The Global Ambitions of Pakistan's New Cyber-Crime Act
Despite near universal condemnation from Pakistan's tech experts; despite the efforts of a determined coalition of activists, and despite numerous attempts by alarmed politicians to patch its many flaws, Pakistan's Prevention of Electronic Crimes Bill (PECB) last week passed into law. Its passage ends an eighteen month long battle between Pakistan's government, who saw the bill as a flagship element of their anti-terrorism agenda, and the technologists and civil liberties groups who slammed the bill as an incoherent mix of anti-speech, anti-privacy and anti-Internet provisions.
But the PECB isn't just a tragedy for free expression and privacy within Pakistan. Its broad reach has wider consequences for Pakistan nationals abroad, and international criminal law as it applies to the
The new law creates broad crimes related to "cyber-terrorism" and its "glorification" online. It gives the authorities the opportunity to threaten, target and censor unpopular online speech in ways that go far beyond international standards or Pakistan's own free speech protections for offline media. Personal digital data will be collected and made available to the authorities without a warrant: the products of these data retention programs can then be handed to foreign powers without oversight.
PECB is generous to foreign intelligence agencies. It is far less tolerant of other foreigners, or of Pakistani nationals living abroad. Technologists and online speakers outside Pakistan should pay attention to the first clause of the new law:
- This Act may be called the Prevention of Electronic Crimes Act, 2016.
- It extends to the whole of Pakistan.
- It shall apply to every citizen of Pakistan wherever he may be and also to every other person for the time being in Pakistan.
- It shall also apply to any act committed outside Pakistan by any person if the act constitutes an offence under this Act and affects a person, property, information system or data location in Pakistan.
Poorly-written cyber-crime laws criminalize these everyday and innocent actions by technology users, and the PECB is no exception. It criminalizes the violation of terms of service in some cases, and ramps up the penalties for many actions that would be seen as harmless or positive acts in the non-digital world, including unauthorized copying and access. Security researchers and consumers frequently conduct "unauthorized" acts of access and copying for legitimate and lawful reasons. They do it to exercise of their right of fair use, to exposing wrongdoing in government, or to protect the safety and privacy of the public. Violating website terms of service may be a violation of your agreement with that site, but no nation should turn those violations into felonies.
The PECB asserts an international jurisdiction for these new crimes. It says that if you are a Pakistan national abroad (over 8.5 million people, or 4% of Pakistan's total population) you too can be prosecuted for violating its vague statutes. And if a Pakistan court determines that you have violated one of the prohibitions listed in the PECB in such a way that it affects any Pakistani national, you can find yourself prosecuted in the Pakistan courts, no matter where you live.
Pakistan isn't alone in making such broad claims of jurisdiction. Some countries claim the power to prosecute a narrow set of serious crimes committed against their citizens abroad under international law's "passive personality principle" (the U.S. does so in some of its anti-terrorism laws). Other countries claim jurisdiction over the actions of its own nationals abroad under the "active personality principle" (for instance, in cases of treason.)
But Pakistan's cyber-crime law asserts both principles simultaneously, and explicitly applies them to all cyber-crime, both major and minor, defined in PECB. That includes creating "a sense of insecurity in the [Pakistani] government" (Ch.2, 10), offering services to change a computer's MAC address (Ch.2, 16), or building tools that let you listen to licensed radio spectrum (Ch.2, 13 and 17).
The universal application of such arbitrary laws could have practical consequences for the thousands of overseas Pakistanis working in the IT and infosecurity industries, as well for those in the Pakistan diaspora who wish to publicly critique Pakistani policies. It also continues the global jurisdictional trainwreck that surrounds digital issues, where every country demands that its laws apply and must be enforced across a borderless Internet.
Applying what has been described as "the worst piece of cyber-crime legislation in the world" to the world is a bold ambition, and the current Pakistani government's reach may well have exceeded its grasp, both under international law and its own constitutional limits. The broad coalition who fought PECB in the legislature will now seek to challenge it in the courts.
But until they win, Pakistan has overlaid yet another layer of vague and incompatible crimes over the Internet, and its own far-flung citizenry.