Cyber Crime Law or Freedom to Block Internet Content?

Bolo Bhi, an independent Internet freedom and electronic privacy watchdog based in Pakistan, has published what they believe is an amended version of the Pakistan government’s new cybercrime act.

Superficially, the Prevention of Electronic Crimes Act, 2015 (PECA), is being devised to help fight electronic crime; however, it seems to be an ill-thought-out amalgam of sections copy-pasted from other documents and unclear terms, with one main aim: the ability to block Internet content unhindered by any laws about the rights of individuals.

Bolo Bhi says:

“Section 31 is our biggest concern. The government is adding this so they can justify their blocking and censoring powers – since the court has found they exercise these powers under no law.”

Let’s take a look at some of the main concerns about this proposed new act.

Broad and unclear language

When creating an important legal document such as PECA, it is essential that the language be clear and very specific in describing each aspect of its subject. The language used in PECA is, however, quite broad in various places, leaving a lot open to interpretation, which could lead to disputes over what the law means when someone is charged with a cybercrime.

For example, “content data” is defined as:

“(g) “content data” means any representation of facts, information or concepts in a form suitable for processing in an information system, including source code or a program suitable to cause an information system to perform a function;”

The important sub-sections detailing the definition of “content data” have been removed. One important aspect that must be re-inserted is:

“Provided further that the content data shall only include and be limited to content data related to identified subscribers or users who are the subject of an investigation or prosecution and with respect of whom any warrant under this Act has been issued:”

Without this description, the government will get a free hand to target anyone and everyone that they deem worthy of being spied upon.

“Service Providers” are defined as:

“(iv) any person who provides premises from where or facilities through which the public in general may access information systems and the internet such as cyber cafes.”

This definition is, again, too broad because it does not say how places that provide open WiFi access, for example restaurants and coffee shops, will be classified. Their primary business is NOT providing internet services; however, under the present modified definition, they will all be classified as “service providers” regardless of their primary business. Bolo Bhi points out that this leaves places like T2F, Kuch Khaas and The Nest defined as service providers, which could cause problems.

Section 8, which deals with cyber terrorism, is very vague about how it defines terrorism and the acts that constitute it, leaving it wide open to whatever interpretation lawyers and cybercriminals wish to read into it.

Undefined Terms

The draft of PECA uses many terms that have not been defined at all. For example, words like “injury”, “damage” and “crime” have been left open to interpretation. Section 12 details what constitutes “identity crime” as:

“Whoever obtains, sells, possesses or transmits another person’s identity information, without lawful justification shall be punished with imprisonment for a term which may extend to three months or with fine which may extend to fifty thousand rupees, or with both.”

The term “lawful justification” is unclear. Telcos, ISPs and other third parties often hold information that is necessary for their services. Will those also be prosecuted under this law?

These undefined terms need to be defined clearly and unambiguously to avoid misuse of the laws.

Unclear delegation of responsibilities and Removal of Safeguards

PECA uses a good deal of law enforcement jargon when detailing who will be responsible for seizing, holding and prosecuting criminals; however, these terms are all undefined or poorly defined, leaving the government free to interpret them as it pleases depending upon the person being charged.

A number of safeguards which were included in previous versions have been removed or amended to provide the government with a free hand in dealing with whoever they choose to define as a “cybercriminal”.

Unlimited Blocking of Internet Content

Section 31 states:

“31. Power to issue directions for removal or blocking of access of any intelligence through any information system:

  1. The Authority or any officer authorized by it in this behalf may direct any service provider, to remove any intelligence or block access to such intelligence, if it considers it necessary in the interest of the glory of Islam or the integrity, security or defence of Pakistan or any part thereof, friendly relations with foreign states, public order, decency or morality, or in relation to contempt of court, commission of or incitement to an offence.
  2. The Federal Government may prescribe rules for adoption of standards and procedure by the Authority to monitor and block access and entertain complaints under this section. Until such procedures and standards are prescribed, the Authority shall monitor and block intelligence in accordance with the directions issued by the Federal Government.”

As pointed out by Bolo Bhi,

“This needs to be taken out. It has been inserted for the simple reason to amass blocking powers to exert control over content on the Internet.”

In summary, it seems the new act is an attempt to cloak the government’s intention to achieve unhindered control over what content is available to the public and what is not.

Granted, the act does contain some much-needed steps that must be taken to curb criminals; however, the sections providing the government with unlimited freedom to control your access must be removed. And please don’t say “proxies FTW”; wake up and smell the coffee before it is too late.