October Issue 2007

With information technology spreading like wildfire, the advent of cyber crimes is hardly a surprise. Agencies the world over have been taking steps to fight these relatively new, yet fast-evolving offences by drafting pertinent legislation and signing conventions and treaties. In Pakistan, the Electronic Transactions Ordinance (ETO), 2002, was the first IT-relevant legislation created by national lawmakers. However, there has been no available legislation in the country that deals with burgeoning IT-related crimes. This year, though, the cabinet passed the Electronic Crimes Bill, 2007, with the hope of moving towards a more technology friendly society.

But the question is, does it?

“No,” says barrister Zahid Jamil, of Jamil and Jamil associates, who drafted the ETO as one of his pro bono involvements. “The entire legislation is defective.”

The Statement of Objects and Reasons, issued by the Federal Minister for Information Technology, Awais Ahmad Khan Leghari, outlines the need for a legislation that allows law enforcement agencies to “check electronic crimes ranging from damage to data and electronic systems, electronic fraud and forgery, unauthorized access to code and misuse of encryption, cyberstalking, spamming, spoofing, unauthorized interception and cyber terrorism.” However, with flawed drafting in the form of ill- and loosely defined terms, wrongly used IT-related terminology and technically incorrect legal language, conviction on the basis of the above crimes will be made very difficult and misuse will be rampant. In fact, the bill is not even in the right jurisdiction: the correct jurisdiction would be ‘cyber crimes,’ not ‘electronic crimes.’

In terms of definitions, most contain the words “includes but not limited to.” Such vagueness opens up the possibility of misuse and provides added ammunition in the hands of law enforcement agencies. Otherwise, some definitions, such as those for data damage, electronic forgery, electronic fraud, cyberterrorism and malicious code, are incorrectly defined. Whereas what is termed spoofing is actually phishing. In sub-section A of Section 13, cyberstalking is defined as the communication of any “obscene, vulgar, profane, lewd, lascivious, or indecent language, picture or image.” And in sub-section C, it adds that cyberstalking includes to “threaten any illegal or immoral act.” None of these terms are accurate. Cyberstalking is the repeated harassment of an individual through electronic means, particularly via messages sent over cyber space. Besides, terms such as lewd, obscene and immoral are not legal terms, and are highly subjective. Definitions such as those provided can only curb the dissemination of information and convict innocents while cyberstalkers go scot-free.

Further, the bill is so poorly thought out that innocent parties are likely to be wrongly caught in this new tangled web of laws. Section 18 states, “A corporate body shall be held liable for an offence under this Act if the offence is committed on its instructions or for its benefit.” The objectives outlined for the bill include “enhancing” the “confidence of bankers and their customers” with regard to “electronic transactions” and providing a “secure cyberspace” that will be “friendly and congenial” to the IT sector. But the above provision successfully puts an end to any such aims. “I am liable for any indiscretions of my employees,” says Jehan Ara, ex-president of Pakistan Software Houses Association (PASHA) and CEO of Enabling Technologies. “Therefore, I am not protected.” The bill’s general incompatibility with international standards may affect foreign investment in Pakistan.

The law also provides little protection for accused individuals. Faisal Chohan, the young CEO of Islamabad-based technology company Cogilent Solutions, found his equipment seized and himself in jail, after a raid on his office premises on December 5, 2006. The PTA had mistakenly traced Voice over Internet Protocol (VoIP) traffic to Cogilent’s Internet Provider (IP) address. VoIP is the use of phone tags on the internet and has been outlawed in Pakistan. The irony of the whole event was that the actual VoIP signals came from an IP address within the PTA itself.

While Chohan tried to exonerate himself by showing proof of Cogilent’s innocence, it was to no avail. Despite the apparent error, the case was prolonged over a month, during which Chohan suffered the loss of many clients while the company’s database remained seized. Once the case was revoked, there was no apology made or compensation given.

Does the bill ensure that there will be no more such cases? Unfortunately not. In fact, the bill perpetuates cases like his. “The warrant is not issued by an independent supervisory judiciary authority,” says Jamil, adding that there are no grounds specified under which the warrant can be obtained. Individual suspects or organisations can have their premises raided and, for the purpose of investigation, have their original data seized. There is no system by which data is copied, hence the suspect has no way to prove his innocence in case his data is subject to tampering after he is deprived of it. Also, in the case of a business, the business has to temporarily shut down until the data under investigation is recovered. There is no chain of custody, and no provision is made to preserve the integrity of the data involved. All in all, no effort to protect and uphold the basic civil rights of individuals and companies is made.

“The bill requires a structural overhaul,” says Jamil. “It is 80% non-compliant and cannot be fixed with surgical amendments.” While Jamil along with PASHA have been trying to create awareness about the defective bill, trying to approach the Ministry of Information Technology has been an impossible task. “I presented a 67-page report on the flaws in the bill,” says Jamil, adding that while some of his suggestions have been incorporated, it has been done in such a haphazard fashion that the end-product is “appalling.” During a consultative session, which incidentally was held after the bill was drafted, Jamil managed to obtain an interview with IT Minister Leghari who asked him to call him right after the session was over so they could discuss changes to the bill. However, to date, Minister Leghari has not responded to Jamil’s repeated phone calls.

“At this point the bill has been passed by the federal cabinet, but once it goes to the National Assembly we’ll lose control,” says Jamil. “Once the bill becomes an ordinance it is here to stay, like the Hudood Ordinance.”