(P.S: This Note is purely an academic exercise by Cyber
Law College.com and does not represent any commercial or other interests)
The growth in the use of Computers for Personal,
Commercial and Government purposes all over the world has increased the need
to make such use legally enforceable. To make the legal position of electronic
documents clear to the public, and to avoid complications and confusions
arising out of the wrong interpretations when common meta society laws are
applied to the Cyber world, several Governments have drafted special
legislation under the banner of “Cyber Laws”.
India was one of the early
countries to adopt Cyber Laws when ITA-2000 was notified with effect from
October 2000. Presently Pakistan is contemplating a legislation of similar
nature and a draft of a proposed ordinance was released some time back. In the
light of the Indian experience in ITA-2000, an attempt is made to look at the
provisions in the proposed ordinance.
1. Objectives:
The ordinance
is aimed at promotion of IT in national economy, delivery of Government
services and promotion of public confidence in electronic communication.
The
declared objectives are positive looking and avoid focus on “Cyber Crimes” as
a central theme. Readers may recall that when the ITA-2000 was discussed
before enactment, the principal discussion was on the “Powers of the Police to
Arrest offenders without Warrant”. Even though the objective clause of the
Indian law was also promotion of E-Commerce, this aspect was lost in the
overall context. In the din of the discussions surrounding this section, no
worthwhile discussions took place in the Parliament on the other substantive
issues. Hence it is interesting to note that the Pak ordinance is soft on the
description of Cyber Crimes and presents the legislation in a positive manner
even though most of the common Cyber crimes are covered.
2. Definition of Electronic Signature and Security Procedure:
The
ordinance defines “Electronic Signature” as a means of authentication to
include “any letters, numbers, symbols, images, characters or any combination
thereof applied to, incorporated in or directly associated with an electronic
communication or electronic record, unique to the person signing, in order to
establish the authenticity or integrity or both of the electronic record”.
The
definition of Electronic signature used here is broad enough to incorporate
the definition of Digital Signature backed by PKI system adopted by India. The
“Security Procedure” is also defined in terms of the objective of securing the
authenticity and integrity of the message and the ordinance avoids the need to
define the Digital signature process with reference to the PKI technology
only.
However
since there does not appear to be any established security procedure which is
as good as the PKI system at present for securing the authentication and
integrity of a document at the same time, ultimately the PKI system has to be
recognized as an approved system.
The
sections on Certificates, Certification Service Provider, Certification
practice statement, etc. are also defined without being tied to a specific
technology such as PKI.
Technology neutrality was one of the factors which was not taken into
account in the Indian law and many technologists had raised their objection to
the rigidity. The Pak ordinance takes into account this factor.
However,
in the absence of an alternative system in sight (there are many biometric
systems that are used for authentication but they are still to be refined for
the purpose of validating data integrity), the public needs to be made aware of
the PKI system that is well established now. Perhaps the Government may try to
do this through the certification service provider’s licensing procedure and
the CPS.
Since the
security procedure is providing the flexibility of adopting a mutually
agreeable procedure, the system can start functioning from day one without
waiting for the infrastructure for Digital signature to be developed. This has
been one of the stumbling blocks in Indian legislation since the Act made any
system of authentication other than the suggested one as “Not Recognizable in
Law”.
The
definition of the electronic signature used in the Pak ordinance is flexible
enough to use the internationally available digital signature certificates
(provided the licensing procedure does not prohibit this subsequently). It is
necessary to allow this flexibility until domestic certification service
providers develop their infrastructure which we in India have found to be time
consuming. Moreover, being a smaller country, the market for certificates in
Pakistan may not be high enough to warrant domestic certifying authorities
coming up immediately and the system will fail to take off unless existing
international certifying authorities are allowed to issue certificates within
Pakistan in association with a local registration authority if required.
The Indian
law in this respect mandates the entire certifying infrastructure to be
located in India and hence the financial viability of the Certification
Authority projects has been in doubt.
Sections 3 and 4 of the
ordinance extend the effects of other laws in the country to the field of
electronic documents. This is similar to the bridging clause used in the
Indian law. The exclusion of certain documents such as Negotiable
Instruments etc is exactly similar to the Indian law.
The section 3 of the
ordinance is more comprehensive than the corresponding section in ITA-2000
and extends the concept of Electronic documents to such terms as Register,
Document of Title, ledger, Map, book, attestation, witnessing, publishing
etc.
One important aspect of
the Pak ordinance is that it provides an indication to introduce Stamp duty
for electronic documents in a time frame of two years for which a system is
to be developed.
4. Cyber Crimes:
The Pak ordinance
simplifies the definition of Cyber Crimes. Section 25 is particularly
interesting.
This section covers
several aspects of Hacking and Virus related offences under the “Privacy
Protection Objective”. Together with Section 26 it covers most of the
offences coming under hacking and Virus without using any of the definitions
for hacking and virus.
One of the problems with
the Indian law has been an attempt to define words such as “hacking”, which
is an unnecessary and often a dysfunctional exercise.
The Pak Ordinance is
however silent on “Obscenity” and “Cyber Fraud”. These are left to be
covered by the combination of the normal laws and the extension of the same
to Electronic documents.
The ordinance is also
similarly silent on Intellectual Property rights and Spamming.
While the common law can
take care of some of the offences, in order to make international offenders
liable under the act as per Section 32 (Application of Act done outside
Pakistan), it would have been better if the Pak ordinance had defined
punishments for Credit Card and various schemes of frauds that prevail in
the Cyber World.
Spamming is also another
menace which requires the cooperation of international ISPs and without it
being declared as an offence, regulation would be difficult.
Content filtering,
Censorship, etc. are also not covered in the ordinance. Again the absence of
these may affect invocation of Section 32.
5. Network Service Providers:
The Pak ordinance provides immunity to Network service
providers as in the case of India.
In the Indian context
the role of Cyber Cafes has often caused some difficulty in the imposition
of vicarious responsibilities. A broad outlook of a Network Service provider
as used in the Indian law may with some effort cover Cyber Cafes under this
category. The Pak definition of Network Service providers is however more
specific and may exclude unlicensed systems of Internet sharing facilities,
if they exist. If Internet is considered as a facility useful to the common
man, it would be better to provide some kind of guidance to Cyber cafes of
how they can protect themselves from the offences committed by the users.
Granting immunity to them like the Network service providers would have been
one option.
If Cyber crimes are to
be effectively tackled, the ISPs need to cooperate with law enforcement
agencies in the preservation of evidence and its sharing with the law
enforcement authorities. The Pak ordinance seems to have omitted to impose
any responsibility on the ISPs in this regard.
6. Justice Dispensation System:
The Pak ordinance has not
dealt with the justice dispensation system for Cyber crimes while the Indian
Act did address this issue though not adequately.
If relief has to be
provided to commercial establishments against Cyber crimes it is essential
that the justice dispensation system must be quick and effective. It is
therefore not a bad idea to provide for “Parallel Special Court System”
similar to the “Adjudication” system adopted by the Indian Act. This would
have taken care of the need for computer expertise for the Judges and the
attorneys in dealing with Cyber crimes. Indian Act was good but was spoiled
by subsequent “Rules” making it impossible for the public to get any
worthwhile remedy in respect of Cyber crimes through the justice
dispensation system. Pakistan could have avoided the repetition of the same
mistake of leaving the Cyber crimes for disposal by the normal courts.
7. Definition of a Person:
The definition of “person”
in the ordinance does not include a “Computer”.
Many of the Cyber crimes
are committed through the use of software which can be crookedly programmed.
Presently their actions are attributed to the “Programmer”. This has some
practical complications say in a corporate network where the “Operational
Ownership” is often shared by the system administrators and is not with the
“programmer”. It is necessary to define the actions of an automated system
as equivalent to that of an “agent”. Just as a corporate person is
recognized as a legal entity, it is possible to define an automated system
as an “Electronic Person” and treat him as an “Agent”. In such a case one
can fix the liabilities arising out of the action of such agent with the
principal. Such principal would be the one who assigns the specific task to
the machine. This definition can help in the long run to meet various
contingencies.
8. Evidentiary Matters:
According to Section 8 of
the ordinance, one of the conditions for presuming the authenticity and data
integrity of an electronic document is that the information system used for
the application of the security procedure was in working order at all
material times.
There will be a slight
ambiguity when this clause is discussed in a court of law. The security
procedure is applied first when the secured electronic document is produced.
This will be received and stored by the recipient. Probably the security
procedure would have been used at this end for verification. The dispute
normally would be raised by the sender on the data integrity or the
authentication process. The recipient would therefore not be in a position
to either prove or disprove the “working order of the information system” at
the time of the generation of the system.
Hence presumption should
only require that the security procedure when applied in the presence of the
court confirms the originator to be the alleged person. Beyond this it
appears difficult to prove that either the sender’s information system or
the receiver’s information system was in working order at all material
times.
9. The Constitution of the Electronic Certification Licensing Authority (ECLA):
It is interesting to observe
that the ECLA is a body corporate comprising three members: one a
cryptography expert, another an academic and the third a judge.
The constitution is well
thought out and better than the Government departmental structure adopted by
India.
Naavi
January 17, 2002.