Dear all,
Today, PILDAT (www.pildat.org) arranged a seminar on PECO 2007, which was
attended by, among others, Ms. Marvi Memon, MNA, Mrs. Anusha Rehman, MNA,
some other Parliamentarians, Civil Society members, lawyers and FIA officers
(including DG FIA).
The Parliamentarians (mostly from opposition benches) were quite concerned
about this law, which is on the verge of approval by the National Assembly
despite the notes of dissent by members of the National Assembly Standing
Committee on IT & Telecom. The draft Act is being placed for the session of
the National Assembly sometime next week and there's little time left to
make final efforts.
Text of presentation delivered by Barrister Ejaz is enclosed.
It is the time for the industry to raise forcefully our voice so that we can
synthesize the Parliamentarians on sensitivity of this issue for present and
future generations of educated youth, IT, Software and Telecom Professionals
in the country. The target should be to involve media fully by arranging
press conferences, articles, letters to editor, talk shows, etc., so that
message gets across.
We'd be arranging a press conference and other events in Islamabad jointly
with PASHA, ISPAK and others. Other concerned professionals and citizens are
also requested to take this to various forums before it's too late.
Kind regards..Wahaj
Look before you leap!
And please look deep!
Prevention of Electronic Crimes Ordinance, 2007
Overview
Cyber Offences
Investigation and Prosecution of Offences
Some illustrations.
Cyber Offences
17 New Offences
Of which 14 are already covered under Pakistan Penal Code
Only minor amendments to PPC required
4 pages of definitions for about 20 offences
The Budapest Convention has only 4 definitions
Requires experienced legislative drafting
Loosely drafted offences
Casts a very wide net
See examples at the end
Cyber Offences
Serious potential of political, commercial or personal victimisation
Cyber terrorism
'... to act ... alarm ... frighten ... disrupt ... any segment of population, the Government
of entity associated with it'
An email by a citizen's rights group to hold a rally on a public street
can be 'cyber terrorism' since it can 'disrupt' or 'alarm' the users of that
street
Cognisable offence
Arrest without warrant
Exclusion of jurisdiction of other courts (Section 44)
Investigation and Prosecution of Offences
PECO ignores international conventions and best practices
E.g. Article 15 of Budapest Convention 2001 on Cyber Crime - Conditions and
Safeguards
'Ensure ... the powers and procedures ... are subject to:
safeguards provided for under its domestic law ... adequate protection of human
rights and liberties ... other applicable human rights instruments.'
Judicial or other independent supervision
Limitations on the scope and duration of such power and procedure
Consider the impact on third parties
Investigation and Prosecution of Offences
There is no requirement for mandatory grounds being given for obtaining a
search and seizure warrant
Impossible to verify or challenge the grounds
The law should provide for written grounds stating:
Information received being the basis for the application for the warrant
Scope of search - limiting it to relevant content or system
Method of search, leaving the larger operations intact
Investigation and Prosecution of Offences
IO can seek disclosure of:
any 'subscriber information' (Section 26(2))
You, me, any one.
No search warrant or other judicial permission required
If the IT company resists, its officers can be imprisoned for 1 yr
No right of privacy
All our communications can be spied upon
Other countries have sophisticated privacy regimes
E.g. Office of the Privacy Commissioner of Canada (MP reporting direct to
Parliament)
No legal recourse to prevent such spying
Investigation and Prosecution of Offences
CrPC has detailed procedural protections for investigation of crimes
FIR, police diaries, preservation of case property, accused and witness
statements, presentation of challan, right of bail, etc.
Over 100 years of case law preserving such protections
Courts are familiar, and preserve these protections
But Section 25 enables Federal Government to change these investigation
procedures.
WHY?
Why an accused of fraud, forgery, etc. under PPC has procedural protections
against abuse of investigatory powers but one accused of cyber crimes of the
same kind hasn't?
Investigation and Prosecution of Offences
CrPC applies to all offences under PPC
But ICT Tribunal can dispense with CrPC '... where it deems necessary.'
(Section 39)
Why an accused under PPC has trial-procedure protections under CrPC but a
cybercrime accused hasn't?
Will the accused have a right to go in the witness box?
Will the principles of bail under Section 497 and 498 apply to a cybercrime
accused?
Can the ICT dispense with the CrPC's requirements to record an accused's
statement, witness statements, preserve case property (computer data),
etc.?
Investigation and Prosecution of Offences
CrPC is a statute and requires Parliament's approval for amendments
But the Cyber Crime Cell's investigation procedure can be amended at will by
the Government
The ICT Tribunal can apply or disapply the CrPC at will
NO PARLIAMENTARY SCRUTINY OF INVESTIGATION, PROSECUTION AND TRIAL PROCEDURE
It is not sufficient to leave these to delegated legislation because these
are made by the Executive and are screened from Parliamentary scrutiny
OUR CIVIL LIBERTIES DEPEND ON THESE PROCEDURAL PROTECTIONS
Investigation and Prosecution of Offences
BUSINESS AND TRADE SECRETS ARE NOT PROTECTED
The search and seizure of computers, IT Systems and Data can take place
At any time and anywhere
On any number of IT systems, irrespective of whether they also carry the
data of non-related persons
Budapest Convention
Maintain the integrity of the seized data
Consider the impact on 3rd parties
Investigation and Prosecution of Offences
BUSINESS AND TRADE SECRETS ARE NOT PROTECTED
IO can seize commercial data
without assurance of confidential treatment
copies of seized data can be made without any chain of custody
no legal recourse to prevent unauthorised disclosure to competitors
Investigation and Prosecution of Offences
Valuable trade and business data can be lost
e.g. an ISP, a data warehouse, or a telephone company's system (or part
thereof) is seized for investigation of a suspected crime is given no rights
under PECO:
To retain a verified copy of the data / hard disk
For protection of its Intellectual Property
For security, confidentiality and integrity of its data
Also, no legal guarantees that:
the computers taken into custody will not later be implanted with
fabricated or false evidence
The computers will not be damaged
The data in the computers will not be lost or damaged
Potential Scenarios of Abuse (1)
Ahmed is a Professor in a University
His computer gets infected with a virus overnight which results in 'spam'
being generated from his computer
Under the present law, an IO can arrest him with warrant, seize his computer
and the University's main server
If the spam is received in the computers of a bank, or post office, or any
government's office:
Ahmed can be arrested without warrant
For a non-bailable offence
Any one of us can be in place of 'Ahmed'!
Potential Scenarios of Abuse (2)
Mr. Ali is a politician
His opponent asks a hacker to infect Ali's computer with a virus which
propagates itself to other computers
The virus results in emails being generated which incite the public to
attack a religious sect
Mr. Ali can be charged with "Cyber Terrorism"
Mr. Ali can be arrested without warrant
For a non-bailable offence
It can be years before Mr. Ali is released on bail
Potential Scenarios of Abuse (3)
Mr. Ali is a politician
His opponent lodges a false FIR that he received an email from Mr. Ali
asking the opponent to join in a public rally that will cause damage to
public property
(it is easy to fabricate such a false email)
Mr. Ali can be charged with "Cyber Terrorism"
Mr. Ali can be arrested without warrant
For a non-bailable offence
His computer and all information and data can be seized by FIA without
warrant
Later, at the police station, Mr. Ali's computer can be 'infected' by a
dishonest IO with various other 'cyber terroristic' emails!
There is no protection in the law currently against such 'fabricated'
electronic evidence
It can be years before Mr. Ali is released on bail
Potential Scenarios of Abuse (4)
Coso is a data operations company with multiple servers in a data center,
which also include the data servers of a bank
Coso's network is hacked, enabling access to the banks' data servers and
transferring millions of dollars to a fake account
In the morning, FIA can:
raid without warrant
Arrest the CEO, CTO and other officers
Seal and/or remove all data servers (grinding to a halt the operations of
other corporates who also have data servers at Coso)
ALL data, business information, confidential information, etc. will
become exposed to the IOs
There is no assurance under the law:
that the business information of other companies will not be compromised
The equipment and data in the data servers will not be damaged
Which company will want to do business in this environment?
Potential Scenarios of Abuse (4)
Najma is a poor IT student
She belongs to a non-influential family
She is given a 'source code piece' by a friend who had stolen it from
University's archives
Najma incorporates it in her software program for her thesis, and markets
her program
Najma can be charged with
...