‘Every citizen’s data vulnerable under cybercrime bill’
ISLAMABAD: As the Prevention of Electronic Crimes bill (PECB) is laid before the National Assembly on Monday, many of the bill’s failings will need to be addressed through separate legislation. One major gap is the lack of any data protection clauses in the bill – essential in a country that also lacks data protection legislation.
During one of the several meetings of the Senate Standing Committee on Information Technology – where the bill was discussed threadbare – industry stakeholders and lawmakers discussed the need for separate legislation on data protection.
Senator Farhatullah Babar, who was the most vocal of the lawmakers in those meetings, told Dawn: “We insisted that it was meaningless to pass a cybercrime bill without first enacting a data protection act. Around the world, comprehensive laws are put in place before enacting cybercrime legislation.”
He explained the government’s reasoning, saying: “They thought that predicating the cybercrime bill on a data protection law would delay the matter for years, and during this period our cyberspace would be open to misuse by militants and criminals of all hues.”
For them, it was enough to just add clauses pertaining to data protection to this bill, he said.
But the bill itself lacks safeguards for individuals’ data.
The version of the law amended by Senate kept the minimum period for data retention at one year, despite arguments from civil society that laws with similarly long retention periods had been struck down in various other countries.
The Senate also added a sub-clause that imposes punishment on those who violate section 29, which requires ISPs to retain traffic data. “Although we made some amendments – including stripping the investigation officer of immunity – to safeguard data, I remain apprehensive,” Mr Babar admitted.
“Many senators were not only supportive of this suggestion, but also insisted on enacting a data protection law first. However, the [government] was not receptive.”
He said lawmakers had asked for a proviso to be added to the relevant clause, which would make its applicability dependant on the enactment of a data protection act, and that provisions of the Fair Trial Act should be applicable until then.
“But the government however refused to accept this, insisting that the cumbersome and time-consuming procedures set out in the Fair Trial Act did not apply to cyberspace and would defeat the purpose of a legislation aimed at preventing cybercrime. This was one of the major sticking points.”
Civil society activists had also called for data protection mechanisms to precede the PECB.
Nighat Dad, executive director of the Digital Rights Foundation, said she believed every Internet user in Pakistan should be worried about the lack of data protection legislation.
But while she appreciated that senators could see the need for data protection laws, she said this wasn’t nearly enough. “There are no protections in place, but at the same time the authorities are going to conduct this massive data retention exercise for all Internet users.”
The data retention Ms Dad is talking about is mandated under section 29 of the PECB, which calls for retention of “data relating to a communication indicating its origin, destination, route, time, size, duration or type of service”, for the minimum period of one year, subject to change by the authority.
According to Wahajus Siraj, convenor of the Internet Service Providers Association of Pakistan (ISPAK), “Traffic data for ISPs means the tracking down of physical address in case of a fixed line service and mobile number in case of 3G/4G customers; the customer’s name, date and time of usage. ISPs don’t have a record of which websites any user is visiting, what searches he/she is making on the Internet and similar content. ISPs also don’t have any record of customer’s emails if he/she is using webmail servers such as Gmail, Yahoo, Hotmail etc.”
Mr Siraj added that the definition of traffic data under the PECB is “irrelevant” for Internet service providers, saying that while retaining the origin, destination, duration, route, time were all appropriate for telephonic communications, only time and duration were possibly relevant to ISPs.
“If we don’t have that data and have no means to collect that data, how can they force us to provide it?”
But Ms Dad said the retention of traffic data would entail that Internet users’ IP addresses are retained.
“By retaining the IP addresses of Internet users, they can know the exact location of an Internet user. One of the arguments they are using is that this is meant to locate criminals or terrorists. But why do they have to retain [data from] all Internet users in Pakistan – we are not all terrorists, nor are we all criminals,” she said.
This section has also been criticised by the United Nations special rapporteur on the promotion and protection of the right to freedom of opinion and expression. In a letter, dated July 8 and addressed to Tehmina Janjua, Pakistan’s permanent representative to the UN, David Kaye argued that section 29 “facilitates state surveillance that potentially undermines the exercise of the right to freedom of opinion and expression”.
He said that while third party data retention laws may be necessary for national security and public safety, “mass retention orders raise serious proportionality concerns”, and instead advocated targeted retention orders of specific individuals based of an investigation or proceeding.
Legal technicalities Of course, the PECB will not introduce the retention of traffic data, since this is something that is already in vogue. But it will legitimise the practice. According to IT industry stakeholders, as well as the IT ministry itself, ISPs are already required to retain their users’ traffic data.
Mr Siraj explained that this is carried out under the Pakistan Telecommunication Authority’s rules and regulations for licensees, which require licensees to maintain data for 90 days.
However, Ministry of IT Director (Legal) Nasir Ayyaz said PTA’s licensees are obliged to retain data under the licence’s terms and conditions for a period of one year.
But when asked to comment, a PTA representative told Dawn, “ISPs are Class Value Added (CVAS) data licensees and they use access network of Local Loop (LL), Long Distance & International (LDI) licensees and Cellular Mobile Operators (CMOs).Therefore, ISPs are not required to retain any data under their licence.”