Preliminary feedback on PECB 2015

Chapter 1: Offences and Punishment

Sections 3 & 4: Illegal access to information system: These sections include a description that would make access to a system, or to part of a system, a punishable offence, thereby making hacking an offence punishable by 6 months. However, they include nothing about whistleblower protection: an individual may gain access to a system to report widespread corruption or to gather evidence in order to report such incidents. There should be exceptions to this clause.

Example: An employee of a contractor (Booz Allen) to the United States' National Security Agency used his access to the system to gather and make public information about widespread economic espionage and the surveillance of ordinary citizens around the world. Snowden's revelations exposed the insecurity of national systems around the world and pushed for better protections. Another example is that of Kamran Faisal, a NAB employee, who was found dead in his room. Faisal was investigating a high-level case; had he been able to securely gather and release documents to the judiciary, he would have been able to assist the inquiry. Instead he died in suspicious circumstances, and all the information he may have had vanished with him.

Section 6: This makes no mention of white hat hacking. How can we expect to secure government systems, or keep improving them, without white hat hacking or crowdsourcing of security issues? Governments around the world recruit white hat hackers who expose security lapses. Definition: White hat describes a hacker (or, if you prefer, cracker) who identifies a security weakness in a computer system or network but, instead of taking malicious advantage of it, exposes the weakness in a way that allows the system's owners to fix the breach before it can be taken advantage of by others (such as black hat hackers).

Section 8: This prescribes a punishment of up to 7 years, but there is no whistleblower protection.
Chapter 2: Establishment of investigation agencies and prosecution and procedural powers for investigation

This should not be left to the discretion of the federal government, nor should an executive body be arbitrarily set up and endowed with powers. Any body the government wishes to establish, it should establish through an Act of Parliament so that it has statutory backing, and its constituting Act should narrowly define its scope and functions to ensure accountability and prevent misuse and abuse of power. Furthermore, if any existing agency is being endowed with additional functions, this too should be done through an amendment to its existing Act and should pass through a parliamentary process. No powers should be arbitrarily conferred, and a mechanism for recourse needs to exist.

Example: If the language and process are not defined, we will end up with an IMCEW-like scenario, except with an authority endowed with investigation and prosecution powers.
Chapter 3: International Cooperation

Currently, there is no indication as to which authorities will be in charge of what, how the data will change hands, what kind of record will be maintained, and what safeguards there are. Typically, international cooperation is governed by signed treaties, for example MLATs (Mutual Legal Assistance Treaties). This is something the Ministry of IT is aware of too. These are signed through the Foreign Office, and countries cooperate on the basis of corresponding laws. Processes and safeguards are generally built into these treaties or are derived from existing law. Right now this section is too broad and vague. Exchange of data needs to be defined through a process – especially when Pakistani citizens' data is being exchanged with other countries. We do not have data protection laws, nor processes through which investigating agencies can lawfully, while respecting rights, carry out their functions. Adequate processes with protections must therefore be built in.

Recommendations

In going forward, we must bear in mind not to take a light view of excesses that can or may be committed. Faisal Chouhan's case should be imprinted in memory. Falsely charged under the then Pakistan Electronic Crimes Ordinance, he languished in jail for a crime he did not commit. It turned out to be a mistake on the part of the investigating agencies, but one that no one wanted to own up to. During this time, his wife miscarried. It was not until collective pressure was applied and a hue and cry raised that Chouhan was released. Therefore, nothing should be left open-ended: duties and functions, and especially the powers conferred on any authority or agency, should be specifically stated, a redress mechanism should exist, and there should be judicial/parliamentary oversight – at least in the initial phase. An implementation watch committee should be set up to monitor the application of this law for a period of at least two years.
This committee should also be responsible for the training of investigating officers, magistrates, and judiciary to better understand and apply the law. Moreover, there will need to be awareness-raising with citizens to inform them about the law. For this, the government can and should join hands with experts from the industry and members of civil society.