The Asian Human Rights Commission (AHRC) has initiated a series of articles on the proposed Prevention of Electronic Crime Act, 2015; this is the third article in the series. The Bill has draconian provisions that seek to muzzle the freedom of expression and speech over the Internet to discourage dissent and stifle intellectual discourse. The Bill has been presented in Parliament for consideration after being passed by the Standing Committee on Information Technology and Telecommunication. This is the 3rd part of the series.
Section 24 of the Prevention of Electronic Crime Bill provides that other than the investigating officer of the special investigation agency (the Federal Investigation Agency (FIA) is not specified) no other officer will be allowed to investigate any crime deemed to be committed under this proposed law.
- No warrant, arrest, search, seizure or other power not provided for in the Act.-
(1) No person whether a police officer, investigation officer or otherwise, other than an investigating officer of the special investigation agency shall investigate an offence under this Act:
Provided that the Federal Government or the Provincial Government may, as the case may be, constitute joint investigation team comprising of the officers of special investigation agency and any other law enforcement agency including Police for investigation of events involving commission of offences under this Act and any other law for the time being in force.
(2) No person other than a prosecutor designated as such by the special investigating agency shall prosecute any offence under this Act
This Section, by virtue of the proviso, is creating multiple investigative authorities. The result can only be greater confusion with respect to jurisdiction, power, and authority over the matter. Moreover, if multiple agencies, like the intelligence, police, FIA, etc., are involved, given the current air of distrust amongst these agencies, it will be extremely difficult to collect irrefutable evidence and frame charges that will stand up in court. Also, the Section is silent on the duties of The Joint investigation Team (JIT) that may be formed by the government, providing no description of the qualification of its members. Since cyber crimes are specialized crime, the investigating team should have cyber forensic experts and other technical experts to handle such cases; police and FIA personnel are not well trained to handle cyber crime.
Next, Section 25 reads as follows:
- Expedited Preservation of data – (1) If an investigating officer is satisfied that-
(a) data stored in any information system or by means of an information system, is reasonably required for the purposes of a criminal investigation; and
(b) There is a risk or vulnerability that the data may be modified, lost, destroyed or rendered inaccessible,
the investigating officer may, by written notice given to a person in control of the information system, require the person to ensure that the data specified in the notice be preserved and the integrity thereof is maintained for a period not exceeding ninety days as specified in the notice.
(2) The period provided in sub-section (1) for preservation of data may be extended by the Magistrate if so deemed necessary upon receipt of an application from the investigating officer in this behalf.
Why is the power to require preservation left to the “satisfaction” or whims of the investigation officer? What are the parameters to justify his or her satisfaction? The initial draft of the Bill had suggested 7 days as the retention period. However the duration has been increased to 90 days. Moreover, the Section does not elicit how the officer will ascertain that data has been or risks being modified? People who are involved in cyber crime are often technical experts who know how to circumvent orders; on the other hand, law enforcement officials are generally not trained well on technical matters. It is unlikely the officer will be able be detect modification or destruction of data by seasoned cyber criminals.
Section 26 pertains specifically to ISP. It states:
- Retention of traffic data.—(1) A service provider shall, within its existing or required technical capability, retain its traffic data for a minimum period of ninety days or such period as the Authority may notify from time to time and provide that data to the special investigating agency or the investigating officer whenever so required.
(2) The service providers shall retain the traffic data under sub section (1) by fulfilling all the requirements of data retention and its originality as provided under sections 5 and 6 of the Electronic Transaction Ordinance, 2002 (LI of 2002).
(3) Any person who contravenes the provisions of this section shall be punished with imprisonment for a term which may extend to six months or with fine which may extend to or with both
The Section burdens the ISPs with the retention of traffic data for 90 days by the “Authority”, which, according to subsection c of Section 2, is the Pakistan Telecommunication Authority (PTA). The provision does not articulate whether any reason requiring the retention of data is to be provided along with the notification of retention or whether the investigating officer must satisfy the Authority that the specific traffic data is required in the investigation. Not elucidating the parameter on data retention might prove problematic for the ISP as the refusal to oblige by the notification for the said retention may result in six month imprisonment and fine. Not elucidating the parameter might prove problematic for the ISP as the refusal to oblige by the notification may result in six month imprisonment and fine. Interestingly, the limit of fine is not prescribed. Does this showcase the true intent of the PTA: to fleece non-compliant ISPs?
In Pakistan there are a number of cable operators that provide internet to small towns or localities. These ISPs hardly have the structure or capacity to store real time traffic data of their users. Even for a medium scale ISP it would amount to incurring great cost to retain large amounts of data. The cost would obviously be borne by the service provider, as there are no provisions requiring the government to cover the cost so incurred. The requirement of retention, as envisaged in subsection 2 of Section 26 of the PEC Bill, are also extensive and burdensome for small ISPs.
(To be continued)
About the Author: Javeria Younes is an advocate and legal researcher. Her research work titled “Custodial Torture its ramification and failure of institutions” has been published under the auspice of AHRC. She has also written a handbook on torture for the victims of torture to help them seek medical, psychiatric, and legal aid. She can be reached at javeria.younes@live.com
Related link:
