In November 2016, I participated in a workshop organized at the University of Cardiff on the use of open source communications (OSC) in investigation of cybercrime.
Professor Martin Innes, director of the university’s Crime and Security Research Institute, shared his research analysing the working of Sentinel, a social media programme developed with funding from the European Union. The dataset informing the research was based on the incident of murder of a British Army solider in May 2013 and comprised 35 million data points collected by monitoring of various social media platforms following the murder till February, 2014.
From Pakistan’s perspective, the key observation made at the workshop was that the use of OSC in investigation of crimes in the country remains rudimentary at best. And this, the workshop was told, is not because of lack of technical expertise but due to inadequate legal framework.
The existing legal framework in the country primarily addresses the substantive side of the law, which is quintessentially conceptual and abstract. The gaps in procedural (and practical) side covering the working of investigative agencies often lead to bungled investigations, and in turn, to failed prosecutions.
Read more: Examining the Cybercrime Law
To fix this shortcoming, five areas needing revision were identified in the workshop. These were reporting of offences; identification of first responders; jurisdiction; registration of a criminal case; and digital evidence.
In reporting of offences, the most critical question from the point of view of a victim is regarding the appropriate forum. It may be noted that in Pakistan, prevention of crime, its detection, and maintenance of public order are provincial concerns. The areas in which the federation legislates and executes criminal laws usually are specific in nature and have extra-territorial jurisdiction and inter-provincial impact. Nonetheless, this distinction remains opaque. As a result, there is no singular criminal justice system in the country; in fact, the federal and provincial systems co-exist. The Prevention of Electronic Crimes Act of 2016 (the PECA) treats cybercrime as federal offences: the responsibility to register and investigate crimes, therefore, falls on the federal government. The PECA provides for extraterritorial jurisdiction and authorizes the federal government to establish or designate a law enforcement agency for investigation of cybercrime. The law also provides for an enabling provision for establishment of a joint investigation team (JIT) by the federal or provincial governments, as the case may be, containing an authorized officer. The restriction that only the authorized agency, and within it the authorized officer, can initiate investigation of cybercrime, narrows down avenues for victims seeking state help in dealing with cybercrime.
Against this backdrop, it is noteworthy that the country’s prevalent legal framework does not address the use of the OSC for investigation, prevention and detection of offences. The very concept of the OSC is not fully covered by the law. There is no exclusionary or inclusionary definition of the OSC in the law. As laid out in the Investigation for Fair Trial Act of 2013, the procedure to obtain warrants for surveillance and interception is highly centralized and cumbersome. Besides, cybercrime does not happen in isolation. For the sake of law enforcement, it may be beneficial to categorize it as cybercrime-exclusive and cybercrime-plus. The former may deal with crimes that take place in cyberspace only, and the latter to crimes where activities in both cyber and physical space are of concern. Accordingly, the former may fall in the domain of the federal government, whereas, the latter may concern provincial governments.
In view of these complexities, the process of reporting cybercrime and initiating legal processes becomes difficult. While the victims have their share of problems, the officers of law enforcement agencies also remain in a fix, finding it excessively difficult to use the OSC in a legal manner.
The problems with reporting mechanisms discussed so far lead to uncertainty and lack of clarity in identification of the first responder to deal with a cybercrime. The dual requirements of an authorized investigation agency and an authorized officer make it very difficult for any first responder to deal with ‘real-time’ issues related to OSC and the cybercrime. The first challenge, therefore, is to identify the most appropriate authorized agency amongst the various police forces in the country.
The next issue is regarding identification of jurisdiction. Just like physical space, all states try to exert ‘digital sovereignty’ when it comes to cyberspace as well.
Since the PECA links itself to the Code of Criminal Procedure of 1898 (the Code), the principles of territorial jurisdiction prescribed in the Code stand applied to offences identified in the PECA. Nonetheless, the principles of territorial jurisdiction do not easily reconcile with the contingencies offered by cybercrime and the working procedures of investigation agencies. As a result, victims frequently get confused and the accused may try to benefit through forum shopping in the sense that the latter, more often than not, is able to successfully challenge the jurisdiction of the investigation agency and courts concerned with the matter.
In Pakistan, the formal registration of a criminal case takes place through a document called the First Information Report (FIR). The courts usually give excessive legal weightage to FIRs. Extra efforts, therefore, are undertaken by complainants to carefully include necessary details in an FIR. Due to the exigencies of real time activity in cybercrime and the OSC, time at the disposal of a complainant may not always be sufficient to contemplate and array necessary details in an FIR such that it meets legal requirements. There have been claims made by successive police organizations that they can now register FIRs electronically, but these claims remain short of meeting legal requirements. Since there is no specific provision dealing with the matter in the PECA, the general law relating to the registration of a criminal case as contained in the Code becomes applicable. The provincial police forces and the Federal Investigation Agency (FIA) – the statutory federal police organization – sift reported matters for verification and inquiry processes before registering cases. A big percentage of reported matters do not convert into registered cases. The quantitative analysis of reports may be a moot point for further research for an informed policy choice in this regard.
Read more: The Debate on Cybercrimes Law
Collection of evidence by a police officer, according to Pakistan’s law, is the definition of ‘investigation’. The collection of evidence begins with identifying the crime scene, which is not easy to do in cybercrime cases as the cyberspace having international and all pervasive presence may be the spot of crime. Rules regarding securing, preserving, retrieving, collecting, packaging, storing, presenting and exhibiting of digital evidence have to be developed to ensure that the chain of custody and integrity of the evidence remains forensic; not much has been done to provide for detailed rules on these matters to ensure compliance and uniformity.
The issues highlighted at the workshop are by no means exhaustive. Other aspects in prosecution of cybercrime, especially with respect to offences involving children and women as victims, may also need examination. And besides improving the law on the procedural side, mandatory training courses on ethics, legality, and technical aspects of cybercrime should be considered for investigation officers all over the country. Efforts should also be made to expand the scope of forensic digital evidence beyond criminal matters, since technology is equally relevant in cases pertaining to family, civil, commercial, and business laws.
Kamran Adil has done his BCL from the University of Oxford. He is presently serving as Assistant Inspector General of Police, Legal Affairs Division in the Punjab Police.