Nasir Khan Jan is a social media celebrity and v-logger who rose to fame because of his off-key covers of songs and awkward photo shoots. However on 8th February, 2017 he was arrested by the KPK Police on charges of “obscenity”.

His home was raided, and he was humiliated in front of his family and neighbours. He was subjected to the fear and distress of finding himself suddenly labelled a criminal, and grappling with the threat of judicial proceedings. It was not until his bail was posted by the admin of another Facebook page that the ordeal ended, at least for the time being. Meanwhile, another nightmare awaited him as he returned home only to find someone had photographed him while he was handcuffed in police custody and the pictures had gone viral, leading to another barrage of derogatory and mocking attacks, adding to the psychological burden of this trauma. Nasir was further told by both the detaining authorities and commenters on social media that if he wishes to avoid a repeat of the same incident, he should stop making videos in which he does “immoral” activities such as “dancing” and singing.

But who decided what constitutes obscene and immoral? The Prevention of Electronic Crimes Act (PECA)  gives authorities broad powers to remove content that is against “decency or morality” (refer to section 37 of the Act)  but what is the objective, legally-applicable definition of such subjective terms? It is unclear exactly which section was used to arrest Khan Jan, however section 294 of the Pakistan Penal Code could possibly have been used. Section 294 states that:

“Obscene acts and songs: Whoever, to the annoyance of others, -- (a) does any obscene act in any public place, or (b) sings, recites or utters any obscene songs, ballad or words, in or near any public place, shall be punished with imprisonment of either description for a term which may extend to three months, or with fine, or with both.”

How do we decide the limits of morality and immorality? Whose narratives of the same are imposed through the criminalisation of activities such as singing, dancing, and personal v-logging? Why are these types of content prompt punitive action while pages promoting hate speech, sectarianism, violence against women and various minorities, or increasing religious extremism are tolerated?

DRF is unequivocally against the actions taken by these law enforcement authorities supposedly at the behest of an as-yet unknown complainant and stands in support of Nasir Khan Jan as well as all digital citizens engaged in the creating content that empowers the growth of New Media. We see these actions as a clearcut part of an ongoing and disturbing pattern of criminalising, harassing, and silencing individual voices online.

Our stance is fourfold:

• Nasir Khan Jan's arrest and subsequent events are a grievous act of cyberbullying crossing the boundary between “digital” and “physical” by permitting harassers to have their victim arrested, publicly humiliated online as well as offline, and threatened with court proceedings for posting videos that they personally found “immoral”. This sets a dangerous precedent for the extent and seriousness of cyberbullying and must not be allowed to slip by without resistance. All citizens are entitled to the same protections from the state; moral policing negates this right by making the state a stakeholder in upholding certain moral codes above others.

• The contrast between Nasir Jan’s arrest and the impunity of pages belonging to banned terrorist outfits and violent sectarian groups highlights that this is a struggle for the right to public space that is ever shrinking and that must not ceded further.

• The fact that Nasir’s privacy was further compromised and his leaked pictures continued to force him to relive this event even though he was granted bail, and even though his “alleged crime” was in the nebulous and legally ill-defined territory of “obscenity”, and despite the fact that in the eyes of the law we are all deemed innocent until proven guilty. This infers that the government of Pakistan is not adequately equipped to handle arrested suspects’ right to privacy while in police custody. It also points towards a lack of sufficient oversight on part of the state to ensure the responsible implementation of its own laws. This casts a shadow over its commitment to uphold the digital safety and rights of its citizens, ostensibly one of the primary reasons why the PECA was passed.

• The members of the law enforcement authority that supposedly received this complaint also decided Nasir Khan Jan was guilty, and enacted punishment accordingly. This is a gross violation of human rights as well as digital rights. It cannot and must not be tolerated at any cost.

Nasir Khan Jan ’s arrest represents a violent escalation of threats to citizens’ post-PECA’ digital rights in an increasingly interconnected world. It raises deep issues of the breaking divide between “online” and “offline” and shows us clearly how non-normative personalities, presentations, and people are disproportionately at risk from not only online vigilantes but also organs of the state.

Harassment as a legal concept finds its origins in, and is deeply embedded in, the context of the workplace. This is not to say that harassment only takes place in those spaces, but simply because the concept was first articulated legally in the context of workplace discrimination and is thus finds its first formal articulation in the Protection against Harassment of Women at Workplace Act, 2010. This conception of harassment takes it as a form of sex discrimination. There are other articulations of harassment as well, such as a breach of privacy or an affront of dignity.

Harassment, unfortunately, is a fact of life for many women in spaces other than the place of work. Most public spaces are hostile environments for women. It is for this reason that street harassment is also criminalised under section 509 the PPC in Pakistan. It comes as no surprise that cyber spaces are no different when it comes to the experience of women and minorities. Out of the 3027 cybercrime cases reported to the FIA during August 2014- August 2015, 45% involved electronic violence against women (e-VAW).

Given the relative newness of online spaces and platforms, and their ever-evolving nature, cyber harassment as a concept has not been as well defined as its other counterparts in other spaces. Prior to the passing of the cybercrime bill, much of the anti-harassment work was being done by section 36 of the Electronic Transactions Ordinance, 2002 (ETO) relating to privacy of information. Privacy is an interesting jurisprudential lens to view anti-harassment legislation through. This currently is the approach taken in US jurisprudence through the developing field of the right to sexual privacy. However in order for cyber harassment to be effectively tackled through this legal paradigm, there needs to be developed jurisprudence around the right to privacy.

Under the Prevention of Electronic Crimes Act 2015 (PECA, or the Cybercrime Act), section 21 (offences against modesty of a natural person or minor) and section 24 (cyber stalking) deal with the issue of online harassment. These laws, while a step in the right direction towards talking online violence seriously, are both overboard in their reach and inadequate in effectively tackling harassment in online spaces when taken at face value.

The laws have been widely criticised for the vague, and often careless, language that they contain. The definitions relating of modesty of natural persons are meant to capture non-consensual pornographic content. However over-reliance on concepts such as modesty and the explicit absence of the legal requirement of consent leaves something to be desired. Furthermore, cyberbullying legislation have faced many constitutional challenges in many other jurisdictions around the world—challenges being mounted mainly from a free speech and censorship point of view.[1] It is up to the interpreters of these laws, by cybercrime lawyers and designated judges, to develop jurisprudence that benefits the victims of these crimes without impacting free speech. The broad language of the sections can be reined in by thoughtful interpretation and reasoned discussion on the contours of free speech in a democratic society.

The definition of “cyber stalking” under section 24 of PECA covers a wide range of activity. Since this is a criminal statute, interpretations of the section need to guard against actions which do not rise to the level of criminal reprimand—a threshold that the text of the Act does not lay out itself. Furthermore, judges need to interpret the section with the true spirit of consent jurisprudence. This is particularly important when it comes to section 24(d) where even if the initial photograph or video was made with consent, it is the non-consensual distribution that needs to be criminalised. While non-consensual capturing of images should also be penalised in and of itself, the illegality of non-consensual distribution should operate independent of and decoupled from the capturing of the images.

When it comes to online harassment, there is a particular element of urgency given the reputational damage at stake and the possibility of duplication of information. This is where the procedural aspects of the law play a significant role in taking down content in a timely manner. Getting images removed from the internet is the immediate need of many complainants, and the PECA does not speak to this urgency. The aggrieved person can apply to the Pakistan Telecommunications Authority (PTA) to remove images implicated by sections 21 and 24, however there is no mechanism in place to ensure that this happens before the reputational damage is done.

In the United States, removal of images is done through the Digital Millennium Copyright Act of 1998 through a notice of copyright infringement. This is an interesting method to tackle online harassment, one not without its demerits. However again, given the dearth of case law and legal work around concepts of property in digital spaces it is unclear if such a mechanism is even feasible in Pakistan.

Returning to the concept of harassment in general, it would be useful to see the phenomenon of online harassment from the perspective of the right to equality. Just like harassment at the workplace is a form sex discrimination, it can be argued that given that harassment in cyber spaces mostly effects women and marginalised communities, it is a violation of their right to equal access to and enjoyment of the internet.[2] This conceptualisation is not found within the PECA, which is primarily a criminal statute, but a rights-based approach to digital rights needs to view online harassment as an issue of civil rights.

Lastly, another aspect of the law that is particularly egregious for victims of online harassment is the lack of anonymity in reporting instances of such activity. The humiliation of reliving the experience that the victim has been through and the indignity of turning in evidence, sometimes involving sexually explicit material, to predominantly male police officers and judges can be a traumatic process. Law enforcement agencies and the subsequent court system needs to be cognizant of these social and psychological aspects when investigating and adjudicating such cases—a consideration that should inform their legal analysis and judgment.

This legal note originally appeared in "Three Pillars" law magazine (January, 2017).

[1] Section 66A of the Indian the Information Technology Act, 2000 was struck down on grounds of violating free speech in the 2015 case of Shreya Singhal v. Union of India.

[2] Danielle Citron, “Hate Crimes in Cyberspace”. Harvard University Press (2014).

Protest against internet shutdowns.

A population and territory that already belongs in the fringes of our imagination has receded from our digital spaces without most Pakistanis noticing. It may come as a shock to most of us that internet services in Federally Administrated Tribal Areas (FATA) have been suspended since June 12, 2016.

Meet Rahim Shah Shinwari, he tweets about the internet blackout in FATA nearly every day, compensating for the silenced digital voices from FATA. He highlighted the problems that the residents of FATA face in the face of this ban.

Digital spaces are increasingly coming under scrutiny and regulation all over Pakistan, however the complete shutdown of internet services in FATA points towards a different and worrisome form of policing and regulation.

We spoke to local journalist Rahat Shinwari as well who said that the ban has put “FATA back in the stone age”. He advocates for internet rights and has written about the issue in the Daily Ausaf:

The summer without Internet

The internet shutdown began on June 12, 2016 following the closing of the Pak-Afghan border after an incident of firing from the Afghan side on June 11, 2016. The authorities took immediate and disproportionate action by suspending mobile-based internet services in all the agencies of FATA: this includes 3/4G and portable internet devices—which constituted the primary sources of internet access in FATA given its availability and the fact that it was cheap (both in terms of rates and the lack of setting up costs: you only need a basic smartphone to use mobile internet). In wake of this shutdown, the only source of internet is PTCL broadband. According to our research, broadband connections formed less than 5% of the internet access in the area.

DRF has learnt that the process of shutdowns preceded June, 2016 and had begun intermittently as early as March of the same year. The shutdown was first experienced by the citizens of Bajaur and the regions bordering Afghanistan.

A short history of the internet

The internet arrived in FATA in 2005, but it proliferated properly after 2014. This is not the first time that the residents of FATA faced an internet shutdown. During the military operations in South Waziristan and other agencies in FATA, internet access was blocked from 2010 to 2012. In fact, during those years, even PTCL services were shutdown. However the sting of the shutdown has been felt more this time around given the explosion of the internet and introduction of 3/4G services by 2016.

An overwhelming majority of the users of internet in FATA are the younger generation. Nevertheless, based on interviews, internet usage was widespread in other age groups. Women were also using the internet in huge numbers on their mobile devices.

The internet was used to communicate with family members in other countries, such as workers in the Gulf States and students in Europe and the US. Businessmen were also taking advantage of the internet as a means of promotion and sales.

Importantly, the internet was also used for political engagement and awareness campaigns. FATA was not immune to trends all over the world, and the rise of citizen journalism and accessibility to e-newspapers meant that people were starting to question conventional narratives and hold public authorities accountable. The political campaign and mobilization against the Frontier Crimes Regulations (FCR) took on a renewed fervour because of the internet. The political consciousness in digital spaces was such a concern that some political agents threated to take away internet privileges from the population if criticism of corruption by the authorities did not abate.

The internet was also the sole source of entertainment for much of the population. Owing to the fact that access to electricity is limited and subject to frequent shutdowns, many households run on solar panels where they do not own television sets and prefer to watch broadcasts on easy to charge mobile devices. Often times, the only way to watch a live cricket match—a national obsession—is through internet streaming services. It is a real tragedy that the residents in FATA are not able to watch live cricket matches in 2017!

Silence from the state

Since the shutdown there has been no official explanation for its persistence or any satisfactory justification regarding the denial of internet services to a significant portion of Pakistan’s population. The residents of FATA and youth groups such as the Khyber Youth Forum have raised questions, but their protests have been met with complete silence.

When individuals have approached the government, they have been told that the shutdown is a result of security concerns. This nebulous defence of “security” is a familiar one in Pakistan, particularly to the residents of FATA. Under the blanket rationality of security, internet services have been denied to all the agencies in FATA. Furthermore, the particular incident that led to the shutdown has long been addressed as peace was restored within a month of the shutdown.

It has also been asserted by the authorities that internet services have been banned because the internet was being used as a tool of propaganda by militants and terrorists. This reason employs the warped logic of heavy-handed governance. If the internet is used for propaganda, the solution is not a complete ban on the entire medium of communication and expression. If the government wants to counter extremist narratives, there are other ways to go about it rather than denying speech to an entire population. Furthermore, the internet can be used a propaganda tool in other parts of Pakistan as well, it is peculiar that FATA have to bear the brunt of this misuse. Furthermore, it is worrying that the entire region of FATA being seen as a homogenous with a uniform threat level, which echoes the logic of the FCR and colonial practice of collective punishment.

These reasons given by the government makes sense only when one considers this shutdown in the context of the history of FATA as a periphery region that has been denied equal rights under the Constitution of Pakistan and made subject to a repressive and colonial legal and political system since partition.

Alternates

In wake of the internet showdown there is a gaping hole in terms of access to information and news. While the local media is working to fill in the gaps, even journalists in the area are seriously hindered in their ability to stay up to date and access sources without proper access to the internet.

The “internet café” culture from the 90s and early 2000s is returning to FATA, out of necessity rather than nostalgia. Enterprising dhabas have started to invest in internet broadband infrastructure, where one can use the internet at the rate of Rs. 50 per hour. This hefty amount means that internet access, when rarely available, is too expensive for a majority of the population. Furthermore, given the culture of public spaces and dhabas, these facilities are largely accessible exclusively to men given the cultural and gender norms of the area. Often times people have to travel great distances to simply use the internet; some students have to travel all the way to Peshawar just to fill out a job or university application. The burden of this internet shutdown is falling disproportionately on the young, women and financially disadvantaged.

Conclusion

With demands for the repeal of the FCR gaining momentum and the headway made by the FATA Reforms Committee, there is a definite push towards extending fundamental rights under the constitution to FATA. Digital rights need to be included as part of the proposed package of reforms for FATA. It is odd that on one hand that the government seeks to eliminate the oppressive regime of the FCR, and on the other is still denying basic internet services to FATA.

Digital rights activists also need to keep the regions on the periphery in mind when advocating for internet rights. While suspension of internet and mobile services for a single day in urban areas raises outrage, the continued and unjustified denial of services to the people of FATA has largely gone ignored by mainstream discourse.

With the onset of the digital age, legislation that protects citizens from cybercrime and terrorism is needed more than ever, provided that a fair and progressive balance is struck between security and liberty. The Prevention of Electronic Crimes Bill does not meet that balance - rather than protect the rights of Pakistani citizens as its authors and supporters claim, its passage will in effect criminalise freedom of expression, and put the privacy of Pakistani citizens at risk. The Bill has attracted criticism from Pakistani and international observers and rights organisations, including the UN Special Rapporteur on freedom of expression, and from members of the opposition in the Pakistani National Assembly. This has not stopped this flawed legislation from being passed by the NA Standing Committee on IT, however, on April 13, 2016, with more than 90% of MNAs not present. The fate of the PECB now rests with the Senate.

On Tuesday, May 17, 2016, Digital Rights Foundation and Bolo Bhi will hold a consultation with the Senate of Pakistan, on the Prevention of Electronic Crimes Bill, to tackle the bill and stop it from being law. Join us!

% of Malware Infections Worldwide in 4Q2015. Courtesy of Microsoft.

Microsoft released its annual Security Intelligence report in the first week of May, covering the last half of 2015, from June to December. This report, now in its 20^th volume, examines and breaks down what the Seattle-based tech company calls the “threat landscape of exploits, vulnerabilities, and malware using data from internet services and over 600 million computers worldwide”. According to the company, Microsoft looks as upwards of at least “10 million attacks” a day – nearly half of which originate in Asia.

To gauge which countries are the biggest targets for malware, Microsoft gathers the data from global computer systems that run its security software in real-time, reporting all incidents of malware attacks, regardless of success penetration or not – this metric is referred to Microsoft as the "encounter rate". Another metric used is the "Computers Cleaned per mile" or CCM, which is defined as the number of “computers cleaned for every 1,000 unique computers executing the Malicious Removal Tool (MRST)”, a free tool Microsoft uses to clean or remove over “200 highly prevalent or serious threats from computers.

Infection & CCM Graphs, indicating malware attacks in 4Q2015, regardless of success or otherwise. Courtesy of Microsoft.

Utilising the "encounter rate" and CCM metrics, what Microsoft found was that the countries that were most under threat from attempted malware attacks last year were Bangladesh, Palestine, Nepal, Indonesia, and Pakistan. They found that while the worldwide encounter rate and CCM by the end of the last quarter of 2015 were 20.8% and 16.9% respectively, Pakistan experienced a 63% encounter rate, and a CCM rate of 71.3%. The three most common forms of malware attacks that Pakistani computer systems were experiencing by the end of the last quarter of 2015 were:

• Worms, “encountered by 35% of all computers”, marking an increase from 25.6 in the third quarter of 2015;
• Trojans “encountered by 25% of all computers”, marking an increase from 23.3 in the third quarter of 2015;
• Viruses “encountered by 11.6% of all computers”, marking an increase from 8.5 in the third quarter of 2015.

The Microsoft Security Intelligence (MSI) report on Pakistan, which breaks down what these numbers mean for users, can be downloaded here.

PLATINUM Threat

In addition to malware, the MSI report also covers the history and activities of a targeted activity group (TAG) that it has codenamed PLATINUM – a group that has garnered concerned interest due to its “aggressive, persistent tactics and techniques as well as its repeated use of new zero-day exploits to attack its targets.”

TAGs are generally opportunistic, with no fixed geographic target profile or attack strategy per se, looking globally. Much like other TAGs, PLATINUM shares an interest in stealing very sensitive intellectual property “related to government interests”. Where PLATINUM differs, however, is that unlike many other groups, it appears to have a specific geographic focus, in this case South and South-East Asia. Making use of “zero-day exploits” (where an attacker makes use of vulnerabilities in a computer system to exploit the system and networks) and “spear phishing” (target-specific phishing attacks), PLATINUM has targeted “governmental organizations, defense institutes, intelligence agencies, diplomatic institutions, and telecommunication providers.”

According to the MSI, PLATINUM has been able to carry out several “espionage campaigns” going back to 2009, making use of custom software tools and techniques to access their desired data, and then in turn make efforts to delete any trace of their “infection tracks.” The length and breadth of their activities, not to mention their focus on state data, could indicate either funding and support from a state actor, or a private group funding for the same reason. More information can be found on PLATINUM, and its troubling implications for national security mechanism in South Asia and South-East Asia, can be found here.

Keeping the entire blog in account, the best practice for everyday internet user would be stay safe in every way possible. Basic human practices such as changing passwords frequently and not clicking unknown links would benefit in a larger scale

There are concerns that we have with this report by Microsoft, however, which users should note: the report does not make mention of malware attempts on other major operating systems such as Apple's OSX, or Linux. The lack of mentions of Linux is especially important, as a growing number of governments are looking to move away from proprietary OSes such as Windows, and towards open source alternatives – usually modification of Linux distributions - that can be tailored to be more stringent and with less bloat present.

Microsoft itself has come under fire in recent years, due to its heavy retention of, and demand for user data – which this report is itself is heavily reliant on – present in Windows 10, gathered via data collection from a number of input devices and services, such as: location, camera, microphone, speech, inking, typing, account info, contacts, calendar, messaging, radios, devices, feedback, diagnostics, and background apps. These demands, as well as the keylogger built into Windows 10, put the private data and security of users at risk, and conversely make systems running on Microsoft products much more appealing to malware operators.

The findings of the report, however, do have merit: to be as safe as possible, it is important that all internet users implement best practices to safeguard their security, especially at a time when malicious attacks are evolving. Simple techniques such as changing passwords frequently, not clicking on unknown and suspicious links, and keeping systems up to date are just some of the small steps that users can take to defend themselves.

Written by Adnan Chaudhri