ZAFAR & ASSOCIATES - LLP | Cybercrime Law Services - Pakistan

Cybercrime, also known as computer crime, the use of a computer as an instrument to perform an illegal act, such as committing fraud, trafficking in child pornography and intellectual property, stealing identities, or violating privacy, cybercrime, especially through the Internet, has grown in importance as the computer has become central to commerce, entertainment and government.

There is no doubt that Information Technology has intruded in our life in such a manner and extent that presently nobody can imagine a well-facilitated and luxury life without it. Computers, Scanners, World Wide Web Sites, Intranet and Internet Electronic Messaging and Mails, Electronic Data Transfers and Exchange of Information, Electronic Commerce and Banking System, all are necessities of life based on or using different components based on the use of Information Technology, which are abundantly in use in our domestic, social and business life. Mobile phones, laptops and latest computers are using Digital Databases for different purposes. Similarly, Digital Databases are accessible through Intranet and Internet at International level without any problem or loss of time.

The dawning of Information Technology age has facilitated our life but at the same time it has given birth to different complex problems like its regulatory matters and use of the Information Technology for criminal and other heinous purposes by different anti-social elements. Regulatory matters regarding use of Information Technology require legal frame works and laws. Similarly, misuse and anti-social elements that are causing fear and disturbance not only in personal lives but also in the smooth running of social and commercial life, as a whole.

---

Cybercrime Law Practice in Pakistan

However, as the use of Information Technology has no boundaries, thus it is very difficult to design its regulatory regimes and regulatory laws to determine strict liability in case wrong and criminal application of different Software, Information Technology techniques and other related matters. Presently, all the nations and countries are facing the same problems for establishing effective regulatory regimes and legal systems for proper benefit of Information Technology within certain parameters which are beneficial to the society.

In Pakistan, in addition to the Pakistan Telecommunication (Re-Organization) Act, 1996, (Act XVII of 1996), The Electronic Transactions Ordinance, 2002 (Ordinance LI of 2002) is the first law to regulate different aspects and uses of Information Technology but the same has not solved all the problems. Thereafter, other laws have been made and promulgated to address different issues relating to Information Technology and its use for different purposes. After promulgation and enforcement of these laws, there was a need to compile these laws with case laws developed during this period for the benefit of legal professionals, academicians, researchers and general public.

It is also to point out that the Pakistan Telecommunication (Re- organization) Act, 1996 (XVII of 1996), is the basic legal framework given by the Parliament to achieve the ambitious goals in the telecommunication and Information Technology Sector in Pakistan providing different key organizations including the Pakistan Telecommunication Authority. Pakistan Telecommunication Authority has made a lot of efforts to regulate each and every aspect of the telecommunication sector in Pakistan and to meet the internationally posed challenges of competition and transparency. However, the Pakistan Telecommunication (Re-organization) Act, (XVII of 1996), The Telegraph Act, 1885 (Act XIII of 1885), and the Wireless Telegraphy Act, 1993 (Act XVII of 1933), have been introduced in different regimes. Prevention of Electronic Crimes Ordinance, 2007 (Ordinance LXXII of 2007) relating to Telecommunication Sector in Pakistan covering all aspects regarding telecommunications and Information Technology in their legal, national and international perspectives which may be consulted and used if you feel necessary and suitable to boost up your knowledge and information about basic regulatory regimes and frameworks in the telecommunications and information fields.

The growing danger from crimes committed against computers, or against information on computers, is beginning to claim attention in national capitals. In most countries around the world, however, existing laws are likely to be unenforceable against such crimes. This lack of legal protection means that businesses and governments must rely solely on technical measures to protect themselves from those who would steal, deny access to, or destroy valuable information.

Self-protection, while essential, is not sufficient to make cyberspace a safe place to conduct business. The rule of law must also be enforced. Countries where legal protections are inadequate will become increasingly less able to compete in the new economy. As cyber crime increasingly breaches national borders, nations perceived as havens run the risk of having their electronic messages blocked by the network. National Governments should examine their current statutes to determine whether they are sufficient to combat the kinds of crimes. Where gaps exist, Governments should draw on best practices from other countries and work closely with industry to enact enforceable legal protections against these new crimes.

What’s Different about Cyber Crime?

Undeterred by the prospect of arrest or prosecution, cyber criminals around the world lurk on the Net as an omnipresent menace to the financial health of businesses, to the trust of their customers, and as an emerging threat to nations’ security. Headlines of cyber attacks command our attention with increasing frequency. According to the Computer Emergency Response Team Coordination Center (CERT/CC), the number of reported incidences of security breaches in the first three quarters of 2000 has risen by 54 percent over the total number of reported incidences in 1999. Moreover, countless instances of illegal access and damage around the world remain unreported, as victims fear the exposure of vulnerabilities, the potential for Copycat Crimes, and the loss of public confidence. Cyber crimes—harmful acts committed from against a computer or network—differ from most terrestrial crimes in four ways. They are easy to learn how to commit; they require few resources relative to the potential damage caused; they can be committed in a jurisdiction without being physically present in it; and they are often not clearly illegal.

The laws of most countries do not clearly prohibit cyber crimes. Existing terrestrial laws against physical acts of trespass or breaking and entering often do not cover their “virtual” counterparts. Web pages such as the E-Commerce sites recently hit by widespread, distributed denial of service attacks may not be covered by outdated laws as protected forms of property. New kinds of crimes can fall between the cracks, as the Philippines learned when it attempted to prosecute the perpetrator of the May 2000 Love Bug virus, which caused billions of dollars of damage worldwide.

Effective Law Enforcement is complicated by the transnational nature of cyberspace. Mechanisms of cooperation across national borders to solve and prosecute crimes are complex and slow. Cyber criminals can defy the conventional jurisdictional realms of sovereign nations, originating an attack from almost any computer in the world, passing it across multiple national boundaries, or designing attacks that appear to be originating from foreign sources. Such techniques dramatically increase both the technical and legal complexities of investigating and prosecuting cyber crimes.

Six weeks after the Love Bug attack, the Philippines outlawed most computer crimes as part of a comprehensive e-commerce statute. In order to prevent a repeat of the catastrophe that prompted this action, however, the future of the networked world demands a more proactive approach, whereby Governments, Industry, and the Public Work together to devise enforceable laws that will effectively deter all but the most determined cyber criminals.

Poor Information Security Reduces the Competitiveness of Nations

In considering nations’ information security, the evaluated public trust in the security of information processed and stored on networks in each country. In this context, information security included: an assessment of the strength of legal protections and progress in protecting intellectual property rights, especially for software; the extent of efforts to protect electronic privacy; and the strength and effectiveness of the legal framework to authorize digital signatures. The existence of legal frameworks to prosecute cyber criminals, for a predictable environment of strong deterrence for computer crime is critical to the effective protection of valuable information and networks.

Although several countries, particularly in Europe and Asia, were found to have addressed a number of these broader information security factors, few countries were able to demonstrate that adequate legal measures had been taken to ensure that perpetrators of cyber crime would be held accountable for their actions. Overall, nearly half of the countries were rated as needing substantial improvement in information security. In addition, only a small fraction of countries needing substantial improvement indicated that progress was currently underway.

Outdated laws and regulations and weak enforcement mechanisms for protecting networked information, create an inhospitable environment in which to conduct e-business within a country and across national boundaries. Inadequate legal protection of digital information can create barriers to its exchange and stunt the growth of e-commerce. As e-business expands globally, the need for strong and consistent means to protect networked information will grow.

The Cyber Crime Laws of Nations

In the wake of the Philippines inability to prosecute the student responsible for the virus, McConnell International surveyed its global network of Information Technology policy officials to determine the state of cyber security laws around the world. Countries were asked to provide laws that would be used to prosecute criminal acts involving both private and public sector computers.

Over fifty national governments responded with recent pieces of legislation, copies of updated statutes, draft legislation or statements that no concrete course of action has been planned to respond to a cyber attack on the public or private sector. Countries were provided the opportunity to review the presentation of the results in draft, and this report reflects their comments.

Countries that provided legislation were evaluated to determine whether their criminal statutes had been extended into cyberspace to cover ten different types of cyber crime in four categories: Data-Related Crimes including interception, modification and theft; Network-Related Crimes including interference and sabotage; Crimes of Access including hacking and virus distribution and Associated Computer-Related Crimes including aiding and abetting cyber criminals, computer fraud and computer forgery.

Thirty-three of the countries surveyed have not yet updated their laws to address any type of cyber crime. Of the remaining countries, nine have enacted legislation to address five or fewer types of cyber crime, and ten have updated their laws to prosecute against six or more of the ten types of cyber crime.

Countries with fully, substantially or partially updated laws, in Pakistan, successful prosecutions of computer-related fraud have effectively updated the law. Pakistan also provides an example of a phenomenon in many countries—that law enforcement officials have strong confidence that existing laws provide sufficient coverage against the “computer-related crimes” of aiding and abetting cyber crimes, and computer-related fraud and forgery.

Even among these countries, crimes are not treated uniformly. In some, unauthorized access is a crime only if harmful intent is present; in others, data theft is a crime only if the data relates specifically to an individual’s religion or health, or if the intent is to defraud. Laws tend to be biased in favor of protecting public sector computers.

Discrepancies exist even within countries. For example, in September 2000, the Australian Democratic Party criticized the South Australian (state) government for creating a haven for cyber criminals by not having updated its laws to combat computer-based crime in accordance with the laws of Australia’s other states. Moreover, there is little uniformity across nations in terms of which types of crimes have been addressed through updated statutes.

The penalties provided in updated criminal statutes vary widely. Mauritius, the Philippines, and the United States have stronger penalties than many other countries for convictions of covered cyber crimes.

Finally, of the 33 countries with no updated laws in place, 13 indicated that progress toward the adoption of updated legislation to combat cyber crime is underway. Seven of these 13 countries are in Africa or the Middle East, indicating that, although these regions have not yet adequately addressed the issue of cyber crime, many countries are aware that action is needed.

Law Is Only Part of the Answer

Extending the rule of law into cyberspace is a critical step to create a trustworthy environment for people and businesses. Because that extension remains a work in progress, organizations today must first and foremost defend their own systems and information from attack, be it from outsiders or from within. They may rely only secondarily on the deterrence that effective law enforcement can provide.

Conclusion

1. Reliance on terrestrial laws is an untested approach

Despite the progress being made in many countries, most countries still rely on standard terrestrial law to prosecute cyber crimes. The majority of countries are relying on archaic statutes that predate the birth of cyberspace and have not yet been tested in court.

2. Weak penalties limit deterrence

The weak penalties in most updated criminal statutes provide limited deterrence for crimes that can have large-scale economic and social effects.

3. Self-protection remains the first line of defense

The general weakness of statutes increases the importance of private sector efforts to develop and adopt strong and efficient technical solutions and management practices for information security.

4. A global patchwork of laws creates little certainty

Little consensus exists among countries regarding exactly which crimes need to be legislated against, even in the 19 countries that have already taken steps to address cyber crimes. In the networked world, no island is an island. Unless crimes are defined in a similar manner across jurisdictions, coordinated efforts by law enforcement officials to combat cyber crime will be complicated.

5. A model approach is needed

Most countries, particularly those in the developing world, are seeking a model to follow. These countries recognize the importance of outlawing malicious computer-related acts in a timely manner in order to promote a secure environment for e-commerce. But few have the legal and technical resources necessary to address the complexities of adapting terrestrial criminal statutes to cyberspace. A coordinated, public-private partnership to produce a model approach can help eliminate the potential danger from the inadvertent creation of cyber crime havens.

Recommendations

The weak state of global legal protections against cyber crime suggests three kinds of action.

1. Firms should secure their networked information

Laws to enforce property rights work only when property owners take reasonable steps to protect their property in the first place. As one observer has noted, if homeowners failed to buy locks for their front doors, should towns solve the problem by passing more laws or hiring more police? Even where laws are adequate, firms dependent on the network must make their own information and systems secure. And where enforceable laws are months or years away, as in most countries, this responsibility is even more significant.

2. Governments should assure that their laws apply to cyber crimes

National governments remain the dominant authority for regulating criminal behavior in most places in the world. One nation already has struggled from, and ultimately improved, its legal authority after a confrontation with the unique challenges presented by cyber crime. It is crucial that other nations profit from this lesson and examine their current laws to discern whether they are composed in a technologically neutral manner that would not exclude the prosecution of cyber criminals. In many cases, nations will find that current laws ought to be updated. Enactment of enforceable computer crime laws that also respect the rights of individuals are an essential next step in the battle against this emerging threat.

3. Firms, governments, and civil society should work cooperatively to strengthen legal frameworks for cyber security

To be prosecuted across a border, an act must be a crime in each jurisdiction. Thus, while local legal traditions must be respected, nations must define cyber crimes in a similar manner. An important effort to craft a model approach is underway in the Council of Europe. The Council is crafting an international Convention on Cyber Crime. The Convention addresses Illegal Access, Illegal Interception, Data Interference, System Interference, Computer-related Forgery, Computer-related Fraud, and the Aiding and Abetting of these crimes. It also addresses investigational matters related to jurisdiction, extradition, the interception of communications and the production and preservation of data. Finally, it promotes cooperation among law enforcement officials across national borders.

Late in its process, the Council began to consider the views of affected industry and civil society. This process is making the Council’s product more realistic, practical, efficient, balanced and respectful of due process that protects individual rights. At this point, most observers support provisions to improve law enforcement cooperation across borders. However, industry, through the World Information Technology and Services Alliance argues that the requirements on service providers to monitor communications and to provide assistance to investigators, as outlined in the Draft Convention, would be unduly burdensome and expensive. Another provision considered objectionable could criminalise the creation and use of intrusive software, or hacking programmes, which are designed for legitimate security testing purposes. This action could stifle the advances in technology vital to keep up with evolving cyber threats. Privacy and Human Rights Advocates object to the Draft Convention’s lack of procedural safeguards and due process to protect the rights of individuals, and to the possibility that the ensuing national laws would effectively place restrictions on privacy, anonymity and encryption.

Types of Cyber Crimes

• Theft of Telecommunications Services

• Communications in furtherance of Criminal Conspiracies

• Telecommunications Piracy

• Dissemination of Offensive Materials

• Electronic Money Laundering and Tax Evasion

• Electronic Vandalism, Terrorism and Extortion

• Sales and Investment Fraud

• Illegal Interception of Telecommunications

• Eelectronic Funds Transfer Fraud

Problem Areas

• Telecommunications

• Electronic Vandalism, Terrorism and Extortion

• Stealing Telecommunications Services

• Telecommunications Piracy

• Pornography and other Offensive Material

• Telemarketing Fraud

• Electronic Fund Transfer Crime

• Electronic Money Laundering

Laws relating to Cybercrime in Pakistan

The Electronic Transactions Ordinance, 2002

The purpose of this ordinance is to recognize and facilitate Documents, Records, Information, Communications and Transactions in electronic form, and to provide for the accreditation of Certification Service Providers.

Defendant, according to sales contract, was to supply 1,600 M.T. steel rods, but it supplied only 500 M.T. of steel rods. Plaintiff filed suit claiming damages against defendant in respect of balance 1,100 M.T. of steel rods. Defendant filed application for stay of plaintiff’s suit seeking direction from the Court to order plaintiff to refer the dispute to arbitration as the parties by the very said contract had agreed to settle all disputes by arbitration. Claim of plaintiff was that sale transaction was based on pro forma invoice, purchase order and correspondence by faxes and E-mails and that plaintiff had never entered into any sales contract containing an agreement to arbitration.

In a paragraph of the Order, it has been observed that “The learned counsel for the Plaintiff has also argued that the Sales Contract has not been signed and therefore is not enforceable. As discussed above, the Defendant has established that sales contract was electronically sent to the plaintiff who acted on the same and opened a Letter of Credit in accordance with its terms and conditions, which also contained an arbitration clause. The submissions of the learned Advocate for the Plaintiff have no force in view of the provisions of the Electronics Transactions Ordinance, 2002 (Ordinance LI of 2002) – It is further to be pointed out that after promulgation of Electronic Transactions Ordinance, 2002, the Qanun-e- Shahadat, 1984 (P.O. 10 of 1984) stands amended in terms of section 29 of the Ordinance, 2002 – By the said amendments various definitions of the Qanun-e-Shahadat Order have been changed and specifically by addition of section 2(e) in the said Order all the documents produced or generated through modern devices have been given evidentiary value...

It is further observed in Paragraph 11 of the Order thereof that in view of the aforesaid provisions of the Electronic Transactions Ordinance 2002, as well as amendment in the Qanun-e-Shahadat Order, it appears that it is no longer necessary for electronically transmitted documents, which include Commercial / Banking Contracts, to be manually signed or for the same to be attested by any witness.

The Payment Systems and Electronic Fund Transfers Act, 2007

The purpose of the Act is to provide regulatory framework for payment systems and electronic fund transfers. “Electronic fund” means the money transferred through an electronic terminal, ATM, telephone instrument, computer, magnetic medium or any other electronic device to order, instruct or authorize Banking Company, a Financial Institution or any other Company or Person to debit and credit an account. The Act gives powers to State Bank of Pakistan that if it finds it necessary in the public interest, it can designate a “Payment System” (means a system relating to payment of instruments, or transfer, clearing, payment settlement, supervision, regulation or infrastructure etc.) as a Designated Payment System by a written order. State Bank can revoke the designation of payment system.

It also deals with Payment Systems, Real Time Gross Settlement System (RTGS), Operator Arrangement, Clearing and other obligations, Documentation of Transfers, Notification of Error, Liability of parties and penalties etc.

The Prevention of Electronic Crimes Ordinance, 2007

Aim of the Ordinance is to make provision for prevention of Electronic Crimes. Prevention of any action directed against the confidentiality, integrity and availability of electronic system, networks and data as well as the misuse of such system, networks and data by providing punishment of such actions and to provide mechanism for investigation, prosecution and trial of offences and the other matters connected thereto.

It deals with Criminal access, Criminal data Access, Data damage, System damage, Electronic fraud, Electronic forgery, Misuse of Electronic System or Electronic Device, Unauthorized access to Code, Misuse of encryption, Malicious code, Cyber stalking, Spamming, Spoofing, Unauthorized Interception, Cyber Terrorism it also deals with their punishments, abetting, aiding and attempts to commit offences, prosecution and trial of offences, establishment of investigation and prosecution agencies etc.

The Pakistan Telecommunication (Re-Organization) Act, 1996

The aim of the Act is the re-organization of telecommunication system. It provides for re-organization of telecommunication system in Pakistan by establishing the Pakistan Telecommunication Authority, the Frequency Allocation Board, National Telecommunication Corporation and the Pakistan Telecommunication Employees Trust, Regulation of Telecommunication Industry, Transfer of Telecommunication Services to private sector and matters connected and incidental thereto.

It elaborates the powers, functions and responsibilities of the Pakistan Telecommunication Authority.

Cognisance of the offences punishable under the Pakistan Telecommunication (Re-Organization) Act, 1996, could only be taken by the Court on a complaint in writing by an officer authorised by the Authority or the Board.

The Telegraph Act, 1885

The Act deals with telegraphs in Pakistan. The Federal Government may grant a license to any person that he may establish, maintain or work a telegraph within any part of Pakistan. The Government and the telegraph officer both shall not responsible for any loss or damage which may occur in consequence of failure to the receipt, transmission or delivery of any message unless the telegraph officer is negligent in performing his duties.

The Wireless Telegraphy Act, 1933

Wireless Telegraphy Act deals with the possession of wireless telegraphy apparatus. It prohibits the possession of wireless telegraph apparatus without a license. The Federal Government has power to exempt any person or class of persons from the operation of this Act by making rules on it either generally or on conditions. It also prescribes offences and penalties in case of violation of this Act.

The Anti-Money Laundering Ordinance, 2007

The Ordinance is made for prevention of money laundering. A person shall be guilty of the offence of money laundering if he acquires, converts, possesses or transfers property, knowing or having reason to believe that such property is proceeds of crime, or renders assistance to another person for the acquisition, conversion, possession or transfer of, or for concealing or disguising the true nature, origin, location, disposition, movement or ownership of property, knowing or having reason to believe that such property is proceeds of crime. The punishment for money laundering shall be one year but may extend to ten years according to the gravity of the offence and he shall also liable to fine which may extend to one million rupees and shall also be liable to forfeiture of property involved in the money laundering.

ZA–LLP deal in all kinds of Cyber Crime Laws including Anti-Money Laundering Ordinance, 2007. If you have any queries, please do not hesitate to contact us.

---

Our Core Competencies

---