Cybercrime Legislation in the Middle East

Cybercrime Legislation in the Middle East


Cybercrime Legislation in

The Middle East THE ROAD NOT TRAVELED

Mohamed N. El Guindy

ICT Researcher & Cybercrime Expert

[email protected]

Faisal Hegazy

Programme Officer, ROMENA

UNODC [email protected]

Published February 27, 2012


Contents

Introduction .................................................................................4

Internet Penetration in MENA........................................................5

Cybercrime Cases in MENA ..........................................................9

Organized Cybercrime...............................................................9

Cybercrime: An Economic Problem .......................................... 12

Definitions of Cybercrime ........................................................... 15

International Legislation.............................................................. 18

The United Nations Approaches ............................................... 18

Council of Europe: Convention on Cybercrime ........................... 19

Cyber Legis lation in MENA ........................................................ 20

History of censorship .............................................................. 20

Human Rights & Privacy ......................................................... 21

Cybercrime Legis lation: Poor or none........................................ 22

UAE ..................................................................................... 23

Qatar ..................................................................................... 24

Saudi Arabia .......................................................................... 24

Oman .................................................................................... 24

Tunisia .................................................................................. 25

Morocco ................................................................................ 25

Egypt .................................................................................... 25

Libya .................................................................................... 26

Algeria .................................................................................. 26

Syria ..................................................................................... 27

Jordan ................................................................................... 27

Lebanon ................................................................................ 28

Kuwait .................................................................................. 28

Iraq ....................................................................................... 28

Palestine ................................................................................ 28

Yemen................................................................................... 28

Bahrain.................................................................................. 29

Initiatives to tackle cybercrime in MENA .................................. 29

Conclusion............................................................................. 30

Contacts ................................................................................ 31


Introduction

Investments by MENA countries in ICTs is expanding annually and even overtaking the rest of the world. Millions of home users and

businesses in the region are joining the global cyberspace.

Virtually all modern services depend on ICTs and in a way or

another are connected to cyberspace which considered one of today’s battlefields (Air, Land, Sea, Space, and Cyberspace). Failure

to understand this situation will leave Middle East countries vulnerable to all types of attacks. Due to lack of technical and

legislative capabilities, our region expected to become the biggest

source and target for cybercrime in 21st century.

Drafting a cyber law or even dedicated cybercrime legislation is not the solution but part of it. Extensive study of Cybercrime

phenomenon and its consequences on the region should be considered along with cyber security issues.

Although most countries in the region don’t have specific legislation for cybercrime or cyberspace, we still can see few countries with

little progress in the field.

In this research, we will investigate Cybercrime related issue in the

region and will study legislation with overview on each country.


Internet Penetration in MENA

During the past two years MENA countries witnessed fast growing

numbers of internet users. Millions of home users joined cyberspace and social networking websites during the Arab uprising. According

to statistics, Internet users in Middle East region reached 77 million in December 2011

1.

This growth outpaced rest of the world as usual.

(Fig.1 Source: Internet World Stats)

With regard to North African states

2, we can find the following facts:

- Egypt ranked No.2 with over 21.6 million Internet users

- Morocco ranked No. 3 with over 15.6 million users - Algeria ranked No.7 with over 4.7 million Internet users

- Tunisia ranked No. 10 with over 3.8 million users - Libyan users reached 391.880

Total Internet users in North African countries reached 46 million

in December 2011.

The number of Internet users worldwide is increasing dramatically.

But the phenomenal growth in MENA has special triggers especially

when they connect to the Internet to join social networking websites.

1 http://www.internetworldstats.com/stats5.htm 2 http://www.internetworldstats.com/stats1.htm


The following diagram represents few factors for growth of user

base in MENA countries.

(Fig.2 Growth of User Base)

Millions of users joined the Arabic blogosphere

3 and social

networking4 websites during the past few years. One of the

interesting findings is that Libyan Internet users are all on

Facebook. It is obvious evidence that Arab uprising and political issues are common factors for Internet user growth in MENA.

Additional effective reason for Internet growth is that the region has the youngest population in the world with over 66.8% aged below

305 in Middle East and over 70% aged below 30 in Africa.

If we look at latest trends related to Facebook and Twitter in the

region, we can find that over 9.3 million users from Egypt alone are on Facebook with over 1.214 million on Twitter. Egypt is the largest

population online when compared to other MENA countries6.

3 http://cyber.law.harvard.edu/publications/2009/Mapping_the_Arabic_Blogosphere 4 http://thenextweb.com/socialmedia/2012/01/25/facebook-is-killing-local-social-networks-around-the-world/ 5 http://blog.euromonitor.com/2012/02/special-report-the-worlds-youngest-populations-.html 6 http://www.guardian.co.uk/world/2012/jan/26/african-twitter-map-continent-connected


Morocco comes next in North Africa with over 4 million users on Facebook. Saudi Arabia has the largest online population in Middle

East region with over 4.5 million on Facebook while UAE comes next in Middle East with over 2.7 million users on Facebook. It’s worth

mentioning that accurate numbers of Facebook and Twitter users

can’t be guaranteed due to unrest and political reasons especially in Syria as most users are using VPNs to connect.

Social Networks and web 2.0 applications played an important role

in Arab uprising, political scene, and conflicts between all parties7.

The following chart proves that social media most commonly used

to raise awareness during revolutions and spread information.

(Fig. 3: Uses of Social Media in Arab Uprising) (Source: Dubai School of Government

8)

The growth of user base in the region especially on Facebook which

might be considered the 3rd largest nation9 on earth opens new

challenges for users and governments as well.

Social media offers a supreme opportunity for people to self-organize and to create “virtual communities” where people seem to

be continuously interconnected wherever they may be on Earth10

. But it has also the ugly faces which include cybercrime

11, cyber

attacks, cyber terrorism12

, malware13

, digital espionage, open

source intelligence14

, propaganda15

, and violation of privacy16

.

7 http://www.dsg.fohmics.net/Portals/Pdfs/report.pdf 8 http://www.dsg.fohmics.net/en/asmr3/ASMRGeneralFindings3.aspx 9 http://www.economist.com/node/16660401 10 http://www.economist.com/node/21531109 11 http://www.thenational.ae/business/technology/cybercrime-ugly-face-of-social-media 12 http://publicintelligence.net/ufouoles-dhs-terrorist-use-of-social-networking-facebook-case-study/ 13 http://nakedsecurity.sophos.com/koobface/ 14 https://www.privacyinternational.org/article/bbi-open-source-intelligence-and-soci al-media-

monitoring 15 http://www.wired.com/dangerroom/2011/07/darpa-wants-social-media-sensor-for-propaganda-ops/


While governments in the region understand the importance of the

Internet and invested heavily in ICTs, they are concerned over its use by opposition movements. They try censorship and crackdowns

on bloggers using advanced western tools17

in addition to

surveillance and hacking18

techniques to track activists instead of cybercriminals.

Unfortunately, most Middle East users are vulnerable to all types of

such attacks due to poor security awareness and education programs with absence of “privacy and cyber legislation” which

make the governments’ job easier.

Governments in the region are recently dealing with Internet as an

Information weapon and this will be the biggest challenge when it comes to drafting or ratifying cyber legislations.

16 https://mice.cs.columbia.edu/getTechreport.php?techreport ID=1459 17 http://netsafe.me/2011/12/03/wikileaks-the-spy-files/ 18 http://netsafe.me/2011/12/01/how-government-spies-on-you/


Cybercrime Cases in MENA

Cybercrime is rising alarmingly in the Middle East not only due to growth of user base, but also for many other reasons such as poor

security awareness, poor technical capabilities, and lack of legislation

19.

All these factors make it hard if not impossible in many cases to investigate and prosecute cybercrime in the region.

OOrrggaanniizzee dd CCyybbee rrccrriimmee

“Operation Phish Phry20

” is one of the well-known cases in the Middle East which the FBI and Egyptian authority were

investigating. One American from LA who was the key figure in this

crime sentenced to 13 years in federal prison21

after being found guilty of leading an international phishing operation, and growing

marijuana on an industrial scale in his house. There were nearly 47 Egyptians involved in this phishing case. Authorities in Egypt

released 27 on April 201122

and the rest of them escaped and no punishment is imposed at the time of writing

23 this research.

The technique that is used by this crime ring is a very simple

phishing tactic to collect over $1.5 million. The emails were designed to trick recipients into clicking on fraudulent link inside the

email body and normally sent through spam campaign to harvested

email accounts from specific area or country.

Professional hackers sometimes encrypt the link or encode it in different formats in order to trick the victim.

19 http://netsafe.me/2011/06/19/21st-century-cyber-threats-and-the-middle-east-dilemma/ 20 http://www.fbi.gov/news/stories/2009/october/phishphry_100709 21 http://latimesblogs.latimes.com/lanow/2011/06/la-man-sentenced-phishing-pot-growing.html 22 http://gate.ahram.org.eg/UI/Front/Inner.aspx?NewsContentID=57993 (Arabi c) 23 http://www.youm7.com/News.asp?NewsID=524004&SecID=203&IssueID=0 (Arabic)


(Fig. 4: Example of Phishing Email)

This link will forward the victim to a well-design phishing page that

looks like the original bank website.

(Fig.5: Phishing website with genuine looking content)

This Phishing website is hosted on a domain name with similar

name of the legitimate bank to trick the victim; for example: http://citibank.verifyme.com

Fraudulent link

that will lead to

phishing website

to steal bank

account

information


Once victims enter their bank account details, it will be sent to the

responsible persons inside the ring. They seem to withdraw small amounts from $200 to $500 from many accounts so as not to

arouse suspicion and make it difficult for banks to check on so many

thefts. The amounts then transferred to fraudulent accounts coordinated by conspiracy ring. A portion of the illegally obtained

funds were transferred via “Western Union” to the Egyptians.

This crime can be categorized under one of the following:

- Identity Theft

- Wire and Bank Fraud - Computer Fraud

- Money Laundering

The Technical identity theft or “Phishing” portions of the operation

seem to have been conducted by the Egyptian group. Spam emails might be originated from Egypt and also the phishing websites.

The latest report published by APWG

24 revealed that Egypt has

ranked in the top three countries for hosting phishing websites.

(Fig.6 Top countries hosting phishing websites) (Source: APWG 2011)

Egypt has ranked high in past reports (from 2007 to 2010) which make it big source of Phishing, Identity theft, and Spam.

24 http://www.antiphishing.org


Cybercrime cases such as “Operation Phish Phry” can fall under

“Transnational Organized Crime” when conducted by group of people as described by United Nations Convention against

Transnational Organized Crime:

“Organized criminal group shall mean a structured group of three or

more persons, existing for a period of time and acting in concert with the aim of committing one or more serious crimes or offences established in accordance with this Convention, in order to obtain,

directly or indirectly, a financial or other material benefit”25

Cybercriminals are increasingly sophisticated and sharing best practices. They are always looking for countries with poor legislation

and poor security awareness to commit their crimes.

That leaves the Middle East vulnerable to new wave of

complicated and organized cybercrime in the upcoming years.

CCyybbee rrccrriimmee :: AAnn EEccoonnoommiicc PPrroobblleemm

According to “World Drug Report26

” by UNODC, The global black

market of “Global drug trafficking” is about $400 billion.

Today’s cybercrime costs the economy $388 billion, Symantec revealed

27. This shocking statistics is made up of two parts: $274

billion, Symantec's estimate of the value of time lost to cybercrime in the past year; added to $114 billion, said to be the industry's

"direct cash costs." That is, the amount of money "spent on

resolving cyber attacks" and the amount of money directly stolen by cybercriminals.

Most Middle East and North African countries have ranked high in

financial crimes such as fraud, bribery, corruption, and money

laundering28

. That makes the region suitable environment for “Financial Cybercrime”.

25 http://www.unodc.org/documents/treaties/UNTOC/Publications/TOC%20Convention/TOCebook-e.pdf 26 http://www.unodc.org/documents/data-and-analysis/WDR2011/World_Drug_Report_2011_ebook.pdf 27 http://www.symantec.com/about/news/release/article.jsp?prid=20110907_02 28 http://www.pwc.com


The latest survey published by “PWC”

29 revealed that cybercrime

was experienced by 40% of respondents whose organizations had experienced economic crime in the last 12 months. In addition to

over 35% feel their organizations have insufficient in-house

capabilities to prevent, detect and investigate cybercrime.

Cybercrime percentage in MENA is higher than the global average of 23% as it appears in Figure 7.

(Fig.7 Types of economic crime – Source: PWC 2012)

The region is also big target for cybercrime and even outpaced the

global average of 17%, which makes it vulnerable to outside

attacks.

(Fig.8 Cybercrime risk by boundaries – Source: PWC 2012)

29 http://www.pwc.com


Outside attacks mean “Transnational crime” that target the region for financial gain. The latest “Symantec Cybercrime Report”

revealed the following alarming facts30

:

- 76% of UAE residents have fallen victims to cybercrime

- Two citizens are affected by cybercrime every minute - Less than 25% of incidents are reported to the police

- 53% of people don’t have up-to-date antivirus software - 20% of all cybercrime takes place in the mobile domain

- Two weeks at least spent on fixing the damage from an attack

The cost of cybercrime to the UAE economy was $611.3 million in

both cash and the time it took to fix the damage during the 12 months between February 2010 and February 2011

31.

One of the biggest problems in the Middle East is that these

numbers might not be accurate enough. Most cybercrime victims

might not know that they are attacked; they even don’t report it to authorities if they know, to protect their reputation.

Although UAE has a dedicated cybercrime law, it can’t be considered

complete solution to the problem. The main reason for the increase of attacks is due to lack of education and awareness not only

legislation. Most GCC members seem to have the same problems of

sophisticated threats that are quickly being put to work by the cybercriminals to target banks and their clients.

Crimeware such as “Zeus

32 and SpyEye

33” are specifically built to

attack banks’ customer computers34

. Among Middle East countries

there were higher infection rates in Egypt and Saudi Arabia35

.

These phenomena tell the truth that Arab region becomes part of

global cybercrime industry that knows no boundaries or crisis.

30 http://www.emirates247.com/business/technology/76-of-uae-residents-are-victims-of-cybercrime-2011-09-18-1.419171 31 http://www.itp.net/586180-uae-faces -high-rates-of-cyber-crime 32 http://en.wikipedia.org/wiki/Zeus_(Trojan_horse) 33 http://www.net-security.org/malware_news.php?id=1784 34 http://www.spamfighter.com/News-15544-Middle-East-Online-Banking-Users -Easy-Targets-for-

Cybercriminals.htm 35 http://www.zdnetasia.com/zeus-trojan-found-on-74000-pcs-in-global-botnet-62061270.htm


Definitions of Cybercrime

There is no one definition for “Cybercrime”. You can see many definitions and terms drafted and used by either technicians or

legislators. There is big difference between crimes committed using computers and the Internet and other crimes depend solely on

computers and the Internet. When you understand this difference,

you will be able to understand the difference between “Cybercrime” and “Computer related crime”.

“Cybercrime” can be used as a narrow term for all types of

“Computer crimes”, while “Computer related crimes” might refer to

any crime that can be committed with or without a computer system or network.

The 10

th United Nations Congress on the Prevention of Crime and

the Treatment of Offenders held in Vienna, 10-17 April 200036

, used two different terms to describe the term “Cybercrime”:

)Fig.9: Cybercrime Definitions according to UN(

The term “illegal” might not be accurate in all States. An act might be illegal in one nation but not in another.

The Australian Institute of Criminology uses different terms to deal

with cybercrime such as “computer related crime, computer crime,

Internet crime, and e-crime37

.

36 http://www.uncjin.org/Documents/congr10/10e.pdf 37 http://www.aic.gov.au/en/crime_types/cybercrime/definitions.aspx


Council of Europe defines cybercrime as “Criminal offense

committed against or with the help of computer networks; an offense against the confidentiality, integrity and availability of

computer data and systems”38

The definitions are not the only challenge when dealing with cybercrime, there is also crime typology. Most cybercrime laws will

have inconsistency when categorizing cybercrime.

(Fig.10: CoE crime typology)

Cybercrime categories might be overlapped in COE convention. But it is still the only complete work for defining and categorizing

cybercrime.

Understanding “Cyber space” is also very important to understand the meaning of “Cybercrime”.

Many people think that Cyber space is the Internet, but this is not true. For example, a website might exist in cyberspace. But

according to cyberspace interpretation, events taking place on the internet are not happening in the location where that website is

hosted or located but in cyberspace.

The following figure represents the three layers

39 of cyber space.

38 http://conventions.coe.int/Treaty/Commun/QueVoulezVous.asp?NT=185&CL=ENG 39 http://www.rand.org/pubs/monographs/2009/RAND_MG877.pdf


(Fig. 11: Cyberspace layers)

Physical layer consists of electrical energy, electronic components,

and ICTs infrastructure. It is also called “Physical space”. Software and data are considered “Logical space”

Cyberspace security depends on the CIA triad which means

Confidentiality, Integrity, and Availability.

(Fig. 12: CIA triad)

Any offense against (CIA) could be considered “cybercrime”. For

example, Denial of Service attack (DoS) is an offense against (Availability) of data or information. Hacking into protected

database or website is an offense against (Confidentiality) of data or information. Tampering or altering any online object on transit could

be considered an offense against (Integrity) of data or information.

There are also additional terms that can be added to the CIA triad

such as “Authenticity”. In E-commerce or electronic signature it might be used to validate that both parties involved are who they

claim they are.

Legislators should understand technical terms related to ICTs and

cyber security when thinking of any related laws.

Physical Layer

Software Layer

Data Layer

Confidentiality

Integrity Availability


International Legislation

TThhee UUnniittee dd NNaattiioonnss AApppprrooaacchheess

There is no International treaty or legal framework related to

cybercrime. But the United Nations has adopted number of resolutions on combating the criminal misuse of information

technologies as follows:

- Resolution 55/36 (4 December 2000)

40

- Resolution 56/121 (19 December 2001)41

Resolutions recommendations are considered general guidelines for

member States to adopt when drafting cyber law. It includes also important recommendations for information flow, freedom of

information, privacy, and protection of cyberspace.

Example Recommendations:

(a) States should ensure that their laws and practice eliminate

safe havens for those who criminally misuse information technologies;

(b) Law enforcement cooperation in the investigation and

prosecution of international cases of criminal misuse of

information technologies should be coordinated among all concerned States;

(e) Legal systems should protect the confidentiality,

integrity and availability of data and computer systems from unauthorized impairment and ensure that criminal

abuse is penalized;

The topic of cybercrime was also discussed at the 12th UN Congress

on Crime Prevention and Criminal Justice in Brazil 201042

. At the

congress there were very important recommendations for member States regarding legislative and technical capabilities needed to

tackle cybercrime43

.

40 http://www.itu.int/ITU-D/cyb/cybersecurity/docs/UN_resolution_55_63.pdf 41 http://www.itu.int/ITU-D/cyb/cybersecurity/docs/UN_resolution_56_121.pdf 42 http://www.unodc.org/unodc/en/crime-congress/12th-crime-congress.html 43 http://www.unodc.org/documents/crime-congress/12th-Crime-Congress/Documents/A_CONF.213_9/V1050382e.pdf


The congress also stressed the importance of UNODC as a specialized UN body to help member States in building capabilities

to deal with cybercrime.

In July 2011, the United Nations Economic and Social Council issued

“Resolution 2011/33”44

on Prevention, protection and international cooperation against the use of new information technologies to

abuse and/or exploit children. It is stressed on how information technology and the Internet are used to exploit or abuse children

around the world with important recommendations for member States.

In May 2011, ITU and UNODC signed a memorandum of Understanding to collaborate globally on assisting member States

on both legislative and technical capabilities45

.

In December 2011, the United Nations Economic and Social Council

published an important study entitled “Cyber norm emergence at the United Nations”

46. This study stressed on the importance of

cyberspace in current political conflicts, cyber space and cybercrime, and cyber cooperation between member States.

CCoouunncciill ooff EEuurrooppee :: CCoonnvvee nnttiioonn oonn CCyybbee rrccrriimmee

The Council of Europe adopted the draft Convention on Cybercrime

in 200147

. The Convention on Cybercrime was opened for signature at a signing ceremony in Budapest on 23 November 2001. The

treaty is currently signed by 15 States and ratified by 32 States.

There are non-member States signed on this treaty such as (USA, Canada, and South Africa etc)

48.

Although this treaty is considered great efforts to tackle cybercrime,

it faces criticisms49

around the world50

.

There are also new phenomena that couldn’t be addressed using

current CoE treaty such as Cyber Terrorism, Botnet, and phishing attacks. Cybercrime is changing rapidly and legislation need to be

regularly updated to address new threats.

44 http://www.un.org/en/ecosoc/docs/2011/res%202011.33.pdf 45 http://www.itu.int/ITU-D/cyb/cybersecurity/docs/cybercrime.pdf 46 http://www.un.org/en/ecosoc/cybersecurity/maurer-cyber-norm-dp-2011-11.pdf 47 http://www.coe.int/lportal/web/coe-portal 48 http://conventions.coe.int/Treaty/Commun/ChercheSig.asp?NT=185&CM=8&DF=&CL=ENG 49 http://www.cs.brown.edu/courses/csci1950-p/sources/lec16/Vatis.pdf 50 http://www.crime-research.org/library/CoE_Cybercrime.html


Cyber Legislation in MENA

HHiiss ttoorryy ooff ccee nnssoorrss hhiipp

In most of the Middle East countries, communications and information media are controlled by governments. They need to

control the information flow by applying censorship on print, broadcast media, and now the Internet. Local newspapers and

television channels were broadcasting official statements and they were not allowed to criticize the government. The live media

revolution started with the “CNN51

” as it was the first TV channel to

broadcast from Iraq during “Gulf War” resulting in over billion viewers worldwide. This revolution changed the attitude of Middle

East viewers towards their local channels. They started to understand that it can’t be credible source of information. In 1994

Saudi Arabia52

banned the satellite equipments and decoders

followed later by Iran, Qatar53

and other countries. These various measures taken by governments didn’t seem to be effective.

The Internet appeared in the Middle East in the 90s at the same

time governments were struggling with the satellite issues, creating a new headache for those who want to control the flow of

information to their countries. Saudi Arabia, as a leader for GCC

States connected King Abdul Aziz City for Science and Technology to George Washington University in USA through BITNET

54 in early

1990s then switched to the Internet.

The Internet runs by state-owned telecommunication agencies

through monopolized telephone lines. But access was only restricted to educational institutions and government departments. By 1997

there were 34 academic and commercial Internet service providers in Egypt. Most of Arab countries have only one semi-government

Internet Service Provider such as Q-Tel in Qatar, Batelco in Bahrain, and Etisalat in UAE. Governments in the Middle East have taken the

initiative to join the Internet and invested heavily in ICTs which

results in other phenomena such as discussion boards, blogging55

, and finally social networks. They started to apply censorship and

surveillance56

as they did with satellite.

51 http://en.wikipedia.org/wiki/CNN 52 http://www.independent.co.uk/news/world/saudi-arabia-bans-all-satellite-dishes -1425819.html 53 Disconnect ed: haves and have-nots in the information age, William Wresch, 1996 54 http://en.wikipedia.org/wiki/BITNET 55 http://www.darrenkrape.com/blogging-the-middle-east/ 56 http://netsafe.me/2011/12/03/wikileaks-the-spy-files/


HHuummaann RRiigghhttss && PPrriivvaaccyy

As members of the UN, all Arab countries “theoretically” recognize

the Universal Declaration of Human Rights. But there are no

practical procedures in Arab legislation to insure that declaration articles will be enforced.

Article 19.

“Everyone has the right to freedom of opinion and expression; this

right includes freedom to hold opinions without interference and to seek, receive and impart information and ideas through any

media and regardless of frontiers.”57

No Arab State has approved any constitutional rules that guarantee

“The Right to Information58

” except in Jordan59

as it has an “Access to information law” as of January 2012. There are other regional

initiatives for proposal of laws but lack the mechanism to access of information.

Article 12.

“No one shall be subjected to arbitrary interference with his

privacy, family, home or correspondence, nor to attacks upon his honour and reputation. Everyone has the right to the protection of

the law against such interference or attacks.”60

Privacy laws seem to be the weakest in most Arab countries. Few countries included “Privacy” in consumer protection laws, data

protection laws, and constitution but not efficiently enforced.

The following countries have either special data protection law or

privacy articles in constitution or in separate legislation:

57 http://www.un.org/en/documents/udhr/ 58 http://rti-rating.org/ 59 http://right2info.org/access -to-information-laws 60 http://www.un.org/en/documents/udhr/


UAE

• Constitution, Article 3161

• Data Protection Law 2007

62

This law is to protect personal information of citizens as it is

collected, processed and transferred.

Lebanon

- Consumer Protection Law

63

Jordan

- Constitution, Articles 10 and 1364

Most governments in the region are violating privacy of citizens

and don’t pay attention to even basic human rights that will be challenging when drafting cyber legislation.

CCyybbee rrccrriimmee LLee ggiiss llaattiioonn:: PPoooorr oorr nnoonnee

Cybercrime legislation in the Middle East is absent, except in UAE which has its own cybercrime law. In most cases, governments in

the region use traditional laws, penal codes, or emergency laws to deal with cybercrime which make it hard if not impossible to

investigate real cases. For example, authorities may prosecute

“bloggers” as criminals in cases of libel, defamation, or criticism. In this case they deal with “website” or “blog” as a newspaper or

published book which make it hard for courts to accept this.

According to most publishing laws, websites can’t be treated as a newspaper, and blogger might not be considered a publisher or

writer. But in such cases authorities might use emergency laws65

to

jail bloggers or crackdown on activists.

61 http://www.mfnca.gov.ae/?lang=en&m=options&act=content_detail&content_id=442 62 http://dp.difc.ae/legislation/dp_protection/ 63 http://www.economy.gov.lb/index.php/subCatInfo/2/11/4/0 64 http://www.kinghussein.gov.jo/constitution_jo.html 65 http://opennet.net/research/regions/mena


Inconsistency in laws is a common factor when governments deal with cyberspace. Freedom of Speech and Privacy are good examples

when authorities try to add special rules to apply censorship on websites. These rules will be incompatible with article 19 of the UN

Universal Declaration of Human Rights which ratified by all Arab

countries as member States in the UN.

Many countries in MENA apply censorship and surveillance using technologies and software developed by western companies

66 and

there are no specific rules for what to be blocked. Anything could be considered prohibited according to this list by Etisalat

67.

Blocking contents is not good solution at all. People always want to know what’s behind the wall. Make the wall higher and they will

look for a ladder. Make it even higher, and they will look for dynamite. Governments should invest in awareness and education

instead of censorship.

The following States were assessed for their cybercrime laws.

UUAAEE

UAE is the first country in the Middle East to draft cybercrime law (Federal Law No.2 of 2006)

68. Department of Justice announced in

2010 that it will establish specialist cybercrime courts69

.

Although UAE has taken good steps in this law, it is still full of

surprises70

. According to a lawyer in Dubai, social media users may commit a crime by simply tagging a photo.

The law didn’t mention other crimes that could be committed using

the Internet such as malware development, piracy, copyright for

online contents and trademarks.

66 http://netsafe.me/2011/12/03/wikileaks-the-spy-files/ 67 http://www.etisalat.ae/assets/document/blockcontent.pdf 68 http://gulfnews.com/uaessentials/residents-guide/legal/uae-cyber-crimes-law-1.442016 69 http://www.hadefpartners.com/News/pageid/120-137/default.aspx?mediaid=110 70 http://www.thenational.ae/news/uae-news/uae-cyber-l aw-is-full-of-surprises


QQaattaarr

There is no specific law for cybercrime in Qatar. But articles from

370 to 387 in the penal code could be used71

. In spite of good steps taken by Qatari government, it considered

incomplete and insufficient law. Not all types of cybercrime are found in the penal code and they should realize that a separate and

complete cybercrime law will be better.

SSaauuddii AArraabbiiaa

Saudi Arabia has passed special “system” covering cybercrime in

March, 200772

. It includes articles related to cybercrime but the “system” still not considered complete cybercrime law.

It lacks any definitions for cybercrime or articles for privacy and

freedom of speech. No specific procedures to investigate cybercrime

are mentioned in the drafted “System”.

OOmmaann

Oman has the first Arabic penal law that deals with cybercrime.

Part 7, chapter 1, articles 276bis, 276bis (1), 276bis (2), 276bis (3), and 276bis (4)

73 are all dealing with cybercrime.

But this can’t be considered complete cyber law as it lacks types of

cybercrime, investigation procedures, and other descriptions of

cybercrime.

Oman started on special law for cybercrime in 2008 as a draft, then issued in 2011 with 35 articles dealing with cybercrime

74.

This law is considered good achievement for Oman; however, it doesn’t include all types of cybercrime.

71 http://www.gcc-legal.org/mojportalpublic/DisplayLegislations.aspx?country=3&LawTreeSectionID=2582 72 http://www.mcit.gov.sa/NR/rdonlyres/32961456-5A71-4374-B175-515BB50FC999/0/Cybercrimeact.pdf 73 http://www.rop.gov.om/arabic/roprules/ROPRULE-1.pdf 74 http://www.ita.gov.om/ITAPortal_AR/MediaCenter/Document_detail.aspx?NID=64


TTuunniiss iiaa

There is no cybercrime law in Tunisia.

Tunisian government issued in 2000 the Electronic Exchanges and

Electronic Commerce Law75

. It includes few articles that can be used to deal with cybercrime. But it can’t be considered sufficient law to

prosecute or investigate cybercrime cases.

MMoorrooccccoo

There is no cybercrime law in morocco. Government of morocco is using the law no. 07-03

76 to deal with information crimes

77. There

are also separate laws in morocco for electronic exchange. But all

these laws are not cybercrime laws and can’t be used to deal with cybercrime cases.

EEggyypptt

No cybercrime law in Egypt. But we can find improvements in

electronic signature law (2004)78

, intellectual property law (2002)79

, consumer protection law (2006)

80, and Telecommunications

regulation law (2003)81

.

Egypt invested heavily in ICTs and Internet services but didn’t

improve the legislation to deal with cybercrime issues. And current laws can’t be used to prosecute or investigate any cybercrime case.

“Operation Phish Phry” which we discussed earlier is an identical

transnational cybercrime case that couldn’t be solved using

available legislation in Egypt.

Diplomatic cables82

obtained by WikiLeaks revealed that Egyptian government was looking for International initiative to deal with

cybercrime.

75 E-Commerce Law Around the World: STEPHEN ERROL BLYTHE, Ph.D 76 http://www.parlement.ma/__print.php?filename=200803251141300 (Arabic) 77 http://www.aawsat.com/details.asp?article=176544&issueno=8964 (Arabic) 78 http://www.egypton.com/En/Ourprograms/IndustryInfrastructure/eSignature/Pages/default.aspx 79 http://en.wikipedia.org/wiki/File:Egyptian_Intellectual_Property_Law_82_of_2002_(English).pdf 80 http://www.legal500.com/c/egypt/developments/2903 81 http://www.tra.gov.eg/uploads/law/law_en.pdf 82 http://wikileaks.org/cable/2005/03/05CAIRO2469.html


US government wanted Egypt to take the leadership role in the region to promote COE

83 convention on cybercrime as good starting

point. The cables also revealed that “US government supports the COE convention because it took five years to develop and the world

could not afford to spend another five years negotiating a different

convention while cybercrime further developed, and that the resources needed to negotiate a new convention could be better

spent on improving individual countries' capacities to fight cybercrime”

84.

In 2010, authorities in Egypt announced

85 that they will draft

special cybercrime law. But it seems to be something for

suppression of free speech. This law has never been issued due to Egyptian uprising that ousted Hosni Mubarak

86.

LLiibbyyaa

There is no law for cybercrime, communications, or any related

technologies in Libya.

AAllggee rriiaa

There is no cybercrime law in Algeria. But other Telecommunication Frameworks can be used such as Law No. 2000-03 (Chapter 2)

87.

This law sets out the general legal framework for telecommunications in Algeria. It contains a detailed institutional

framework, including the creation of the regulatory telecommunications authority. It includes also licensing,

interconnection, resources management, and penalties.

Penalties can be used with electronic communications including the

Internet88

but it is not sufficient to deal with cybercrime.

It seems that Algeria is looking to issue cybercrime law including articles for surveillance and censorship. But there are no more

details available at the moment89

.

83 http://www.coe.int/t/DGHL/cooperation/economiccrime/cybercrime/default_en.asp 84 http://wikileaks.org/cable/2005/04/05CAIRO2892.html 85 http://www.egynews.net/wps/portal/news?params=104691 (Arabic) 86 http://en.wikipedia.org/wiki/Timeline_of_the_2011_Egyptian_revolution 87 http://www.joradp.dz/JO2000/2000/048/F_Pag.htm 88 http://www.joradp.dz/JO2000/2007/037/AP13.pdf (Arabi c) 89 http://www.arabic.xinhuanet.com/arabi c/2009-07/09/content_904192.htm (Arabic)


SSyyrriiaa

Syrian government issued law no.4 (2009)90

for electronic signature

and Internet services. Few articles in the law mentioned cybercrime but it can’t be considered sufficient.

On January 2012, Syrian government issued cybercrime law which

includes penalties and description of types of cybercrime91

.

Although it is good step by Syrian governments, it looks like they

wanted to apply more repression online. Authorities in Syria tried everything to suppress the uprising from military actions to online

surveillance and censorship92

. They even used spyware and viruses to hack into activists’ computers

93.

Issuing cybercrime law during the uprising doesn’t make any sense in combating cybercrime at all. By investigating this new law, we

can easily find many articles allow authorities to interfere with anything on the Internet and invade privacy of citizens.

This cannot be considered complete and efficient cybercrime law while Syrian government is violating every article in this law.

JJoorrddaann

Jordan issued temporary law no. 85 (2001) for Electronic

Transactions94

. But this is not a cybercrime law and can’t be used to prosecute cybercrime.

Later on 2012 government of Jordan drafted a temporary law for

cybercrime which is law no.30 (2010)95

.

This law doesn’t include definitions for cybercrime types and lacks

many articles that deal with privacy and freedom of speech in addition to cybercrime investigation procedures.

90 http://www.moct.gov.sy/moct/?q=ar/node/69 (Arabic) 91 http://www.moct.gov.sy/moct/?q=ar/node/247 (Arabic) 92 http://edition.cnn.com/2012/02/17/tech/web/computer-virus-syria/index.html 93 http://unremote.org/?p=942 94 http://www.lob.gov.jo/ui/laws/search_no.jsp?no=85&year=2001 95 http://www.lob.gov.jo/ui/laws/search_no.jsp?no=30&year=2010


LLeebbaannoonn

There is no cybercrime law in Lebanon at the moment. But

government is looking to issue new law covering electronic transactions

96 with growing criticism.

There is only circular no. 4A (2006) for data protection and piracy

which includes penalties for software piracy and other related

issues. But it can’t be used to deal with cybercrime cases97

.

KKuuwwaaiitt

There is no cyber law in Kuwait but the government is currently studying special law for E-commerce

98.

IIrraaqq

No special cyber law in Iraq, however, the Iraqi cabinet is studying special law for e-signature and electronic transactions

99.

PPaalleess ttiinnee

No specific cybercrime law in Palestine.

Telecommunications and other related laws can be found at law website provided by Palestinian authority

100.

YYeemmeenn

No cyber crime law in Yemen. There is only special law for electronic

transactions and e-signature which is law no 40 (2006)101

.

96 http://al-shorfa.com/cocoon/meii/xhtml/ar/features/meii/features/main/2011/08/17/feature-02 97 http://www.wipo.int/wipolex/en/text.jsp?file_id=238141 98 http://www.kt.com.kw/ba/e-gov/kuwait.htm (Arabic) 99 http://www.aswaq-aliraq.com/inp/view.asp?ID=66 (Arabic) 100 http://www.dft.gov.ps/index.php?option=com_dataentry&pid=11&leg_id= 14 101 http://www.centralbank.gov.ye/ar/CBY.aspx?keyid=80&pid=74&lang=2&cattype=1 (Arabic)


BBaahhrraaiinn

No cybercrime law in Bahrain. But government of Bahrain issued law no. 28 (2002) for electronic transactions

102. Lawyers in Bahrain

urged to ratify special law for cybercrime103

as current laws

considered insufficient to tackle cybercrime.

IInniittiiaattiivveess ttoo ttaacckkllee ccyybbee rrccrriimmee iinn MMEENNAA

Few countries in the Middle East developed special units to monitor, combat, or investigate cybercrime issues. Although it is considered

active strategy to deal with cybercrime, it is still need more progress at national and international levels.

The following table represents current CERT104

initiatives in MENA

Current CERT initiatives are currently working on different approaches, for example:

- Monitor security threats - Post online alerts for current threats

- Training and awareness on their websites - Working on security awareness campaigns

- Cooperation with government organizations and private sector

More efforts and effective security awareness campaigns in addition

to international cooperation need to be implemented.

CERTs need to work also as local focal points in their countries to raise the awareness for information security and cybercrime. They

need to work with subject matter experts on legal issues and

cybercrime legislation.

102 http://www.moic.gov.bh/NR/rdonlyres/90E87587-D2EC-4867-B174-C7EDD703DA3B/157/LegislativeDecreeno28of2002.pdf (Arabic) 103 http://www.alwasatnews.com/2996/news/read/510822/1.html (Arabic) 104 Computer Emergency Response Team


CCoonncclluuss iioonn

After investigating cybercrime issues in the Middle East and North

African countries, we found that their legislation systems still need a

lot of improvements. Information and communication technology is a rapidly growing field that needs continuous work in technical and

legislative capabilities.

Recommendations to improve legislative and technical capabilities:

• Middle East countries need to improve national and

international cooperation in drafting cybercrime laws

• Governments need to extensively study the phenomenon of cybercrime in the region as it has special characteristics that

need to be addressed in the law

• Adding information security curriculums to local education

system at all levels.

• Invest in effective information security and cybercrime

awareness campaigns for policymakers, government departments, private sectors, and individuals.

• Develop education programs for judges, lawyers, prosecutors,

law enforcement, and judicial officers. They need to understand cyberspace, ICTs, cybercrime phenomena and

how to deal with cybercrime cases.

We need to realize that cybercrime is not the only threat in cyberspace. We are moving forward to new three-dimensional

reality with “Cyberwarfare”.


CCoonnttaaccttss

Mohamed N. El Guindy President and Founder Information Systems Security Association Egypt Chapter Email: [email protected]

Blog: www.netsafe.me Websites: www.issa-eg.org www.askpc.net

Faisal Hegazy Programme Officer, ROMENA United Nations Office on Drugs and Crime Email: [email protected]

© 2012 ISSA-EG. All rights reserved.

Cybercrime Legislation in the Middle East

Technology

operation

united nations

studying special

transnational

consumer protection

computer related

poor security

middle east