PEC Bill: 9. Glorification of an offence and hate speech. Whoever prepares or disseminates intelligence, through any information system or device, where the commission or threat is with the intent to:
(a) glorify an offence or the person accused or convicted of a crime;
(b) support terrorism or activities of proscribed organizations; and
(c) advance religious, ethnic or sectarian hatred
shall be punished with imprisonment for a term which may extend to five years or with fine up to ten million rupees or with both.
Explanation: “Glorification” includes depiction of any form of praise or celebration in a desirable manner

Criticism: Every accused is to be presumed innocent unless proven guilty. Therefore, there is no justification for making glorification of an accused an offence.

Justification: In order to ensure fair trial as guaranteed under Article 10-A of the Constitution, it is important that media trial of any accused is avoided. Similarly media projection of any accused also needs to be avoided for fair trial. Many countries prohibit discussions on sub judice matters and this provision is therefore in line with the international best practices.

Response: “In a 2001 Joint Statement, the UN, OSCE and OAS Special Mandates on the right to freedom of expression set out a number of conditions which hate speech laws should respect:
- No one should be penalised for statements which are true
- No one should be penalised for the dissemination of hate speech unless it has been shown that they did so with the intention of inciting discrimination, hostility or violence
- The right of journalists to decide how best to communicate information and ideas to the public should be respected, particularly when they are reporting on racism and intolerance
- No one should be subject to prior censorship
- Any imposition of sanctions by courts should be in strict conformity with the principle of proportionality.
These provide a good basis for assessing the legitimacy of any particular hate speech law.”

The aforementioned legal standards are taken from the UNHRCm after the ECHR case Jersild v Denmark. These standards are a good reference point as to what the international standard should be, and show that Sec 9 is actually not entirely aligned to international standards. The provision in this section can be seen as disproportional, taking away from the right of a journalist to decide how and what to report, and limiting opinion on ongoing cases. In cases where a fair trial could be influenced by the media, the courts already have the power to stop the media from reporting. However, it is not the job or objective of the media to be fair and unbiased, but it IS the job of the courts. Therefore, this provision seems to put the onus on the media, while doubting the integrity of the judicial systems.

PEC Bill: 14. Unauthorised use of identity information.-
(1) Whoever obtains, sells, possesses, transmits or uses another person’s identity information without authorisation shall be punished with imprisonment for a term which may extend to three years or with fine up to five million rupees, or with both.
(2) Any person whose identity information is obtained, sold, possessed, used or transmitted may apply to the Authority for securing, destroying, blocking access or preventing transmission of identity information referred to in subsection (1) and the Authority on receipt of such application may take such measures as deemed appropriate for securing, destroying or preventing transmission of such identity information.

Criticism: Identity information is not defined.
Justification: Identity information is clearly defined in Chapter I as: “identity information” means an information which may authenticate or identify an individual or an information system and enable access to any data or information system;

Response: According to the definition of identity information as provided, it extends the scope of this section to phone numbers and email addresses and other such correspondence. This opens the floodgates for arrest and litigation, for a simple sharing of a phone number and/or email address or the likes. Therefore, this section has to be reworded for the intent to be clarified as follows:
1. The defendant willfully obtained someone else's personal identifying information;
2. The defendant willfully used that information for an unlawful purpose; AND
3. The defendant used the information without the consent of the person whose identifying information (he/she) was using.
Someone commits an act willfully when he or she does it willingly or on purpose. An unlawful purpose includes unlawfully (obtaining/ [or] attempting to obtain) (credit[,]/ [or] goods[,]/ [or] services[,]/ [or] medical information) in the name of the other person. (California Criminal Law 2040. Unauthorized use of personal identifying information)

This clarifies that the provision will only be used against a person committing an UNLAWFUL act, through UNLAWFUL means, limiting the scope and addressing the real problem.

PEC Bill: 17. Unauthorised interception.- Whoever intentionally commits unauthorised interception by technical means of:
(a) any transmission that is not intended to be and is not open to the public, from or within an information system; or
(b) electromagnetic emissions from an information system that are carrying data,
shall be punished with imprisonment of either description for a term which may extend to two years or with fine up to five hundred thousand rupees or with both.

Criticism: Ethical hacking has been criminalized.

Justification: Ethical or white hat hacking is done with permission of the network/system owner. Therefore, the same is not unauthorized and does not constitute an offence under the proposed law.

Response: To limit the scope of abuse, it must be:
a) Clarified that ethical hacking is NOT criminalized
b) Create legal language to protect ethical hackers from litigation
c) Create a standard/procedure that must be used to prove that UNETHICAL hacking has taken place.

“An analysis must be done to identify these requirements and to develop solutions. A set of controls and instructions should be drafted to capture these requirements and provide clear instructions to the ethical hacker. Everyone involved in the process should be informed about all requirements, and continuous monitoring should be put into place to ensure compliance. Ethical hackers not employed by the company should execute a written agreement to act within those requirements and agree to indemnify the company for any breach of these promises.” An excerpt from the American Bar Association.

This clearly shows the need to not only identify ethical hacking, but also create standards, requirements and procedures. Ethical hacking is important for the development of industry and therefore those in the industry need to be protected.

PEC Bill: 18. Offences against dignity of natural person-
(1) Whoever intentionally publicly exhibits or displays or transmits any false intelligence, which is likely to harm or intimidate the reputation or privacy of a natural person shall be punished with imprisonment for a term which may extend to three years or with fine up to one million rupees or with both: Provided, nothing under this sub-section (1) shall apply to anything aired by a broadcast media or distribution service licensed under Pakistan Electronic Media Regulatory Authority Ordinance, 2002 (XIII of 2002).
(2) Any aggrieved person or his guardian, where such person is a minor, may apply to the Authority for passing of such orders for removal, destruction or blocking access to such intelligence referred to in sub-section (1) and the Authority on receipt of such application, may take such measures as deemed appropriate for securing, destroying, blocking access or preventing transmission of such intelligence.

Criticism: Facebook messages or tweets may also be criminalized under this provision.

Justification: Dignity of man is inviolable under Article 14 of the Constitution. The proposed provision is pertaining to false information only and any fair comments, criticism, opinion etc do not fall under this provision. It is merely a transformation of an identical provision relating to criminal intimidation.
Section 503 of PPC Criminal Intimidation: Whoever threatens another with any injury to his person, reputation or property, or to the person or reputation of any one in whom that person is interested, with intent to cause alarm to that person, or to cause that person to do any act which he is not legally bound to do, or to omit to do any act which that person is legally entitled to do, as the means of avoiding the execution of such threat, commits criminal intimidation.
Explanation: A threat to injure the reputation of any deceased person in whom the person threatened is interested, is within this section.

Response: The problem with the section is that it makes the law very subjective. What constitutes harm to one may not constitute harm to another. And with defamation laws already present in Pakistan, it renders this section useless and actually weak compared to the defamation law in Pakistan. “likely to cause harm” “likely to intimidate the reputation” means very little when looking at the law from an objective point of view.
In fact, most statements on mediums like Twitter or Facebook, while being false and unsubstantiated, are, objectively looking, unimportant and HIGHLY unlikely to cause damage to reputation. In such events, courts all over the world are not likely to accept a claim of defamation. Therefore in order to truly make this section count, one must remove these provisions, and punishments, and create a system that allows a complainant to register a complaint, and after investigation, if necessary, courts simply issue a take down notice.

This was also suggested by Neville L. Johnson, a lawyer by trade and the author of the article Remedies for Web Defamation: “One possible solution to the problem of Internet defamation is to amend section 230 to more closely resemble the Digital Millennium Copyright Act, with its system of notice and take-down procedures to regulate copyrighted material online. (See 17 U.S.C. § 101.)”

PEC Bill: 21. Cyber stalking.-
(1) Whoever with the intent to coerce or intimidate or harass any person uses information system, information system network, the Internet, website, electronic mail, intelligence or any other similar means of communication to:
(a) communicate obscene, vulgar, contemptuous, or indecent intelligence; or
(b) make any suggestion or proposal of an obscene nature; or
(c) threaten to commit any illegal or immoral act; or
(d) take a picture or photograph of any person and display or distribute without his consent or knowledge in a manner that harms a person; or
(e) display or distribute information in a manner that substantially increases the risk of harm or violence to any person,
commits the offence of cyber stalking.
(2) Whoever commits the offence specified in sub-section (1) shall be punishable with imprisonment for a term which may extend to two years or with fine up to one million rupees, or with both: Provided that if the victim of the cyber stalking under sub-section (1) is a minor the punishment may extend to five years or with fine upto ten million rupees, or with both.
(3) Any aggrieved person may apply to the Authority for issuance of appropriate orders for removal or destruction of, or blocking access to such intelligence as referred to in sub-section (1) and the Authority upon receipt of such application may take such measures as deemed appropriate for removal or destruction of, or blocking access to, such intelligence.

Criticism: Uploading a photograph of another person without permission has been criminalized.

Justification: There are extensive legislations in many developed countries regarding personal data protection and cyber stalking. EU Personal Data Protection Directive 1995 is one such example. Even most of the social sites get a confirmation from the person uploading a photo whether he is authorized the photo or not. Privacy of home is protected as a fundamental right under Article 14 of the Constitution.

Response: Cyber stalking cannot and does not, in any parts of the world, constitute a onetime behavior. It is a continuous, obsessive and repetitive behavior. The clause must be amended to include the term “repeatedly” and “obsessively”. Cyber Stalking must be clearly defined. An example of a good definition:

“At its most basic legal definition, “cyberstalking is a repeated course of conduct that’s aimed at a person designed to cause emotional distress and fear of physical harm,” said Danielle Citron, a professor at the University of Maryland’s Francis King Carey School of Law. Citron is an expert in the area of cyber-stalking, and recently published the book called Hate Crimes in Cyberspace”.

Using the basic legal definition provided by Danielle Citron; it shows a clear design and direction to take cyberstalking, instead of just “intent to coerce or intimidate or harass any person”.

PEC Bill: 22. Spamming.-
(1) Whoever intentionally transmits harmful, fraudulent, misleading, illegal or unsolicited intelligence to any person without the express permission of the recipient, or causes any information system to show any such intelligence commits the offence of spamming.
Explanation.- “Unsolicited intelligence” does not include:
i. Marketing authorized under the law; or
ii. Intelligence which has not been specifically unsubscribed by the recipient.
(2) A person engaged in direct marketing shall provide the option to the recipient of direct marketing to block or subscribe such marketing.
(3) Whoever commits the offence of spamming as described in sub-section (1) or engages in direct marketing in violation of sub-section (2), for the first time, shall be punished with fine not exceeding fifty thousand rupees and for every subsequent violation shall be punished with imprisonment for a term which may extend to three months or with fine up to one million rupees or with both.

Criticism: Criminalizing “unsolicited” messages, is very harsh and may hamper various economic and social activities.

Justification: Term “unsolicited intelligence” has been explained in the same provision and it does not include any intelligence which has not been specifically unsubscribed. It means that any intelligence shall only be considered unsolicited when the recipient has specifically unsubscribed to it.

Response: Spamming becomes redundant to address if spoofing is included. It bears no weight and in fact confuses the law. Most email providers and other such correspondence have the options of “block”, phones have in built spam protections. In Pakistan, spamming is mostly done as either a (i) marketing scheme or (ii) fraudulently acquire funds from naïve citizens. To counter this,
i) the term whoever is replaced with TeleComs be removed to stop unsubscribed messages from reaching people. The term person removed and replaced with company, thereby distancing citizens from falling under this law.
ii) a PSA would suffice telling citizens not to fall for it, and criminalizing such behavior under spoofing would suffice.

However, most countries have separate spamming laws and it is NOT categorized under cyber bill. A good example would be the Canadian Anti Spam Law: https://sendgrid.com/blog/canadiananti-spam-law-need-know/

It clearly gives exclusion to normal mass emails while emphasizing that a mass email that is of commercial nature or invites to engage in a commercial activity would be spam. Please refer to the link above that simply explains the Spam Laws.

PEC Bill: 23. Spoofing.-
(1) Whoever dishonestly, establishes a website or sends any intelligence with a counterfeit source intended to be believed by the recipient or visitor of the website, to be an authentic source commits spoofing.
(2) Whoever commits spoofing shall be punished with imprisonment for a term which may extend to three years, or with fine up to five hundred thousand rupees or with both.

Criticism: Spoofing appears to criminalize satire.

Justification: Spoofing is synonym to using a forged document as genuine. Satire is not covered under this offence as counterfeiting a source with dishonest intentions and using it as authentic and making people to believe it is authentic is not satire. Satire means the use of humour, irony, exaggeration, or ridicule to expose and criticize people's stupidity or vices, particularly in the context of contemporary politics and other topical issues.

Response: A proper explanation of what “spoofing” is:

“an automated form of social engineering, criminals use the Internet to fraudulently extract sensitive information from businesses and individuals, often by impersonating legitimate web sites. It is a technique of pulling out confidential information from the bank/financial institution account holders by deceptive means. Phishing is just one of the many frauds on the Internet, trying to fool people into parting with their money. Phishing refers to the receipt of unsolicited emails by customers of financial institutions, requesting them to enter their username, password or other personal information to access their account for some reason. The term phishing is a general term for the creation and use by criminals of e-mails and websites – designed to look like they come from well-known, legitimate and trusted businesses, financial institutions and government agencies – in an attempt to gather personal, financial and sensitive information”

Therefore, the intent should not be “to be believed by recipient” but in fact, the intent must be to “fraudulently extract sensitive/confidential information, or fraudulently extract funds from users via misrepresentation online” and include under misrepresentation, “setting up false website, sending out emails containing false information or using a forged IP address to trick recipient’s computer to believe it is from a trusted source”.

By simplifying the intent of the act, it opens the floodgates to civil suits. It must be clarified that the intent is not just to dupe the recipient but to cause a financial loss or illegal information gathering.

PEC Bill: 29. Retention of traffic data.---
(1) A service provider shall, within its existing or required technical capability, retain its traffic data for a minimum period of one year or such period as the Authority may notify from time to time and provide that data to the investigation agency or the authorised officer whenever so required.
(2) The service providers shall retain the traffic data under sub section (1) by fulfilling all the requirements of data retention and its originality as provided under sections 5 and 6 of the Electronic Transaction Ordinance, 2002 (LI of 2002).
(3) Any person who contravenes the provisions of this section shall be punished with imprisonment for a term which may extend to six months or with fine up to five hundred thousand rupees or with both.

Criticism:
(1) Deletion of internet browser history has been stopped.
(2) Cost of service provision will increase.
(3) Privacy has been compromised.

Justification: (The requirement of retaining traffic data added in agreement with ISPAK and PASHA).
(1) The requirement of retaining traffic data is applicable only to the service providers and a subscriber/user of service can delete his browser history or any traffic data as no such obligation has been put on him.
(2) Retention of traffic data for a period of one year will not have any impact on cost of services as it is already a part of the licence terms and conditions of the service providers. In other countries there are also similar obligations on service providers for data retention. For example under EU Data Retention Directive, operators are also obliged to retain traffic data for a minimum of one year. According to Centre for Internet & Society (India) under Indian ISP License, there are eight categories of records that service providers are required to retain for security purposes that pertain to customer information or transactions. In some cases the license has identified how long records must be maintained, and in other cases the license only states that the records must be made available and provided.
(3) In order to ensure that traffic data so retained is not misused/unlawfully accessed, requirement of obtaining prior warrant from the court has been provided in the bill.

Response: The real question is why is data retention so important. Massive surveillance cannot take place without cause. There is no evidence supporting the idea that retention of data has caused a decrease in terroristic activities; please see: http://www.abc.net.au/news/2015-0210/bradley-the-case-for-data-retentionstill-hasnt-been-made/6075684.
In fact, this provision just seems to be opening up way to extend territorial scopes; as long as communications is between Pakistanis, when one could be anywhere in the world, their data is being stored. It is a Jurisdictional reach, beyond the scope of ability of law. Research shows that countries like Austria, Belgium, Bulgaria, Germany, Greece, Romania and Sweden, have rejected it. These countries continue to tackle serious crime without undermining their citizens’ civil liberties through blanket data retention.

PEC Bill: 34. Power to manage intelligence and issue directions for removal or blocking of access of any intelligence through any information system:
(1) The Authority is empowered to manage intelligence and issue directions for removal or blocking of access of any intelligence through any information system. The Authority or any officer authorised by it in this behalf may direct any service provider, to remove any intelligence or block access to such intelligence, if it considers it necessary in the interest of the glory of Islam or the integrity, security or defence of Pakistan or any part thereof, friendly relations with foreign states, public order, decency or morality, or in relation to contempt of court or commission of or incitement to an offence under this Act.
(2) The Authority may prescribe rules for adoption of standards and procedure to manage intelligence, block access and entertain complaints.
(3) Until such procedure and standards are prescribed, the Authority shall exercise its powers under this Act or any other law for the time being in force in accordance with the directions issued by the Federal Government not inconsistent with the provisions of this Act.

Criticism: Government or PTA shall have the control to block any online content. Any political content or criticism on the government may also be blocked.

Justification: This power already exists under the Pakistan Telecommunication (Reorganization) Act, 1996 and is currently being exercised by PTA. Exercise of such power by PTA has been endorsed and even required by the Honourable Superior courts. This provision merely ensures that PTA develops proper legal framework for exercise of this power and exercises the power strictly in accordance with the Constitution. Political comment or criticism on the government cannot be blocked under this provision.

Response: It is factually incorrect to say that under the PTA Act, PTA has the power to block. PTA must be given the right to censorship through legislation, which SEC 34 is doing. The wordings in this provision do NOT merely give PTA the directive to create a legal framework. In fact, the term in (2) “may prescribe rules” means that there is no need to prescribe rules, just that they have the ability to, which is reemphasized in (3). The Federal Government had already made a statement giving the PTA authority to censorship; soon after WordPress was banned.

While language has been borrowed from Article 19, the very important term “reasonable restrictions” has been forgotten. “Reasonable restrictions” are found in precedence; as such no precedence or standard is present in Pakistan law. Therefore, it would be important here to not only incorporate the term “reasonable restrictions” but also to justify these restrictions.

In order for this provision to be MERELY a provision urging for framework and in accordance to our Constitution, there should be clear mentions of all types of speech that is not allowed. It is unclear what constitutes integrity of Pakistan, or friendly relations with foreign states. These need to be clarified, a standard to meet this clarification to be created and exceptions to be established. Till then, this section needs to be removed in its entirety because it is actually a clear violation of the Universal Declaration of Human Rights, and international practice. Any law that violates international HR standards cannot and should not be formulated into law. Please refer to case: Yildirim v. Turkey