Violations of user rights continued at high levels during the coverage period, including two unrelated murders by different actors responding to online speech, and five blogger abductions. Civil society groups say the Prevention of Electronics Crimes Act approved in 2016 criminalizes legitimate online activity, and more problematic prosecutions based on allegations of online blasphemy were reported.
Article 19 of Pakistan’s constitution establishes freedom of speech as a fundamental right, although it is subject to several broad restrictions. Pakistan became a signatory to the International Covenant on Civil and Political Rights in 2010.
Several laws have the potential to restrict the rights of internet users, including one passed during the coverage period of this report. In August 2016, the Prevention of Electronic Crimes Act (PECA) became law, despite concerns from civil society organizations regarding the lack of transparency involved in the drafting process. Though it contains some procedural safeguards for cybercrime investigations by law enforcement agencies, international and local human rights groups condemned the law’s overly broad language and disproportionate penalties, including a 14 year prison term for acts of cyber-terrorism that the law failed to adequately define. The law also punishes preparing or disseminating electronic communication to glorify terrorism; and preparing or disseminating information that is likely to advance religious, ethnic or sectarian hatred, both with up to seven years in prison. Section 20 criminalizes displaying or transmitting information that intimidates or harms the “reputation or privacy of a natural person” with a maximum three year prison term or a fine of PKR 1 million (US$9,500) or both. The law also granted the PTA broad censorship powers (see Blocking and Filtering), and raised privacy concerns (see Surveillance, Privacy, and Anonymity).
The law’s harsh penalties were cause for particular concern in light of recent sentences passed by antiterrorism courts for online speech. In November 2015 and March 2016, two individuals were each sentenced to 13 years in prison in separate cases for allegedly distributing “hateful” or “sectarian” material on Facebook. The material was not reported to involve threats of violence. Those cases would have fallen under earlier counterterror legislation such as the Protection of Pakistan Act 2014, which expired in 2016, rather than the new PECA. But closed military courts remain available for trying terrorism-related offences. The secretive courts were established in 2015 through the 21st amendment to the constitution, which was set to lapse in January 2017 until the National Assembly and Senate approved a two-year extension.
Other procedural concerns about the law’s implementation have been raised. In October 2016, news reports said the government had “accepted a proposal by the Inter-Services Intelligence (ISI) to let its operatives take pre-emptive action against individuals and organizations breaching national security under the recently enacted cybercrime laws.” This would effectively authorize the intelligence agency to act unilaterally in cybercrime investigations considered to affect national security.
Sections of the penal code which cover blasphemy, including 295(c) which carries a mandatory death penalty, are frequently invoked to limit freedom of expression, and many cases involve electronic media (see Prosecutions and Detentions for Online Activities). In March 2017, the Islamabad High Court ruled that those accused of posting blasphemous content on social media should be barred from leaving the country until their name is cleared. Any citizen can file a blasphemy complaint against any other, leaving the accused vulnerable to violent reprisals regardless of whether the complaint has foundation. Human rights groups report that the law lacks safeguards to prevent abuse to settle personal vendettas.
Other laws threaten online speech. Sections 36 and 37 of the Electronic Transaction Ordinance of 2002 punish “violations of privacy of information” and “damage to information systems” respectively. The 2002 Defamation Ordinance allows for imprisonment of up to five years. The PECA effectively replaced the ordinances but they were still invoked during the reporting period, and some older cases were also ongoing. Section 124 of the penal code on sedition is broadly worded, and covers acts of sedition “by words” or “visible representation,” which could include digital speech, though it has yet to be applied in an online context. The Surveying and Mapping Act 2014 limits digital mapping activity to organizations registered with the governmental authority Survey of Pakistan, with federal permission required for collaborating with foreign companies.
Prosecutions and Detentions for Online Activities
The climate for prosecutions improved slightly in comparison to the previous reporting period, when two 13-year prison sentences were passed for Facebook comments that were not reported to include threats of violence (see Legal Environment). But arrests continued to be documented, and the brief respite with regard to sentencing was short lived. On June 10, 2017, just days after the end of the coverage period, a court awarded the death penalty in a blasphemy trial involving comments published on Facebook.
Several new blasphemy prosecutions were initiated in 2016 and 2017. In September 2016, teenager Nabeel Masih was arrested for simply “liking” an allegedly blasphemous post on Facebook. In mid-2017, he was still awaiting trial. More arrests were reported in early 2017, after the Islamabad High Court ordered the government to take swift action against blasphemous material online (see Content Removal). The FIA arrested three individuals for posting blasphemous material online and revealed that they will be tried in closed antiterrorism courts (see Legal Environment). The FIA also claimed to have arrested a “gang” of 11 blasphemers in relation to content published on social media platforms. No further details were available regarding these cases in mid-year.
Political speech was also subject to investigation during the coverage period of this report. In December 2016, the FIA detained three bloggers for allegedly sharing images of Prime Minister Nawaz Sharif with a politician incorrectly identified as a judge. The image was perceived as an attempt to malign the judiciary. No formal charges were pressed, according to official statements.
Surveillance, Privacy, and Anonymity
The Prevention of Electronics Crimes Act passed during the coverage period of this report grants overly broad surveillance powers, both to agencies within Pakistan, and potentially beyond, since it includes provisions that permit the sharing of data with international agencies without adequate oversight. Section 32 requires service providers to retain traffic data for a minimum of one year, and allows for that period to be extended with a warrant issued by a court.
There is currently no data protection law in Pakistan. As a result of this lack of oversight, ISPs and mobile companies are not obliged to maintain or comply with data protection policies that protect consumers. Data collected by the state’s National Database Registration Authority (NADRA), which maintains a centralized repository of information about citizens, is not subject to any transparent privacy rules.
Government surveillance is a concern for activists, bloggers, and media representatives, as well as ordinary internet users. Pakistani law enforcement and intelligence agencies appear to have expanded their monitoring activities, including at the local level, ostensibly to curb terrorism and violent crime. In 2015, U.K.-based Privacy International reported that the Pakistani government’s surveillance capabilities, particularly those of the Inter-Services Intelligence Agency, outstrips domestic and international legal regulation. “Mass network surveillance has been in place in Pakistan since at least 2005,” using technology obtained “from both domestic and foreign surveillance companies, including Alcatel, Ericsson, Huawei, SS8 and Utimaco,” according to the report.
A separate 2013 report by Citizen Lab indicated that Pakistani citizens may be vulnerable to FinFisher spyware, which collects data such as Skype audio, key logs, and screenshots. The analysis found FinFisher’s command and control servers in 36 countries worldwide, including on the PTCL network in Pakistan, but did not confirm that actors in Pakistan are knowingly taking advantage of its capabilities. In 2014, however, hackers released internal FinFisher documents indicating that a client identified as “Customer 32” licensed software from FinFisher to infect Microsoft office documents with malware to steal files from target computers in Pakistan.
The Fair Trial Act, passed in 2013, allows security agencies to seek a judicial warrant to monitor private communications “to neutralize and prevent [a] threat or any attempt to carry out scheduled offences.” It covers information sent from or received in Pakistan, or between Pakistani citizens whether they are resident in the country or not. Under the law, service providers face a one-year jail term or a fine of up to PKR 10 million (US$103,000) for failing to cooperate with warrants. Warrants can be issued if a law enforcement official has “reason to believe” there is a risk of terrorism; it can also be temporarily waived by intelligence agencies. A 2014 white paper issued by the Digital Rights Group said that provisions of the Fair Trial Act contravene the constitution and international treaties which Pakistan has signed.
ISPs, telecommunications companies, and SIM card vendors are required to authenticate the Computerized National Identity Card details of prospective customers with the National Database and Registration Authority (NADRA) before providing service. A reregistration drive was launched following a 2014 terrorist attack on a school that was reportedly facilitated by mobile phones with unregistered SIM cards, and the government added a biometric thumb impression to the registration requirements for SIM cards. In 2015, those who failed to meet the new requirement were warned of automatic disconnection, and 26 million SIM cards were subsequently blocked.
Pakistanis are also vulnerable to surveillance from overseas intelligence agencies. In June 2015, The Intercept published revelations of hacking and infiltration of the Pakistan Internet Exchange (PIE) by Britain’s GCHQ intelligence agency prior to 2008. According to The Intercept, this gave GCHQ “access to almost any user of the internet inside Pakistan” and the ability to “re-route selected traffic across international links towards GCHQ’s passive collection systems.”
Intimidation and Violence
Intimidation and violence intensified significantly during the reporting period, when abductions and murders were documented in direct reprisal for digital activities, including an “honor” killing in which a social media personality was murdered by her brother.
In January 2017 five bloggers known to have criticized the establishment, the military, or religious militancy, separately went missing from different parts of the country in the space of a few days. Four of them were recovered after they made contact with their families around the end of January. The fifth, Samar Abbas, had yet to return in mid-2017. In June, police said that no progress had been made on the case. The government denied any involvement in the abductions, but in March, one of the recovered activists told the BBC that he had been held by a “”government institution” with links to the military” and subjected to torture while he was missing. Online smear campaigns simultaneously accused the bloggers of blasphemy (see Digital Activism). The government shut down websites operated by the bloggers soon after their first disappearance, and a court accepted a petition accusing Facebook of circulating blasphemous content allegedly published by the missing men (see Content Removal).
In April 2017, Mashal Khan, a student of journalism in Abdul Wali Khan University in Mardan, was murdered by a mob for allegedly “publishing blasphemous content online.” No evidence of any such content was subsequently found, and news reports said Khan had notified his contacts on Facebook the previous December that someone was operating a fake account in his name. In late 2017, 57 individuals had been indicted by an antiterrorism court in relation to the case.
Violence against women thought to have brought shame on their communities can involve ICT usage. Militant Islamic groups have launched attacks on cybercafes and mobile phone stores in the past for allegedly encouraging moral degradation. No attacks were documented during the coverage period of this report.
Women have also been murdered for digital activities in so-called “honor” killings. In July 2016, Qandeel Baloch, a social media celebrity known for openly expressing her sexuality, was killed by her brother. Baloch had sought police protection following threats when her real identity was published on the internet. Her brother acknowledged killing her because “she was doing videos on Facebook and dishonoring the family name.” He was arrested, along with three other family members accused of carrying out or facilitating the murder, and pleaded not guilty; the cases were ongoing in late 2017. The accused were required to serve trial under new laws; families were previously allowed to forgive the assailants in honor killings to avoid prosecution.
Many people also report being intimidated on digital platforms. Leaking explicit photos, threats of blackmail, and other incidences of online harassment are increasing in Pakistan. In January 2017, Naila Rind, a student at the University of Sindh Jamshoro, committed suicide as a result of blackmail threats received on her mobile phone. While the PECA criminalized blackmail using digital tools, the lack of support for victims means cases are seldom reported. Free expression activists and bloggers have also reported receiving death threats online, and Pakistan is one of the world’s most dangerous countries for traditional journalists.
Technical attacks against the websites of nongovernmental organizations, opposition groups, and activists are common in Pakistan, though many go unreported. The activity increased during the coverage period. In January and April 2017, for example, Dawn News, a leading English-language newspaper, revealed that its website was subjected to sustained cyber-attacks. Dawn had reported aggressively on the apparently enforced disappearances of bloggers and on civil-military relations.
The websites of government agencies are also commonly attacked, often by ideological hackers attempting to make a political statement. In 2015, the website of the religious political party Jamaat-e-Islami was hacked for its alleged support of terrorists.
Cross-border cyberattacks between Pakistan and India remain prevalent. As tensions escalated between the two states in early 2017, hackers claimed to have compromised crucial state websites on both sides of the border. Among the most serious was a claim that Indian hackers had targeted Pakistani airports in Islamabad, Peshawar, Multan, and Karachi.