bolo bhi's comments on cybercrime bill 2015
This cybercrime bill was tabled before the National Assembly's Standing Committee on Information Technology on February 4, 2015. A sub-committee of this committee has been tasked to review and approve it, after which it will be tabled before Parliament before moving on to the Senate. In this note, we highlight some areas that still require attention before it is written into law.
Preliminary feedback on PECB 2015
Chapter 1: Offences and Punishment:
Sections 3 & 4: Illegal access to information system: These sections contain a description that
would make access to a system, or to part of a system, a punishable offence, thereby making
hacking an offence punishable with 6 months' imprisonment. However, they include nothing about
whistleblower protection: an individual may gain access to a system to report widespread
corruption or to gather evidence of such incidents. There should be exceptions to this clause.
Example: Edward Snowden, an employee of the United States National Security Agency's contractor
Booz Allen, used his access to the system to gather and make public information about the
widespread economic espionage and surveillance of ordinary citizens around the world. Snowden's
revelations exposed the insecurity of national systems around the world and pushed for better
protections. Another example is that of Kamran Faisal, a NAB employee, who was found dead in his
room. Faisal was investigating a high-level case; had he been able to securely gather and
release documents to the judiciary, he would have been able to assist the inquiry. Instead,
he died in suspicious circumstances, and all information that he may have had vanished with
him.
Section 6: This makes no mention of white hat hacking. How can we expect to secure
government systems, or keep improving them, without white hat hacking or the crowdsourcing of
security issues? Governments around the world recruit white hat hackers who expose security
lapses.
Definition: White hat describes a hacker (or, if you prefer, cracker) who identifies a security
weakness in a computer system or network but, instead of taking malicious advantage of it,
exposes the weakness in a way that will allow the system's owners to fix the breach before it
can be taken advantage of by others (such as black hat hackers).
Section 8: This prescribes a punishment of up to 7 years, but again there is no whistleblower
protection.
Chapter 2: Establishment of investigation agencies and prosecution, and procedural
powers for investigation
This should not be left to the discretion of the federal government, nor should an executive
body be arbitrarily set up and endowed with powers. Any body the government wishes to
establish should be established through an Act of Parliament, so that it has statutory backing and
so that its constituting Act narrowly defines its scope and functions, ensuring accountability and
preventing misuse and abuse of power. Furthermore, if any existing agency is being
endowed with additional functions, this too should be done through an amendment to its
existing Act and should pass through a parliamentary process. No powers should be
arbitrarily conferred, and a mechanism for recourse needs to exist.
Example: If the language and process are not defined, we will end up with an IMCEW-like
scenario, except with an authority endowed with investigation and prosecution powers.
1 Bolo Bhi
Chapter 3: International Cooperation
Currently, there is no indication as to which authorities will be in charge of what, how the data
will exchange hands, what kind of record will be maintained, and what safeguards there are.
Typically, international cooperation is governed by signed treaties, for example MLATs (Mutual
Legal Assistance Treaties). This is something the Ministry of IT is aware of too. These are signed
through the Foreign Office, and countries cooperate on the basis of corresponding laws.
Processes and safeguards are generally built into these treaties or are derived from existing
law.
Right now this section is too broad and vague. The exchange of data needs to be defined through
a process, especially when Pakistani citizens' data is being exchanged with other countries.
We do not have data protection laws, nor processes through which investigating agencies can
carry out their functions lawfully and while respecting rights. Adequate processes with
protections must therefore be built in.
Recommendations
Going forward, we must bear in mind not to take a light view of the excesses that can or may be
committed. Faisal Chouhan's case should be imprinted in memory. Falsely charged under
the then Pakistan Electronic Crimes Ordinance, he languished in jail for a crime he did not
commit. It turned out to be a mistake on the part of the investigating agencies, but one that no one
wanted to own up to. During this time, his wife miscarried. It was not until collective pressure
was applied and a hue and cry raised that Chouhan was released.
Therefore, nothing should be left open-ended. Duties and functions, and especially the powers
conferred on any authority or agency, should be specifically stated; a redress mechanism
should exist; and there should be judicial/parliamentary oversight, at least in the initial phase.
An implementation watch committee should be set up that monitors the application of this law
for at least a period of two years. This committee should also be responsible for the training of
investigating officers, magistrates, and judiciary to better understand and apply the law.
Moreover, there will need to be awareness-raising with citizens to inform them about the law.
For this, the government can and should join hands with experts from the industry and
members of civil society.