Comments on the Proposed Draft  Ordinance on IT Law in Pakistan:



(P.S: This Note is purely an academic exercise by Cyber Law and does not represent any commercial or other interests)

 The growth in the use of Computers for Personal, Commercial and Government purposes all over the world has increased the need to make such use legally enforceable. To make the legal position of electronic documents clear to the public, and to avoid complications and confusions arising out of the wrong interpretations when common meta society laws are applied to the Cyber world, several Governments have drafted special legislation under the banner of “ Cyber Laws”. 

India was one of the early countries to adopt Cyber Laws when ITA-2000 was notified with effect from October 2000. Presently Pakistan is contemplating a legislation of similar nature and a draft of a proposed ordinance was released some time back. In the light of the Indian experience in ITA-2000, an attempt is made to look at the provisions in the proposed ordinance.  

1. Objectives: 

The ordinance is aimed at promotion of IT in national economy, delivery of Government services and promotion of public confidence in electronic communication.

 The declared objectives are positive looking and avoid focus on “Cyber Crimes” as a central theme. Readers may recall that when the ITA-2000 was discussed before enactment, the principle discussion was on the “Powers of the Police to Arrest offenders without Warrant”. Even though the objective clause of the Indian law was also promotion of E-Commerce, this aspect was lost in the overall context. In the din of the discussions surrounding this section, no worthwhile discussions took place in the Parliament on the other substantive issues. Hence it is interesting to note that the Pak ordinance is soft on the description of Cyber Crimes and presents the legislation in a positive manner even though most of the common Cyber crimes are covered.

 2        Definition of Electronic Signature and Security Procedure:

 The ordinance defines “Electronic Signature” as a means of authentication as to include “any letters, numbers, symbols, images, characters or any combination thereof applied to, incorporated in or directly associated with an electronic communication or electronic record, unique to the person signing, in order to establish the authenticity or integrity or both of the electronic record.

 The definition of Electronic signature used here is broad enough to incorporate the definition of Digital Signature backed by PKI system adopted by India. The “Security Procedure” is also defined in terms of the objective of securing the authenticity and integrity of the message and the ordinance avoids the need to define the Digital signature process with reference to the PKI technology only.

 However since there does not appear to be any established security procedure which is as good as the PKI system at present for securing the authentication and integrity of a document at the same time, ultimately the PKI system has to be recognized as an approved system. 

The sections on Certificates, Certification Service Provider, Certification practice statement, etc are also defined without tying up with a specific technology such s PKI.

 Technology neutrality was one of the factors which were not taken into account in the Indian law and many technologists had raised their objection to the rigidity. The Pak ordinance takes into account this factor.

 However, in the absence of an alternative system in sight (There are many bio metric systems that are used for authentication but they are still to be refined for the purpose of validating data integrity) the public needs to be made aware of the PKI system that is well established now. Perhaps the Government may try to do this through the certification service provider’s licensing procedure and the CPS.

 Since the security procedure is providing the flexibility of adopting a mutually agreeable procedure, the system can start functioning from day one without waiting for the infrastructure for Digital signature to be developed. This has been one of the stumbling blocks in Indian legislation since the Act made any system of authentication other than the suggested one as “Not Recognizable in Law”. 

The definition of the electronic signature used in the Pak ordinance is flexible enough to use the internationally available digital signature certificates (provided the licensing procedure does not prohibit this subsequently). It is necessary to allow this flexibility until domestic certification service providers develop their infrastructure which we in India have found to be time consuming. More over, being a smaller country, the market for certificates in Pakistan may not be high enough to warrant domestic certifying authorities coming up immediately and the system will fail to take off unless existing international certifying authorities are allowed to issue certificates within Pakistan in association with a local registration authority if required. 

The Indian law in this respect mandates the entire certifying infrastructure to be located in India and hence the financial viability of the Certification Authority projects has been in doubt.

 3. Extension of Other Laws to Electronic Documents:

Sections 3 and 4 of the ordinance extend the effects of other laws in the country to the field of electronic documents. This is similar to the bridging clause used in the Indian law. The exclusion of certain documents such as Negotiable Instruments etc is exactly similar to the Indian law.

 The section 3 of the ordinance is more comprehensive than the corresponding section in ITA-2000 and extends the concept of Electronic documents to such terms as Register, Document of Title, ledger, Map, book, attestation, witnessing, publishing etc.

One important aspect of the Pak ordinance is that it provides an indication to introduce Stamp duty for electronic documents in a time frame of two years for which a system is to be developed.

 4. Cyber Crimes:

 The Pak ordinance simplifies the definition of Cyber Crimes. Section 25 is particularly interesting.

 This section covers several aspects of Hacking and Virus related offences under the “Privacy Protection Objective”. Together with Section 26 it covers most of the offences coming under hacking and Virus without using any of the definitions for hacking and virus.

One of the problems with the Indian law has been an attempt to define words such as “hacking”, which is an unnecessary and often a dysfunctional exercise.

The Pak Ordinance is however silent on “Obscenity” and “Cyber Fraud”. These are left to be covered by the combination of the normal laws and the extension of the same to Electronic documents.

The ordinance is also similarly silent on Intellectual Property rights and Spamming.

 While the common law can take care of some of the offences, in order to make international offenders liable under the act as per section 32( Application of Act done outside Pakistan) , it would have been better if the Pak ordinance had defined punishments for Credit Card and various schemes of frauds that prevail in the Cyber World.

Spamming is also another menace which requires the cooperation of international ISP s and without it being declared as an offence, regulation would be difficult.

 Content filtering, Censorship, etc also is not covered in the ordinance. Again the absence of these may affect invocation of Section 32.

 5. Network Service Providers:   The Pak ordinance provides immunity to Network service providers as in the case of India.

 In the Indian context the role of Cyber Cafes has often caused some difficulty in the imposition of vicarious responsibilities. A broad outlook of a Network Service provider as used in the Indian law may with some effort cover Cyber Cafes under this category. The Pak definition of Network Service providers is however more specific and may exclude unlicensed systems of Internet sharing facilities, if they exist. If Internet is considered as a facility useful to the common man, it would be better to provide some kind of guidance to Cyber cafes of how they can protect themselves from the offences committed by the users. Granting immunity to them like the Network service providers would have been one option.

 If Cyber crimes are to be effectively tackled, the ISP s need to cooperate with law enforcement agencies in the preservation of evidence and their sharing with the law enforcement authorities. The Pak ordinance seems to have omitted to impose any responsibility to the ISP s in this regard.

6. Justice Dispensation System:

The Pak ordinance has not dealt with the justice dispensation system for Cyber crimes while the Indian Act did address this issue though not adequately.

If relief has to be provided to commercial establishments against Cyber crimes it is essential that the justice dispensation system must be quick and effective. It is therefore not a bad idea to provide for “Parallel Special Court System” similar to the “Adjudication” system adopted by the Indian Act. This would have taken care of the need for computer expertise for the Judges and the attorneys in dealing with Cyber crimes. Indian Act was good but was spoiled by subsequent “Rules” making it impossible for the public to get any worthwhile remedy in respect of Cyber crimes through the justice dispensation system. Pakistan could have avoided the repetition of the same mistake of leaving the Cyber crimes for disposal by the normal courts.

 7. Definition of a Person:

The definition of “person” in the ordinance does not include a “Computer”.

 Many of the Cyber crimes are committed through the use of software which can be crookedly programmed. Presently their actions are attributed to the “Programmer”. This has some practical complications say in a corporate network where the “Operational Ownership” is often shared by the system administrators and is not with the “programmer”. It is necessary to define the actions of an automated system as equivalent to that of an “agent”. Just as a corporate person is recognized as a legal entity, it is possible to define an automated system as an “Electronic Person” and treat him as an “Agent”. In such a case one can fix the liabilities arising out of the action of such agent with the principal. Such principal would be the one who assigns the specific task to the machine. This definition can help in the long run to meet various contingencies.

 8. Evidentiary Matters:

 According to Section 8 of the ordinance, one of the conditions for presuming the authenticity and data integrity of an electronic document is that the information system used for the application of the security procedure was in working order at all material times.

There will be a slight ambiguity when this clause is discussed in a court of law. The security procedure is applied first when the secured electronic document is produced. This will be received and stored by the recipient. Probably the security procedure would have been used at this end for verification. The dispute normally would be raised by the sender on the data integrity or the authentication process. The recipient would therefore not be in a position to either prove or disprove the “working order of the information system” at the time of the generation of the system.

Hence presumption should only require that the security procedure when applied in the presence of the court confirms the originator to be the alleged person. Beyond this it appears difficult to prove that either the sender’s information system or the receiver’s information system was in working order at all material times.

 9: The constitution of the Electronic Certification Licensing Authority (ECLA)

It is interesting to observe that the ECLA is a body corporate and comprising of three members one of whom is a cryptography expert the other an academic and the third a judge.

 The constitution is well thought out and better than the Government departmental structure adopted by India.

January 17, 2002. 

Draft of the proposed legislation is here

Comments and Suggestions can be sent to Naavi

For Structured Online Courses in Cyber laws, Visit Cyber Law


Back to