
Legal Environment of E-commerce in Pakistan

By Taymour Aly Khan

Electronic commerce has completed the transition from a utopian vision to a veritable
economic reality. Unsurprisingly, the rapid growth of e-commerce has encouraged a
corresponding rise in proposals for its regulation. While there is a broad consensus that
electronic commerce should not be restricted by over-regulation, there is also a general
agreement that traditional paper-based legislation does not provide answers to questions
raised in an electronic environment.

Legal Barriers to E-commerce

It is not easy to frame legal regulations for a phenomenon that is built on continuously
changing technological solutions. A regime to create an effective infrastructure for securing
e-commerce requires a concerted and comprehensive development of several elements, including
laws, policies, industry self-regulation, technical standards and law enforcement. Together
these elements can provide a positive environment and infrastructure to support the legal growth
of e-commerce with reduced threats.

Traditional commerce is heavily based on documents, which must personally be signed in order to
develop legal relevance and legal commitment. With the ongoing shift from traditional commerce
to electronic commerce, traditional documents become electronic or digital documents. These
electronic or digital documents require to be signed by a substitute for the personal signature:

Traditional Commerce    Traditional Documents           Personal Signatures
Electronic Commerce     Digital/electronic Documents    Digital Signatures

Like all transactions, electronic transactions involve documents (often referred to as “records”1,
“electronic records”2 or “data messages”3) and signatures (usually referred to as “electronic
signatures”4) that are created, communicated, and stored in electronic form5. They may be
created through the manual efforts of an individual, for example, typing an e-mail message,
through automated processing of computers, such as by using software or a so-called
“electronic agent”, or through human interaction with a computer, for instance, when an
individual accesses a web site and enters into a purchase agreement. Electronic transactions
are communicated via an electronic medium, such as the Internet or a private value-added
network, and they are typically stored on a computer-readable medium, such as a disk, tape,
CD-ROM, or DVD-ROM. Evidence of electronic transactions quite often never exists on paper,
unless there is a need to provide a hard copy or to introduce evidence to a court or other fact
finder.

The threshold question for any type of transaction is whether it will be legally valid and
enforceable if executed in electronic form. Answering this question requires consideration of
the legal barriers that might exist with respect to that type of transaction, and any additional
requirements for enforceability that might be imposed by law solely because of the electronic
nature of the transaction. For the purpose of discussion, it may be assumed that the
fundamental legal elements required for that type of transaction are otherwise present and
satisfied. If the electronic transaction, for instance, involves entering into a contract, it is
assumed that the basic requirements of a contract, namely offer and acceptance, consideration,
etc., are present, and the focus is only on the additional requirements for enforceability that
arise because of the electronic nature of the transaction.

When the enforceability of electronic transactions was first considered, a variety of concerns
emerged. There were, for example, many questions regarding whether electronic records and
electronic signatures satisfy writing and signature requirements imposed by a variety of
statutes and regulations; whether records maintained solely in an electronic form will satisfy
legal record keeping requirements; whether the record keeper can establish the authenticity
and integrity of such records; whether an electronic record constitutes an “original” for
evidentiary purposes6; and whether electronic records and electronic signatures would be
denied admissibility in court because of their electronic form.

The biggest issue, by far, has focused on the writing and signature requirements imposed by
various laws. Specifically, in many cases, the law requires that a transaction be both
documented in “writing”7 and “signed” by the person who is sought to be held bound, in order
for that transaction to be enforceable. Statutes and regulations that require transactions to be
“in writing” and “signed” have generally been perceived to constitute legal barriers to
electronic transactions. The concern is that an electronic record might not qualify as “writing”,
and an electronic signature might not qualify as a “signature.” In other words, many felt that
such writing and signature requirements are satisfied only by ink on paper. This general
concern about the “legality” of electronic records and electronic signatures has persisted, not
only because of contrary court interpretations8, but also because of a want of specific statutory
authorization.

Legal barriers, it may however be remembered, are not necessarily the greatest barriers to the
evolution of e-commerce. Commercial difficulties and user resistance probably offer an equal,
if not greater, barrier to its widespread use at present. In fact, it would be fair to say that some
legal barriers may even be desirable, for the protection of the public interest, including the
prevention and detection of crime.

Development of E-commerce Legislation

E-commerce legislation is a recent phenomenon, both on international and national levels. All
‘e-commerce legislation’ is primarily concerned with the legal enforceability of e-commerce
transactions. Most countries have attempted to resolve this issue by way of what are
commonly known as ‘digital signature legislation’ or ‘electronic signature legislation’.

The efforts to regulate e-commerce were pioneered by the American Bar Association, which
developed a set of Digital Signature Guidelines to deal with legal issues arising from digital
signatures in 1995. Since then, there has been an explosion of digital signature and
electronic signature legislation. In the US, the state of Utah enacted the first digital signature
legislation in the world by passing the Utah Digital Signature Act in May 1995.

The ABA Guidelines and the Utah Digital Signature Act proved popular both at the national
and international levels and they serve as models of digital signature legislation for many
other US states and other countries in the world. They both focused on digital signatures.
However, subsequent ‘e-commerce legislation’ started to move from a focus on digital
signatures specifically to a focus on electronic signatures generally.

On the international level, the United Nations Commission on International Trade Law
(UNCITRAL) adopted a Model Law on Electronic Commerce in 1996 aiming at removing legal
obstacles to the use of electronic and digital signatures. In the Model Law, it is expressly
provided that where the law requires the signature of a person, that requirement is met in
relation to a data message if a method is used to identify that person and to indicate that
person’s approval of the information contained in the data message; and that method was as
reliable as was appropriate for the purpose for which the data message was generated or
communicated, in the light of all the circumstances, including any relevant agreement9.

The Model Law, therefore, does not only deal with digital signatures but covers all forms of
electronic signatures.

1 The term “record” is typically defined as “information that is inscribed on a tangible medium or that is stored in an
electronic or other medium and is retrievable in perceivable form”. See Electronic Signatures in Global and National
Commerce Act (“E-SIGN”), at 15 U.S.C. § 7006; Uniform Electronic Transactions Act (“UETA”), at § 2(13).
2 The term “electronic record” means a “record created, generated, sent, communicated, received, or stored by
electronic means.” E-SIGN, 15 U.S.C. § 7006(4); UETA § 2(7).
3 The term “data message” means “information generated, sent, received or stored by electronic, optical or similar
means including, but not limited to, Electronic Data Interchange (EDI), electronic mail, telegram, telex, or telecopy.”
UNCITRAL Model Law on Electronic Signatures, Article 2(c).
4 The term “electronic signature” means “an electronic sound, symbol, or process, attached to or logically
associated with a contract or other record and executed or adopted by a person with the intent to sign the record.”
E-SIGN, 15 U.S.C. § 7006(5); UETA § 2(8). Under the European Union Electronic Signature Directive, “electronic
signature” means “data in electronic form which are attached to or logically associated with other electronic data
and which serve as a method of authentication.” Electronic Signatures Directive, 1999/93/EC (13 December 1999),
Article 2(1). See also S. 2(n) of ETO 2002.
5 “Electronic” form connotes “relating to technology having electrical, digital, magnetic, wireless, optical,
electromagnetic, or similar capabilities.” E-SIGN, 15 U.S.C. § 7006(2); UETA § 2(5). According to S. 2(1) of the
ETO 2002, “electronic” includes electrical, digital, magnetic, optical, biometric, electrochemical, wireless or
electromagnetic technology.
6 The requirement that a document be “an original” may occur in a variety of contexts for a variety of reasons. In
many situations, documents must be transmitted unchanged (i.e., in their “original” form), so that other parties may
have confidence in their contents. Examples of documents where an “original” is often required include trade
documents like weight certificates, agricultural certificates, quality/quantity certificates, inspection reports,
insurance certificates and non-business related documents like birth certificates and death certificates. When these
documents exist on paper, they are usually only accepted if they are “original,” because alterations may be difficult
to detect in copies. The requirement that a document be “an original” is also important from an evidentiary
perspective. See McCormick on Evidence (Cleary Ed., 3d ed. 1984), at p. 704.
7 The requirement that agreements be “in writing” serves a variety of purposes. These include: (i) providing
tangible evidence of the existence and nature of the intent of the parties to bind themselves; (ii) alerting parties to
the consequences of entering into a contract; (iii) providing a document that is legible to all, including strangers to
the transaction; (iv) providing a permanent record of the transaction that remains unaltered over time; (v) allowing
the reproduction of a document so that each party can have a copy of the same; (vi) allowing for the authentication
of the data by means of a signature; (vii) providing a document that is in a form acceptable to public authorities and
courts; (viii) finalizing the intent of the author of the writing and providing a record of that intent; (ix) allowing easy
storage of data in tangible form; (x) facilitating control and subsequent audit for accounting, tax, or regulatory
purposes; and (xi) bringing legal rights and obligations into existence in those cases where a “writing” is required
for validity purposes. See United Nations, UNCITRAL Model Law on Electronic Commerce with Guide to Enactment
1996, at par. 48, available at www.un.or.at/uncitral/english/texts/electcom/ml-ec.htm, and Illinois Commission on
Electronic Commerce and Crime, Final Report of the Commission on Electronic Commerce and Crime (May 26,
1998) available at www.bmck.com/cecc-fin.doc.
8 See, for instance, Department of Transportation v. Norris, 474 S.E.2d 216 (Ga. Ct. App. 1996), rev’d sub nom.
Norris v. Georgia Dept of Transportation, 486 S.E.2d 826 (1997), holding that a fax transmission was not a writing.

Main Approaches to E-commerce Legislation


For the most part, e-commerce regulations in the various countries have been offered in a
piecemeal fashion, with national governments attempting to fit cyberspace within the four
corners of their familiar domestic jurisprudence. In most cases they have taken a ‘functional
equivalent’ approach to rule-making, analyzing the role currently played by a particular legal
rule in the non-digital commercial world, identifying how the same function could be achieved
in electronic transactions, and extending the existing rule by analogy to cyberspace.
Legislatures and regulatory agencies around the world have taken divergent approaches in
their effort to take advantage of the emerging technologies. A review of legislative and
regulatory efforts reveals three basic approaches:

a. Minimalist approach,
b. Prescriptive approach,
c. “Two-tier” approach.

a. Minimalist Approach: the minimalist approach aims to facilitate use of electronic
signatures generally, rather than advocate a specific protocol or technology. Traditional
common law countries, such as Canada, the US, the UK, Australia, and New Zealand, have
tended toward the minimalist approach.

b. Prescriptive Approach: the motivation of this approach often stems from a desire to
establish a legal framework for the operation of PKIs – whether or not other forms of
secure authentication are included or permitted – as well as a reflection of form and
handwriting requirements that apply in the offline world. Legislation and regulations
enacted under the prescriptive approach adopts asymmetric cryptography as the
approved means of creating a digital signature; imposes certain operational and financial
requirements on certificate authorities (CAs); prescribes duties of key holders; and
defines circumstances under which reliance on an electronic signature is justified. This
prescriptive approach allows legislatures and regulatory agencies to play a direct role in
setting standards for and influencing the direction of new technologies. Civil law
countries have tended to opt for the prescriptive approach viz., Germany, Italy and
Argentina.

c. “Two-tier” Approach: some jurisdictions began to realize that the first two approaches
are not necessarily mutually exclusive, and so adopted a “two-tier” approach
representing a synthesis of the first two approaches. This consolidated approach
generally takes the form of enacting laws that prescribe standards for operation of PKIs,
and concomitantly take a broad view of what constitutes a valid electronic signature for
legal purposes. The “electronic signatures” are generally given minimum legal effect,
while the “secure electronic signatures” are entitled to an additional presumption of
integrity, a presumption that the signature is that of the person with whom it is
associated, and a presumption that the user affixed the signature with the intent of
signing or approving the document. This “two-tier” approach has found increasing
support, most notably in the European Union and Singapore. Pakistan has also followed
the “two-tier” approach in legislating the Electronic Transactions Ordinance in 2002.

9 UNCITRAL Model Law (1996), Article 7.

Based on a crystallization of salient policy principles from electronic authentication regulations
around the world, and the belief that “legal inter-operability” is essential to realizing the
potential gains of electronic commerce, the Internet Law and Policy Forum devised a set
of International Consensus Principles on Electronic Authentication in September 200010. The
Principles attempt to cut a middle ground between the divergent approaches. The International
Consensus Principles prepared by the Internet Law and Policy Forum to create a predictable legal
environment include:
• Removing legal barriers to electronic authentication;
• Respecting freedom of contract and parties’ ability to set provisions by agreement;
• Making laws governing electronic authentication consistent across jurisdictions;
• Avoiding discrimination and erection of non-tariff barriers;
• Allowing for use of current or future means of electronic authentication; and
• Promoting market-driven standards.

Legislative Response in Pakistan

Before the passage of the Electronic Transactions Ordinance, a legal framework for e-
commerce did not exist in Pakistan. There had been a growing realization in Pakistan in
recent years that e-commerce can only achieve its full potential if there is a modern legal
infrastructure that can support the growth of e-commerce. In order to develop laws relating to
electronic transactions and e-commerce for Pakistan, an IT Law Forum was constituted by the
Government of Pakistan in 2000, comprising leading lawyers of the country working in
various fields of law related to information technology. The forum convened various
consultations with financial sectors and legal community to draft the Electronic Transactions
Ordinance. Following the process of deliberations and after studying UNCITRAL model laws,
reviewing different implementation schemes of electronic authentication, regulatory models
and best practice guidelines, and keeping the “International Consensus Principles on
Electronic Authentication” designed by the Internet Law and Policy Forum as standard guidelines,
the Electronic Transactions Ordinance, 2002 was promulgated on September 9, 2002.

10 See http://www.ilpf.org/events/intlprin.htm.

The main objective for enacting the law was to move Pakistan from the old paper-based
transactions to electronic transactions to improve its governance, economy and service to
citizens in the modern era11. The Electronic Transactions Ordinance, 2002 gives legal
recognition to digital signatures. Through this Ordinance, a legal framework for the setting up
of a Public Key Infrastructure is also provided. Besides safety and security, the Ordinance also
deals with the sanctity of documents. It accords legal sanction to records, files, documents and
archives that are retained in electronic form.

Electronic Transactions Ordinance 2002 – an analysis

Electronic Records and Contracts


The ETO 2002 puts electronic documents and records on the same standing as physical
documents by declaring that the validity or enforceability of such electronic versions cannot be
denied their legal effect on the basis of them being electronic12. The ETO makes it clear that
where a rule of law has a requirement for information to be in writing, an electronic record
containing that information will similarly satisfy that requirement of being in writing, so long as
the information can be accessed for subsequent use13. In the same vein, where a rule of law
requires a signature, an electronic signature will also satisfy the said rule of law. The ETO
has provided that an electronic signature can be proven in any manner14. Where there are
legal rules governing the retention of documents and records, the ETO sets out the
circumstances and requirements where such rules can be satisfied by storing the information
in an electronic form15. However, where the rule of law already expressly provides for the
requirements for the electronic retention records, or where a government agency or organ of
state has stipulated additional requirements, such requirements must be followed. It should
also be noted that in contracts, where the notice provision sets out specific mechanisms, such
as notification by post or facsimile, for notifying the other party in writing, if e-mail or other
electronic means are not explicitly listed as an authorized means of notification together with
the other traditional mechanisms, such other electronic means may not be accepted as a valid
method of giving notice.

The ETO implies that contracts can be formed electronically. An offer and an acceptance for a
contract can be made in the form of electronic records or messages. The intention of the
parties to enter into a contract as conveyed in an electronic form is of equal standing as that
conveyed through other traditional means. The ETO has provisions governing attribution, that
is, how the identity of an originator and an addressee of an electronic record will be
determined. The parties can also agree on an acknowledgement of receipt of electronic
records to be sent by the recipient, and the receipt of the electronic record can be conditional
upon the receipt of the related acknowledgement16. The mere receipt of such an
acknowledgement can only be used to presume that the related electronic record was
received, but not that the content of the record that was sent corresponds to the content that
was received.

11 See preamble to the ETO 2000: “WHEREAS it is expedient to provide for the recognition and facilitation of
documents, records, information, communications and transactions in electronic form, accreditation of certification
service providers, and for matters connected herewith and ancillary thereto…..”
12 ETO 2002, S. 3
13 Ibid., S. 4
14 Ibid., S. 8
15 Ibid., S. 6

The ETO also deals with other important elements in the formation of contracts. These include
the time and place of dispatch and receipt of the electronic records relating to the contract17.
These may be explicitly agreed between the parties, or in some circumstances, may be
prescribed through regulations. In the absence of such circumstances, the dispatch of a
record occurs when it enters a system outside the control of the originator. In practical terms,
if a party is using a personal computer in the course of forming an electronic contract by e-
mail, dispatch occurs when the message sent by that party leaves his computer and enters
another machine outside his control (e.g. the Internet service provider). For receipt, the timing
depends on whether the recipient has designated a particular system to receive such records.
If there is a designated system, the time of receipt is when the record enters that designated
system. The time of receipt of a record sent to any other non-designated system is when the
record is retrieved by the recipient from the non-designated system. If no system is
designated, then the time of receipt is when the record enters a system of the addressee. It is
therefore advantageous for an addressee to designate the information system to which such
electronic records are to be sent. The addressee will need to diligently check the designated
information system for new records (similar to the need to check for incoming facsimiles).
However, records sent to any other non-designated system would be deemed received only
when the addressee retrieves the records from such a system.

In the electronic environment, dispatch and receipt can take place almost anywhere
geographically with a suitable telecommunication link. Hence, to avoid ambiguity, the ETO
has provided that the place of dispatch and receipt is deemed to be the place of business of
the originator and the addressee, irrespective of where the record was actually dispatched or
received. Where there is no such place of business, it will be deemed as the usual place of
residence18.

The ETO 2002 has allowed parties in a transaction to vary any of the above general rules on
electronic contracting by agreement. However, the ETO has provided exceptions for which
the above general rules on electronic contracting will not apply19. These are:
• The creation or execution of a will;
• Negotiable instruments;
• The creation, performance or enforcement of an indenture, declaration of trust
or power of attorney, with the exception of constructive and resulting trusts;
• Any contract for the sale or other disposition of immovable property, or any
interest in such property;
• The conveyance of immovable property or the transfer of any interest in
immovable property; and
• Documents of title.

16 Ibid., S. 14
17 Ibid., S. 15
18 Ibid., S. 15(4) and 15(5).
19 Ibid., S. 31(1)

The Federal Government may modify these exceptions after consultation with the provinces20.

Section 3 of the Ordinance extends the concept of electronic documents to such terms as
register, document of title, map, book, attestation, witnessing, publishing etc. The ETO 2002
creates an incentive for the transition from a paper-based to a paperless environment and
e-commerce by excluding the payment of Stamp Duty on electronic transactions. It, however,
provides an indication to introduce Stamp Duty for electronic documents within a time frame of
two years, for which a system is yet to be developed by the provincial governments.

Signature-Electronic and Digital


The ultimate aim of any digital and electronic signature legislation is to give legal recognition
to electronic or digital signatures. All such legislation provides, in one way or another, that the
use of an electronic or digital signature on an electronic record will be treated in the same
manner as a handwritten signature on paper.

The terms ‘digital signature’ and ‘electronic signature’ are, however, terms of art. For
example, Smith and Tufaro defined the term ‘digital signature’ to signify authentication
methods employing ‘public key cryptography’ and the term ‘electronic signature’ to encompass
digital signatures as well as non-public key authentication methods21. In some countries,
‘electronic signature’ means any symbol or method executed or adopted with electronic
means with an intention to be bound. The Uniform Electronic Transactions Act (UETA)
approved in the US adopts this approach. It defines ‘electronic signature’ to mean ‘an
electronic record, symbol, or process attached to or logically associated with a record and
executed or adopted by a person with the intent to sign the record’22.

Other countries adopt a different approach to ‘electronic signatures’. Under this approach, an
‘electronic signature’ must possess certain attributes or meet certain requirements before it
will be considered enforceable. For example, the EU Directive on Digital Signatures23
differentiates between ‘electronic signature’ and ‘advanced electronic signature’. ‘Electronic
signature’ is defined to mean data in electronic form which are attached to or logically
associated with other electronic data and which serve as a method of authentication. On the
other hand, ‘advanced electronic signature’ is defined to mean an electronic signature which is
uniquely linked to the signatory, capable of identifying the signatory, created using means that
the signatory can maintain under his sole control and is linked to the data to which it relates in
such a manner that any subsequent change of the data is detectable24.

20 Ibid., S. 31(2)
21 Smith, B.W. and Tufaro, P.S. (1998), ‘To certify or not to certify: The OCC opens the door to digital signature
certification’, 24 Ohio Northern University Law Review, p. 813
22 Uniform Electronic Transactions Act, S. 2(8)
23 It was adopted on 30th November 1999 at the Telecommunications Council, European Union.
24 EU Directive on Digital Signatures, Article 2; also ETO 2002, S. 2(e)

Other countries or states give legal recognition only to ‘digital signatures’ and do not
cover other forms of electronic signatures in their digital signature legislation. For example,
the Utah Act gives legal recognition to ‘digital signatures’, defined to mean a
transformation of a message using an asymmetric cryptosystem such that a person having the
initial message and the signer’s public key can accurately determine whether:

a) the transformation was created using the private key that corresponds to the
signer’s public key; and
b) the message has been altered since the transformation was made.25

The Ordinance allows for a two tier system for authentication of documents. The first tier is
simply an electronic signature which can be any symbol, image, number, character etc. or its
combination which is included in the electronic information, document, record or
communication which is affixed by the affixer with the intention of authentication or signifying
his ownership or approval of the same. This, however, is not secure as it may be tampered
with and thus fails to fulfill the criteria of integrity and authenticity of the electronic information,
document, record or communication. In such a case, the signature if relied upon for either
authenticity or integrity before a Court of law would need to be proved by the one relying on
the same and the burden of proof would initially lie on that party. Thus, though it is possible to
allow legal recognition of such a simple electronic signature by leading evidence, it does not
attract any special advantage for evidential purposes in the Court and thus, proving the
signature may prove cost intensive.

The ETO 2002 defines an electronic signature as any letters, characters, numbers
or other symbols in a digital format attached to or logically associated with an electronic
record, and executed or adopted with the intention of authenticating or approving the electronic
record26. This wide definition includes digital watermarking, scanned images of handwritten
signatures, digital signatures and biometric signatures as possible forms of electronic
signature. Each type of electronic signature has a different level of security afforded to it.
Consequently, there is an incentive structure built into this Ordinance for the acquisition and
application of the more secure and reliable digital signature or, as it has been defined, the
advanced electronic signature. This constitutes the second and higher tier in relation to
electronic signatures in this Ordinance. The digital signature by its very nature and
programming is designed to provide secure authenticity (identity) of the maker, originator or
approver of the electronic information, document, record or communication and also
simultaneously provide integrity of the electronic information, document, record or
communication, ensuring that the same has not been altered, modified or tampered with
without leaving a record of the same. The heavy incentive that has been attached to the use of
an advanced electronic signature is the fact that the Ordinance provides a legal presumption in
favour of any advanced electronic signature, thereby reducing the costs and increasing the
efficacy of proving such an electronic signature in Court.

25
Utah Code Ann (1995), s. 46-3-103(10)
26
ETO 2002, S.2 (n)

The ETO provides for an electronic signature to be secure if through the application of a
prescribed security procedure or a commercially reasonable security procedure agreed to by
the parties involved, it can be verified that at the time the signature was made, the signature
was:

• Unique to the person using it;
• Capable of identifying such person;
• Created in a manner or using a means under the sole control of the person using it; and
• Linked to the electronic record to which it relates in a manner such that if the record was
changed the electronic signature will be invalidated27.
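As an added illustration (not part of the original article), the following Python sketch shows in mechanical terms what the Utah Act definition above and the fourth ETO criterion (the signature is invalidated if the record changes) describe: a textbook RSA signature over a SHA-256 digest that a relying party can check with nothing but the record and the signer’s public key. The key size, record text and function names are constructed for this example; production systems use standardized padding (e.g. RSA-PSS) or ECDSA rather than this raw construction.

```python
"""Toy digital signature illustrating the two checks a relying party can perform
with only the record and the signer's public key:
  (a) the signature was created with the private key matching that public key, and
  (b) the record has not been altered since it was signed.
Standard library only; textbook RSA over a SHA-256 digest, with no padding, so it is
an educational model of the legal definition, not production-grade cryptography."""
import hashlib
import secrets

PUBLIC_EXPONENT = 65537


def _is_probable_prime(n: int, rounds: int = 32) -> bool:
    """Miller-Rabin probabilistic primality test."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % p == 0:
            return n == p
    # write n - 1 as d * 2^s with d odd
    d, s = n - 1, 0
    while d % 2 == 0:
        d //= 2
        s += 1
    for _ in range(rounds):
        a = secrets.randbelow(n - 3) + 2          # random base in [2, n-2]
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False                          # witness of compositeness found
    return True


def _random_prime(bits: int) -> int:
    """Random odd prime with exactly `bits` bits (top bit forced to 1)."""
    while True:
        candidate = secrets.randbits(bits) | (1 << (bits - 1)) | 1
        if _is_probable_prime(candidate):
            return candidate


def generate_keypair(bits: int = 512):
    """Return ((n, e), (n, d)): the public key and the private key."""
    while True:
        p = _random_prime(bits // 2)
        q = _random_prime(bits // 2)
        if p == q:
            continue
        n, phi = p * q, (p - 1) * (q - 1)
        if phi % PUBLIC_EXPONENT == 0:            # e must be invertible modulo phi
            continue
        d = pow(PUBLIC_EXPONENT, -1, phi)         # private exponent
        return (n, PUBLIC_EXPONENT), (n, d)


def _digest_as_int(record: bytes) -> int:
    """SHA-256 of the record as an integer (always < 2**256, i.e. < n for 512-bit n)."""
    return int.from_bytes(hashlib.sha256(record).digest(), "big")


def sign(record: bytes, private_key) -> int:
    """The signer's 'transformation' of the record: its digest raised to d modulo n."""
    n, d = private_key
    return pow(_digest_as_int(record), d, n)


def verify(record: bytes, signature: int, public_key) -> bool:
    """Relying party's check: undo the transformation with the public key and compare
    with a fresh digest of the record as received. False if the signature was made
    with a different key (check a) or the record was altered afterwards (check b)."""
    n, e = public_key
    return pow(signature, e, n) == _digest_as_int(record)


def demo() -> dict:
    """Run the three cases a relying party or court cares about and report them."""
    public_key, private_key = generate_keypair()
    other_public_key, _ = generate_keypair()      # a different signer's key pair
    # constructed sample record, not a real transaction
    record = b"Offer accepted: 200 units at PKR 1,500 each. -- constructed sample record"
    signature = sign(record, private_key)
    tampered = record.replace(b"1,500", b"1,050")  # a one-character alteration
    return {
        "genuine_record_and_key": verify(record, signature, public_key),
        "altered_record": verify(tampered, signature, public_key),
        "wrong_signer_key": verify(record, signature, other_public_key),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case}: {'verifies' if result else 'rejected'}")
```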

An important feature of the ETO is the provision for the following rebuttable presumptions
relating to secure electronic records and secure electronic signatures that are appropriately
verified:

• The secure electronic record has not been altered since the specific point in time to which
the secure status relates;
• The secure electronic signature is the signature of the person to whom it correlates; and
• The secure electronic signature was affixed by that person with the intention of signing or
approving the electronic record.

The Ordinance goes further to provide for the effect of advanced electronic signatures. It
specifies how a digital signature will be treated as a secure electronic signature, and how an
electronic record signed with such an advanced electronic signature will be treated as a
secure electronic record. Correspondingly, the evidentiary presumptions described above
will apply in these instances where the associated CA is licensed. In addition, the Ordinance
describes the general duties relating to digital signatures, the duties of CAs, the duties of
subscribers, and the regulation of CAs.

[27] ETO 2002, S. 2(e)

The definition of the electronic signature used in the Ordinance is flexible enough to use the
internationally available digital signature certificates (provided the licensing procedure does
not subsequently prohibit this). It is necessary to allow this flexibility until domestic certification
service providers develop their infrastructure, which we in India have found to be time
consuming. Moreover, being a smaller country, the market for certificates in Pakistan may not
be large enough to warrant domestic certifying authorities coming up immediately, and the
system will fail to take off unless existing international certifying authorities are allowed to
issue certificates within Pakistan in association with a local registration authority if required.
On the other hand, as the Ordinance is drafted in such a ‘technology-specific’ style, it may
mislead the local people and market to assume that only digital signature technology is worthy
of trust and create unintended market distortions in the long run. By recognizing only one form
of electronic authentication, the Electronic Transactions Ordinance may have the unintended
effect of precluding other methods of electronic authentication that may be appropriate, and
inhibit the development of other electronic signature technologies that may be equal or even
superior to digital signatures. In other words, by enshrining a specific technology, the
Electronic Transactions Ordinance may have the counter-effect of reducing incentives for
further improvements and innovations in other electronic signature technologies, which is
potentially detrimental to the future development of e-commerce in Pakistan.

Certification of Service Providers & Digital Signatures


In order to provide security and guarantee that websites and E-Businesses are reliable, not
only with regard to their security procedures but also with respect to the reliance placed
upon them for transacting commercially, the birth of certification service providers and
encryption (digital signature) providers in Pakistan will go a long way to boost the IT industry
and promote international standards, and thus economic growth for both the domestic and the
international (export) markets. In order not to stifle the industry or create obstacles or
disincentives for entry into it, the policy decision was very clearly not to make such
accreditation into a licensing or regulatory framework. Unlike some Asian countries which
impose a mandatory registration system on all CAs,[28] Pakistan adopts a voluntary
recognition system.

The services of a CA are useful in relation to e-commerce transactions, as the transactions
will be legally binding although there is no prior face-to-face contact between the parties. The
use of such technology is especially useful for high value online transactions, or where the
identity of the customer is of primary concern. The CA also bears some liability in the event
that the CA does not correctly identify the customer.

Chapter 5 of the ETO 2002 deals with the regulation of certification service providers and the
establishment of a Certification Council for that purpose. The members of the Certification
Council and their qualifications are set out in sections 19 and 20, and its functions in
section 21. The Certification Council has the power to grant, renew or suspend accreditation
certificates of certification service providers. In order to obtain the license, a certification
service provider must prepare a certification practice statement, a statement of the practice
and procedure of issuing certificates, under section 25. The Council would also regulate their
cryptography services and security procedures. Under the Pakistan Telecommunication
(Re-organization) Act, 1996, the Pakistan Telecommunication Authority (PTA) deals with the
regulation, operation and maintenance of telecommunication systems.[29] Section 22 restricts
the functions of the PTA, and the Certification Council is exclusively granted the power to
grant, renew, suspend or revoke the accreditation certificates of certification service providers.
Under Section 23 a repository (information storage house) shall be maintained where all
information on accredited certification service providers shall be stored and which shall be
open to public inspection.

Under the Ordinance, every Certification Service Provider needs to issue and maintain an
up-to-date ‘certification practice statement’ (CPS),[30] which is a statement issued by the
Certification Service Provider to specify the practices and standards that are employed in
issuing certificates. It must also notify the Certification Council of any changes to its practices
as set out in its CPS.[31] The CPS is the principal document that defines the standards,
practices and responsibilities of the certification service provider and it determines the liability
standards of the certification service provider.

[28] For example, in Malaysia, all CAs that issue certificates must register under the Digital Signature Act.
[29] See also sections 4 & 5 of the Pakistan Telecommunication (Re-organization) Act, 1996
[30] ETO 2002, s. 25.

The ETO 2002, however, does not deal with the issue of foreign CAs. In other words, it
remains unclear whether certificates issued by foreign CAs are recognized in Pakistan. This is
unsatisfactory: if such certificates are not recognized, e-commerce conducted on a cross-
border basis will be unnecessarily limited in scope. An implicit assumption under the
Electronic Transactions Ordinance on the regulation of certification service providers and the
digital certificates issued by them appears to be that most electronic transactions undertaken
on the internet are of the ‘high-value’ type. In other words, the value of the electronic
transaction is high compared to the cost of obtaining a certificate from a CA. This may be
true in the case of ‘business-to-business’ e-commerce, but is not necessarily so in retail
transactions. For example, electronic transactions for some goods, such as books, may not
justify the cost of a certificate.

Evidentiary Issues of Electronic Transactions


One basic feature of information systems is the alterability of the documents and records in
such system. Systems on which e-commerce solutions are built are no exception. This feature
makes the nature of the information and documents stored electronically fundamentally
different from their physical counterparts. Unlike physical documents, changes made to
electronic documents, if not protected by technological measures, are virtually undetectable.
Naturally in the event of a dispute where such electronic documents need to be produced in
court proceedings, challenges will be raised as to the reliability and admissibility of the
documents.

The ETO extends the expressions attestation, books, books of accounts, certificate, charts,
deed, document, document of title, execution, instrument, ledger, map, original, plans, publish,
record, register, seal, signature, witnessing, words, writing, or other words assuming paper or
other tangible medium to electronic form.[32]

[31] Ibid, s. 25(4)
[32] ETO 2002, S. 30.

According to Section 8 of the ETO, one of the conditions for presuming the authenticity and
data integrity of an electronic document is that the information system used for the application
of the security procedure was in working order at all material times. There may be some
ambiguity when this clause is discussed in a court of law. The security procedure is applied
first when the secured electronic document is produced. This will be received and stored by
the recipient. Probably the security procedure would have been used at this end for
verification. The dispute would normally be raised by the sender over data integrity or the
authentication process. The recipient, therefore, may not be in a position to either prove or
disprove the working order of the information system at the time the document was
generated. Hence, the presumption should only require that the security procedure, when
applied in the presence of the court, confirms the originator to be the alleged person. Beyond
this, it appears difficult to prove that either the sender’s information system or the receiver’s
information system was in working order at all material times.
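The linking requirement in the secure-signature criteria above (a change to the record invalidates the signature) and the point just made that re-running the security procedure in court needs only the record, the signature and the signer's public key, shown as an added example that is not part of the article and is not code from the ETO or any Pakistani certification service provider. The Ed25519 scheme, the Record layout and the sample values are assumptions made for this example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"fmt"
)

// Record is a constructed, minimal electronic record: who signed it, the point
// in time to which the secure status relates, and the content. This layout is
// an assumption made for the example, not something the ETO prescribes.
type Record struct {
	Signer  string
	UnixTS  int64
	Content []byte
}

// digest binds every field of the record into one SHA-256 hash. Variable-length
// fields are length-prefixed so that moving bytes between the signer name and
// the content also changes the digest.
func digest(r Record) []byte {
	h := sha256.New()
	binary.Write(h, binary.BigEndian, uint32(len(r.Signer)))
	h.Write([]byte(r.Signer))
	binary.Write(h, binary.BigEndian, r.UnixTS)
	binary.Write(h, binary.BigEndian, uint32(len(r.Content)))
	h.Write(r.Content)
	return h.Sum(nil)
}

// Sign applies the security procedure with the private key, the component that
// must stay under the signer's sole control (criterion c above).
func Sign(priv ed25519.PrivateKey, r Record) []byte {
	return ed25519.Sign(priv, digest(r))
}

// Verify re-runs the security procedure. It needs only the public key, the
// record as produced and the signature; it does not depend on the state of
// either party's information system at any other time.
func Verify(pub ed25519.PublicKey, r Record, sig []byte) bool {
	return ed25519.Verify(pub, digest(r), sig)
}

// Altered returns a copy of r whose content was changed after signing.
func Altered(r Record, content string) Record {
	r.Content = []byte(content)
	return r
}

func main() {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	// Constructed sample record.
	rec := Record{Signer: "subscriber@example.com", UnixTS: 1700000000,
		Content: []byte("Transfer PKR 50,000 to account 12345")}
	sig := Sign(priv, rec)
	fmt.Println("genuine record verifies:", Verify(pub, rec, sig)) // true
	// Criterion (d): changing the record invalidates the signature.
	tampered := Altered(rec, "Transfer PKR 500,000 to account 12345")
	fmt.Println("altered record verifies:", Verify(pub, tampered, sig)) // false
	// Changing the point in time to which the secure status relates also invalidates it.
	redated := rec
	redated.UnixTS++
	fmt.Println("re-dated record verifies:", Verify(pub, redated, sig)) // false
}
```

Because Verify takes nothing but the three artefacts, the same call can be repeated in front of the court long after both information systems have changed.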

As with other legislation tackling electronic signatures, the Electronic Transactions Ordinance
suffers from two fundamental problems. First, the changing nature of digital signature
technology has the potential of rendering the Ordinance obsolete within a short span of time.
Second, the Electronic Transactions Ordinance, being a local law in nature, is rather
inadequate to cope with the regulation of e-commerce, which is basically a global
phenomenon. The Electronic Transactions Ordinance appears to be conservative in its
approach. When the Utah Act was enacted as the first ‘digital signature legislation’ in the
world in 1995, it adopted a regulatory and technology-specific approach. The legislative
approach to ‘e-commerce legislation’, however, has been changing rapidly since then. As time
moves on, a minimalist, non-regulatory and technology-neutral stance is becoming increasingly
popular.[33] To cope with the ever-changing demands of e-commerce, Pakistan needs to adapt
its legal system constantly.

Challenges of Risk of Criminal Activity


One of the main differences between e-commerce and traditional commerce is that electronic
transactions are far more impersonal, anonymous and automated than transactions made
between flesh-and-blood persons in a store, at a bank or even over the telephone. This
dehumanization of business relations is accompanied by an increase in the technical means
and opportunity for fraud and abuse of individual consumers and large corporations alike. The
emergence of Cyber crime threatens an implicit calculus that thus far has constrained real-
space crime. Computers make it easier for criminals to evade the constraint of social norms
through pseudonymity and removal from the physical site of the crime, the constraint of legal
sanctions by diminishing the probability of getting caught, and the constraint of monetary cost,
because the resource inputs necessary to cause a given unit of harm are much lower. For all
these reasons a healthy sense of caution, if not outright distrust, has prevailed in the evolution
of many aspects of E-commerce.

For any national programme to develop E-commerce, in addition to a technologically secure
infrastructure, a cohesive and supporting legal infrastructure is necessary. As part of the
efforts to promote e-commerce trust and confidence, every nation must have basic criminal
laws against activities that attack the confidentiality, integrity or availability of computer data,
computer systems and electronic networks.

[33] See Greenwood D., (1998) ‘Risk and Trust Management Techniques for an “Open but Bounded” Public Key
Infrastructure’, 38 Jurimetrics Journal, p. 277.

The term “Cyber crime” basically refers to the use of a computer to facilitate or carry out a
criminal offense. This can occur in three different ways. First, a computer can be electronically
attacked. We may further subdivide this category by distinguishing among acts that involve (i)
unauthorized access to computer files and programs, (ii) unauthorized disruption of those
files and programs and (iii) theft of an electronic identity. An example of the first category is a
break-in to Defense-related computers. An example of the second category is the “I Love You”
worm. The third category, identity theft, occurs when a person or entity’s identity is wrongfully
appropriated. A webpage may be “page-jacked,” for example, so that when you click onto a
financial service to read investment news, you receive spurious information instead. The
above crimes involve situations in which a computer is the subject of an attack. A rather
different type of computer crime occurs when a computer is used to facilitate or carry out a
traditional offense. For example, a computer might be used to distribute child pornography
over the Internet or to create massive numbers of copies of a popular, and copyrighted, song.
Complicated insurance fraud, large cheque kiting operations, and other sophisticated forms of
white-collar crime rely on computers to run the criminal operation. In these cases, computers
make it easier to carry out a crime in real space. In these circumstances, computers are tools
that expedite traditional offenses.[34]

The problem of Cyber crime is part of a larger one of how the law deals with new technologies.
Sometimes the law treats crimes that employ new technologies as different and deserving of
special regulation (wire fraud, hijacking of airplanes, grand theft auto) and other times it does
not (crimes performed with typewriters and the theft of most objects, which carry the same
penalty whether accomplished with James Bond-style panache or by a simple break-in).
Lurking underneath this differential regulation is a complex symbiotic relationship between
technology and law.[35]

Response to Cyber Crime in Pakistan


As a stop-gap arrangement before the promulgation of proper electronic crimes legislation, it
was necessary to deter and prevent commission of the most common forms of electronic
crimes that might proliferate in the wake of legal recognition of electronic transactions. Thus,
the criminal offences under the ETO 2002 were made cognizable, compoundable and
non-bailable.[36] Offences ranging from false information being supplied by the subscriber of
the services of a certification service provider, to the issuance of false certificates by the
provider, and serious crimes such as violation of privacy (data protection) and damage caused
to electronic systems leading to data loss or alteration, are covered under the Ordinance.
Section 36 covers several aspects of hacking and malicious code related offences under
‘violation of privacy of information’. Together with Section 37 it covers most of the offences
coming under hacking and malicious code without using any definition of hacking or virus. The
Ordinance is, however, silent on offences like “Obscenity” and “Cyber Fraud”. Spamming,
content filtering, censorship, etc., are also not covered in the Ordinance.

The Ministry of IT drafted an Electronic Crimes Act in 2004 that having been in circulation for
consultative inputs is now expected to be tabled in the Parliament. Though the proposed law
will definitely fill the long-felt gap in the regulatory environment for E-Commerce in Pakistan,
the bill, in its present form, is fraught with legal curiosities.

[34] See Mark D. Rasch, Criminal Law and the Internet, in The Internet and Business: A Lawyer’s Guide to the
Emerging Legal Issues 3 (1996) 1
[35] See Carolyn Marvin, When Old Technologies Were New: Thinking about Electric Communication in the Late
Nineteenth Century (1988), pp. 88-97
[36] ETO 2002, S. 38.

The normative bases of the proposed Electronic Crimes Act are the foundational concepts of
“access” and “authorization”. Interpretations of “access” and “authorization” are inextricably
linked. The phrase “without authorization” modifies “access”, and it is impossible to understand
the implication of one without reference to the other. A broad construction of access can
balance a narrow construction of unauthorized, and vice versa. The problem with a narrow
construction of access is that individual users interact with computers in countless ways for
countless reasons, and it is difficult to carve out a type of interaction that should be exempted
entirely from computer misuse laws. In light of the difficulty of drawing robust and sensible
lines between different types of interactions with computers and limiting access to just some
of them, the better approach is to allow access to refer broadly to any successful interaction
with a computer, no matter how minor.

Section 5 of the draft Bill defines “criminal data access” as intentionally causing an electronic
system to perform any function for the purpose of gaining unauthorized access to any data
held in any electronic system. Unauthorized access, according to S.3 (w), means access of
any kind by any person to any electronic system or data held in an electronic system, without
authority or in excess of authority, if he is not himself entitled to control access of the kind in
question to the electronic system, or data and he does not have consent to such access from
any person, so entitled. Who and what determines whether access is authorized, and under
what circumstances? Can a computer owner set the scope of authorization by contractual
language? Or do these standards derive from the social norm of internet users? The proposed
bill does not answer these questions satisfactorily. Moreover, these provisions create a
dangerous precedent for the discovery of general, untargeted computer security vulnerability
information, threatening those that discover and appropriately report such vulnerabilities with
prosecution under Section 5.

The computer security community relies on robust debate and discussion about the reliability,
security and operation of products and services in adverse or hostile conditions. It is debate
and discussion that encourages manufacturers and developers to consider the security
impacts of poor programming, data inaccuracy, mis-configuration and the like. Restrictions
that are intentionally or otherwise placed on such debate and discussion will inevitably stifle
innovation and security. Whilst it is clear from a reading of the bill that the legislation is
intended to have a chilling effect on those who would claim they have an ulterior motive when
bringing about access, modification or impairment in an unauthorized fashion, it is unfortunate
that the side effect of S.5 may be to squelch debate and discussion regarding computer
security issues that otherwise may have yielded solutions to some of the problems. Consider
another scenario: Internet user X is using an internet search engine to look for information on
air traffic control facilities, and is presented with a link to a document entitled “airtrafficontrol-
Pakistan” on an FTP site located at airtraffic.gov.pk. X clicks on the link to view the contents
of the file. Transparently, X’s computer initiates a connection to the airtraffic.gov.pk FTP site,
logs in with the username anonymous and password email@example.com, retrieves the file
and displays it on screen to X. Upon reading the file, X discovers details of facilities that were
very obviously meant to remain confidential. X makes contact with the administrator of the
airtraffic.gov.pk FTP site to inform them of the availability of the sensitive information. The
administrator of the airtraffic.gov.pk FTP site, suspecting foul play, instigates proceedings to
have X charged with an offence under Ss. 4, 5 and/or 20 of the proposed ECA.

In explaining this example, it is necessary to understand the capabilities and normal function
of an FTP site. An FTP server allows access to certain sets of files based on which username
and password are entered when a remote computer user initiates a connection to the server.
Such access is typically in one of two modes: a system user mode, in which a remote
computer user must enter a username and password supplied by the system administrator to
gain access, or a system user + anonymous mode, in which remote computer users as
mentioned above are granted access but users entering the username anonymous and their
email address as the password are also granted a limited form of access. The term anonymous
is somewhat of a misnomer, though, as connections and transfers to and from the machine
are almost always logged. In a strict sense, unless a user connecting to an FTP server
operating in system user + anonymous mode supplies the username anonymous and some
email address as a password, or a username and password supplied to them by a system
administrator, they will not be granted access to any files on the computer.

In addition to the possible normative confusion, certain areas of Cybercrime directly affecting
e-commerce operations and sustainability have not been addressed in the draft ECA. No
provision, for instance, has been included in the proposed law on matters connected with the
offence of misuse and infringement of internet domain names as trademarks, which have been
defined in chapter XIII of the Trade Marks Ordinance, 2001. Section 8 of the proposed law
defines the offence of fraud, but misrepresentation by electronic means has not been
declared an offence. Similarly, express provisions about misuse of electronic cards,
regulation of online pharmacies, internet trademark violations, operation of pirated websites,
tax evasion, illegal online sale transactions, online gambling, etc. should be part of a
comprehensive criminal statute that aims to reduce risk to e-commerce activities.

The Way Ahead


In order to be fully ready for E-commerce we need to do a bit more than regulating electronic
transactions. Further required legal framework for Pakistan should contain legislation on:
• Electronic Banking
• Data Protection
• Computer related crimes
• Database Protection
• Employment issues in Information society
• Liability
• Outsourcing
• Protection of confidential information.

Concluding Caveat
Legal solutions to problems related to the use of information technology are typically based on
traditional legal instruments and concepts that are modified accordingly. Besides, the basic
notions and norms, which have been created through and by the historical development of law
and have been expressed by paper documents, cannot be changed. The introduction of
electronic means of expression should only contribute to a simpler way of dealing with and
exchanging documents rather than eliminating the documentation or altering the basic
concepts, norms and canons of law. Electronic means of documentation cannot alter the
concept of justice. The introduction of new terminology can only serve the principles of law.
New legal concepts have to be introduced so that the law corresponds to the needs of
technology. As averred above, the new legal concepts cannot contradict the old concepts of
law because new electronic commerce terminology is introduced to serve the traditional
concepts of law. Of course, the introduction of new concepts of law cannot be prohibited, since
new developments of life bring forward new notions for concepts. The rapidly changing nature
of technology calls for a continuous review of the regulatory environment, employing new legal
concepts where required. One should also remain cautious against an over-zealous and
over-generalized approach towards criminalizing the unlawful use of any computer by any
means whatsoever; blunderbuss prohibitions would be unwarranted, and one might just as
well argue for offences of impeding the lawful use of a television set or record player.
