By Verda Munir
The Federal Investigation Agency (FIA) apprehends one Fahad Bari. He is accused of harassing women on Facebook. The raiding team finds objectionable content on his computer and confiscates it as evidence. News report of February 11, 2016, ARY News TV.
On August 17, 2015, two students, Muhammad Ali and Suhail, get arrested by the FIA for running a blackmail and extortion racket on social media. These two students allegedly ran a Facebook page called Edwardian Girls, using a pseudonym Gandageer Khan. They were posting ‘personal information, phone numbers and photographs’ of young women without their consent on this page. They would only remove this information for a fee. The blackmail and extortion scheme went on for four years before they were caught. News report of August 26, 2015, Voice of Journalists.
FIA arrests two men, Noor Azizuddin and Farhanul Arshad, in Karachi. They are on the Federal Bureau of Investigation’s (FBI) list of 10 most-wanted cybercriminals in the USA. Three additional young men are picked up at the same raid. All the men are moved to an undisclosed location. An FIR No 10/15, under sections on banking law, money laundering and electronic transactions ordinance, gets registered on behalf of the state against them.
They are accused of being involved in a conspiracy to commit wire fraud, gain unauthorized access to computers and steal identity information. The FBI is also offering a reward of $50,000 for any information leading to their arrest (as per the FBI website). They are further accused of their alleged involvement in an international telecommunications scheme to commit fraud against unsuspecting individuals, companies, and government entities. Between November 2008 and April 2012, the two men allegedly compromised computer systems and committed fraud amounting to over $50 million. This fraud involves members of a criminal organization that has links within Pakistan, Philippines, Saudi Arabia, Switzerland, Spain, Singapore, Italy, and Malaysia. Interestingly, in spite of being arrested in Malaysia by Interpol and questioned by the FBI there, Azizuddin gets released back in 2012 for lack of evidence. News report of February 15, 2015, The Express Tribune.
The Cybercrime Circle of the FIA arrests a chap masquerading as “Tiger Memon” on Facebook. He is accused of harassing a young woman. The accused’s real name turns out to be Furqan Hassan – a case gets registered against him under the section 25/2015. Apparently, he is “threatening her of dire consequences besides, sending her immoral and unethical messages.” FIA confiscates his cell phone and computer as evidence and starts further investigation. News report of September 2, 2014, Daily Pakistan.
The Cybercrime Circle of the FIA arrests a 30-year-old Pakistani citizen, Babar Zafar, for his alleged involvement in blackmailing a dual national of Pakistan and Britain, through the social networking website Facebook. Apparently, he had been blackmailing the complainant to marry him. He was also defaming her and threatening her further by posting private, explicit photographs (that he had taken of her at a prior holiday in Dubai) with her family and friends via a false account on Facebook. News report of June 8, 2014, The Express Tribune.
This is only the tip of the iceberg. There are many cybercrimes so minor that they do not even get reported. For example, the majority of folk in Pakistan are probably familiar with these two types of telephone scams – “Benazir Income Support Program ki taraf se,” “Tum Jo Koi bhi ho,” and “Saba.”
One Usman Ghani, a 15-year-old at the time, of Lahore, got a text from Benazir Income Support Program a few years ago, telling him he had won PKR one million. (Nowadays, it’s PKR 25,000 only). He was supposed to call a certain number, which he duly did. He was advised to deposit PKR 10,000 against a specific national identity card number (NICN) over the phone. He ignored these instructions but the scammers were persistent. They kept calling him, exhorting him to take action and collect his reward.
“Aap koi bhi ho” entreats the recipient of the text message to load some balance against a specific number. “Saba” is another one of those. The caller is apparently a ‘genuinely’ needy person who needs you to send emergency balance to their cell phone, as it’s a matter of life or death or some equally dire situation that is forcing them to make this request.
And then there are scams over the email. For example, one Sheharyar Rizwan writes a funny tale of woes for Dawn’s September 7, 2014 Sunday magazine edition titled Cybercrimes: Scam, Bam, Thank you Ma’am, involving a banking scam from Nigeria. “There’s one particular kind of email that lands in your inbox, addresses you by your full name, contains a long, emotional, catchy story and ends up offering you a hefty amount if you help the sender (who’s almost always in trouble) withdraw a few million dollars stuck somewhere. The sender will mention his name, address, phone number and maybe bank details also just to make it all sound legit. Only it is not,” he writes.
This is, by no means, the only type of email scam around. Nowadays, cybercriminals have become more sophisticated and have developed a new technique called ‘phishing.’ Email accounts are consistently targeted to steal your personal information, for example, banking information, account names, passwords and credit/debit card information. “Phishing attacks are typically associated with email,” states one North Carolina State University Communication to its students. “Most are implemented when you click on a link to malicious online content – often a web-form designed to trick you into thinking you are entering information into a trusted website such as Facebook, PayPal or an NC State site. These attacks will often perform reconnaissance (via a simple Google search) on a specific target (person) and then craft a sophisticated pretext to increase the likelihood of their success,” it concludes.
The list goes on.
There are matrimonial scams. For example, a hot matrimonial prospect on a matrimonial website, an American citizen, is stranded in Africa. He needs his potential bride (after she is hooked, of course) to rescue him with a wire transfer of sometimes as low as $200 cash and as high as she can comfortably manage to send to his bank account. The majority of such scams, for some strange reason, originate from Africa.
Then, there are lottery scams; fake university degree scams, for example, the famous ‘Axact’ case with its origin in Pakistan (there are also many one-room universities operating from Canada and the USA that are famous as degree mills, though you might not know of their reputation sitting in Pakistan); and online shopping scams. Many online retailers like the Target Stores or Walmart are regularly targeted by hackers and their customers’ credit card information stolen or compromised overseas. Pakistan is lucky as e-commerce has not really taken off in our country, so we are relatively safe.
This is not all. Your debit cards or credit cards can get compromised. Your money can get stolen from ATMs. For example, according to one news report, hackers broke into some Standard Chartered accounts held by Pakistanis early last year and stole a lot of cash. “Some Standard Chartered account holders in Pakistan have apparently discovered that their bank accounts are now empty thanks to the work of hackers who attacked the bank’s ATMs. The bank sent text messages or emails to the affected. However, others only discovered the breach when their debit cards were denied or when they attempted to take money out of an ATM. Standard Chartered officials confirmed the hack to ValueWalk and said they take such incidents ‘very seriously.’ Additionally, they said they’re continually monitoring and upgrading their ATMs for the safety of their clients and have taken measures ‘to further minimize skimming attempts’ on their ATMs.” News reported by Michelle Jones, on Feb 10, 2015, ValueWalk.com.
The HBL debit cards’ case is another case in point and a very recent example. News reported by MTRPK, March 7, 2016.
Your intellectual property, important information or data files on your computer or server can get copied, damaged or stolen, as in the famous “Sony Pictures” hack back in 2014. You can get denial of service notices from your favorite online vendors, your computer can be turned into a ‘bot’ without your knowledge, and your friends’ email addresses can be infected through your data breach.
If you have a Wi-Fi or an internet connection, and you own a smart phone, a smart TV or a desktop computer or a laptop or any other type of smart device with a possible connection to the internet – you are vulnerable. “Cybercrime continues to escalate in a hyper-connected business ecosystem – jumping to second most reported economic crime,” states PwC’s Global Economic Crime Survey 2016. “Notably, it was the only economic crime to have registered an increase in that category. Over a quarter of respondents told us they’d been affected by cybercrime. Ominously, another 18 percent said they didn’t know whether they had or not,” the report maintains.
“Today, all industries are at risk – including some which may have considered themselves unlikely targets in the past. According to PwC’s Global State of Information Security Survey 2016, the sector registering the most significant increase in cybercrime activity in 2015 was retail, while financial services – still one of the most attacked sectors – had leveled out, with very little growth in terms of number of attacks over the last three years,” continues the report.
Obviously this report was published before one of the world’s biggest banking heists took place this year. “A spreading scandal over the mysterious electronic theft of $81 million from Bangladesh’s official account at the Federal Reserve Bank of New York prompted the governor of that country’s central bank to resign, and three of his subordinates were fired,” reports Rick Gladstone for New York Times on March 15, 2016.
“They were the first political casualties since the theft came to light this month, when news reports from the Philippines said unidentified hackers using official electronic bank messaging technology had diverted the money in early February. Most or all of the stolen money, one of the biggest electronic heists in history, is thought to have been transferred to accounts in the Philippines,” it continues.
“The New York Fed said in a statement that the transfer of the money had been ‘fully authenticated’ by an international financial messaging system, known as Swift, suggesting that there may have been a security breach in Bangladesh. The Fed statement said its systems had not been compromised,” maintains the NY Times news report.
“The insidious nature of this threat is such that of the 56 percent who say they are not victims, many have likely been compromised without knowing it,” states the PwC’s Global Economic Crime Survey 2016. “A concerning trend we have observed, is that of, hackers managing to remain on organizations’ networks for extended periods of time without being detected,” it adds further.
“Attackers are also known to stage diversionary attacks to conceal more damaging activity,” the PwC report states. “Diversionary techniques include the use of distributed denial of service attacks as a means of distracting and creating a lot of noise while the real focus of the attack unfolds in a slow and undetected manner. Typically in such a scenario attackers would launch attacks against systems which provide no value to them – this is done simply to misdirect incident response teams whilst in the background attackers are accessing the actual information they were seeking,” claims the PwC cybercrimes report.
“Over half of our survey respondents (53 percent, up 10 percent over 2014) see an increased risk of cyber threats, perhaps, due to intensifying media coverage,” the PwC report continues. “But our survey suggests that companies are nonetheless inadequately prepared to face current cyber threats,” it affirms.
The real problem is that cyberspace has no geographic borders. A hacker sitting in the United Kingdom (UK) can, for example, hack into your smart device and eavesdrop on your private conversations without your knowledge. “Former US intelligence contractor Edward Snowden revealed…the UK government acquired vast amounts of communications data from inside Pakistan by secretly hacking into routers manufactured by the US company, Cisco. In an interview with BBC’s Panorama program, the whistle blower said British spies can hack into phones remotely with a simple text message and make audio recordings or take photographs without owners knowing. ‘They want to own your own phone instead of you,’ Snowden said, referring to Britain’s Government Communications Headquarters (GCHQ) agency,” states a news report by AFP, published on Oct 6, 2015, The Express Tribune.
“Only 37 percent of respondents – most of them in the heavily regulated financial services industry – have a fully operational incident response plan,” states PwC Global Economic Crimes Survey 2016. “Three in ten have no plan at all, and of these, nearly half don’t think they need one. Should a cyber-crisis arrive, only four in ten companies have personnel that are ‘fully trained’ to act as first respondents, of which the overwhelming majority (73 percent) are IT security staff,” claims the PwC cybercrimes report.
“There has been a rise in cybercrime,” agrees Superintendent Phil Ward, of Humberside Police, in charge of the force’s cybercrime unit in the UK. “But it is not an unexpected rise,” he asserts. “The rise is not necessarily an increase in offences, but (a case of) people being more educated and the public being more aware of cybercrime. I believe it’s just the tip of the iceberg with what offences are being committed. Most cybercrimes are traditional offenses that used to happen all the time, but are now done by using a computer to help them commit that crime. Bullying has always existed, harassment has always existed, but now people can use social media and other devices to assist in that type of offences,” says Superintendent Ward. He was talking to Hull Daily Mail. News reported by Lucy Leeson, March 15, 2016.
Pakistan fares no better when it comes to combating cybercrimes. “Cyber disputes are complex in nature due to the following reasons,” says Zibber Mohiuddin, in a paper presented on ‘Cyber Laws in Pakistan: a Situational Analysis and the Way Forward,’ back in 2006. He was the president and CEO of Ericsson Pakistan Private Limited at the time. “The world itself becomes a big courtroom when cybercrimes across geographic boundaries take place. Because of the global nature of the internet, the clarity as to which court would have the exclusive jurisdiction to try the case is missing. Thirdly, litigation and the legal systems in different countries are different and can be extremely expensive and threaten to wipe out millions of legal entities into oblivion. And there is considerable doubt relating to the efficacy of decisions given by the courts of one jurisdiction on a global level and the sanctions are questionable.”
Even though there are extensive laws present to deal with conventional crimes like blackmail, extortion, defamation, fraud and money laundering, Pakistan needs separate cyber legislation to deal with the complexities of cybercrimes. “Even though the bureau registered 150 cases during 2015, most of the accused got benefit of absence of comprehensive laws,” states The Nation’s news report, February 23, 2016.
“This also affects the conviction rate of FIA,” says a spokesperson for FIA. “At present, the FIA Cybercrime Circle is taking action under Electronic Transaction Ordinance (ETO) which was framed to deal with banking transactions only. Now when cybercrimes have expanded to the level of social networks like the Facebook and Twitter which have billions of users, the laws need to be amended,” claims The Nation’s news report.
According to FIA statistics, the National Response Center for Cybercrimes (NR3Cs) received some 2100 complaints during the year 2015 while 434 were pending from 2014 out of which 371 were converted into enquiries and 1604 were disposed of and 559 were still pending.
Similarly, the NR3Cs received 298 enquiries brought forward from 2014. Some 460 enquiries were registered and out of total 758 enquiries, 46 were converted into cases and 441 were disposed of, or closed, or transferred or merged and 271 remained pending.
Over 150 cases were brought forward while 128 were registered during 2015. Out of total 270 cases, 142 accused were presented in court (challaned), while five cases were disposed of and 123 are still pending.
The NR3Cs had 44 proclaimed offenders (POs) on its list while two were added during the year 2015, and out of total 46, only six accused were arrested and 40 POs are still at large. Nine court absconders were forwarded and they are yet to be arrested, shows the data provided by FIA. Published in The Nation on 23-Feb-2016.
Prevention of Electronic Crimes Bill, 2015
A major issue with cybercrime is its detection and prosecution, as it is faceless and borderless.
Unfortunately, Pakistan doesn’t have comprehensive cyber laws in place to prosecute cybercriminals – be they of domestic or international origins. There is one piece of legislation under consideration – ‘Prevention of Electronic Crimes Bill, 2015’ (PECB 2015), dated September 17, 2015. This is a revised draft of the bill which can be accessed on the Ministry of Information Technology (MoIT)’s website. The original draft dated April 22, 2015, is also available under the section ‘draft policies.’
Making sense of the bill is indeed hard for a layperson like me. Vague terms and expressions are used to describe crimes, for example, section 3 of the bill states, “Whoever intentionally gains unauthorized access to any information system or data shall be punished with imprisonment for a term which may extend to three months or with fine up to fifty thousand rupees or with both,” or this gem from section 4, “Whoever intentionally and without authorization copies or otherwise transmits or causes to be transmitted any data shall be punished with imprisonment for a term which may extend to six months, or with fine up to one hundred thousand rupees or with both.” These words could apply to practically anyone. Copying your friend’s homework and transmitting it online could practically become a criminal offense if you take the words at face value. Obviously, you won’t get prosecuted for stealing your friend’s homework but the fact remains the words are open to misinterpretation and abuse in the hands of the unscrupulous.
“There’s almost no change in the bill since it was shelved and was put on hold after severe criticism,” says Zubair Kasuri, for Flare magazine’s cover story, published on October 2015. “It was said that the bill will be represented after incorporating public input and proposals from the general public. Standing committee made following changes in the bill that was approved. The minor age is now 13 years instead of 10. ISPs exclude cafes and places which provide internet. Previously, internet cafes and even Wi-Fi hotspot providers were termed as ISPs and were bound to keep usage data and logs for one year before discarding them. Cyber stalking punishment is reduced to one year, previously it was for two years. The rest of the bill is the same. In the revised draft, another section is added for the persons involved in selling or dealing in illegal SIMs will get a penalty of two years imprisonment. Approved bill by standing committee proposes a maximum punishment of 14 years in prison and PKR 50 million fine cyber terrorism and as young as a 13 year old can be jailed for committing a cybercrime,” confirms Kasuri.
This bill consists of seven chapters and applies to “every citizen of Pakistan wherever he may be, and also to every other person for the time being in Pakistan.”
The main purpose of the bill is to introduce a policy framework and procedures for dealing with the growing cybercrimes within the country. The cyber bill is composed of many aspects of cybersecurity. Here is a microscopic view on the main issues discussed in the cyber bill. Currently the bill is pending approval from the Senate.
Chapter 1 covers the definitions of words being used in the bill and their legal boundaries. For example, it defines “access to data” as having control to read, use, copy, modify or delete any data held in or generated by any device or information system.
Chapter 2 defines the offenses and subsequent punishments. The offenses include unauthorized access to information system or data, unauthorized copying or transmission of data, glorification of an offence and hate speech, cyber terrorism, electronic forgery, electronic fraud, unauthorized issuance of SIM cards and cyber stalking etc. In order to punish the law-breaking individuals, the bill states to apply “Unless context provides otherwise, any other expression used in this Act or rules framed thereunder but not defined in the Act, shall have meanings assigned to the expression in the Pakistan Penal Code, 1860 (XLV of 1860), the Code of Criminal Procedure, 1898 (V of 1898) and the Qanoon-e-Shahadat Order, 1984 (X of 1984), as the case may be.”
Chapter 3 details the formation of investigation and prosecution teams and procedural powers. This portion of the bill talks about warrants, seizure of data for investigation, warrants to disclose the data, power to inspect, copy demand or even a person for interrogation of data or case. The service providers can also be interrogated if suspected of positive criminal activity.
Chapter 4 is about international cooperation under which the Federal Government shall be responsible for sending and answering requests for mutual assistance. The government may refuse to accede to any request made by a foreign government, agency or any international organization if the request concerns an offense which may prejudice its national interests.
Chapter 5 highlights the offence trials, their prosecution, declaration of fine, payment of compensation and in case of an expert opinion a partial adviser to court “amicus curiae” can be appointed. And in case of an appeal, it has to be made 30 days from the date of the case’s provision.
Chapter 6 explains necessary precautionary measures against cybercrimes. The authorities will be held responsible for issuance of guidelines in order to prevent offences under this act. An emergency response team is to be established to counter threats and attacks. The team might comprise experts from both the government and the private sector.
Lastly, the cyber bill caters to various uncategorized matters under Chapter 7. It states that the Federal government has the power to make rules which includes officer’s training, powers and authorities of investigation agency, Standard Operating Procedures (SOPs), joint investigation teams, teams working in real-time intelligence and so forth.
The usual garden-variety cybercrimes involve the following broad categories of online activities: theft (of data, money, documents, intellectual property, software piracy, copyright infringement, trademark violations, etc.), fraud, money laundering, sale of illegal or counterfeit items over the internet, pornography, gambling, email spoofing (sending e-mails that appear to originate from one source but actually have been sent from another source), forgery, propaganda, defamation, publishing and distributing defamatory materials, cyber stalking (victimizing someone online), unauthorized access to computer systems or networks, hacking, theft of information contained in electronic forms, stealing information on computer hard disks, removable storage media, etc., email bombing (sending a large number of emails, crashing email accounts or servers), data diddling (altering data), spread of malware, viruses, worms, Trojan attacks, web jacking (stealing control over websites), and so on and so forth.
This is, by no means, a definitive list of typical cybercrimes. However, our bill, PECB 2015, goes one step further and criminalizes totally innocent or nuisance-value online activity too. For example, spamming is a crime now: “Whoever with intent, transmits harmful, fraudulent, misleading, illegal or unsolicited information to any person without the express permission of the recipient, or causes any information system to show any such information commits the offence of spamming,” states section 22 of the bill. The only folk excluded from this clause are direct marketers; however, they need to offer an “unsubscribe” option with their marketing material. Spamming is a punishable offense: the offender can be fined for “an amount not exceeding PKR 50,000 and for every subsequent violation shall be punished with imprisonment for a term which may extend to three months or with fine up to one million rupees or with both.”
The bill infringes on our freedom of speech rights by giving Pakistan Telecommunication Authority (PTA) sweeping powers to censor the internet. “The Authority is empowered to manage information and issue directions for removal or blocking of access of any information through any information system. The Authority may direct any service provider to remove any information or block access to such information, if it considers it necessary in the interest of the glory of Islam or the integrity, security or defense of Pakistan or any part thereof, friendly relations with foreign states, public order, decency or morality, or in relation to contempt of court or commission of or incitement to an offence under this Act,” states section 34 of the PECB, 2015. It further states, “(2) The Authority may prescribe rules for adoption of standards and procedure to manage information, block access and entertain complaints. (3) Until such procedure and standards are prescribed, the Authority shall exercise its powers under this Act or any other law for the time being in force in accordance with the directions issued by the Federal Government not inconsistent with the provisions of this Act.” Hmmm.
Section 38 (2) is a personal favorite. “The Federal Government may, at its own, forward to a foreign Government, 24 x 7 network, any foreign agency or any international agency or organization any information obtained from its own investigations if it considers that the disclosure of such information might assist the other Government, agency or organization etc., as the case be in initiating or carrying out investigations or proceedings concerning any offence.”
“It’s hard to imagine how Pakistan could have sabotaged more of its digital future in the fourteen pages of the Prevention of Electronic Crimes Bill,” says Wafa Ben Hassine in her article titled ‘A Deeper Look Inside the PECB, Pakistan’s Terrible Cybercrime Bill,’ dated November 30, 2015. She is working with EFF’s international team to research counter-terrorism and cybercrime laws in select Arab countries (Tunisia, Jordan, Saudi Arabia, and Egypt) and their impact on various human rights online such as privacy and free expression. “The legislation is a grab-bag assortment of abusive provisions that violate the most basic of human rights. Through censorship, surveillance, and the stifling of free speech, the Prevention of Electronic Crimes Bill gives new meaning to the word draconian,” she adds further.
Nighat Dad and Adnan Chaudhry seem to concur. “The reality is the PECB contains such broad legal provisions that it would criminalize everyday acts of expression while undermining the right to privacy of Pakistani citizens,” say Dad and Chaudhry in their article, ‘The Sorry Tale of the PECB, Pakistan’s Terrible Electronic Crimes Bill,’ dated November 30, 2015. Nighat Dad is a Pakistani lawyer and Internet activist who founded the not-for-profit organization Digital Rights Foundation.
However, last year the State Minister for Information Technology Anusha Rehman while responding to the criticism had explained to the National Assembly Standing Committee on Information Technology that the picture was not ‘as gloomy as painted by the anti-bill lobby.’
“The bill protects the interests of foreign investors and offers local businesses a bail out option. It does not hold them responsible for objectionable content placed on the Internet by an individual. It does not criminalize an individual until intent is proven and the bill permits law enforcement agencies to confiscate data and equipment as evidence,” Rehman explained.
The debate on cybercrimes bill goes on and the right balance needs to be found before passing the PECB 2015 as a definitive law of the land for cybercrimes. One can hope that once fine-tuned in a comprehensive manner we will get an effective legislation which actually comes down hard on cybercriminals and respects privacy and civil liberties of individuals who use the Internet to improve their personal or professional lives.
Verda Munir graduated from Cardiff University with a Master’s degree in Information Security and Privacy.