An article published in yesterday’s Dawn provided great detail on cybercrime legislation drafted by Akram Sheikh Associates, commissioned by the government. The following are some initial and immediate concerns that the proposed legislation raises.
The proposed legislation does not reflect a clear understanding of digital space or medium, and lacks adequate safeguards that should be in place to curb violations and excesses which have been committed in the past, under the Prevention of Electronic Crimes Ordinance, which is what led to its redrafting.
Other than the vague definitions, what this proposed legislation misses is a description and detail of the processes by which a crime is to be determined. In the electronic and digital medium, the process that leads to an action is of utmost importance. Determination of the crime is directly linked to that. Failure to establish a chain of deliberate and intentional events that lead to an action undermines the strength of the case. And so, with the processes and methods of determination undefined, the legislation remains open-ended and liable to misuse. This could potentially cause innocents to be charged and tried – a concern that has been highlighted in the past.
This brings us to the proportionality of punishments as well as the method of investigation and trial. Firstly, it is questionable whether some offences listed in this legislation should be considered offences in the first place. Many of them, elsewhere, are considered torts. Secondly, the authorities constituted and the functions and powers ascribed appear to be too wide-ranging.
The manner of their constitution, appointment, functioning and decision-making is centralised, with the controls in the hands of the federal government. The little representation of private entities for which provision is created is also left to the discretion of government authorities, allowing them to handpick candidates. The authorities are created with the goal of empowering them to be the law unto themselves, instead of creating a system of checks and balances. Instead of devolving authority so as to require warrants, and establishing a clear method of investigation and trial that should include a documented procedure that is to be followed, no boundaries have been ascribed to the authorities.
There is no consideration of how it is to be dealt with if the said authorities were to overstep their mandate – which in fact is not clearly defined. While there are punishments for citizens, nothing is prescribed for authorities and officials when they commit a mistake or deliberately misuse authority.
Most disturbing are some of the functions which are unheard of, and can only undermine the security and integrity of information systems in the country. To this extent, certification accreditation and cryptography are of great concern.
It is quite startling to see that various portions of this proposed legislation have been replicated in their entirety from the Information Technology Act of 2000 of India. For example: Section 44 is a copy of Section 43 of the IT Act 2000 of India, Section 45 is a copy of Section 66 of the IT Act, and Sections 54 and 55 are mere offshoots of Section 67 of the IT Act of 2000. It would be unwise to consider the Information Technology Act of 2000 as a stepping stone, as the Act was heavily criticized for infringing upon the personal liberties of Indian citizens. Moreover, it did not take into consideration evolving technologies and new forms of communication, which is why in 2008, the Information Technology Act of 2000 was heavily amended by the Indian Parliament and the Amended IT Act of 2008 was introduced.
Similarly, the Prevention of Electronic Crimes Ordinance, when first proposed, received heavy criticism from civil advocacy and industry groups due to the degree to which it ignored civil liberties and business continuity, and its sheer disregard of international practices. The legislation aimed to impose upon the citizens a harsh brand of justice, which was evidence not of a democratic and aware society but more of a police state. This ultimately led to its redrafting.
Any proposed legislation should ensure it is not violative of due process and fundamental rights considerations. These should be at the very center of lawmaking. The uncanny resemblance between the proposed legislation under discussion in this paper, the discarded Indian IT Act and PECO indicates that little or no attention was paid to the concerns raised previously.
The approach to lawmaking in the digital space, as we have seen repeatedly, is undertaken with little or no knowledge of the nature of digital mediums and devices. It is futile to draw from existing frameworks and replicate those for electronic/digital media. Unless very specific, practical, implementable aspects of the functioning of these mediums are taken into consideration, laws will continue to remain irrelevant, unsound and repressive. Sound technical knowledge along with clear standards of rights and privacy are the very first requirement for law-making in this space. This expertise, as we have seen in the past, remains missing within the policy-making circles. Multi-stakeholder input is the only way forward. And we expect that when the time to table legislation arrives, the multi-stakeholder approach is the one adopted over political expediency.