“The government’s pick-and-choose approach to enforcement and interpretation, is what makes the cybercrime bill so dangerous” — Nighat Dad

Q. Why should I, as an average citizen of Pakistan, care about the passage of the PECB?

A. You should care whether or not you have an internet connection, at home or at work. Anyone who accesses the internet, or any computer for that matter, runs the risk of being charged under the provisions of this law, thanks to its very broad language.

On the face of it, it could appear to someone as a law that protects the rights of the people. But in reality, anything you say or are construed to have said can be used against you. If you are accused or suspected of having committed a criminal act, which again has only been broadly defined within the bill, your data can be retained by the authorities without your knowledge and without your consent. You can be termed a criminal due to certain online actions that you didn’t even know constituted cyber crimes. Every citizen with a smartphone or access to the internet should worry about this law because it is nearly impossible to live without using information and communication technologies (ICT) in one form or the other.

Q. People say ‘Oh, the state will never know it was me’ because they don’t reveal their identity online, or they use Virtual Private Networks (VPNs) or other means to stay anonymous online. Is this impression correct or does the state have more sophisticated tools than we give it credit for?

A. Breaking Tor encryption is nearly impossible, so anyone who uses that software can be anonymous. However, given the sophisticated surveillance technology that is being imported into Pakistan such as Netsweeper, there can be little doubt about the government’s intentions. They were even talking to HackingTeam, before the Italian-based company got hacked themselves and it came out that they were in talks with the government of Pakistan. In addition, the military’s capabilities are also quite sophisticated. So the state does have the capability, we can’t say they don’t have the capability to identify individual users.

But [the use of] anonymity [software, such as virtual private networks or proxies] is already regulated under the law. Anyone seeking to use a VPN must go through an application process administered by the Pakistan Telecommunication Authority (PTA). The application form and information provided suggest that the authorisation process is directed primarily at companies rather than individuals. There does not appear to be a process designed for individuals to seek authorisation to use a VPN. The criteria on which applications are approved or declined isn’t public either.

There are also indications that the PTA is cracking down on unauthorised VPN usage. In February 2015, users of an Islamabad-based internet service provider received a notification that the PTA “has started blocking of IP addresses that are carrying unauthorised Voice-over Internet Protocol (VoIP) or Encrypted Virtual Private Networks (EVPNs), through an automated system”. This message reinforced PTA ads that ran in national newspapers in 2014, advising people to stop using unauthorised VPNs.

This is also connected to data retention: why is the government insistent on retaining one year’s worth of user data? It’s to develop profiles on people. If one person is using only one IP address, and then logs in from a different IP from another location, it will expose their offline activity to prying eyes.

This is the same thing the National Security Agency (NSA) has done. This is why activists have been lobbying for the abolition of the clause that asks internet service providers (ISPs) to retain one year’s worth of data. It has already been pointed out that such data retention has been ruled to be a breach of privacy and struck down by the Court of Justice of the European Union.

[Editor’s note: Tor software directs internet traffic through a worldwide network of relays to conceal an individual’s internet usage and location from anyone conducting surveillance.]

Q. What is it about the bill that makes it so dangerous?

A. The bill is dangerous because of the very broad language that lies within. It is a very punitive piece of legislation but with little in the way of clarity or specifics and with no regard for context. Again, there are no protections for data privacy in the event of data retention, and in the event of foreign government requests for data.

There are certain welcome developments; for example, under the data retention clause, law-enforcement agencies are now required to seek a judicial warrant before asking ISPs to hand over an individual’s data. But this is no guarantee against misuse of the law, which is why built-in safeguards are so important.

Q. In Pakistan, laws are seldom fully implemented, so it would stand to reason that civil society shouldn’t be too scared about this bill either, since it won’t be possible to enforce it fully. How would you respond to that?

A. Some laws may not be ‘fully implemented’ in Pakistan, but this partly depends on the specific law itself. The blasphemy law, death penalty notwithstanding, is one that the government adheres to fairly strictly, to the point that people have been given long prison terms for what they’ve said online. This broad overreach, as well as the government’s pick-and-choose approach to enforcement and interpretation, are what make the cybercrime bill so dangerous. Sleeping provisions in any law can be used to target minorities and political dissidents whenever the state or non-state actors wish.

This fear will lead to self-censorship online. The little space that minority and vulnerable groups have found online will be shut down because of fear of prosecution, not just persecution. In any case, there are no adequate protections for rights such as freedom of expression and privacy for Pakistani citizens. The view that ‘law X was not strictly implemented in the past, therefore we should not worry too much about this law’ is a dangerous one. Apathy is never the answer and can lead to a further erosion of citizens’ rights, online and offline.

Q. Would you say that you were unable to mobilise mass opposition for the bill, or is its passage a sign that enough people don’t care about the law or don’t know enough about it to realise how problematic it will be?

A. No, the fact that we were able to get the Senate Committee to take notice and to discuss the bill at length for so long has been an achievement. This indicates that there are lawmakers that are cognisant of what’s at stake and what can be done. Yes, the bill may pass, but that does not mean that the fight is over. People will care about the law once its implications become clear to everyone, not just the tech and rights community.

Q. As a journalist, what kind of dangers await me following the passage of the PECB?

A. Covering the affairs of the state or other institutions from a critical lens can leave you open to charges such as glorifying “an offence or the person convicted of a crime and support terrorism or activities of proscribed organisations” under the current PECB.

Under provisions of this bill, your data can be collected and retained, which will enable the government to sift through your internet and data traffic for the identities of sources and the locations that you visit. How you will protect your sources and whistleblowers when all these activities are being criminalised under the PECB? Being a journalist in Pakistan has historically been a dangerous profession — this bill will make it even harder to do your job in safety and with confidence.

Q. Do you think the policymakers who made this bill fully grasp all the technicalities of cyberspace and the scope of state control and surveillance that they are about to sign into law?

A. Policymakers push for the implementation of laws that they believe will protect the country in some shape or form, whether they are right or wrong. The problem lies in how protection is defined, which varies from state to state. To some, total control over all data is the best way to detect potential threats. But as we have seen in the case of the US’s NSA and the Central Intelligence Agency (CIA), total data control has not helped pinpoint potential terrorists or other persons of interest.

Moreover, several policymakers are active on social media and what they know of cyberspace and cyber security in part comes from what they read online, as well as in the local and international press. This content, for the most part, tends to be either dramatic or inaccurate.

Heightened tensions in the region and around the world mean that lawmakers are going to often sign up for legislation that, on the surface, can ensure adequate protection for the people and the state. I think that some lawmakers have signed up because of this reason, especially in the wake of the horrendous attack on the Army Public School in Peshawar. But what is also happening is that the government and certain parts of the media have been shouting down or demonising criticism of the PECB and other laws like it, casting aspersions and referring to critics as ‘troublemakers’.

Make no mistake; a cybercrime bill — or two — is necessary. What we have been fighting for is awareness that this bill is not something that will protect Pakistan’s digital frontiers, and if anything, can freeze the freedom of expression and technical progress made in Pakistan. But lawmakers do not seem to grasp this, by and large.

Published in Dawn, Sunday Magazine, August 14th, 2016