A two day meeting took place on Wednesday and Thursday i.e. June 29-30 respectively where the Senate Sub-Committee overlooking the Prevention of Electronic Crimes Bill 2016 deliberated with civil society actors, social media activists and internet service providers, on the many issues within the draft.

This post is the first of a two part series on the proceedings of the meeting.

On Wednesday, the parliamentary panel looked into amending the different clauses that will hurt the cause of human rights in Pakistan. Freedom of expression, social media and the different punishments that are to be meted out were put on the table.

Osman Saifullah Khan chaired the meeting which was also attended by Digital Rights Foundation Executive Director Nighat Dad.

The problem of there being no balance was brought up during the meeting. A multitude of sections were discussed during the meeting and the stakeholders present gave their input as to what should be changed and what should be omitted.

Senator Farhatullah Babar who was also present on the occasion said that the bill required more clarity. He questioned the impact that the bill would have on the flow of information and freedom of expression. He also highlighted that data protection and safeguards to personal data are an issue that needs to be remedied.

The committee placed under consideration Section 19 which talks about offences against the dignity of the natural person.

NayaTel CEO Wahaj-u-Siraj was of the view that other laws already deal with this issue and this clause should be omitted from the bill. He also said that the clause could be used to abuse power and curb freedom on social media. The committee said that the proposed punishment for the section i.e. fine and imprisonment, also needed to be revisited.

Senator Mohsin Khan Leghari said that citizens also needed protection and the bill was failing to provide. It. Senator Shibli Faraz highlighted the ignorance that is prevalent in Pakistan and said that the laws need to be developed in a manner so that they could benefit the average Pakistani.

While the committee said that the clause should be kept because it would play an important role, they also acknowledged that it needed major amendments before it could be allowed to go through.

The committee also looked into Section 22 which has to do with spamming. It was observed that laws against spamming exist in many countries, however, it should not be criminalized.

Here Nighat Dad pointed out that the bill had no protection for whistle blowers or those who leaked information with public interest in their mind. The FIA official present was adamant that anyone giving out information was committing a crime, irrespective of their intent. Officials responded to a question by Babar by saying that the spamming had to do with commercial and marketing spamming and not unsolicited communication.

They advised that the imprisonment should be removed, however, the fine penalty should be retained. During the next meeting, a comparison of EU and Singaporean law will also be brought to the table to see what improvements can be made to the PECB.

For Section 21, which deals with cyber stalking, the committee recommended that the content of the bill be tightened for better clarity.

The meeting of the Senate Standing Committee on Information Technology’s Sub-Committee on the PECB continued on Thursday, June 30 and was rife with discussion on data.

The problems pertaining to data sharing and data protection took centre stage with all stakeholders trying to come to consensus as to what should be done. The question of whether the Pakistan Telecommunication Authority (PTA) and PEC itself require the powers that are being allotted to them was also brought up.

Once again, Osman Saifullah Khan took his position as the chair and was joined by other senators at the session.

Section 39, which has to do with international cooperation was brought up during the meeting. This section allowed the government to share information with spy agencies and foreign governments.

Senator Farhatullah Babar said that the section was flawed and made him feel vulnerable. He questioned why the government could provide his information and details to any country or agency without any safeguards in place to ensure that the data was not mishandled or misused.

He also asked what guarantee there was to ensure that the investigation officer would not use the data to manipulate, harass or extort another person.

The Digital Rights Foundation proposes that this section needs rules and procedures for its implementation. It should not be the prerogative of the Pakistani government to share any information with another government without due processes.

Section 38, which has to do with confidentiality of information, also came under discussion. The committee pointed out that the ministry needed to ensure that the seized item and their data remained protected.

The officials present said that a proper channel would be used to share data under international cooperation law. The blanket authority being granted to the PTA as per section 29 was questioned by both the civil society and the committee members.

Civil society said that the clause should be deleted because of the privacy violation of the entire internet users in Pakistan. However, Senator Osman Saifullah said that in a country like Pakistan this is not possible and we need to look for a middle ground solution.

In response to that, Senator Farhatullah Babar mentioned that if ISPs need to retain internet users data they need to include judicial oversight and only retain data of criminals and terrorists once they have reasonable suspicions.

Even to retain data for those criminals they need a judicial warrant and follow procedure mentioned in the Fair Trial Act. Dad also pointed out that while larger ISPs could afford the cost of retaining so much data, smaller ISPs would not be able to do so. Ultimately, the burden of that cost will be thrown to the average user who will end up paying a lot more for their online presence.

As an advocate of privacy our organization is of the view that there is no evidence to support the assertion that data retention leads to a decrease in terrorist activities.

Research has demonstrated that many countries have rejected data retention, including Austria, Belgium, Greece, Sweden, Germany, Bulgaria etc. Serious crimes continue to exist in these countries, and they continue to tackle them without data retention that hurts civil liberties. This clause should be omitted as it violates the right to privacy.

Section 34, which gives powers to PTA to block anything they want, also came under discussion. For a little background readers should know that PTA’s ability to block content at will is already being challenged in court.

The civil society present said that it should be removed but some of the senators said that deletion is not a proper solution and some powers should exist. They proposed that these powers be not added to this legislation and instead the PTA act should be amended to include these powers.

However, this solution is facing resistance because of the lengthy process involved.

Members of the civil society also asked that Section 10 be removed from the bill. The section has to do with cyber terrorism.

Dad said that there is no need for this section when the entire section already exists in the Anti Terrorism Act 1997 and the section is 11 W.

Apart from this it was also mentioned that this section mentions a 14 year penalty, whereas the ATA only mentions 6 months. So an offline act of terrorism, which includes many things, only 6 months are mentioned but for online terrorism act they are mentioning 14 years of imprisonment.

The reason for pointing this out was to highlight that there is a replicability between laws and there is a lack of consistency. Why can’t they implement existing legislation instead of making new ones, Dad questioned.

Dad further said that amendments need to be made to existing legislation to include new provisions that are needed - there is no agreed definition of cyber terrorism globally, she explained and further asked how it would be defined in Pakistan.

It is also disheartening that repetitions and provisions that are glaring examples of what should be removed from the bill are being allowed to only go through 'amendments' by the sub-committee. Despite the civil society stakeholders having submitted their recommendations and highlighting how this law could backfire later, redrafting has been restricted to actions that are simply not enough.

The speculations that civil society actors were not prepared and didn't submit formulations is incorrect. Farieha Aziz from Bolo Bhi read out many alternative formulations of clauses at the meetings.
DRF believes that civil liberties should not a be a casualty in the name of security and the fight against terrorism under such legislations. Pakistan should set a good precedent by enacting a cyber crime law that is a balance between security and human rights

With the onset of the digital age, legislation that protects citizens from cybercrime and terrorism is needed more than ever, provided that a fair and progressive balance is struck between security and liberty. The Prevention of Electronic Crimes Bill does not meet that balance - rather than protect the rights of Pakistani citizens as its authors and supporters claim, its passage will in effect criminalise freedom of expression, and put the privacy of Pakistani citizens at risk. The Bill has attracted criticism from Pakistani and international observers and rights organisations, including the UN Special Rapporteur on freedom of expression, and from members of the opposition in the Pakistani National Assembly. This has not stopped this flawed legislation from being passed by the NA Standing Committee on IT, however, on April 13, 2016, with more than 90% of MNAs not present. The fate of the PECB now rests with the Senate.

On Tuesday, May 17, 2016, Digital Rights Foundation and Bolo Bhi will hold a consultation with the Senate of Pakistan, on the Prevention of Electronic Crimes Bill, to tackle the bill and stop it from being law. Join us!

% of Malware Infections Worldwide in 4Q2015. Courtesy of Microsoft.

Microsoft released its annual Security Intelligence report in the first week of May, covering the last half of 2015, from June to December. This report, now in its 20^th volume, examines and breaks down what the Seattle-based tech company calls the “threat landscape of exploits, vulnerabilities, and malware using data from internet services and over 600 million computers worldwide”. According to the company, Microsoft looks as upwards of at least “10 million attacks” a day – nearly half of which originate in Asia.

To gauge which countries are the biggest targets for malware, Microsoft gathers the data from global computer systems that run its security software in real-time, reporting all incidents of malware attacks, regardless of success penetration or not – this metric is referred to Microsoft as the "encounter rate". Another metric used is the "Computers Cleaned per mile" or CCM, which is defined as the number of “computers cleaned for every 1,000 unique computers executing the Malicious Removal Tool (MRST)”, a free tool Microsoft uses to clean or remove over “200 highly prevalent or serious threats from computers.

Infection & CCM Graphs, indicating malware attacks in 4Q2015, regardless of success or otherwise. Courtesy of Microsoft.

Utilising the "encounter rate" and CCM metrics, what Microsoft found was that the countries that were most under threat from attempted malware attacks last year were Bangladesh, Palestine, Nepal, Indonesia, and Pakistan. They found that while the worldwide encounter rate and CCM by the end of the last quarter of 2015 were 20.8% and 16.9% respectively, Pakistan experienced a 63% encounter rate, and a CCM rate of 71.3%. The three most common forms of malware attacks that Pakistani computer systems were experiencing by the end of the last quarter of 2015 were:

• Worms, “encountered by 35% of all computers”, marking an increase from 25.6 in the third quarter of 2015;
• Trojans “encountered by 25% of all computers”, marking an increase from 23.3 in the third quarter of 2015;
• Viruses “encountered by 11.6% of all computers”, marking an increase from 8.5 in the third quarter of 2015.

The Microsoft Security Intelligence (MSI) report on Pakistan, which breaks down what these numbers mean for users, can be downloaded here.

PLATINUM Threat

In addition to malware, the MSI report also covers the history and activities of a targeted activity group (TAG) that it has codenamed PLATINUM – a group that has garnered concerned interest due to its “aggressive, persistent tactics and techniques as well as its repeated use of new zero-day exploits to attack its targets.”

TAGs are generally opportunistic, with no fixed geographic target profile or attack strategy per se, looking globally. Much like other TAGs, PLATINUM shares an interest in stealing very sensitive intellectual property “related to government interests”. Where PLATINUM differs, however, is that unlike many other groups, it appears to have a specific geographic focus, in this case South and South-East Asia. Making use of “zero-day exploits” (where an attacker makes use of vulnerabilities in a computer system to exploit the system and networks) and “spear phishing” (target-specific phishing attacks), PLATINUM has targeted “governmental organizations, defense institutes, intelligence agencies, diplomatic institutions, and telecommunication providers.”

According to the MSI, PLATINUM has been able to carry out several “espionage campaigns” going back to 2009, making use of custom software tools and techniques to access their desired data, and then in turn make efforts to delete any trace of their “infection tracks.” The length and breadth of their activities, not to mention their focus on state data, could indicate either funding and support from a state actor, or a private group funding for the same reason. More information can be found on PLATINUM, and its troubling implications for national security mechanism in South Asia and South-East Asia, can be found here.

Keeping the entire blog in account, the best practice for everyday internet user would be stay safe in every way possible. Basic human practices such as changing passwords frequently and not clicking unknown links would benefit in a larger scale

There are concerns that we have with this report by Microsoft, however, which users should note: the report does not make mention of malware attempts on other major operating systems such as Apple's OSX, or Linux. The lack of mentions of Linux is especially important, as a growing number of governments are looking to move away from proprietary OSes such as Windows, and towards open source alternatives – usually modification of Linux distributions - that can be tailored to be more stringent and with less bloat present.

Microsoft itself has come under fire in recent years, due to its heavy retention of, and demand for user data – which this report is itself is heavily reliant on – present in Windows 10, gathered via data collection from a number of input devices and services, such as: location, camera, microphone, speech, inking, typing, account info, contacts, calendar, messaging, radios, devices, feedback, diagnostics, and background apps. These demands, as well as the keylogger built into Windows 10, put the private data and security of users at risk, and conversely make systems running on Microsoft products much more appealing to malware operators.

The findings of the report, however, do have merit: to be as safe as possible, it is important that all internet users implement best practices to safeguard their security, especially at a time when malicious attacks are evolving. Simple techniques such as changing passwords frequently, not clicking on unknown and suspicious links, and keeping systems up to date are just some of the small steps that users can take to defend themselves.

Written by Adnan Chaudhri

Though many do not yet realise it, April 13 was a dark day in the history of digital rights for the people of Pakistan. The Prevention of Electronic Crimes Bill (PECB) 2015 was passed by the National Assembly despite a lack of quorum. The processes through which the bill was created lacked representation of key stakeholders. In its current form the Bill is set to serve the interests of those who rule, instead of serving the interests of the common Pakistan.

• Prevention of Electronic Crimes Bill as drafted on February 16, 2016

The following documents contain important information about the Bill:

• IT Minister Anusha Rehman's Statement on the Bill

Minister of State for Information Technology Anusha Rahman's statement on the objects and reasons behind PECB2015. While the statement highlights the many reasons that new legislation is needed, it fails to address the many shortcomings of the present bill.

• List of Amendment Clauses added to the PECB as drafted on February 16, 2016

These are the amendments that were entered into the PECB as drafted on February 16, 2016. What stands out is that the amendments on display have all been pushed forward by Ms. Anusha Rahman, Pakistan's IT Minister.