Nearly a year has passed since the Parliament of Pakistan promulgated a law to regulate electronic crimes.
The Prevention of Electronic Crimes Act of 2016 covered an array of offences related to cyberspace. In all, it listed 23 offences: unauthorized access to information system or data; unauthorized copying or transmission of data; interference with information system or data; unauthorized access to critical infrastructure information system or data; unauthorized copying or transmission of critical infrastructure data; interference with critical information system or data; glorification of an offence; hate speech; recruitment, funding and planning of terrorism; electronic forgery; electronic fraud; making, obtaining, or supplying a device for unauthorized use of identity information; unauthorized issuance of subscriber identity module (SIM) card, reusable identification module (R-IUM) or universal integrated circuit card (UICC) etc; tampering of communication equipment; unauthorized interception; offences against dignity of a natural person; offences against modesty of a natural person and minor; child pornography; malicious code; cyber stalking (criminal intimidation); spamming (transmission of harmful information for wrongful gain); and spoofing (dishonest display of website/information).
The law provides for two types of punishments: imprisonment and fine. The quantum of punishment is usually high, but there is no sentencing limitation to regulate judicial decision making at the time of conviction of an offender.
Read more: The Debate on Cybercrimes Law
By defining offence as an act committed by a person over the age of 14, the law excludes juvenile justice regime from its domain. Conversely, the Pakistan Penal Code – the master criminal law of Pakistan – defines ‘offence’ independent of the age consideration. The permissive and inclusionary language of the definitions of offences leaves them open to be misapplied irrespective of privacy and safeguards enshrined in the Constitution of Pakistan.
The architecture of the law is confounded insofar as the adjective provisions are concerned. For neat and conceptual presentation, the following areas may be examined:
No investigation agency was specified to investigate cybercrimes in the draft of the law. The federal government was given the mandate to ‘establish’ or ‘designate’ an agency for the purpose. The power was delegated to the executive in a manner that not only created opaqueness but also shields the investigation agency concerned from meaningful oversight by the Parliament.
The Federal Investigation Agency (FIA) was eventually designated as the investigative agency. It has expertise and specialization to deal with cybercrimes. Its National Response Center for Cyber Crimes (NR3C) is a dedicated facility to deal with cybercrimes.
Evidence and Forensics
The meat of any investigation is evidence. In Pakistan’s case, despite all the inefficiencies, distrust and difficulties, in every new legislation, the threshold for collection of evidence gets raised. The cybercrime law is no exception. On the one hand, it requires investigators to obtain warrants for search, seizure and disclosure of content data. On the other hand, it makes forensic reports generated by the investigation agency admissible evidence. In the same breadth, the law ordains that the federal government shall establish an independent forensic laboratory.
Though all provinces now have prosecution departments separate and independent from police departments, no such separation exists at the federal level. Federal agencies investigate and prosecute crimes, including cybercrime and do not seek an independent federal prosecution department.
The court system envisioned by the law is top heavy as it treats the sessions judge as the court of first instance. It gives a right of appeal in the High Court against the order of the sessions court. It also provides that the federal government shall arrange trainings for judges to acquaint them with the law.
Read more: The Role of Technology in Justice Delivery
Internet regulation and liability of service providers
Internet service providers have no criminal or civil liability under the law. The onus of proof regarding failure of service provider to comply with the law has been placed on the complainant. Ideally, the liability of service providers should be a subject of regulation in laws related to regulators that issue licenses to service providers (Pakistan Electronic Media Regulatory Authority, or Pakistan Telecommunication Authority).
Nonetheless, the cybercrime law is concerned with internet content. This is against its design and objectives. The PTA has been given authority to block undesired material on electronic media and internet. Such content management of media through a criminal law needs reconsideration.
The law authorizes the federal government to extend international cooperation to any foreign government or agency. This blanket power to extend cooperation without a well-defined role for the Ministry of Foreign Affairs may need further deliberation.
The federal government has been tasked with framing of rules to determine the manner of coordination between the investigation agency concerned and intelligence agencies. The rule, whenever framed, will be useful in adding transparency to the operations of the security apparatus of the country.
Computer Emergency Response Teams
There is no anticipatory preventive power under the law, however, it provides for computer emergency response teams comprising experts to deal with any cyber threat or attack.
Oversight by Parliament
The law also requires the investigation agency concerned to submit half-yearly reports to both houses of the Parliament. This report may become the source of consolidated and authentic flow of information to the Parliament to enable it to exercise effective and meaningful oversight.
The introduction of a dedicated cybercrimes law is a step in the right direction. The implementation of the law, however, remains a challenge as law making and budget making have yet to be correlated in Pakistan. This leaves us with frequent situations where priorities of the legislature and the executive do not converge to create synergy in governance and public policy.
Kamran Adil has done his BCL from the University of Oxford. He is presently serving as Assistant Inspector General of Police, Legal Affairs Division in the Punjab Police.