Why Pakistan’s cybercrime bill is ‘worst in the world’

Ray Walsh

Ray Walsh

December 10, 2015

Pakistan’s Prevention of Electronic Crimes Bill (PECB) is a complete human rights nightmare. It was recently described by Zahid Jamil (one of the nation’s top computer crime lawyers) as “by far the worst piece of cybercrime legislation in the world.” Jamil, who has helped several countries draft cybersecurity bills, says that it was ‘drafted for political gain,’ and no one could deny that it is a hugely invasive and frightening piece of legislation.

On the one hand, Pakistan was this year awarded the GSMA Spectrum for Mobile Broadband Award for 2015 – the most prestigious telecommunications award in the world – because of its dynamic embrace of next-generation mobile technologies. On the other hand, its progressive telecoms policy is perversely backed by a draconian, privacy-invading surveillance bill, which has become so commonplace on the contemporary-world-stage that you would be forgiven for contemplating conspiratorial thoughts about an oppressive emerging new world order.

The radically heavy-handed bill – definitely the worst of its kind – is receiving criticism from industry experts as well as human rights activists. A coalition of Pakistan’s top technology authorities, for example, have said that the bill (which was made without any oversight from legal proponents or technology specialists) would ‘adversely impact the IT industry…. and [the] constitutional rights and safeguards guaranteed to citizens.’

Human Rights Watch, the international NGO that conducts research and advocacy on human rights has been more severe in its criticisms, commenting that the bill is a ‘clear and present danger to human rights’. So what is it about the bill that is making everyone so concerned?

Firstly, the job of writing laws for crimes committed on new technologies is not easy, and if the proper experts are not involved it is easy for ordinary, lawful actions, to be swept up with the legislation’s untechnical and unspecific language. Subsequently, prosecution lawyers are able to target innocent computer users for things that should never have wasted a court’s time. In the US, it is for precisely this reason that the Computer Fraud and Abuse Act (CFAA) has on a few occasions led people to be prosecuted for violating a website’s terms of service – ridiculous.

Sections 3 and 4 of Pakistan’s PECB (latest text PDF) suffer from an extreme version of the CFAA problem. According to those sections, innocent computer users could find themselves imprisoned for 3 years for gaining ‘unauthorised access’ to an ‘information system’. The problem is that information is described in Section 2 (1) (r) as any “text, message, data, voice, sound, database, video, signals, software, computer programs, any form of intelligence […] and codes including object code and source code,.’  while an information system is described as any,

‘Electronic system for creating, generating, sending, receiving, storing, reproducing, displaying, recording or processing any information.’

Wafa Ben Hassine, from Electronic Frontier Foundation (EFF), rightly points out that ‘between these two broad definitions, an information system might be anything at all.’

Pakistan’s Digital Rights Foundation (DRF) has also pointed out that the language used in these sections could see ordinary internet users prosecuted for using Tor or VPNs to access blocked web pages. For that reason, DRF is worried (rightly so) that the PECB would make Pakistan the first nation to actually outlaw unblocking government censored content – radically totalitarian.

Zahid Jamil also sees other absolute problems with the wording of the legislation, which he says has been specifically designed to stop people from criticising the government. ‘Through this bill, they want to see how they can criminalise actions or words against them,’ he says.

EFF’s Hassine concurs with Jamil’s opinion commenting that,

‘Section 9 states that anyone who “prepares or disseminates information, through any information system or device” with the intent to “glorify an offence or the person accused or convicted of a crime and support terrorism or activities of proscribed organizations” and “advance religious, ethnic or sectarian hatred” shall be punished with imprisonment up to five years, a fine up to ten million rupees (around 95,000 USD) – or both. In a note below the provisions, glorification is defined as “any form of praise or celebration in a desirable manner.’

The problem is that terrorism can often be broadly described as a disagreement with the current administration’s viewpoint, meaning that anyone who ‘glorified’ any anti-government rhetoric could be imprisoned for five years. EFF points out that section 9 could even be used to target ‘lawyers discussing the merits of a case or the legality of charges against an accused client.’ Hardly good news for the rule of law, and its ordinary proceedings.

Section 10 is even worse, with its definitions on ‘cyber-terrorism’ penned to land dissenters in prison for a whopping 14 years. In this section, the PECB criminalises the actions of anyone who attempts to ‘coerce, intimidate, overawe or create a sense of fear, panic or insecurity in the Government or the public or a section of the public or community or sect or create a sense of fear or insecurity in society’. Pretty clear then, that Jamil’s concern about speaking out against Pakistan’s government is indeed a clear and present danger in the PECB.

Section 17 says that it is criminal to make ‘unauthorised interceptions’ of ‘electromagnetic emissions from an information system that are carrying data.’ Hilariously, that is so vague that simply scanning for a public WiFi service could be considered a crime, and using ham radios definitely fits the definition.

Internet Service Providers are forced to retain all user metadata for a year in section 29. Section 28 allows police enforcement agencies to firstly choose what data they require without any oversight whatsoever, and also to extend the period that it wants to retain any information indefinitely. This means that the ‘authorised officer’ in question is entirely in control of the process of data retention. EFF does point out that the bill tries to justify those powers, and attempts to make them seem unexceptional, but also reveals that it completely fails to do so,

‘The bill does suggest (but does not mandate) that the officer notify a court of the acquisition after the deed has been done. Even with notice, there is no provision made for the court to consider the merits of the officer’s actions, and no procedural safeguards or guidelines as to how and whether the officer could obtain the information.’

Section 32 makes it a legal requirement to hand over encryption keys to law enforcement. Failure to do so would, of course, see the target prosecuted – no specifics are mentioned, however, as to how law enforcement would prove that a target still had access to that decryption data.

Section 30 allows police officers to apply to enter any space and seize any equipment they deem necessary. Sadly, despite requiring a warrant, there is no particular language to ascertain what is a reasonable reason for that permission to be granted, meaning that courts could simply be granting access every time they are asked.

Section 34 gives the Pakistani government the ability to censor just about anything it wants, which when coupled with the earlier section outlawing any means of unblocking said content (via Tor or VPNs) becomes a huge concern for freedom of speech.

Lastly (but hugely concerning), section 38 (2) allows the government of Pakistan to forward to any ‘foreign government, 24×7 network, any foreign agency or any international agency or organization’ any information that it requires simply under the provision that it ‘might assist’ that foreign body. No oversight whatsoever is mentioned as to the protection of the private and sensitive data of Pakistan’s civilians – instead that data will just be handed over to the foreign organisation without a second thought.

The PECB’s abject failure to set out clear attainable rules, which comply with international human rights laws, make it clear why Jamil has called it the ‘worst piece of cybercrime legislation in the world’. EFF is urging anybody from Pakistan to contact their local representative to have them oppose the bill before it is too late. Sadly, with the bill so close to being enacted into law, it appears that the significant decisions have already been made and that the people of Pakistan had best prepare themselves for a massive breach of their human rights.


Exclusive Offer
Get NordVPN for only
Get NordVPN for only