Blog Archives

Archives for May 2016

May 17, 2016 - Comments Off on Senators Commit to Stopping The Cyber Crime Bill

Senators Commit to Stopping The Cyber Crime Bill

L-R: Farieha Aziz (Bolo Bhi), Senator Farhatullah Barbar (PPP), Senator Afrasiab Khattak (ANP), Nighat Dad (Digital Rights Foundation)

L-R: Farieha Aziz (Bolo Bhi), Senator Farhatullah Babar (PPP), Senator Afrasiab Khattak (ANP), Nighat Dad (Digital Rights Foundation)

ISLAMABAD: Digital Rights Foundation and Bolo Bhi held a consultation today on the Prevention of Electronic Crimes Bill 2015, on the day that it was set to be discussed by the Pakistani Senate, in Islamabad.

Legislation that protects citizens from cybercrime and terrorism is needed more than ever, provided that a fair and progressive balance is struck between security and liberty. The Prevention of Electronic Crimes Bill does not meet that balance - rather than protect the rights of Pakistani citizens as its authors and supporters claim, its passage will in effect criminalise freedom of expression, and put the privacy of Pakistani citizens at risk.

The aim of the consultation was to provide Senators, parliamentarians, members of civil society organisations and the media with the context of the process behind the PECB, and to discuss the problematic provisions and amendments that have been suggested in the most recent versions. Senators and Members of the National Assembly gave their thoughts on the process, and expressed their concerns and opinions on how the Senate would treat the PECB when it would be debated in the Senate. Senators Farhatullah Babar (Khyber Pakhtunwa-PPP), Shahi Syed (KP-ANP), Chairman of the Senate Standing Committee on Information Technology and Information, and Rubina Khalid (KP-PPP), also a member of the Senate Standing Committee on IT, participated in the discussions on the PECB, as did other lawmakers.

Senator Farhatullah Babar reiterated that the PECB should be subject to a true public hearing, to allow for experts in IT and law to discuss and examine the Bill. Senator Babar also stressed that proper public oversight is necessary, as is a strong balance between security and civil liberties.

L-R: Senator Rubina Khalid (PPP), member of the Senate Standing Committee on IT; Senator Shahi Syed (ANP), Chairman of the Senate Standing Committee on IT

L-R: Senator Rubina Khalid (PPP), member of the Senate Standing Committee on IT; Senator Shahi Syed (ANP), Chairman of the Senate Standing Committee on IT

Senator Rubina Khalid expressed the concern that the language of the PECB as it currently exists would be used for not just political victimisation, but religious victimisation. Senator Khalid also recounted how the PML-N government had taken advantage of the National Assembly walkout by the PPP in order to push through the PECB. Senators Khalid and Babar also stressed that the PPP has a clear stance that they will not pass the Bill in its current form, and that the Bill was in such a state that it did not deserve to be amended, but to be rebuilt from the ground up, with proper input from multi-stakeholders.

Senator Shahi Syed said that the Senate would not pass the PECB in its current form, and that a public hearing on the Bill would be organised, to allow the public to take part in the process.

MNA Syed Ali Raza Abidi (MQM)

MNA Syed Ali Raza Abidi (MQM)

Raza Ali Abdi (MQM) echoed these sentiments, saying that all efforts to push for change in the National Assembly by MQM have been exhausted, and now the responsibility lies with the Senate to scrap the PECB and start over.

All lawmakers present at the consultation agreed that rather than one faulty bill like the PECB, separate coherent and thought-out bills are required that focus on cybersecurity, cybercrime and cyberterrorism independently. It was also agreed upon that the development and implementation of strong privacy protection mechanisms – to protect Pakistani citizens, their privacy and freedom of expression – was urgently required. Iqbal Khattak, a journalist and member of Reporters San Frontieres (Reporters With Borders) echoed this statement, criticising the current lack of legal protections of legal protections regarding personal data, if said data is handed over to the authorities for any reason.

Senator Farhatullah Barbar reading the latest legal analysis of the PECB, prepared by DRF, Privacy International and Article 19 DRF

Senator Farhatullah Babar reading the latest legal analysis of the PECB, prepared by DRF, Privacy International and Article 19 DRF

Saroop Ijaz of Human Rights Watch agreed, making the important point that to date the PECB has been framed in the context of security – when we look at the Bill, he said, its failings regarding privacy and human rights must be flagged and urgently discussed.

Participants agreed that while comprehensive and well-researched cybercrime legislation is required, the PECB is not that legislation, not as it currently exists. The Bill needs to be redrafted from scratch, subject to a public hearing, and then legislation that truly reflects the concerns and input of multiple civil society stakeholders can be crafted that protects the citizens of Pakistan, but not at the cost of their privacy and freedom of expression. Digital Rights Foundation hopes that the Senate fulfils the commitments that they had made today, to ensure that any future cyber crime legislation reflects these concerns, and will working with Senators to ensure that this is the case.

IMG_2191

May 15, 2016 - Comments Off on Stop The Bill! DRF + Bolo Bhi Consultation on the Prevention of Electronic Crimes Bill

Stop The Bill! DRF + Bolo Bhi Consultation on the Prevention of Electronic Crimes Bill

The PECB is now on its way to the Senate. Stop the Cyber Crime Bill!

With the onset of the digital age, legislation that protects citizens from cybercrime and terrorism is needed more than ever, provided that a fair and progressive balance is struck between security and liberty. The Prevention of Electronic Crimes Bill does not meet that balance - rather than protect the rights of Pakistani citizens as its authors and supporters claim, its passage will in effect criminalise freedom of expression, and put the privacy of Pakistani citizens at risk. The Bill has attracted criticism from Pakistani and international observers and rights organisations, including the UN Special Rapporteur on freedom of expression, and from members of the opposition in the Pakistani National Assembly. This has not stopped this flawed legislation from being passed by the NA Standing Committee on IT, however, on April 13, 2016, with more than 90% of MNAs not present. The fate of the PECB now rests with the Senate.

On Tuesday, May 17, 2016, Digital Rights Foundation and Bolo Bhi will hold a consultation with the Senate of Pakistan, on the Prevention of Electronic Crimes Bill, to tackle the bill and stop it from being law. Join us!

 

May 10, 2016 - Comments Off on Pakistan: A top malware destination?

Pakistan: A top malware destination?

% of Malware Infections Worldwide in 4Q2015. Courtesy of Microsoft.

% of Malware Infections Worldwide in 4Q2015. Courtesy of Microsoft.

Microsoft released its annual Security Intelligence report in the first week of May, covering the last half of 2015, from June to December. This report, now in its 20th volume, examines and breaks down what the Seattle-based tech company calls the “threat landscape of exploits, vulnerabilities, and malware using data from internet services and over 600 million computers worldwide”. According to the company, Microsoft looks as upwards of at least “10 million attacks” a day – nearly half of which originate in Asia.

To gauge which countries are the biggest targets for malware, Microsoft gathers the data from global computer systems that run its security software in real-time, reporting all incidents of malware attacks, regardless of success penetration or not – this metric is referred to Microsoft as the "encounter rate". Another metric used is the "Computers Cleaned per mile" or CCM, which is defined as the number of “computers cleaned for every 1,000 unique computers executing the Malicious Removal Tool (MRST)”, a free tool Microsoft uses to clean or remove over “200 highly prevalent or serious threats from computers.

Infection & CCM Graphs, indicating malware attacks in 4Q2015, regardless of success or otherwise

Infection & CCM Graphs, indicating malware attacks in 4Q2015, regardless of success or otherwise. Courtesy of Microsoft.

Utilising the "encounter rate" and CCM metrics, what Microsoft found was that the countries that were most under threat from attempted malware attacks last year were Bangladesh, Palestine, Nepal, Indonesia, and Pakistan. They found that while the worldwide encounter rate and CCM by the end of the last quarter of 2015 were 20.8% and 16.9% respectively, Pakistan experienced a 63% encounter rate, and a CCM rate of 71.3%. The three most common forms of malware attacks that Pakistani computer systems were experiencing by the end of the last quarter of 2015 were:

  • Worms, “encountered by 35% of all computers”, marking an increase from 25.6 in the third quarter of 2015;
  • Trojans “encountered by 25% of all computers”, marking an increase from 23.3 in the third quarter of 2015;
  • Viruses “encountered by 11.6% of all computers”, marking an increase from 8.5 in the third quarter of 2015.

The Microsoft Security Intelligence (MSI) report on Pakistan, which breaks down what these numbers mean for users, can be downloaded here.

PLATINUM Threat

In addition to malware, the MSI report also covers the history and activities of a targeted activity group (TAG) that it has codenamed PLATINUM – a group that has garnered concerned interest due to its “aggressive, persistent tactics and techniques as well as its repeated use of new zero-day exploits to attack its targets.”

TAGs are generally opportunistic, with no fixed geographic target profile or attack strategy per se, looking globally. Much like other TAGs, PLATINUM shares an interest in stealing very sensitive intellectual property “related to government interests”. Where PLATINUM differs, however, is that unlike many other groups, it appears to have a specific geographic focus, in this case South and South-East Asia. Making use of “zero-day exploits” (where an attacker makes use of vulnerabilities in a computer system to exploit the system and networks) and “spear phishing” (target-specific phishing attacks), PLATINUM has targeted “governmental organizations, defense institutes, intelligence agencies, diplomatic institutions, and telecommunication providers.”

According to the MSI, PLATINUM has been able to carry out several “espionage campaigns” going back to 2009, making use of custom software tools and techniques to access their desired data, and then in turn make efforts to delete any trace of their “infection tracks.” The length and breadth of their activities, not to mention their focus on state data, could indicate either funding and support from a state actor, or a private group funding for the same reason. More information can be found on PLATINUM, and its troubling implications for national security mechanism in South Asia and South-East Asia, can be found here.

Keeping the entire blog in account, the best practice for everyday internet user would be stay safe in every way possible. Basic human practices such as changing passwords frequently and not clicking unknown links would benefit in a larger scale

There are concerns that we have with this report by Microsoft, however, which users should note: the report does not make mention of malware attempts on other major operating systems such as Apple's OSX, or Linux. The lack of mentions of Linux is especially important, as a growing number of governments are looking to move away from proprietary OSes such as Windows, and towards open source alternatives – usually modification of Linux distributions - that can be tailored to be more stringent and with less bloat present.

Microsoft itself has come under fire in recent years, due to its heavy retention of, and demand for user data – which this report is itself is heavily reliant on – present in Windows 10, gathered via data collection from a number of input devices and services, such as: location, camera, microphone, speech, inking, typing, account info, contacts, calendar, messaging, radios, devices, feedback, diagnostics, and background apps. These demands, as well as the keylogger built into Windows 10, put the private data and security of users at risk, and conversely make systems running on Microsoft products much more appealing to malware operators.

The findings of the report, however, do have merit: to be as safe as possible, it is important that all internet users implement best practices to safeguard their security, especially at a time when malicious attacks are evolving. Simple techniques such as changing passwords frequently, not clicking on unknown and suspicious links, and keeping systems up to date are just some of the small steps that users can take to defend themselves.

Written by Adnan Chaudhri

May 7, 2016 - Comments Off on The peculiar timing of NA’s decision to release Cyber Crime Law’s final draft

The peculiar timing of NA’s decision to release Cyber Crime Law’s final draft

Despite having passed the Cyber Crime Bill on April 13, 2016, the National Assembly made little to no efforts to disseminate the document anywhere. The Bill did not make an appearance on the official website and had till now eluded the general public.
May 7th, 2016 was chosen as the lucky day when the document was finally released - and the decision to pick this date is no accident. By stalling for this long the NA has ensured that no actual criticism or debate could take place within public domains. Why the NA felt the need to hide the bill from public scrutiny is a question that really needs to be asked right now. Had it been released before there would have been a healthy debate for a long enough time before the next Senate session which begins on May 9th and ends on May 20th.
Had an actual debate taken place it would have really helped the cause of the public and civil society organizations. The Bill still has the potential of being stopped when it goes to the Senate floor. Why the government is hell bent on approving a version of the bill that will be problematic for years to come is another question that we must ask. It has become painfully obvious that the government has no interest in investing any of its time in ensuring transparency when it comes to the process of law making - or any other process for that matter.
A law is no joke, undoing, repealing or amending parts of any law is a herculean task. Such efforts have historically not gone over well. If this Bill is allowed to go through then we can welcome in a new era of censorship and tyranny.
To take a better look at what the law entails and how it's about to hit the public hard, go to the following link: National Assembly's approved Cyber Crime Bill