Important issues in Pakistan's Cyber Crime Bill

This presentation was made by Zahid Jamil on 7th Sept 2007; it highlighted important issues regarding the new Cyber Crime Bill, which is soon to be made into law. http://dbtb.org

Published in: Technology
4 Comments
  • Sir, can you please allow us to download this presentation?
  • Please go right ahead - and make those comments - each independent comment appears on the relevant slide but it also shows up at the start of the presentation allowing people to browse through the entire set of comments. I find it useful - I took the liberty of deleting the duplicate comments if you don't mind

    Thanks
  • F: 14. *Spamming/pollupostage* - (1) Whoever transmits *harmful, fraudulent, misleading, illegal or unsolicited electronic messages in bulk* to anyone without the express permission of the recipient, or causes any electronic system to show a message of this kind, or *engages in the falsified registration of an online user account or the falsified registration of a domain name* for commercial purposes, commits the offence of spamming/pollupostage.

    I: 14. *Spamming* - (1) Whoever transmits *fraudulent, misleading, illegal or unsolicited electronic* messages in *bulk* to anyone without the express consent of the recipient, or causes any electronic system to show any such message, or *engages in the falsified registration of online user accounts or the falsified registration of a domain name* for commercial purposes, commits the offence of spamming.
  • (Please don't mind what I write: I am just using the comments to translate your slides).
    PS This is getting unwieldy: I thought the comments would appear under each slide, not all in a thread - I'll do the translation on another page, then link it here. Thank you so much for the great lesson.

  1. Prevention of Electronic Crimes Bill 2007. By Zahid U. Jamil, Barrister-at-law. www.jamilandjamil.com
  2. This slideshow was prepared and presented by Zahid Jamil at The Second Floor on 7th Sept 2007. It is very difficult to convey the message simply through slides, but pay careful attention to the BOLD text, which has been deliberately highlighted and needs to be fully understood.
  3. Electronic Transactions Ordinance 2002
  4. 36. Violation of privacy information.—
      • gains or attempts to gain access to any information system with or without intent to acquire the information
      • Gain Knowledge
      • Imprisonment 7 years
      • Fine Rs. 1 million
  5. Data Protection Act
      • Data Confidentiality Law
  6. 37. Damage to information system, etc.—
      • alter, modify, delete, remove, generate, transmit or store information
      • to impair the operation of, or prevent or hinder access to, information
      • knowingly not authorised
      • Imprisonment 7 years
      • Fine Rs. 1 million
  7. “Cyber Stalking”
      • (a) communicate obscene, vulgar, profane, lewd, lascivious, or indecent language, picture or image;
      • (b) make any suggestion or proposal of an obscene nature;
      • (c) threaten any illegal or immoral act;
      • (d) take or distribute pictures or photographs of any person without his consent or knowledge;
      • (e) display or distribute information in a manner that substantially increases the risk of harm or violence to any other person, commits the offence of cyber stalking.
      • How can any one of the above provisions help in defining Cyber Stalking? This provision needs substantive work or deletion.
  8. “electronic” includes electrical, digital, magnetic, optical, biometric, electro-chemical, wireless or electromagnetic technology;
      • ?
  9. 14. Spamming.—(1) Whoever transmits harmful, fraudulent, misleading, illegal or unsolicited electronic messages in bulk to any person without the express permission of the recipient, or causes any electronic system to show any such message or involves in falsified online user account registration or falsified domain name registration for commercial purpose commits the offence of spamming.
  10. “spoofing”
      • establishes a website, or sends an electronic message with a counterfeit source intended to be believed by the recipient or visitor or its electronic system to be an authentic source with intent to gain unauthorized access to commit further offence or obtain their valuable information which later can be used for any unlawful purposes is said to commit the offence of spoofing.
      • This is phishing!
      • (fish´ing) (n.) The act of sending an e-mail to a user falsely claiming to be an established legitimate enterprise in an attempt to scam the user into surrendering private information that will be used for identity theft.
  11. “malicious code”
      • Explanation: includes but not limited to a computer program or a hidden function in a program that damages data or compromises the electronic system’s performance or uses the electronic system resources without proper authorization, with or without attaching its copy to a file and is capable of spreading over electronic system with or without human intervention including virus, worm or Trojan horse.
      • Code performing unintended or unauthorized functions
      • NOT COMPATIBLE WITH INT’L DEFINITIONS
  12. Council of Europe Convention on Cyber Crimes (Budapest Convention), 23.11.2001
  13. Data damage.— (1) Whoever with intent to cause damage to the public or any person, damages any data is said to commit the offence of data damage.
      • Data Interference
      • Budapest Convention interference-centric policy rather than damage-centric.
  14. System damage.— (1) Whoever with intent to cause damage to the public or any person interferes with or interrupts or obstructs the functioning, reliability or usefulness of an electronic system by inputting, transmitting, damaging or deteriorating any data is said to commit system damage.
      • System Interference
  15. Electronic fraud.—
      • (1) Whoever for gain interferes with data or electronic system to induce any person to enter into a relationship or with intent to deceive any person, which act or omission is likely to cause damage or harm to that person or any other person, commits electronic fraud.
      • intentionally and without right, the causing of a loss of property to another by:
      • a. any input, alteration, deletion or suppression of computer data,
      • b. any interference with the functioning of a computer system,
      • with fraudulent or dishonest intent of procuring, without right, an economic benefit for oneself or for another.
  16. Electronic forgery.— (1) Whoever for gain interferes with data or electronic system, with intent to cause injury to the public or to any person, or to support any claim or title or to cause any person to part with property or to enter into any express or implied contract, or with intent to commit fraud, commits electronic forgery, regardless of the fact that the data is directly readable and intelligible or not.
      • without right, the input, alteration, deletion, or suppression of computer data, resulting in inauthentic data with the intent that it be considered or acted upon for legal purposes as if it were authentic, regardless whether or not the data is directly readable and intelligible.
  17. Corporate liability.— A corporation shall be held liable for a criminal offence committed on its instructions or for its benefit. The corporation shall be punished with fine not less than one hundred thousand rupees.
      • International Investment, FDI, Foreign MNCs
  18. 6. Terrorism. ---
      • (1) In this Act, “terrorism” means the use or threat of action where:
      • (a) the action falls within the meaning of sub-section (2), and
      • (b) the use or threat is designed to coerce and intimidate or overawe the Government or the public or a section of the public or community or sect or create a sense of fear or insecurity in society; or
      • (c) the use or threat is made for the purpose of advancing a religious, sectarian or ethnic cause.
      • (2) An “action” shall fall within the meaning of sub-section (1), if it:
      • (a) involves the doing of anything that causes death;
      • (b) involves grievous violence against a person or grievous bodily injury or harm to a person;
      • (c) involves grievous damage to property;
      • (d) involves the doing of anything that is likely to cause death or endangers a person’s life;
  19. (continued)
      • (e) involves kidnapping for ransom, hostage-taking or hijacking;
      • (f) incites hatred and contempt on religious, sectarian or ethnic basis to stir up violence or cause internal disturbance;
      • (g) involves stoning, brick-batting or any other forms of mischief to spread panic;
      • (h) involves firing on religious congregations, mosques, imambargahs, churches, temples and all other places of worship, or random firing to spread panic, or involves any forcible takeover of mosques or other places of worship;
      • (i) creates a serious risk to safety of the public or a section of the public, or is designed to frighten the general public and thereby prevent them from coming out and carrying on their lawful trade and daily business, and disrupts civic life;
      • (j) involves the burning of vehicles or any other serious form of arson;
      • (k) involves extortion of money (“bhatta”) or property;
      • (l) is designed to seriously interfere with or seriously disrupt a communications system or public utility service;
      • (m) involves serious coercion or intimidation of a public servant in order to force him to discharge or to refrain from discharging his lawful duties; or
      • (n) involves serious violence against a member of the police force, armed forces, civil armed forces, or a public servant.
  20. Cyber Terrorism.— (1) Any person, group, organization, or faction who, with terroristic intent utilizes, or accesses or causes to be accessed a computer or computer network by any available means, and thereby knowingly engages in or attempts to engage in a terroristic act shall be guilty of a crime of cyber terrorism.
      • “After reading this document I am seriously thinking of shutting down our operations here in Pakistan and leaving.”
  21. Explanation: For the purposes of this section, terroristic intent means to act with the purpose to alarm, frighten, disrupt, harm, damage, or carry out an act of violence against a large segment of the population, or Government or entity associated therewith.
      • Explanation: For the purposes of this section, a terroristic act includes, but is not limited to:
      • (1) Altering by addition, deletion, or change or attempting to alter information that may result in the imminent injury, sickness, or death to any portion of the public at large.
  22. (continued)
      • (2) Transmission or attempted transmission of a harmful program with the purpose of substantially disrupting or disabling any computer network operated by the Government or any public entity.
      • Aiding the commission of or attempting to aid the commission of an act of violence against the sovereignty of Pakistan, whether or not the commission of such act of violence is actually completed.
      • Stealing or copying, or attempting to steal or copy secure or classified information or data necessary to manufacture any form of chemical, biological, or nuclear weapon, or any other weapon of mass destruction.
      • (5) Whoever commits the offence of cyber terrorism and causes death of any person shall be punished with death or imprisonment for life and in any other case he shall be liable for imprisonment of either description for a term which may extend to ten years, or with fine not less than ten million rupees or with both.
  23. Agency Powers
      • After obtaining search warrant [NO GROUNDS]:
      • access, inspect any electronic system
      • use any such electronic system to search any data
      • access to any information, code or technology, encrypted data
  24. require any person where:
      • reasonable cause to suspect, any electronic system is or has been used; or
      • reasonable technical and other assistance as
      • require any person to such decrypt information
      • obstruction: one year imprisonment; one hundred thousand rupees
  25. Real-time collection of traffic data
      • The Federal Government compel service provider
      • within its existing or required technical capability to collect or record to
      • co-operate with law enforcement or counter-intelligence agency
      • in the collection or recording of traffic data or data, in real-time
      • Safeguards, how long, circumstances etc?
  26. Retention of traffic data
      • Service provider retain its traffic data: minimum 90 days
      • Federal Government may extend the period to retain such data as and when deems appropriate
      • Service providers shall retain the traffic data by fulfilling all the requirements of data retention and its originality as provided under Electronic Transaction Ordinance 2002
  27. Information and Communication Technologies Tribunal
      • Federal Government shall appoint Chairman and members of the Tribunal
      • Qualifications:
      • 2 years as District Judge,
      • 10 years High Court,
      • Special knowledge of legislation and professional experience of not less than ten years in the field of telecommunication and information technologies
  28. Civil Jurisdiction
      • Criminal Jurisdiction
      • Oust Courts
      • PTA and ECAC decisions heard by Tribunal
      • PTA + IT + Cyber Crime Tribunal
  29. NO RIGHT TO CHALLENGE
  30. EXAMPLE:
      • investigating agency seizing the computer
      • adding incriminating evidence (pornography)
      • possibly framing
      • accused no protection under Draft Act
      • to ensure security of his data / IPR
      • to ensure State produces in Court what was actually in the PC
  31. Council of Europe Convention on Cyber Crimes (Budapest Convention), 23.11.2001
  32. PREAMBLE
      • …… proper balance between the interests of law enforcement and respect for fundamental human rights,
      • 1966 United Nations International Covenant on Civil and Political Rights, as well as other applicable international human rights treaties,
      • Right of everyone to hold opinions without interference, as well as the right to freedom of expression, including the freedom to seek, receive, and impart information and ideas of all kinds, regardless of frontiers, and the rights concerning the respect for privacy;
  33. Article 15 – Conditions and safeguards
      • Each Party shall ensure that the establishment, implementation and application of the powers and procedures provided for in this Section are subject to conditions and safeguards provided for under its domestic law, which shall provide for the adequate protection of human rights and liberties, including rights arising pursuant to obligations it has undertaken under the 1950 Council of Europe Convention for the Protection of Human Rights and Fundamental Freedoms, the 1966 United Nations International Covenant on Civil and Political Rights, and other applicable international human rights instruments, and which shall incorporate the principle of proportionality.
  34. Such conditions and safeguards shall, as appropriate in view of the nature of the power or procedure concerned, inter alia, include:
      • judicial or other independent supervision,
      • grounds justifying application, and
      • limitation on the scope and the duration of such power or procedure.
      • Country shall consider the impact of the powers and procedures upon the rights, responsibilities and legitimate interests of third parties.
  35. UK - Regulation of Investigatory Powers Act 2000 - SAFEGUARDS
      • Disclosure of protected information
      • proportionate to what is sought to be achieved by its imposition
      • Necessary on Grounds:
      • (a) in the interests of national security;
      • (b) for the purpose of preventing or detecting crime; or
      • (c) in the interests of the economic well-being of the United Kingdom.
  36. Must give notice & Warrant:
      • (a) in writing or produces a record of its having been given;
      • (b) describe the protected information;
      • (c) specify the matters;
      • (d) specify the office, rank or position held by the person giving it;
      • (f) time by which the notice is to be complied with; and
      • (g) set out the disclosure that is required by the notice and the form and manner in which it is to be made;
      • time specified for the purposes of paragraph (f) must allow a period for compliance which is reasonable in all the circumstances.
  37. description of communications
      • single set of premises
      • addresses, numbers, apparatus or other factors, or combination of factors, that are to be used for identifying the communications that may be or are to be intercepted
      • Duration
      • Cancellation/Challenge
  38. Protected
      • Retained
      • Destroyed
      • Number of persons to whom disclosed
      • Any breach actionable – i.e. can recover loss!
  39. (continued)
      • the number of persons to whom any of the material or data is disclosed or otherwise made available,
      • the extent to which any of the material or data is disclosed or otherwise made available,
      • the extent to which any of the material or data is copied, and
      • the number of copies that are made, is limited to the minimum that is necessary for the authorised purposes.
  40. UNITED STATES CODE ANNOTATED
      • TITLE 18. CRIMES AND CRIMINAL PROCEDURE
      • CHAPTER 121
      • STORED WIRE AND ELECTRONIC COMMUNICATIONS AND TRANSACTIONAL RECORDS ACCESS
  41. Requirements for court order
      • only if governmental entity offers: specific and articulable facts showing reasonable grounds to believe that contents of electronic communication, or the records or other information sought, are relevant and material to an ongoing criminal investigation.
      • Quash or Modify Court order
      • on a motion made promptly by the service provider:
      • if the information or records requested are unusually voluminous in nature or
      • compliance with such order otherwise would cause an undue burden on such provider.
  42. CUSTOMER CHALLENGE
      • Within 14 days after notice by the governmental entity to the subscriber or customer
      • file a motion to quash such subpoena or vacate such court order,
      • with copies served upon the governmental entity and with written notice of such challenge to the service provider
  43. Court or Department or Agency
      • determines violation of this law and the court or
      • circumstances surrounding the violation raise serious questions about whether or not an officer or employee of the United States acted willfully or intentionally with respect to the violation,
      • department or agency shall, upon decision of court promptly initiate a proceeding to determine whether disciplinary action against the officer or employee is warranted.
  44. INTERNATIONAL CO-OPERATION
      • foreign government, Interpol or other international agency
      • with whom it has or establishes reciprocal arrangements
      • But what if no reciprocal arrangement?
      • Cyber criminal can forum shop!
  45. (5) The Federal Government may refuse to accede to any request made by such foreign government, Interpol or international agency if the request concerns an offence which it considers a political offence or an offence connected with a political offence, or that execution of the request is likely to prejudice its sovereignty, security, order public or other essential interests.
  46. Council of Europe Convention on Cyber Crimes (Budapest Convention), 23.11.2001
  47. Signatures: 34
      • Albania, Armenia, Austria, Belgium, Bulgaria, Croatia, Cyprus, Denmark, Estonia, Finland, France, Germany, Greece, Hungary, Iceland, Ireland, Italy, Luxembourg, Malta, Moldova, Netherlands, Norway, Poland, Portugal, Romania, Slovenia, Spain, Sweden, Switzerland, Ukraine, Republic of Macedonia, United Kingdom
      • Canada, Japan, South Africa, United States
  48. WHAT IS REQUIRED?
      • Harmonious/Compatible Legal Regime
      • Harmonious/Compatible Definitions of offences
      • Harmonious/Compatible Powers, Protections
      • Real time, Immediate, Flexible Cooperation between International agencies
  49. Only 20% Compatible With the rest of the World
  50. (FedCIRC) Federal Computer Incident Response Center
      • CERT/CC
      • US-CERT
      • Information Sharing and Analysis Centers in the US, www.cert.org
      • EuroCERT
      • European Network and Information Security Agency
      • AusCERT
      • ICC Commercial Crime Services, UK
  51. QUESTIONS
      • www.jamilandjamil.com
