The NSA has the greatest surveillance capabilities that we’ve ever seen in human history. What they will argue is that they don’t use this for nefarious purposes ... That’s something like saying ‘I have a gun pointed at your head, but I’m not going to pull the trigger. Trust me’.
Edward Snowden says he didn’t trust them, and that’s why he did what he did: revealing literally terabytes of data about the National Security Agency’s surveillance activities and capabilities, both foreign and domestic.
For some, it was a frightening affirmation of something we’ve known all along, but hoped to God wasn’t true. e-mails, chats, social media activity, video, photo and music as well as online transactions and credit card activity and every other thing in between; the NSA has access to literally anything and everything that passes (in the form of internet traffic) in and out of the United States of America.
Because of the unique way the internet works, major internet companies such as Google and Facebook shuffle their data around between servers that are located all around the world. In doing so, all the emails in your email account, or mine, become the property of the US government.
This doesn’t bother us very much. If you look at cat photos and listen to Taylor Swift on your cousin’s Spotify account that you run via a $25/year web proxy and post too many pictures of your pet cactus on Facebook, the US government has no quarrel with you.
But the government of Pakistan does. Specifically, the Pakistan Telecommunication Authority (PTA), the Ministry of Information Technology (MoIT) and the handful of other shadowy government committees and departments that currently hold sway over what you can and cannot access on the internet.
Imagine, they have the power to intercept all forms of online communication; from your text to your grandmother to a photograph sent to a loved one. Nothing will be privileged. Nothing will be sacred. Nothing will be private.
If this account sounds too much like the last dystopian thriller you read, it probably is. Thanks to the raging war against terrorism, Pakistan has had to take some radical measures, the chief amongst which is the National Action Plan (NAP) to counter terrorism and extremism.
The Prevention of Electronic Crimes Bill (PECB) 2015 is a key pillar of NAP. A recent implementation report prepared by the interior ministry notes the bill as one of the cornerstones of the government’s plan to fight the spread of terrorists’ and militants’ activity online.
When asked about the terminology used to define terms such as ‘cyber-stalking’ and ‘spamming’ in a recent televised interview, State Minister for Information Technology Anusha Rehman said that the PECB 2015 drew on a lot of existing material, such as the Budapest Convention and the Australian Anti Spam Act of 2003. She was insistent that the government did not want to reinvent the wheel with regards to the legal terminology used in the PECB 2015.
It is a cogent argument, one that makes sense. Other countries have had far more experience in dealing with online crime and their safety mechanisms have had a longer time to evolve. The Australian law, for instance, contains a list of exceptions to the anti-spamming regulations that is nearly as long as the text of the law itself. The Budapest Convention offers internationally recognised definitions for concepts such as illegal access, interception, data and system interference, misuse of devices, computer-related forgery and fraud and offences related to child pornography, copyright and intellectual property rights. It also defines universal laws for procedural issues such as preservation of data, disclosure of traffic, search, seizure, real-time collection and interception of data.
However, these footnotes and explanations are missing from the bill as it has been cleared by the standing committee. According to MQM MNA Ali Raza Abidi, the committee seemed to be in a hurry to send the bill to the house floor. Insiders say that this is because the MoIT was under pressure to give the government some teeth with which to pursue NAP objectives in the online realm. But whether the need to pursue and prosecute terrorists outweighs the need to ensure that citizens’ fundamental rights are safeguarded, is a question that has troubled nearly every government, anywhere in the world, at one time or the other.
What is also troubling is the possibility that our government is not just drawing inspiration from internet governance models in liberal democracies. At a hearing of the YouTube case in the Lahore High Court, the government counsel submitted to the court that they were looking at the Chinese and Saudi Arabian model in the context of censorship that would enable the government to bring back the video sharing website, sans blasphemous content. This flies completely in the face of all established principles of freedom of expression, but does line up with models where civil liberties are sacrificed for the sake of ‘national security’ or the ‘greater good’.
The need for framing of abstract technical concepts into a legal framework that can govern life online and be used to prevent or punish misdemeanours arising from online activity cannot be argued with. We keep forgetting that despite having memories of the erstwhile cybercrime ordinance that was introduced during the Musharraf regime, our country currently has no law that deals specifically with electronic crime per se. In that respect alone, the PECB 2015 is a document that needs to pass.
One can contest, however, how competent our current law enforcement capabilities are of dealing with the new and unique threats that cybercrime brings to the table. The bill stipulates that the federal government “may establish or designate a law enforcement agency as the investigation agency for the purposes of investigation of offences under this act”. Most observers put their money on the Federal Investigation Agency to regain its former role and revitalise the cyber crime circle or utilise the existing National Response Centre for Cyber Crime (NR3C) to open investigations into criminal activity in the electronic realm.
Of course, there will be responsibility-sharing within the intelligence community. The Protection of Pakistan Act and the Fair Trial Act both describe the possibility of electronic surveillance and data capture for use as evidence in terrorism cases. There is speculation that the responsibility of data-analysis will be passed on to one agency, while real-time monitoring may be the domain of another. Whoever gets the job, the consensus across the board seems to be that these guardians of the law will have to be smarter than the criminals they are pursuing and well-versed in the law that they are enforcing.
There are, as expected, question marks over this. A key government functionary involved with the preparation of the bill said, on condition of anonymity, that there should be `safety valves` to ensure that citizens` fundamental rights were upheld and that their privacy was protected as enshrined under prevailing laws. He was also sceptical about the FIA and other agencies’ ability to handle crimes under the PECB 2015 and stressed the need for judges and officers to be extensively trained.
These concerns are also shared by former IT minister and MNA Awais Khan Leghari, who has been insisting on the formation of special courts. “The present judicial system cannot handle cybercrime cases and it will lead to havoc,” Mr Leghari said during the deliberations of the National Assembly Standing Committee on IT.
Then there is the question of capability. Nighat Dad of the Digital Rights Foundation has been fighting against government attempts to police the internet. She says, “In the past we have seen solid evidence that the government used Finfisher to spy on people. They have resources and capacity to use and employ but there is never any transparency and accountability in the purchase and use of such potentially dangerous and invasive tools.”
This is one of the criticisms that Edward Snowden raises against the NSA as well. The fact that a behemoth will be storing all communication between private individual and that employees in that organisation will have access to private communication between individuals is a very scary thought.
Ms Dad complains: “There are no assurances within the bill about control of access to information that has been preserved or acquired under Section 28 (Expedited preservation and acquisition of data). By providing the power but not the control, the bill seriously threatens Pakistanis’ right to privacy across the country.”
Sana Saleem of Bolo Bhi agrees. “None of the systems installed by the government are sophisticated, and there’s no system that can effectively analyse the data and maintain its integrity as long as it is operated for mass surveillance, because human biases are involved. It also doesn’t help that there’s no data protection law in place.”
In addition, there are problems of definition. For example, the bill’s definition of ‘service provider’ – a term usually used to describe companies that provide internet access – casts a very wide net. Yasser Latif Hamdani, who was Bytes For All’s counsel in the YouTube case, says that under the new definition, “Every hotel, every restaurant or cafe is also a service provider. It is problematic because tomorrow these individuals may be called upon to collect data on the users using their platforms.”
While the focus is on the Cyber Crime bill, allegations that the Pakistani government is using the spying software Finfisher are going largely unprobed
During his days at Bilborough College in Nottingham, UK, over a decade ago, Shehzad was not quite sure how one of his good friends would know precisely what Shehzad had been up to the day before.
“We would meet in the morning and while joking around, he would say something like ‘so did you like that article on xyz website?’ Other times he would say something like, ‘you must have cooled down after visiting that hot website last night.’ I would just shrug him off. But deep down, I would sometimes feel that this guy was probably some sort of a telepathic genius. Other friends felt the same way,” he recalls.
It was only after sometime when Shehzad and other friends discovered that their “telepathic genius” friend’s “paranormal” behavior could in fact be explained through science – computer science that is.
Shehzad’s friend Ron had installed a trojan in their computers.
“A trojan is basically a computer programme that has two components, a server and a client. You install the server on the target computer and control it through the client,” explains Umair Ahmad, a Lahore-based computer programmer.
Depending on its level of sophistication, a trojan could allow its controller to carry out simple tasks from opening the CD drive tray, or monitoring the screen - to taking full control of the target system – and that includes potentially stealing sensitive information from the hard drive.
“One could either install the server component of the trojan on a computer if he has physical access to that machine or he could trick someone into installing it – a type of social engineering,” explains Ahmad.
When cornered, Ron had told his friends that he was not spying on them but only hacking into their systems “for the fun of it” and the “technical challenge”.
However, experts and whistleblowers have warned of more serious threats than those posed by people like Ron.
Edward Snowden has worked as Systems Administrator at America’s CIA and for the National Security Agency.
“There is an infrastructure in place in the United States and worldwide that NSA has built in cooperation with other governments as well that intercepts basically every digital communication, every radio communication, every analogue communication that it has sensors in place to detect and with these capabilities basically the vast majority of human and computer to computer communications and device based communications which sort of form a relationship with humans are automatically ingested without targeting,” argues Snowden.
He says the system in place allows spy agencies to even look into the past by digging out telephone call recordings and digital data of virtually any person. All they need is something as basic as a telephone number or e-mail address and that would dig out the ingested data.
At the forefront of spying operations is a company called Gamma Group that supplies spying technology to many governments around the world. The company boasts that its products can be used for social media monitoring & analysis, IP monitoring, active and passive lawful interception, data retention & analysis, strategic & tactical satellite monitoring, GSM location and tracking, command & control monitoring centers and media mining.
Marketing videos of Gamma Group show how governments could easily use their products, including Finfisher to monitor, e-mail, telephone, Skype and other communications.
Professor Ronald Deibert is Head of Citizen Lab, an interdisciplinary laboratory at the University of Toronto. Along with a team of computer and security experts, he has been tracking down Finfisher and other spy software.
“In the case of Finfisher, what we did is we first were able to get samples of the malware, of the malicious software from targets. Through forensic analysis of the software samples, reverse engineering and understanding how the spyware works, we were able to see where the software connects to. After doing that we found the locations of servers in a number of countries, one of which was Pakistan.”
In addition to that, documents by WikiLeaks have also confirmed that Pakistan is one of the clients of Gamma Group. The information was obtained when a computer hacker broke into Gamma Group servers and stole over 40 Gigabytes of data that he passed on to the WikiLeaks. The data included a technical support chat between Gamma Group representative and an unknown client in Pakistan.
The discovery led Bytes for All, a Pakistani human rights organisation focused on information and communication technologies, to probe the spying operations in Pakistan. Based on their findings, they initiated legal action against the Pakistan government for violating the constitution through mass spying of its citizens.
Computer experts have also discovered that the Finfisher is programmed with a backdoor. So not only does the software allow the Pakistani government to spy on its citizens but can also effectively allow spy agencies of other countries to break into Pakistan’s telecommunication infrastructure.
Officials from Pakistan’s Information Technology Ministry, Pakistan Telecommunication Limited — PTCL — and from other departments have either refused to talk about the subject or come across as clueless.
“Anyone could pick up a paper and pencil, jot something down and get it published and that would be a report. I don’t know about that (Finfisher) report. We hear from different places that the super power is engaged in spying. If that is true then it is not the right thing to do,” says Senator Mushahidullah Khan.
Bytes for All says that even the courts are reluctant to proceed with the case.
“When we filed this petition, the court ordered PTCL, which is the main respondent, to investigate the matter and comeback and deliver its report. Even though six different dates were given for hearings, on the last minute each time the court hearings were cancelled for different reasons. And since then there have not been any new dates. The petition is still with the court but it seems as though it is dormant,” says Fahad Desmukh, project manager at Bytes for All.
Computer experts say while it may not be possible to completely evade monitoring by intrusive state institutions, there are some steps the general public could take to make themselves relatively more secure while using computers:
Install and keep up-to-date an anti-virus programme on your computer. However do not fall prey to a false sense of security. Just because you have an anti-virus programme installed does not mean you are fully protected as certain malicious programmes can bypass anti-virus scanners.
Install a firewall on your system. Configure it properly so that it blocks all incoming and outgoing connections unless authorised by you.
Frequently check firewall logs for any access attempts from outside or local programmes trying to access the internet. Probe any access attempts.
Never open e-mail attachments from unknown senders no matter how tempted you may be. It is possible to trick someone into executing a Trojan server while packaging it as a video.
An attachment from a friend does not necessarily mean that it would be safe. The friend may have infected his own system and forwarded you a trojan server guised as a tempting video or game.
Just because you find a USB stick lying around the office does not mean you let curiosity get the better of you. Do not insert it in your computer. Spy software like Finfisher can be installed on a system simply by inserting a USB stick into the system.
Only install Windows or other updates through the official/authentic medium or through its updater. Never execute attachments supposedly received in e-mail from “Microsoft” or any other sender.
Various websites, particularly porn sites, could incorporate Active X technology that could install a backdoor into your system while you are in a state of virtual thoughtlessness.
Learn to use encryption software and use it to encrypt your communications.
Avoid storing sensitive information on your computer. You may wish to store it on some offline medium and keep it in a secure place.
Watch out for people using social engineering to extract information from you. Does someone really need to know what s/he is asking you?
Use strong passwords on your computer and do not leave your system unattended.
Privacy and digital rights groups have complained about the ‘draconian’ provisions in the Prevention of Electronic Crimes Bill 2015, but do they have any solutions to offer?
By Ahmed Yusuf
Shahzad Ahmad is the country director of Bytes for All, Pakistan, a human rights organisation with a focus on information and communication technologies (ICTs). His focus includes ICT policy advocacy, internet rights, privacy, and freedom of expression online. In March 2014, Shahzad was awarded the prestigious Index on Censorship Award for his advocacy work on freedom of expression. We speak to him regarding his reservations about PECB 2015
Groups such as yours have complained that the current cybercrime bill did not take stakeholders on board. What exactly do you mean by this and what kind of consultation would you have wanted?
In any democratic country, when laws are framed there is usually an associated implementation mechanism suggested and framed by lawmakers. This ensures that citizens are made part of the process: what do they need, how can they be facilitated, what new institutions and structures do we need to build, how do we staff them, how do we satisfy the citizenry’s qualms and redress their grievances, how do we better serve them? These are the questions that need to be addressed.
Unfortunately, our incumbent government has shown a tendency to discuss, debate and implement critical legislation behind closed doors. In practice, what this means is that those who’ll be affected by this new legislation are kept out and their voices shunned. Looked at another way, the state, for all ostensible purposes, is acting in its interests and not of its citizenry. This distance between the government and the governed is at the heart of the current debate and the perception that the new legislation is draconian.
The best practices to make the citizenry an active stakeholder are found in developed democracies such as Canada, Australia and New Zealand, where they have instituted privacy commissioners. These are independent individuals, who work as a bridge between the government and the governed, and ensure that individual liberties are not curtailed in the name of security. They ensure that personal information is protected and respected while the state carries on its stated objectives of net neutrality.
What Pakistan needs is privacy commissioners, answerable to the parliament, and for the government to help setting them up, fund them, and establish a connection with the citizenry.
Till now, what we have witnessed is that no judicial oversight has been ensured, lawyers don’t know much about the internet or about net governance, citizens have low awareness about how their privacy is being compromised, and all power rests with various law enforcement agencies.
Privacy commissioners will help us bridge that gap. They will ensure that all offices that need to be set up to facilitate and help common citizens are built, they will listen to common people’s complaints and outstanding issues, and they will tell us which law enforcement agency is crossing its bounds or misusing its authority. If privacy commissioners can help in making common people part of the process, citizens are likelier to welcome new legislation and actually feel secure about it.
Surely online hate speech needs to be curbed, and this bill is a step in that direction ...
To criminalise hate speech this way means that you will exclude a certain segment of your population from any national debate. In Pakistan, this means that that our minorities’ thought and speech will be curbed.
If you scan our current netscape, you will notice that Shias and Ahmadis, for example, are often targeted and harassed online by sectarian organisations for their belief systems. Then there are non-state actors who find patronage from various powerful actors, which allows the former impunity to do as they please, both offline and online. After the legislation, you will find that those at the receiving end of hate speech will be at a greater risk for being punished if they respond to any abuse or insult hurled at them.
We believe that there should be open channels of communication. Hate speech and divisive ideas, particularly in Pakistan, can only be countered with more speech and critical, constructive ideas. Nobody should be prosecuted or killed because of what they think. We need to start discriminating between hate speech and incitement to violence; the latter can be dealt with through the provisions already provided in the penal code. Hate speech cannot be criminalised through subjective provisions.
What then would be the way forward, if we were to concentrate on what the government should be doing?
To reiterate, there is a distance between the government and the governed. The new cyber crimes legislation has come about as part of the National Action Plan (NAP) to counter terrorism, with the government receiving much support within Parliament to take whatever measures it needs to.
Pakistan is a signatory to a United Nations convention on human rights, whereby it has to constitute a “national human rights institution” that can listen to and redress citizen complaints. The government has recently announced the formation of this institution, but we don’t know what its composition is and who are its members. And since this step has come about as part of the NAP initiatives, the law passed recently excludes jurisdiction on human rights violations carried out by security agencies.
Second, on June 19, 2014, Chief Justice of Pakistan Justice Tassaduq Hussain Jillani issued a historic judgment to remind the government that it must uphold the law to protect minorities. Justice Jillani had directed the federal government to establish a taskforce to develop strategies to tackle religious intolerance, to establish a national council for minorities, and also to constitute a special police force that can protect the minorities’ places of worship.
Then there were directions on bringing the delinquents of social media to court, those who resort to hate speech of various kinds. The court had also ordered the law enforcement agencies to work within the ambits of the constitution, to take prompt action against those involved in hate speech.
In total, Justice Jillani had laid out 10 directives for the government, which were to act as a roadmap for the protection and security of minorities. None of those directives have been met in totality thus far.
What the government needs to realise is that these laws are not symbolic, but are connected with the larger fabric of society and with lowering the volume of faith-based hate that seems to have become the norm in many parts of the country.
If we can begin by implementing Supreme Court orders, we will see that genuine cyber crime too will be easier to thwart. We also need to make existing laws consistent with human rights requirements, and remove all predatory provisions from the Pakistan Protection Act and Fair Trial Act.
Law requires all citizens to be deemed equal; law enforcement agencies cannot be exempted from this. In fact, the government needs to ensure the national human rights institution’s capacity to deal with complaints around cyber crime, and to do that, it needs to ensure that no human rights violations take place at the hands of law enforcement agencies.
The state and the government need to work towards ending the prevalent environment of distrust and fear; there is a culture of impunity skewed towards preachers of hate in Pakistan, and it targets journalists and human rights defenders. On the other hand, law does not govern those spreading hate or the law enforcement agencies. This culture of impunity needs to end; else the government should assume responsibility for the damage being caused to society.
Beyond the obvious concerns regarding privacy and abuse, what other negative effects are you concerned about?
Educators and businesses both stand to lose in the event that this legislation is implemented in its current shape and form.
The government has been arguing that after this law, YouTube will be re-opened. With localised versions of YouTube, the major trend across the globe is that they leave service providers open to arm-twisting in terms of what they put up. Instead of sensitising the citizenry to new ideas or to innovative approaches to problem-solving, censorship will bind them in antiquated ideas.
Businesses will lose out because no Western trading partner will accept the draconian clauses in this legislation, and they are likely to advise their investors against entering Pakistan. We must situate this new legislation within a human rights framework to prevent such an eventuality. Even though security underpins the approach of this bill, it has to be pro-people, pro-human rights, and pro-business.
But if we choose an isolationist stance, it will have far-reaching impacts on tech and innovation in Pakistan, since much of the capital and patronage for new tech businesses arrives from the West, business relationships are built with Western companies, and technical advice and assistance is provided by established ventures.
This will also affect how businesses think about innovation, since the main advantage of technology is for cyberspace to reach far-flung areas and to benefit them in ways similar to urban centres. One can cite agricultural solutions or even access to education as innovations driven by tech. The new legislation will make such outreach or social mobility prohibitive and exclusionary.
The writer tweets @ASYusuf
Published in Dawn, Sunday Magazine, April 26th, 2015