A high-powered committee is probing the cyber security breach at the Prime Minister’s office and has been entrusted with preparing a legal framework for the seamless security of government assets. This has sparked a debate about whether Pakistan should finally join the famous Cybercrime Convention.
The Cybercrime Convention, or the Budapest Convention, took a global approach to cybercrime that involved harmonising national law related to cyber security and electronic crimes, improving forensic abilities, and enabling international cooperation between law enforcement agencies.
In order to get an idea about what this treaty offers, consider the following scenario: an Indian hacker uses phishing techniques to install malicious software on computers connected to our government’s intranet. They do this to record conversations by using office surveillance cameras or employee cell phones connected to the private Wi-Fi network, or they simply install a dedicated hardware bug to transmit recorded conversations to their cloud servers in the US or EU.
Now, Pakistan’s Prevention of Electronic Crimes Act (PECA) 2016 can’t take action against culprits who are not based in Pakistan. But had Pakistan ratified the Budapest Convention, the FIA could request the US and European authorities to collect foreign evidence and help identify, trace, and block cyberattacks from their cyberspace.
The above scenario, however, is rather oversimplified; modern-day scenarios are more complicated and may involve cybercrime execution that is multifaceted. For example, the attacker could use the computing power of the cloud servers physically present in India, the storage aggregation of which takes place in another country, with the cloud service provider being registered in the US. In all this, the victim, whose data is being held by the service provider, may be a resident of Iran – while the attacker originates from an entirely different country.
Hence, cybercrime that involves cloud resources could result in a jurisdictional nightmare.
The Budapest treaty, however, does not require ‘dual criminality’, that is, for an activity to be a declared crime in both countries, before one nation can request the police of another one to investigate. This means that Australia could ask Pakistan to investigate even those activities that are illegal in Australia but are perfectly legal in Pakistan.
In this way, the Budapest Convention requires the participating nations to criminalise offenses such as hacking as well as the production, sale, procurement or distribution of hacking tools, and requires the police of these member states to cooperate in mutual assistance requests. In order to help coordinate enforcement against cross-border cybercrimes, the convention equips the police with new surveillance technologies under which they can ask ISPs for ‘internet-tapping’ of their subscribers.
The convention could also serve as a useful yardstick for Pakistani legislators to draft new laws and regulations addressing cybercrime.
As with any other law, this treaty has its own downside: the Budapest Convention is capable of grossly undermining individual privacy rights, and ratifying the cybercrime convention or amending our law along similar lines could short-circuit the debate on illegal surveillance conducted by law-enforcement agencies in Pakistan. The surveillance powers granted via this treaty are not balanced by exceptions or civil liberty restraints – even in political cases.
Similarly, though the convention asks members to cooperate ‘to the widest extent possible,’ its role is limited in the case of state-sponsored cyberterrorism. It focuses on private actors only and the treaty can’t be used to impose sanctions on states – even when the cyberattack is traced back to a government agency.
Due to the above weaknesses, since 2019, the United Nations has been engaged in developing consensus on a new global cybercrime treaty. The ad hoc committee that last met in June this year discussed proposals submitted by many states on countering the use of information and communication technologies for criminal purposes. Unfortunately, Pakistan has not sent its proposals and is not participating in this stakeholder engagement exercise, while India, Iran and even Egypt have been participating actively in this multiyear negotiation exercise. In fact, India has established a Cyberlaw University which submitted an independent proposal to the UN as a non-governmental organisation.
There have always been privacy concerns in signing the Budapest Convention, especially given that the treaty acts more as a NATO ‘wish list’ after the 9/11 incident, with little civil society input, than as a collective effort to combat cybercrime. But the new cybercrime treaty that is being spearheaded by the UN committee is something to look forward to – a step closer to universal adoption by all countries. Keeping up with this trend, Pakistan should initiate dialogue at the national level and participate in the UN committees.
The writer is a Cambridge graduate and is working as a strategy consultant.
Published in The Express Tribune, November 21st, 2022.