A Deeper Look Inside the PECB, Pakistan’s Terrible Cyber-Crime Bill
The Prevention of Electronic Crimes Bill (PECB) has received harsh criticism inside and outside of Pakistan since its radical re-drafting in April of this year. A coalition of Pakistan’s leading online rights groups and businesses warned the current version, written with no input from legal experts or technologists, would “adversely impact the IT industry…. and [the] constitutional rights and safeguards guaranteed to citizens”. Human Rights Watch went further, saying it constitutes “clear and present danger to human rights”. But it took one of Pakistan’s leading legal experts on computer crime jurisprudence, Zahid Jamil, to call the bill “by far the worst piece of cybercrime legislation in the world.”
A close look at the latest text, due to be presented for a vote in Pakistan’s National Assembly soon, demonstrates just why the bill has everyone so worried.
Originally introduced in January 2015, the PECB was ostensibly intended to combat common digital threats such as fraud, online stalking, and harassment. Instead, through a combination of poor drafting and politicized additions, it has ended up as a sweeping and arbitrary mess of law: criminalizing free expression and innocent technology uses, while handing a largely unsupervised set of censorship and surveillance powers to the Pakistani authorities. Here’s our rundown of the very worst of a terrible bill.
Turning Innocent Internet Users into Cyber-Criminals
Writing new law explicitly targeting crimes that are committed with new technology is notoriously challenging. A lack of technical knowledge tempts lawmakers to use vague language that sweeps up innocent or commonplace behaviour, and leads them to invent drastic new punishments for offences that are already covered by existing statutes. Zealous prosecutors then use these weaknesses to unfairly pursue the innocent, while courts impose unreasonable punishments for what would otherwise be minor offenses or perfectly harmless behaviour.
In the United States, for example, the vagueness and breadth of the Computer Fraud and Abuse Act (CFAA) has led to some prosecutors defining as crimes acts that are merely violations of a website’s terms of service. Some U.S. courts have rejected this interpretation, but prosecutions along these lines continue to waste police and court time and devastate innocent users’ lives—including that of Aaron Swartz, the prominent Internet writer, coder and activist, whose prosecution under the CFAA preceded his suicide. (EFF has joined lawmakers and other groups in advocating for Aaron’s Law, which would rein back these interpretations of the CFAA in the United States.)
Astoundingly, Pakistan has doubled down on the CFAA’s mistakes.
Sections 3 and 4 of the bill include CFAA-style language, stating that anyone who intentionally gains unauthorised access to any information system or data, or copies or otherwise transmits or causes to be transmitted any data, will be punished with three years' imprisonment or a heavy fine. The bill's definition of "unauthorised access" (2(1)(dd)) includes language that could easily be interpreted as covering violations of terms of service or conditions (it specifically includes access "in violation of the terms and conditions of the authorisation"). Other definitions are equally broad. An "information system" is defined earlier in the bill as "[any] electronic system for creating, generating, sending, receiving, storing, reproducing, displaying, recording or processing any information", and "information" is defined in Section 2 (1) (r) as including "text, message, data, voice, sound, database, video, signals, software, computer programs, any form of intelligence […] and codes including object code and source code."
Between these two broad definitions, an information system might be anything at all.
The bill includes no language to limit prosecutions to those who gain unauthorised access for malicious reasons, and no exemptions for those who might transmit “unauthorised” data in the public interest, such as whistle-blowers and journalists.
Regular Internet users could be caught up in Sections 3 and 4's definitions too. As Article 19 and Pakistan's Digital Rights Foundation have noted, these sections could be used to target and prosecute any Internet user accessing a government-censored Web page via a VPN or Tor.
Despite nearly thirty years of evidence of the damage of overly broad computer abuse law, the PECB authors have managed to extend its reach even further into innocent and positive endeavours. If PECB passes without reform, Pakistan can expect to see more unjust prosecutions and persecution of innocent citizens.
Software developers and hackers risk imprisonment
As with the CFAA, security researchers and technically-sophisticated Internet and mobile phone users are particularly at risk from the PECB.
Section 16 says that whoever changes, alters, tampers with or re-programs the unique device identifier of any communication equipment and starts using or marketing such a device for transmitting and receiving "information" can be jailed for up to three years, fined up to one million rupees (around 9,500 USD), or both. The provision is overly broad and targets those who use such tools for legitimate purposes. Changing the WiFi MAC address on your laptop to limit tracking should not be a crime. Under the PECB, it would be.
Section 17 prohibits any “unauthorised interception” of “electromagnetic emissions from an information system that are carrying data,” essentially criminalizing much of the practice of modern radio hams: not to mention transforming scanning for open wifi into a jailable offence. Section 20 creates a crime, punishable by two years in prison, of writing or distributing “malicious code.” While this section manages to contain a requirement of harmful intent, its unclear scope could lead to a chilling effect on legitimate security research by Pakistan nationals. Section 23 invents a new offence of “spoofing,” which involves “dishonestly establish[ing] a website or send[ing] any information with a counterfeit source.” There are almost no limits on this vague definition—but if you “spoof” in Pakistan, you could be facing three years in jail, or a fine of 500,000 rupees (4,750 USD).
Attacks on free expression
It's not just high-tech crime that PECB targets, however. Sections 9 and 10 together pose a serious threat to the free expression of everyone online. Section 9 states that anyone who "prepares or disseminates information, through any information system or device" with the intent to "glorify an offence or the person accused or convicted of a crime and support terrorism or activities of proscribed organizations" and "advance religious, ethnic or sectarian hatred" shall be punished with imprisonment up to five years, a fine up to ten million rupees (around 95,000 USD), or both. In a note below the provisions, glorification is defined as "any form of praise or celebration in a desirable manner." The former UN Special Rapporteur on Freedom of Expression Frank LaRue has previously noted that the term "glorification" fails to meet international human rights standards; the PECB's vague definition does nothing to lift the PECB over this bar. Section 9 could easily be used, for example, to target lawyers discussing the merits of a case or the legality of charges against an accused client.
The punishment for Section 9's glorification is severe (five years imprisonment, or 95,000 USD), but grows even more harsh in Section 10, where glorification is coupled with what the bill describes as "cyber-terrorism", the intent to "coerce, intimidate, overawe or create a sense of fear, panic or insecurity in the Government or the public or a section of the public or community or sect or create a sense of fear or insecurity in society" or "advance religious, ethnic or sectarian discord". "Cyber-terrorism" can lead to imprisonment for up to fourteen years, a fine up to fifty million rupees (around 474,000 USD), or both.
Data retention and worse
Many countries have fought laws and directives designed to force service providers to log the actions of their users; Pakistan's lawmakers have chosen to smuggle such a requirement in with a single clause. Section 29 requires internet service providers (ISPs) to retain all "traffic data" for a minimum period of one year, or any period of time that the Pakistan Telecommunication Authority requests, and "provide that data to the investigation agency or the authorised officer whenever so required." This means that all personal information and communications of individuals residing within the borders of Pakistan will be retained for at least one year, and may be shared with any investigation authority, including, as we will see, those of foreign governments.
But the PECB goes even further than requiring data retention. Section 28 states that if an “authorised officer” is satisfied that any data is “reasonably required” for the purposes of a criminal investigation and that there is a risk or vulnerability that the data may be “modified, lost, destroyed or rendered inaccessible,” then the officer may require the person in control of the data to hand it over or ensure that it be preserved for a period not exceeding ninety days. Sub-section (2) goes on to stipulate that the officer can request the court to extend the 90-day period without limit. The provision does not define what “reasonably required” might mean. No warrant or judicial authorisation is required with a Section 28 order: in effect, the authorised officer decides for him or herself what is reasonable, and what is required.
The bill does suggest (but does not mandate) that the officer notify a court of the acquisition after the deed has been done. Even with notice, there is no provision made for the court to consider the merits of the officer’s actions, and no procedural safeguards or guidelines as to how and whether the officer could obtain the information.
Section 32 (1) (g) also grants authorised officers the power to require any person in possession of decryption information of “an information system, device or data under investigation” to hand over decryption information necessary to decrypt any data required for the investigation. This means that regular users would be required to hand over their own decryption keys, or face prosecution. As with other requirements to decrypt data, it’s unclear how an individual can show that they do not possess the key or access to the unencrypted data.
Warrants with no protections
Section 30 allows an “authorised officer” to apply for a warrant with the court to “enter the specified place,” “search the premises and any information system, data, device or storage” and “access, seize or similarly secure” the data. There are several problems with this provision, which seemingly attempts to place a check on data acquisition. First, the warrant provision is not mentioned in the rest of the bill, rendering it an empty shell in procedural protection. Second, the threshold for obtaining a warrant is dangerously low – an officer need only show that the data is “reasonably required for the purpose of a criminal investigation”. There is no defined legal standard to ascertain what is reasonable and what is unreasonable. Third, and again with ambiguous language, there is no clear definition of “seize”; the law fails to outline any sort of mechanism or process for how the data is retained, copied, or taken possession of.
Censorship without oversight or limit
Section 34 grants the Pakistan Telecommunication Authority the power to “manage information” online and remove and/or block content on the web. The information subject to censorship includes text, messages, data, voice, sound, database, or video. Content may be censored if “necessary in the interest of the glory of Islam or the integrity, security or defence of Pakistan or any part thereof, friendly relations with foreign states, public order, decency or morality, or in relation to contempt of court or commission of or incitement to an offence” in the bill itself. Excessively sweeping, Section 34 enables the government to censor any content available through any electronic device (including video game consoles, phones, and anything that might connect to the Internet) that it considers unacceptable.
There is no requirement for the Pakistan Telecommunication Authority (PTA) to obtain court approval before ordering ISPs to censor content. Sub-section (3) peripherally mentions that the PTA has the power to consider complaints, but it does not outline any appeal mechanism for complaints that it rejects.
Section 36 authorises a court to order ISPs to "collect or record such information in real-time in coordination with the investigation agency" when "reasonably required" for the purpose of a criminal investigation. The live data collection can initially be authorised for a total of only seven days, but the period can be extended with court approval with no time limit. This means that an individual could be placed under indefinite, perpetual surveillance. The section does not provide any guidance as to what grounds the court should weigh when deciding on a time extension.
Sub-section (4) also states that a court may require the agency to “keep confidential” the existence of the investigation, or the execution of real-time data collection and any information relating to it. In short, the provision allows for an investigation agency to order ISPs to perpetually track individuals and requires them to deny that they are doing so.
Foreign governments can have access to everything
Finally, Section 38 (2) permits the Pakistani government to unilaterally forward to a “foreign government, 24x7 network, any foreign agency or any international agency or organization” any information that it obtains from its own investigations through this bill. The government need only consider that the disclosure of such information “might assist” the other entity.
There is, as Privacy International notes in their legal analysis, no oversight mechanism for this sharing of sensitive and personal data with foreign governments and spy agencies.
It’s hard to imagine how Pakistan could have sabotaged more of its digital future in the fourteen pages of the Prevention of Electronic Crimes Bill. The legislation is a grab-bag assortment of abusive provisions that violate the most basic of human rights. Through censorship, surveillance, and the stifling of free speech, the Prevention of Electronic Crimes Bill gives new meaning to the word draconian.
If you’re a Pakistani voter, tell your legislators to oppose PECB now. There’s not much time to prevent the “worst piece of cybercrime legislation in the world” from becoming law.