bill 2015: Big brother (and his brothers) are watching you

ISLAMABAD (MEDIA REPORT)

The NSA has the greatest surveillance capabilities that we’ve ever seen in human history. What they will argue is that they don’t use this for nefarious purposes … That’s something like saying ‘I have a gun pointed at your head, but I’m not going to pull the trigger. Trust me’.

Edward Snowden says he didn’t trust them, and that’s why he did what he did: revealing literally terabytes of data about the National Security Agency’s surveillance activities and capabilities, both foreign and domestic.

For some, it was a frightening affirmation of something we’ve known all along, but hoped to God wasn’t true. E-mails, chats, social media activity, video, photo and music as well as online transactions and credit card activity and every other thing in between: the NSA has access to literally anything and everything that passes (in the form of internet traffic) in and out of the United States of America.

Because of the unique way the internet works, major internet companies such as Google and Facebook shuffle their data around between servers that are located all around the world. In doing so, all the emails in your email account, or mine, become the property of the US government.

This doesn’t bother us very much. If you look at cat photos and listen to Taylor Swift on your cousin’s Spotify account that you run via a $25/year web proxy and post too many pictures of your pet cactus on Facebook, the US government has no quarrel with you.

But the government of Pakistan does. Specifically, the Pakistan Telecommunication Authority (PTA), the Ministry of Information Technology (MoIT) and the handful of other shadowy government committees and departments that currently hold sway over what you can and cannot access on the internet.

Imagine that they have the power to intercept all forms of online communication, from your text to your grandmother to a photograph sent to a loved one. Nothing will be privileged. Nothing will be sacred. Nothing will be private.

If this account sounds too much like the last dystopian thriller you read, it probably is. Thanks to the raging war against terrorism, Pakistan has had to take some radical measures, the chief amongst which is the National Action Plan (NAP) to counter terrorism and extremism.

The Prevention of Electronic Crimes Bill (PECB) 2015 is a key pillar of NAP. A recent implementation report prepared by the interior ministry notes the bill as one of the cornerstones of the government’s plan to fight the spread of terrorists’ and militants’ activity online.

Not re-inventing the wheel

When asked about the terminology used to define terms such as ‘cyber-stalking’ and ‘spamming’ in a recent televised interview, State Minister for Information Technology Anusha Rehman said that the PECB 2015 drew on a lot of existing material, such as the Budapest Convention and the Australian Anti Spam Act of 2003. She was insistent that the government did not want to reinvent the wheel with regard to the legal terminology used in the PECB 2015.

It is a cogent argument, one that makes sense. Other countries have had far more experience in dealing with online crime and their safety mechanisms have had a longer time to evolve. The Australian law, for instance, contains a list of exceptions to the anti-spamming regulations that is nearly as long as the text of the law itself. The Budapest Convention offers internationally recognised definitions for concepts such as illegal access, interception, data and system interference, misuse of devices, computer-related forgery and fraud and offences related to child pornography, copyright and intellectual property rights. It also defines universal laws for procedural issues such as preservation of data, disclosure of traffic, search, seizure, real-time collection and interception of data.

However, these footnotes and explanations are missing from the bill as it has been cleared by the standing committee. According to MQM MNA Ali Raza Abidi, the committee seemed to be in a hurry to send the bill to the house floor. Insiders say that this is because the MoIT was under pressure to give the government some teeth with which to pursue NAP objectives in the online realm. But whether the need to pursue and prosecute terrorists outweighs the need to ensure that citizens’ fundamental rights are safeguarded, is a question that has troubled nearly every government, anywhere in the world, at one time or the other.

What is also troubling is the possibility that our government is not just drawing inspiration from internet governance models in liberal democracies. At a hearing of the YouTube case in the Lahore High Court, the government counsel submitted to the court that they were looking at the Chinese and Saudi Arabian model in the context of censorship that would enable the government to bring back the video sharing website, sans blasphemous content. This flies completely in the face of all established principles of freedom of expression, but does line up with models where civil liberties are sacrificed for the sake of ‘national security’ or the ‘greater good’.

Question of competence

The need for framing of abstract technical concepts into a legal framework that can govern life online and be used to prevent or punish misdemeanours arising from online activity cannot be argued with. We keep forgetting that despite having memories of the erstwhile cybercrime ordinance that was introduced during the Musharraf regime, our country currently has no law that deals specifically with electronic crime per se. In that respect alone, the PECB 2015 is a document that needs to pass.

One can contest, however, how competent our current law enforcement is at dealing with the new and unique threats that cybercrime brings to the table. The bill stipulates that the federal government “may establish or designate a law enforcement agency as the investigation agency for the purposes of investigation of offences under this act”. Most observers put their money on the Federal Investigation Agency to regain its former role and revitalise the cyber crime circle or utilise the existing National Response Centre for Cyber Crime (NR3C) to open investigations into criminal activity in the electronic realm.

Of course, there will be responsibility-sharing within the intelligence community. The Protection of Pakistan Act and the Fair Trial Act both describe the possibility of electronic surveillance and data capture for use as evidence in terrorism cases. There is speculation that the responsibility of data-analysis will be passed on to one agency, while real-time monitoring may be the domain of another. Whoever gets the job, the consensus across the board seems to be that these guardians of the law will have to be smarter than the criminals they are pursuing and well-versed in the law that they are enforcing.

Safeguards, or the lack thereof

There are, as expected, question marks over this. A key government functionary involved with the preparation of the bill said, on condition of anonymity, that there should be ‘safety valves’ to ensure that citizens’ fundamental rights were upheld and that their privacy was protected as enshrined under prevailing laws. He was also sceptical about the FIA and other agencies’ ability to handle crimes under the PECB 2015 and stressed the need for judges and officers to be extensively trained.

These concerns are also shared by former IT minister and MNA Awais Khan Leghari, who has been insisting on the formation of special courts. “The present judicial system cannot handle cybercrime cases and it will lead to havoc,” Mr Leghari said during the deliberations of the National Assembly Standing Committee on IT.

Then there is the question of capability. Nighat Dad of the Digital Rights Foundation has been fighting against government attempts to police the internet. She says, “In the past we have seen solid evidence that the government used Finfisher to spy on people. They have resources and capacity to use and employ but there is never any transparency and accountability in the purchase and use of such potentially dangerous and invasive tools.”

This is one of the criticisms that Edward Snowden raises against the NSA as well. The fact that a behemoth will be storing all communication between private individuals and that employees in that organisation will have access to private communication between individuals is a very scary thought.

Ms Dad complains: “There are no assurances within the bill about control of access to information that has been preserved or acquired under Section 28 (Expedited preservation and acquisition of data). By providing the power but not the control, the bill seriously threatens Pakistanis’ right to privacy across the country.”

Sana Saleem of Bolo Bhi agrees. “None of the systems installed by the government are sophisticated, and there’s no system that can effectively analyse the data and maintain its integrity as long as it is operated for mass surveillance, because human biases are involved. It also doesn’t help that there’s no data protection law in place.”

In addition, there are problems of definition. For example, the bill’s definition of ‘service provider’ – a term usually used to describe companies that provide internet access – casts a very wide net. Yasser Latif Hamdani, who was Bytes For All’s counsel in the YouTube case, says that under the new definition, “Every hotel, every restaurant or cafe is also a service provider. It is problematic because tomorrow these individuals may be called upon to collect data on the users using their platforms.”

Published in Dawn, Sunday Magazine, April 26th, 2015