[Pakistan took an important step in the Cyber Law area on
September 11, 2002, by promulgating the Electronic Security Ordinance 2002 (ESO
2002), similar to the Information Technology Act 2000 (ITA-2000) of India. We are
analysing some of the important provisions of this ordinance.]
The first aspect that attracts any common man in a new
legislation is the way "Crimes" have been defined. Let us therefore take a
peep at the ESO-2002 of Pakistan and see how the Cyber Crimes have been
addressed in the legislation.
Moreover, since the legislation for Cyber Crimes
follows the UNCITRAL convention, it invariably includes "Extra-territorial
Jurisdiction". Just as an American Citizen can be punished for a
Cyber Crime in India even though he has never set foot in India, an Indian can
be punished for a Cyber Crime under ESO-2002 even though he has never set foot
in Pakistan. This makes it essential for Indian Netizens to be conversant with
the laws of Cyber Crimes in Pakistan.
With the present tensions between the two countries, it
would not be impossible for a mischievous criminal trying to discredit an
Indian Citizen to spoof an e-mail message inciting an illegal act and expose
them to a possible threat of trial and conviction in the Pakistani
court for a Cyber Crime.
We therefore need to understand clearly the scope of Cyber
Crime legislation in ESO-2002.
Crimes Under ITA-2000
Just to have a background for discussion, let us recall that
ITA-2000 has covered offences under two chapters, namely Chapter 9 and Chapter
11, with Chapter 9 covering the offences where the victim can claim
compensation and Chapter 11 covering offences where there could be a criminal
prosecution.
Chapter 9 offences come under the purview of the
Adjudicator if appointed or fall under the jurisdiction of the Civil Courts.
Chapter 11 offences come under the jurisdiction of the Police authorities for
investigation and the Criminal Courts for dispensation.
Chapter 9 contains Section 43, which lists the various
offences where the victim can claim damages to the extent of Rs 1 crore, and
Section 44, which covers the penalties that can be imposed on the Certifying
Authorities if they fail to maintain books or submit required returns to the
Controller or the Certifying Authority.
Virus and Denial of Service attacks as well as Frauds come
under the scope of Section 43.
On the other hand, Chapter 11 covers Hacking, Obscenity,
Tampering of Cyber Evidence by intermediaries, Interception and forced
decryption powers for the Controller, Misrepresentation for obtaining or
fraudulent obtaining of Digital Certificate as well as Breach of confidential
information by the intermediaries such as the Certifying authorities.
The penalties prescribed are imprisonment up to a maximum of
10 years and fines up to Rs 2 lakhs.
Offences under ESO 2002:
The legislative framework of the ESO-2002 is conspicuous
for its simplicity.
Sections 34 to 37 of the Ordinance cover offences connected
with the administration of the Electronic Signature System.
Under Section 34 (a), providing false information to the
Certificate Service Provider (CSP) is an offence punishable with 7 years
imprisonment and a fine of Rs 1 crore.
Section 34 (b) is significant: under it,
not informing the CSP of any changes in the information contained in an
already published certificate also carries a similar penalty. While the
intention behind 34 (b) is good, it will severely restrict the issue of Digital
Certificates with value-added parameters such as a physical address, Credit
Standing etc.
Section 34 (c) provides for similar punishment if a person
causes or allows a certificate or his electronic signature to be used in any
fraudulent or unlawful manner. This is also a dangerous provision since it can
be extended to a person who compromises his password to the file containing
the private key.
In a country where, as in India, there will be shared
computers and people are yet to learn how to set good passwords, such
draconian provisions may put people off trying out electronic signatures.
Section 35 refers to the issue of a certificate
containing false information and failure to revoke/suspend a certificate when
required, and renders the employees of the CSP liable for 7 years imprisonment
and payment of compensation. This again could be considered a very onerous
clause for what could be an administrative lapse too. This places a huge
burden on the Certifying Authorities to establish the identification of the
applicant to an Electronic Signature Certificate. International Certifying
Authorities intending to set up office in Pakistan need to properly assess the
risks to their directors and employees arising out of this provision.
Section 36 of the ESO-2002 is interesting. It is headlined
"Violation of Privacy of Information" and states:
"Any person who gains or attempts to gain access to any information
system with or without intent to acquire the information contained
therein or to gain knowledge of such information, whether or not he is
aware of the nature or contents of such information, when he is not
authorised to gain access, as aforesaid, shall be guilty of an offence
under this ordinance punishable with either description of a term not
exceeding seven years, or fine which may extend to one million rupees or
with both."
A close observation of this section indicates that it can
cover hacking, spyware activities as well as virus introduction in some cases.
Section 37 follows with the statement:
"Damage to Information System etc":
(1) Any person who does or attempts to do any act with
intent to alter, modify, delete, move, generate, transmit, or store any
information through or in any information system knowingly that he is not
authorised to do any of the foregoing shall be guilty of an offence under this
ordinance.
(2) Any person who does or attempts to do any act with
intent to impair the operation of or prevent or hinder access to, any
information contained in any information system, knowingly that he is not
authorised to do any of the foregoing, shall be guilty of an offence under
this ordinance.
(3) The offences under sub sections (1) and (2) of this
section will be punishable with either description of a term not exceeding 7
years or fine which may extend to one million rupees or with both.
This section covers the classical defacement of websites
and certain virus activities etc.
All offences under the ESO are declared as non-bailable,
compoundable and cognizable.
The drafting of the ESO in respect of the Cyber Crimes is
simple and effective.
It may however be noted that as in the Indian case, the ESO does not attempt to address SPAM or Domain Name issues in this ordinance.
Similarly, offences such as frauds do not figure in the ordinance and are
hopefully covered by the regular laws. Copyright issues are also not directly
covered.
The ordinance is also silent on obscenity or any activities
of the intermediaries such as "Tampering with Electronic Data".
Surprisingly, there is no provision for the Certificate
Council or any other authority to intercept the electronic messages. We
presume that the Pakistani system covers this requirement under the
Telecommunication regulations.
Take off:
While the ESO 2002 is simple and covers all major cyber
offences, there could be some areas such as traditional offences with Cyber
documents or special Cyber offences such as Cyber squatting, Cyberjacking,
Copyright violations on the Web etc where the legislation may prove inadequate