Pakistan Aims To Take Home 'Worst Cybercrime Legislation In The World' Trophy With Prevention Of Electronic Crimes Bill
from the pak-it-up/pak-it-in dept
Pakistan is pushing forward its version of CISPA/CISA, the PECB (Prevention of Electronic Crime Bill). Much like here in the US, legislators have put this together without the input of legal or technical experts and, to make matters worse, this one is being pushed under a regime already notorious for censorious actions and intrusive surveillance.
Everyone (except the bill’s supporters) finds the proposed (and rewritten… for the worse) bill to be terrible.
A coalition of Pakistan’s leading online rights groups and businesses warned the current version, written with no input from legal experts or technologists, would “adversely impact the IT industry…. and [the] constitutional rights and safeguards guaranteed to citizens”. Human Rights Watch went further, saying it constitutes “clear and present danger to human rights”. But it took one of Pakistan’s leading legal experts on computer crime jurisprudence, Zahid Jamil, to call the bill “by far the worst piece of cybercrime legislation in the world.”
Much like other “cybersecurity” bills, it’s ostensibly aimed at criminal activity but is being used to give the government (even more) censorship and surveillance powers. It also will create a whole new set of criminals by turning security research and hardware/software modding into punishable offenses. In other words, it’s the CFAA, but much, much worse.
One section forbids “changing, tampering with or altering a device identifier,” which makes altering a router’s MAC address a criminal act. Another broadly-worded section seemingly makes scanning for open WiFi signals illegal. (“unauthorised interception” of “electromagnetic emissions from an information system that are carrying data”)
But the worst aspects are those that enable the government to further censor and surveil its citizens.
Section 9 states that anyone who “prepares or disseminates information, through any information system or device” with the intent to “glorify an offence or the person accused or convicted of a crime and support terrorism or activities of proscribed organizations” and “advance religious, ethnic or sectarian hatred” shall be punished with imprisonment up to five years, a fine up to ten million rupees (around 95,000 USD) – or both.
Section 29 requires internet service providers (ISPs) to retain all “traffic data” for a minimum period of one year, or any period of time that the Pakistan Telecommunication Authority requests, and “provide that data to the investigation agency or the authorised officer whenever so required.” This means that all personal information and communications of individuals residing within the borders of Pakistan will be retained for at least one year, and may be shared with any investigation authority— including… foreign governments.
There’s a supposed warrant requirement in the bill, but it’s only mentioned once and never brought up again. And the small hurdle the government is required to leap wouldn’t tax an infant.
[T]he threshold for obtaining a warrant is dangerously low – an officer need only show that the data is “reasonably required for the purpose of a criminal investigation”. There is no defined legal standard to ascertain what is reasonable and what is unreasonable.
Also left unexplained during the warrant requirement’s brief appearance in the draft bill? Any explanation of what a data “seizure” entails, how long it lasts or if there are any restrictions placed on searches of seized data/devices.
When instructed to, ISPs must provide the government with “real-time” access to subscribers’ data. It’s “limited” to a period of seven days but this order can be renewed an indefinite number of times. The proposed bill also grants the government completely secrecy for these collections, allowing it to perform real-time surveillance of any Pakistan resident without ever having to inform them of this fact.
Finally, the bill grants the Pakistani government’s Telecommunications Authority the power to remove or block anything on the web, all without having to ask permission. No court orders are required and the agency can censor pretty much anything it wants to.
Content may be censored if “necessary in the interest of the glory of Islam or the integrity, security or defence of Pakistan or any part thereof, friendly relations with foreign states, public order, decency or morality, or in relation to contempt of court or commission of or incitement to an offence” in the bill itself.
And this doesn’t limit the Telecommunications Authority to blocking websites. It can also censor content flowing to phones, video game consoles or anything else that might connect to the internet, thanks to the bill’s expansive wording, which sweeps up everything from websites to texts to video to “databases.”
The EFF has provided a form for Pakistan citizens to use to protest this horrendous legislation. It’s worth a shot, but considering the government’s historical enthusiasm for expanded censorship and surveillance powers, it doesn’t seem as though it will be very receptive to the complaints of its citizens.