A Joint-submission by Bytes for All, Pakistan and Center for Social Justice to be discussed in 120thsession of Human Rights Committee

Introduction

The submission is being made by Bytes for All (B4A), Pakistan in collaboration with Center for Social Justice (CSJ). Free Press Unlimited (FPU) has also endorsed this submission.

B4A is a research think-tank with focus on information and communication technologies (ICTs) and human rights. It is committed to protect and promote the rights to freedom of expression, peaceful assembly and of association, privacy and intersection of religion and expression both in online and offline spaces. CSJ is established with a desire to engage in result-oriented research and advocacy concerning human rights, democratic development and social justice for the people in general and the marginalized groups in particular.

This submission focuses on the shrinking space for civil liberties as well as the restrictive operating environment for civil rights movement in the country. The enactment of the cyber crimes law aimed at combating online crimes and ensuring national security is another problematic issue compromising citizens political dissent, freedom of expression and larger digital rights.

Two policies will be especially analyzed in this submission: 1) The enactment of the Prevention of Electronic Crimes Act (PECA) 2016; and 2) Policy for regulation of International Non-governmental Organizations (INGOs).

In the name of promoting transparency and accountability, the proposed state policy for regulation of International Non-governmental Organizations (INGOs) will become a tool to curb freedom of association and independent operations of civil society organizations.

In early 2017, the case of five missing bloggers, and crackdown against social media activists, political workers and journalists underline that freedom of expression, opinion and speech is threatened in several ways ranging from restrictive laws and high handedness of state agencies.

We take this opportunity of Pakistan’s first review under International Convention on Civil and Political Rights to call attention to the issues needing urgent relief and remedy. This joint-submission is in response to and follows the order of the state party report that Pakistan submitted on November 25, 2015.

1.Article 17 — Right to privacy

Article 17 of the International Covenant on Civil and Political Rights (ICCPR) provides for the right of every person to be protected against arbitrary or unlawful interference with his or her privacy, family, home or correspondence as well as against unlawful attacks on his honour or reputation. Any interference with the right to privacy can only be justified if it is in accordance with the law, has a legitimate objective and is conducted in a manner that is necessary and proportionate. Rapid advances in technology have posed significant challenges to the right to privacy, yet governments are required to protect and promote this right in the digital age.[1]

Article 14, Clause 1 of the Constitution of Pakistan[2] provides for the inviolability of the privacy of the home, subject to law. However, the Constitution does not expressly protect privacy of communications, digital or otherwise. Moreover, Article 14 does not provide any limitations for laws that restrict the right to privacy to ensure that they are not arbitrary and comply with the principles of necessity and proportionality.

1.1PECA 2016 legitimizes arbitrary surveillance and mass collection of private data

The newly promulgated PECA 2016 also legitimizes the state’s activities to snoop into digital communications of the citizens, retain personal data for up to one year and share it with foreign governments and agencies. PECA 2016 poses a serious threat to the right to privacy as it permits the Pakistan Telecommunication Authority (PTA).

1.1.1Remarks on definitions

The Pakistani Act on cybercrime contains a range of definitions that have a broad and/or subjective scope, lacking clear definitions. For example, the definition of the term “access to data” is to gain “control or ability to use, copy, modify, or delete any data held in or generated by any device or information system”. This definition however implies more than access only and therefore has a scope that is too broad (which could lead to the criminalisation of innocent civilians). Another term that is being defined in the Act, namely the term “dishonest intention”, contains a subjective expression due to the fact that an intention cannot be measured. The terms “reasonably required” and “reasonable grounds”, as mentioned in articles 31 (a) and 33 of the Act, are also examples of subjective provisions. Subjective and vague/broad wording in laws could leave room for the government to interpret the Act in its own favour (contrary to article 9 ICCPR), which undermines the legal certainty of civilians.

Several definitions stated in the Act are based on a so called “circular definition”, meaning that a word is defined in terms of itself. For example: “authorised officer” outlined in the Act “means an officer of the investigations agency authorised to perform any function on behalf of the investigation agency by or under this Act”. By using circulardefinitions it remains unclear what the exact scope and meaning is of a definition, this again conflicts with the legal certainty of civilians.

Some definitions given in the Act are vague. The term “critical infrastructure” for example, states that the government may designate any private or government infrastructure in accordance with the objectives of sub-paragraphs (i) and (ii) above, as critical infrastructure may be prescribed under this Act. With this definition anything can be defined as infrastructure by the government. This could lead to uncertainty as to what is legal (or not) and creates a so called chilling effect (suppressing any sort of debate; this conflicts with article 19 ICCPR).

1.1.2Overall remarks

The overall wording of the Act is too broad. To give an example, articles 3 and 4 of the Act (on unauthorised access to information system or data and unauthorized copying or transmission of data) criminalise the intentional copying and transmission of any data when it is unauthorised. This causes a threat to journalists and whistle blowers whose work consists of accessing information in the public interest they are not authorised to access. This means that article 19 ICCPR, the right to freedom of expression, is being violated. Therefore the Act should be altered to make an exemption for anyone who might transmit data in the public interest and does not misuse it. This could be done by changing the words of the provisions so that only acts that are committed with the intent to cause harm are being categorized as an offense. These broad provisions could constitute a chilling effect on media activities in Pakistan and could pose a serious threat on the ability of journalists to work freely.

Besides journalists and whistle blowers, who might transmit unauthorised data in the public interests, harmless behaviour of the average internet user is also being criminalised under the Act. Article 9 for example (on the glorification of an offense) could lead to the arrest of an innocent blogger wanting to inform the public on a prosecution of a suspect, and the term “unsolicited” in article 25 of the Act (on spamming) could result in criminalizing the Act of sending an email without the recipients prior consent. Criminalisation of innocent civilians needs to be avoided at all times. Therefore, there has to be made a clear distinction in the Act between criminal activities and harmless behaviour.

Many provisions in the Act (e.g. article 18: tampering, etc. of communication equipment) also target those who use certain tools for legitimate purposes, restricting people from transmitting/publishing/accessing information online (such as anonymous browsing). Articles 19, 20, 25, 26 and 35 are also examples of online restrictions for ordinary citizens. These provisions deter innocent people from using the Internet and clash with article 19 ICCPR.

Some articles in the Act (such as article 10) could withhold people from forming deviating opinions (article 19 ICCPR) or conflict with the freedom of peaceful assembly or association (articles 21-22 ICCPR).

According to article 14 of the ICCPR everyone shall be entitled to a fair and public hearing by a competent, independent and impartial tribunal established by law. Uncertain is whether the authorised officer (article 31), the law enforcement agency (article 29) or the authority (article 21) mentioned in the Act, can be seen as independent authorities, against whom appeal is possible. In general, the Act permits government authorities to access data of internet users without any form of judicial review process to justify the access. Article 35 for example delegates various extensive rights to an authorised officer, without the obligation to request a warrant before these powers are being exercised. These (authorised) powers should only be used in the most exceptional cases, on a judge’s order and in case of threat to the national security. Warrants should be required for all offences.

No mechanism to rectify power abuse of an authority exists under this Act (in article 37 for example), contradicting the right to an effective remedy as defined in article 2 ICCPR. This could pose a threat to the right to freedom of expression of citizens. Article 20, on offences against dignity of a natural person, creates no right for a person being prosecuted under this article to prove the accuracy of information. Also the rights of journalists could be at stake due to this provision. Journalists have an important public function and only have the obligation to check the information they report. Normally they cannot guarantee the accuracy of information.

Article 31 on expedited preservation and acquisition of data does not require intervention of a judge when it comes to verification of the ground for the request to provide certain data. Also the term “reasonably required” in this provision is subjective and does not provide any legal certainty for civilians or those working in the public interest (for example journalists). This will do harm to the right to privacy as set out in article 17 of the ICCPR.

Article 32 is another example of the authorities not being checked up on by an independent, competent and impartial judge. No procedures have been made on data protection, usage and destruction. This threatens the right to privacy.

Article 37 on unlawful online content gives the Pakistan Telecommunication Authority the power to remove, block or issue directions for removal or blocking of access to information through any information system, if it considers it necessary in the interest of the glory of the Islam. Again, this constitutes a subjective power of the authority comprising no control by a court or any legal certainty as to how any online content is being evaluated. Besides this, this provision indicates a lack of respect for a religion or other belief system which is incompatible with the ICCPR (more specifically article 18).

The Act contains a provision (article 43) that provides international cooperation, without providing an independent judicial oversight mechanism for sharing this data. Without permission of a competent, independent and impartial tribunal sensitive information of citizens can be shared by the federal government. This raises privacy concerns.

Proportionality always needs to be maintained when using investigative powers. Some punishments in the Act violate the rule of proportionality.

The Preliminary declares the Act also applicable to any deed committed outside of Pakistan. This creates legal uncertainty for anyone outside of Pakistan, as no one is aware of laws other than laws directly applicable to the country they live in (article 15 ICCPR).

Phone calls are routinely tapped, which was admitted by the state intelligence agencies before the Supreme Court in 2015, when they stated that they were monitoring over 7,000 phone lines every month.[1] In addition, the government has implemented a mass digital surveillance programme under the guise of securing Islamabad.[2] Over 1,800 high-powered cameras have been installed all over Islamabad. These high-definition cameras are technologically advanced and their facial recognition feature links to National Database and Registration Authority (NADRA).[3] Punjab[4], Khyber-Pakhtunkhwa[5] and Sindh[6] governments have also unveiled their plans to install CCTV cameras in their respective jurisdictions.

1.1PECA 2016 legitimizes arbitrary surveillance and mass collection of private data

The government has been using intrusive technology such as FinFisher that surveils private communications. FinFisher offers different intrusive modules that silently sit in the recipient’s digital devices and enable remote surveillance such as key logging, webcam/microphone access, password gathering[7],[8],[9]. In addition, Pakistan also contacted the Hacking Team to acquire a similar type of intrusion malware suites.[10]

Punjab government’s initiative binds all hotels in Lahore to share guests’ data including foreigners with the city police. Hotel Eye software is introduced which is attached with crime database in their control room.[11] Pakistan lacks in legislative framework that would protect data of citizens.

In the absence of safeguards, such as judicial oversight, state institutions have been carrying out surveillance on digital communications of individuals, groups and organisations. There is increasing concern that local law enforcement agencies (LEAs) and intelligence agencies have the ability to access into a range of devices to capture data, encrypted or otherwise. Following guidelines set out by the government, courts and Ministry of Information Technology, PTA and multiple law enforcement agencies are able to conduct online surveillance and lawfully intercept and monitor data.[12]

The state appears to be using the 2002 Electronic Transaction Ordinance, the Investigation for Fair Trial Act 2013 and the Pakistan Telecommunications (Re-organization) Act 1996 to collect privileged communication and conduct broad surveillance[13].

1.2Absence of Privacy Commission

With serious data privacy and data protection issues, while the government institutions and corporations are collecting citizen’s data, Pakistan has still not developed any legislation on the data privacy or set up a privacy commission to deal with the queries on data protection and privacy. The biggest database is managed by the National Database and Registration Authority (NADRA) is not without flaws. For example, the government in 2013 ordered all telecommunication companies to verify all Subscriber Identity Modules (SIMs) and collect biometrics for existing and new users[14]. Similarly in 2015, the State Bank of Pakistan (SBP) also made biometric verification mandatory for opening bank accounts and using Automated Teller Machines (ATMs).[15]

2.Freedom of expression, opinion and right to information

Article 19 of the ICCPR guarantees everyone the right to hold opinions without interference, and the right to freedom of expression, including to freedom to seek, receive and impart information and ideas of all kinds, regardless of frontiers. Limitations to freedom of expression must be provided by law, pursuant to a legitimate aim, and necessary to achieve such aim.[16] As the Human Rights Committee elaborated with General Comment No. 34, Article 19 applies to online communications, and “[a]ny restrictions on the operation of websites, blogs or any other internet-based, electronic or other such information dissemination system, including systems to support such communication, such as internet service providers or search engines, are only permissible to the extent that they are compatible with Paragraph 3.

The situation regarding freedom of expression, both within offline and online spaces, is becoming increasingly life threatening in Pakistan[17]. The right to freedom of opinion and expression is guaranteed under Article 19[18] of the Constitution of Pakistan, which is subject to a set of limitations[19]. These include “restrictions imposed by law in the interest of the glory of Islam or the integrity, security or defense of Pakistan or any part thereof, friendly relations with foreign states, public order, decency or morality, or in relation to contempt of court, [commission of], or incitement to an offense”. A set of subjective and vague terminology in this Article makes it arbitrary and open to interpretation. Also the limitations such as “...glory of Islam or the integrity, security or defense of Pakistan, friendly relations with foreign states, decency or morality or in relation to contempt of court” are restrictions that do not meet the criteria provided in the ICCPR.

2.1Right to information

Sub-section 2 of Article 19 of the ICCPR also protects right to information and explicitly says, “Everyone shall have the right to freedom of expression; this right shall include freedom to seek, receive and impart information and ideas of all kinds, regardless of frontiers, either orally, in writing or in print, in the form of art, or through any other media of his choice.” As a result of 18th amendment, Article 19-A[20] was included in the

Constitution guaranteeing the right to information in all matters of public importance subject to regulations and ‘reasonable restrictions’ imposed by the law. However, guidelines for these ‘reasonable restrictions’ are missing in the Constitution leaving space for legislative bodies to introduce interpretations and limitations of their own choice to restrict this right.

Since the passage of 18th amendment, the federal government has not made progress on finalizing legislation on the Right to Information Act (RTI). Observers note this Act, if passed, is possibly the best tool to ensure better accountability in government institutions. However, Khyber-Pakhtunkhwa and Punjab governments have already enacted two effective laws in their respective provinces. Like the federal government, Baluchistan province has yet to replace its outdated RTI laws with the new ones.[21] Sindh assembly has also passed a new bill called Sindh Transparency and Right to Information Bill 2016, which is still pending for approval from the governor of the province[22].

2.2Blocking, censorship and regulation

PTA continues to block over 80,000 websites on grounds of morality and obscenity. Another 200,000 links containing ‘objectionable’ content remains inaccessible in Pakistani cyberspace[23]. In January 2016, PTA on the directions of the Supreme Court also instructed the internet service providers (ISPs) to block 400,000 ‘objectionable’ websites at domain level. However, ISPs reported back that blocking at such a mass scale would be costly[24].Though, all the websites marked to be blocked were not containing the above-mentioned content. Pakistani government also frequently requests Facebook, Twitter and Google to restrict or remove what they deem to be ‘objectionable content’ in Pakistan.