An Enough Code of Cyber Laws in Pakistan

S J Tubrazy

A proposed bill of cyber laws is under reading for legislation in Pakistan. A general discourse is being

discussed as such that there are no cyber laws in Pakistan. In my assertive opinion we still have an

enough code of cyber laws. The provisions of Electronic Transaction Ordinance 2002 and of Payment

System Electronic Funds Transfer Act being substantive laws cover the almost all financial crimes and

cyber privacy crimes.

Substantive Provisions Cyber Laws

The provisions of ETO 2002 dealwith recognition and facilitation of electronic documentation and e-

commerce however ETO 2002 also apprehend the cybercrimes relating to provisions of false

information, issue of false certificate, Violation of privacy of information and Damage to information

system.

Likewise the PSEFTA 2007 provides regulatory framework for payment systems and electronic fund

transfers. It also provides standards for protection of the consumer and to determine respective rights

and liabilities of the financial institutions and other Service Providers, their consumers and participants.

Electronic Transaction Ordinance 2002

CHAPTER 8

OFFENCES

34. Provision of false information, etc. by the subscriber. (1) Anysubscriber who:

(a) provides information to a certification service provider knowing suchinformation to be false or not

believing it to be correct to the best of hisknowledge and belief;

(b) fails to bring promptly to the knowledge of the certification service providerany change in

circumstances as a consequence whereof any informationcontained in a certificate accepted by the

subscriber or authroised by him for publication or reliance by any person, ceases to be accurate or

becomesmisleading, or

(c) knowingly causes or allows a certificate or his electronic signatures to be usedin any fraudulent or

unlawful manner,shall be guilty of an offence under this Ordinance.

(2) The offence under sub-section (1) shall be punishable with imprisonmenteither description of a term

not exceeding seven years, or with fine which may extend toten million rupees, or with both.

35. Issue of false certificate, etc.—(1) Every director, secretary and otherresponsible officer, by whatever

designation called, connected with the management ofthe affairs of a certification service provider,

which:

(a) issues, publishes or acknowledges a certificate containing false or misleadinginformation;

(b) fails to revoke or suspend a certificate after acquiring knowledge that anyinformation contained

therein has become false or misleading;

(c) fails to revoke or suspend a certificate in circumstances where it oughtreasonably to have been

known that any information contained in thecertificate is false or misleading;

(d) issues a certificate as accredited certification service provider while itsaccreditation is suspended or

revoked;shall be guilty of any offence under this Ordinance.

(2) The offence under sub-section (l) shall be punishable with imprisonment eitherdescription of a term

not exceeding seven years, or with fine which may extend to tenmillion rupees, or with both.

(3) The certification service provider or its employees specified in sub-section (1),

shall also be liable, upon conviction, to pay compensation for any foreseeable damage suffered by any

person or subscriber as a direct consequence of any of the eventsspecified in clauses (a) to (d) of sub-

section (1).

(4) The compensation mentioned in sub-section (3) shall be recoverable as arrearsof land revenue.

36. Violation of privacy of information.—Any person who gains or attempts togain access to any

information system with or without intent to acquire the informationcontained therein or to gain

knowledge of such information, whether or not he is aware ofthe nature or contents of such

information, when he is not authorised to gain access, asaforesaid, shall be guilty of an offence under

this Ordinance punishable with eitherdescription of a term not exceeding seven years, or fine which may

extend to one millionrupees, or with both.

37. Damage to information system, etc.—(1) Any person who does or attemptsto do any act with intent

to alter, modify, delete, remove, generate, transmit or store anyinformation through or in any

information system knowingly that he is not authorised todo any of the foregoing, shall be guilty of an

offence under this Ordinance.

(2) Any person who does or attempts to do any act with intent to impair theoperation of, or prevent or

hinder access to, any information contained in any informationsystem, knowingly that he is not

authorised to do any of the foregoing, shall be guilty ofan offence under this Ordinance.

(3) The offences under sub-section (1) and (2) of this section will be punishablewith either description of

a term not exceeding seven years or fine which may extend toone million rupees, or with both.

38. Offences to be non-bailable, compoundable and cognizable.—All offencesunder this Ordinance shall

be non-bailable, compoundable and cognizable.

39. Prosecution and trial of offences.—No Court inferior to the Court ofSessions shall try any offence

under this Ordinance.

Payment Systems and Electronic Fund Transfers Act, 2007

56. Criminal Liability.- Whoever knowingly and willfully gives false informationor inaccurate information

or fails to provide information which he is required todisclose by this Act or any instruction issued

thereunder, or otherwise fails tocomply with any provision of this Act shall be punished with

imprisonment ofeither description which may extend to three years, or with fine which may extendto

three million rupees, or with both.

57. Violations Affecting Electronic Commerce.- Whoever –

(1) knowingly, in a transaction effected by electronic commerce,uses or attempts or conspires to use

any counterfeit, fictitious,altered, forged, lost, stolen, or fraudulently obtained DebitInstrument to

obtain money, goods, services or anything else ofvalue aggregating five thousand rupees or more, or

(2) knowingly receives, conceals, uses or transports money, goods,services or anything else of value

aggregating five thousand rupeesor more obtained by use of any counterfeit, fictitious, altered,forged,

lost, stolen, or fraudulently obtained Debit Instrument, or

(3) knowingly receives, conceals, uses, sells, or transports one ormore tickets for transportation, and

which have been purchased orobtained with one or more counterfeit, fictitious, altered, forged, lost,

stolen or fraudulently obtained Debit Instrument,shall be punished with imprisonment of either

description for a term whichmay extend to seven years, or with fine which may extend to one

millionrupees, or with both.

Explanation.-For the purpose of this section e-commerce means the activity ofbuying, selling or

contracting for goods, services and making payments usinginternet or worldwide web through

communication networks including of wirelessnetworks, within or outside Pakistan.

58. Cheating by Use of Electronic Device.- Whosoever cheats by pretendingto be some other person, or

by knowingly substituting one person for another, orrepresenting that he or any other person is a

person other than he or such otherperson really is, or by cheating by impersonation, fraudulently or

dishonestlyuses any credit or debit card, or code or any other means of access to anElectronic Fund

Transfer device, and thereby causes any wrongful gain tohimself or any wrongful loss to any other

person, shall be punished withimprisonment of either description for a term which may extend to seven

years,or with fine which shall not be less than the wrongful loss caused to any person,or with both.

Anti-Money Laundering Act 2010

Act of money laundering through online method amount to cybercrime.Anti-money laundering laws

properlyknobsuch crimes. The section 2 f (v) of Anti-money Laundering Act 2010recognizes the

electronic money and the record maintained in the electronic device.

Pakistan Protection Act 2014

Crimes via internet and information technology against state and state owned institutions may be

cybercrimes. The section 2(i) provides a schedule in The Pakistan Protection Act 2014 which sets the

schedule cybercrimes as;

(ix) destruction of or attack on communication and interaction lines, devices, grids, stations, or systems

etc

(xiv) crimes against computers including cybercrimes, internet offenses and otheroffences related to

information technology etc

Procedural Cyber Laws

To define the basic digital and cyber law terms and provide a procedural mechanism for trial and

investigation of cybercrimes,Qanun-e-Shahdat Order 1984 has been necessarily amended. Investigation

for Fair Trial Act 2013 has been enacted for collection, seizure, discovery, forensic andinvestigation for

digital evidence contain in modern digital devices. The relevant provisions and sections of enactments

are given below;

Investigation of Fair Trial Act 2013

Preamble

An Act to provide for investigation for collection of evidence by means of modern techniques and

devices to prevent and effectively deal with scheduled offences and to regulate the powers of the law

enforcement and intelligence agencies and for matters connected therewith or ancillary thereto.

Whereas in order to prevent the law enforcement and intelligence agencies from using their powers

arbitrarily it is necessary to regulate the said powers and provide for their permissible and fair uses in

accordance with law and under proper executive and judicial oversight; And whereas further being

mindful that the existing laws neither comprehensively provide for nor specifically regulate advance and

modern investigative techniques such as covert surveillance and human intelligence, property

interference, wiretapping and communication interception that are used extensively in other

jurisdictions to successfully prevent the offences and as an indispensable aid to the law enforcement

and administration of justice.

And whereas in order to neutralize and prevent the threat or any attempt to carry out scheduled

offenses it is necessary that the law enforcement and other agencies be given certain specific

authorizations to obtain evidence in time and only in accordance with law;

And whereas it is also in order to declare the admissibility and use of the material obtained during lawful

investigation under the present law, in judicial proceedings and all other legal proceedings or processes

to ensure fair trial;

Authorization under the warrant.---(1) The warrant of surveillance or interception to be issued by

the Judge may authorize and allow the lawful doing of any or all of the following acts; namely:--

(a) interception and recording of telephonic communication of the suspect with any person;

(b) video recording of any person, persons, premises, event, situation etc;

(c) interception or recording or obtaining of any electronic transaction including but not limited to e-

mails, SMS etc;

d) interception and taking over of any equipment used in the communication in respect of which the

warrant is issued, including but not limited to telephone, cell phone, mobile sims, electronic database,

demonstrating linking of electronic communication with the database belonging to the person in respect

of whom the warrant has been issued:

Provided that the Judge shall authorize take-over of equipment only where the material or

statement of the authorized officer discloses a substantial threat or possibility of an attempt to commit

a scheduled offence;

(e) collection of evidence through any modern devices in addition to the ones mentioned above;

(f) use of human intelligence;

(g) covert surveillance and property interference; and

(h) access to any information or data in any form related to a transaction, communication or its

content.

(2) Any other form of surveillance or interception that the Federal Government may notify in this

behalf.

17. Method of executing the warrant.---(1) Where the warrant is issued, the applicant in case of the

warrant of interception, shall approach the designated agency or body, for serving the same on service

provider in the manner provided for in Schedule III and the designated agency or body shall duly serve

the said warrant on the service provider or give effect to it within seven days.

(2) The service provider shall not extend technical facilities of interception to any person or

organization other than the Designated Agency or Body.

(3) Where nature of surveillance or interception is such that it is not necessary to serve the warrant

on anyone, then the same shall not be served and its issuance alone shall be sufficient basis to collect

evidence.

(4) While executing the warrants each applicant shall act within the mandate provided for it under

the law.

18. Indemnity for service provider.---Access granted by the service provider in accordance with this

law shall not be called in question under any law by any person who may have been prejudiced by such

access.

19. Immunity to service provider.---The service provider shall have immunity in any civil or criminal

legal proceedings that any person may commence against his corporate entity or against his office

bearers or employees, for having complied with the warrant issued under this Act.

20. Service provider to cooperate.---In the event the service provider declines, fails or interferes in

any manner in the execution of warrant then he shall be liable to have committed an offence under this

Act for obstructing investigation and justice and shall be punished with fine upto ten million rupees.

21. Service provider to ensure confidentiality.---The service provider shall also be responsible for

ensuring the confidentiality of the execution or warrant from his staff members except those necessary

to execute the warrant and in case of unauthorized disclosure or misuse of data by any of his staff

member, the officials of the service provider and the concerned staff shall be punished with

imprisonment which may extend to one year or with fine which may extend to ten million rupees.

Admissibility of warrant based information.---(1) Notwith-standing anything contained in the Qanun-e-

Shahadat, 1984 (P.O.10 of 1984) or any other law for the time being in force, the evidence including

data, information, documents or any other material collected or received under this Act shall be

admissible as evidence in the legal proceedings.

(2) Nothing contained in subsection (1), shall debar the admissibility of evidence collected or

received, prior to the coming into force or this Act, under the provisions of any other law for the

time being in force.

25. Report of expert.---In case where an analysis of the intercepted material collected pursuant to

the warrant of surveillance or interception is required, then the same shall be carried out by a person

referred to in section 3(f) being suitably qualified, trained or experienced, who shall be deemed to be an

expert as described under section 510 of the Code of Criminal Procedure, 1898 (Act V of 1898) and his

report shall have the same effect as given to the report of the experts of different fields mentioned in

the said section.

MUTUAL LEGAL ASSISTANCE

31. Warrants to be served outside Pakistan.---(1) Warrants obtained under the Act shall be

executable outside Pakistan as well as in foreign jurisdictions, either directly on the concerned service

providers or through mutual legal assistance mechanism as agreed between Pakistanand the concerned

foreign State as provided under the law, treaty or agreement.

(2) The warrant issued under this Act shall be processed for execution outside Pakistan through the

Designated Agency or Body.

32. Warrants received from outside Pakistan.---Warrants received from outside Pakistan may be

executed by the Designated Agency or Body in the light of mutual legal assistance mechanism as agreed

betweenPakistan and the concerned foreign State as provided under the law, treaty or agreement.

35. Unauthorized surveillance or interception.---Any person who carries out any surveillance or

interception except in accordance with the provision of this Act shall in addition to any other

punishment to which he may be liable under any other law for the time being in force be punished with

imprisonment for up to three years and shall also be liable to fine.

QANUN –E-SHAHDAT ORDER 1984

AMENDMENT IN QANUN-E-SHAHADAT ORDER, 1984 (P.O. No. 10 OF1984)

1. Amendment of Article 2, P.O. No. 10 of 1984.—In the Qanun-e-Shahadat Order, 1984 (P.O. No. 10 of

1984), hereinafter referred to as the said Order, in clause (1), after sub-clause (d), the following new

sub-clauses (e) and (f) shall be added, namely:

“(e) the expression, “automated”, “electronic”, “information”, “information system”, “electronic

document”, “electronic signature”, “advanced electronic signature” and “security procedure”, shall bear

the meanings given in the Electronic Transactions Ordinance, 2002;

(f) the expression “certificate”, where the context so admits, includes the meaning given to it in the

Electronic Transactions Ordinance, 2002.

2. Amendment of Article 30, P.O. No. 10 of 1984.—In the said Order, in Article 30, for the full stop at the

end a colon shall be substituted and thereafter the following explanation shall be added, namely:

“Explanation.—Statements gene rated by automated information systems may be attributed to the

person exercising power or control over the said information system.”

3. Insertion of new Article 46, P.O. No. 10 of 1984.—In the said Order, after Article 46, the following new

Article shall be inserted, namely:

“46-A. Relevance of information generated, received or recorded by automated information system.—

Statements in the form of electronic documents generated, received or recorded by an automated

information system while it is in working order, are relevant facts.

4. Amendment of Article 59, P.O. No. 10 of 1984.—In the said Order, in Article 59—

(a) after the word “impressions” the comma and the words “, or as to authenticity and integrity of

electronic documents made by or through an information system” shall be inserted ; and

(b) for the words “are relevant facts” the words and commas “or as to the functioning, specifications,

programming and operations of information systems, are relevant facts” shall be substituted.

5. Amendment of Article 73, P.O. No. 10 of 1984.—In the said Order, in Article

73, after the second Explanation, the following new Explanations shall be added, namely:

“Explanation 3.—A printout or other form of output of an automated information system shall not be

denied the status of primary evidence solely for the reason that it was generated, sent, received or

stored in electronic form if the automated information system was in working order at all material times

and, for the purposes hereof, in the absence of evidence to the contrary, it shall be presumed that the

automated information system was in working order at all material times.

“Explanation 4.—A printout or other form of reproduction of a Electronic Document, other than a

Document mentioned in Explanation 3 above, first generated, sent, received or stored in electronic

form, shall be treated as primary evidence where a security procedure was applied thereto at the time it

was generated, sent, received or stored.”

6. Insertion of new Article, P.O No. 10 of 1984.—In the said Order, after Article 78, the following new

Article shall be inserted, namely :—

“78-A. Proof of electronic signature and electronic document.—If an electronic document is alleged to

be signed or to have been generated wholly or in part by any person through the use of an information

system, and where such allegation is denied, the application of a security procedure to the signature or

the electronic document must be proved.”

7. Amendment of Article 85, P.O No. 10 of 1984.—In the said Order, in Article 85, after clause (5), the

following new clause (6) shall be added, namely:

“(6) certificates deposited in a repository pursuant to the provisions of the Electronic Transactions

Ordinance, 2002.”

Regulation of PTA Regulations

Pakistan Telecommunication Authority has issued S.R.O 713 (1)/2009 against spams which is called,

Protection from Spam,Unsolicited, Fraudulent an Obnoxious Communication Regulations 2009.

PTA in its letter No. 1609/11/N&TA to all CMTOs has restrain from sending SMS contain bar-code or

Masking.