Cybercrime Legislation in the Middle East
Cybercrime Legislation in the Middle East
Cybercrime Legislation in
The Middle East THE ROAD NOT TRAVELED
Mohamed N. El Guindy
ICT Researcher & Cybercrime Expert
Faisal Hegazy
Programme Officer, ROMENA
UNODC [email protected]
Published February 27, 2012
Cybercrime Legislation in the Middle East
Contents
Introduction .................................................................................4
Internet Penetration in MENA........................................................5
Cybercrime Cases in MENA ..........................................................9
Organized Cybercrime...............................................................9
Cybercrime: An Economic Problem .......................................... 12
Definitions of Cybercrime ........................................................... 15
International Legislation.............................................................. 18
The United Nations Approaches ............................................... 18
Council of Europe: Convention on Cybercrime ........................... 19
Cyber Legis lation in MENA ........................................................ 20
History of censorship .............................................................. 20
Human Rights & Privacy ......................................................... 21
Cybercrime Legis lation: Poor or none........................................ 22
UAE ..................................................................................... 23
Qatar ..................................................................................... 24
Saudi Arabia .......................................................................... 24
Oman .................................................................................... 24
Tunisia .................................................................................. 25
Morocco ................................................................................ 25
Egypt .................................................................................... 25
Libya .................................................................................... 26
Algeria .................................................................................. 26
Syria ..................................................................................... 27
Jordan ................................................................................... 27
Lebanon ................................................................................ 28
Kuwait .................................................................................. 28
Iraq ....................................................................................... 28
Palestine ................................................................................ 28
Yemen................................................................................... 28
Bahrain.................................................................................. 29
Initiatives to tackle cybercrime in MENA .................................. 29
Conclusion............................................................................. 30
Contacts ................................................................................ 31
Cybercrime Legislation in the Middle East
Introduction
Investments by MENA countries in ICTs is expanding annually and even overtaking the rest of the world. Millions of home users and
businesses in the region are joining the global cyberspace.
Virtually all modern services depend on ICTs and in a way or
another are connected to cyberspace which considered one of today’s battlefields (Air, Land, Sea, Space, and Cyberspace). Failure
to understand this situation will leave Middle East countries vulnerable to all types of attacks. Due to lack of technical and
legislative capabilities, our region expected to become the biggest
source and target for cybercrime in 21st century.
Drafting a cyber law or even dedicated cybercrime legislation is not the solution but part of it. Extensive study of Cybercrime
phenomenon and its consequences on the region should be considered along with cyber security issues.
Although most countries in the region don’t have specific legislation for cybercrime or cyberspace, we still can see few countries with
little progress in the field.
In this research, we will investigate Cybercrime related issue in the
region and will study legislation with overview on each country.
Cybercrime Legislation in the Middle East
Internet Penetration in MENA
During the past two years MENA countries witnessed fast growing
numbers of internet users. Millions of home users joined cyberspace and social networking websites during the Arab uprising. According
to statistics, Internet users in Middle East region reached 77 million in December 2011
1.
This growth outpaced rest of the world as usual.
(Fig.1 Source: Internet World Stats)
With regard to North African states
2, we can find the following facts:
- Egypt ranked No.2 with over 21.6 million Internet users
- Morocco ranked No. 3 with over 15.6 million users - Algeria ranked No.7 with over 4.7 million Internet users
- Tunisia ranked No. 10 with over 3.8 million users - Libyan users reached 391.880
Total Internet users in North African countries reached 46 million
in December 2011.
The number of Internet users worldwide is increasing dramatically.
But the phenomenal growth in MENA has special triggers especially
when they connect to the Internet to join social networking websites.
1 http://www.internetworldstats.com/stats5.htm 2 http://www.internetworldstats.com/stats1.htm
Cybercrime Legislation in the Middle East
The following diagram represents few factors for growth of user
base in MENA countries.
(Fig.2 Growth of User Base)
Millions of users joined the Arabic blogosphere
3 and social
networking4 websites during the past few years. One of the
interesting findings is that Libyan Internet users are all on
Facebook. It is obvious evidence that Arab uprising and political issues are common factors for Internet user growth in MENA.
Additional effective reason for Internet growth is that the region has the youngest population in the world with over 66.8% aged below
305 in Middle East and over 70% aged below 30 in Africa.
If we look at latest trends related to Facebook and Twitter in the
region, we can find that over 9.3 million users from Egypt alone are on Facebook with over 1.214 million on Twitter. Egypt is the largest
population online when compared to other MENA countries6.
3 http://cyber.law.harvard.edu/publications/2009/Mapping_the_Arabic_Blogosphere 4 http://thenextweb.com/socialmedia/2012/01/25/facebook-is-killing-local-social-networks-around-the-world/ 5 http://blog.euromonitor.com/2012/02/special-report-the-worlds-youngest-populations-.html 6 http://www.guardian.co.uk/world/2012/jan/26/african-twitter-map-continent-connected
Cybercrime Legislation in the Middle East
Morocco comes next in North Africa with over 4 million users on Facebook. Saudi Arabia has the largest online population in Middle
East region with over 4.5 million on Facebook while UAE comes next in Middle East with over 2.7 million users on Facebook. It’s worth
mentioning that accurate numbers of Facebook and Twitter users
can’t be guaranteed due to unrest and political reasons especially in Syria as most users are using VPNs to connect.
Social Networks and web 2.0 applications played an important role
in Arab uprising, political scene, and conflicts between all parties7.
The following chart proves that social media most commonly used
to raise awareness during revolutions and spread information.
(Fig. 3: Uses of Social Media in Arab Uprising) (Source: Dubai School of Government
8)
The growth of user base in the region especially on Facebook which
might be considered the 3rd largest nation9 on earth opens new
challenges for users and governments as well.
Social media offers a supreme opportunity for people to self-organize and to create “virtual communities” where people seem to
be continuously interconnected wherever they may be on Earth10
. But it has also the ugly faces which include cybercrime
11, cyber
attacks, cyber terrorism12
, malware13
, digital espionage, open
source intelligence14
, propaganda15
, and violation of privacy16
.
7 http://www.dsg.fohmics.net/Portals/Pdfs/report.pdf 8 http://www.dsg.fohmics.net/en/asmr3/ASMRGeneralFindings3.aspx 9 http://www.economist.com/node/16660401 10 http://www.economist.com/node/21531109 11 http://www.thenational.ae/business/technology/cybercrime-ugly-face-of-social-media 12 http://publicintelligence.net/ufouoles-dhs-terrorist-use-of-social-networking-facebook-case-study/ 13 http://nakedsecurity.sophos.com/koobface/ 14 https://www.privacyinternational.org/article/bbi-open-source-intelligence-and-soci al-media-
monitoring 15 http://www.wired.com/dangerroom/2011/07/darpa-wants-social-media-sensor-for-propaganda-ops/
Cybercrime Legislation in the Middle East
While governments in the region understand the importance of the
Internet and invested heavily in ICTs, they are concerned over its use by opposition movements. They try censorship and crackdowns
on bloggers using advanced western tools17
in addition to
surveillance and hacking18
techniques to track activists instead of cybercriminals.
Unfortunately, most Middle East users are vulnerable to all types of
such attacks due to poor security awareness and education programs with absence of “privacy and cyber legislation” which
make the governments’ job easier.
Governments in the region are recently dealing with Internet as an
Information weapon and this will be the biggest challenge when it comes to drafting or ratifying cyber legislations.
16 https://mice.cs.columbia.edu/getTechreport.php?techreport ID=1459 17 http://netsafe.me/2011/12/03/wikileaks-the-spy-files/ 18 http://netsafe.me/2011/12/01/how-government-spies-on-you/
Cybercrime Legislation in the Middle East
Cybercrime Cases in MENA
Cybercrime is rising alarmingly in the Middle East not only due to growth of user base, but also for many other reasons such as poor
security awareness, poor technical capabilities, and lack of legislation
19.
All these factors make it hard if not impossible in many cases to investigate and prosecute cybercrime in the region.
OOrrggaanniizzee dd CCyybbee rrccrriimmee
“Operation Phish Phry20
” is one of the well-known cases in the Middle East which the FBI and Egyptian authority were
investigating. One American from LA who was the key figure in this
crime sentenced to 13 years in federal prison21
after being found guilty of leading an international phishing operation, and growing
marijuana on an industrial scale in his house. There were nearly 47 Egyptians involved in this phishing case. Authorities in Egypt
released 27 on April 201122
and the rest of them escaped and no punishment is imposed at the time of writing
23 this research.
The technique that is used by this crime ring is a very simple
phishing tactic to collect over $1.5 million. The emails were designed to trick recipients into clicking on fraudulent link inside the
email body and normally sent through spam campaign to harvested
email accounts from specific area or country.
Professional hackers sometimes encrypt the link or encode it in different formats in order to trick the victim.
19 http://netsafe.me/2011/06/19/21st-century-cyber-threats-and-the-middle-east-dilemma/ 20 http://www.fbi.gov/news/stories/2009/october/phishphry_100709 21 http://latimesblogs.latimes.com/lanow/2011/06/la-man-sentenced-phishing-pot-growing.html 22 http://gate.ahram.org.eg/UI/Front/Inner.aspx?NewsContentID=57993 (Arabi c) 23 http://www.youm7.com/News.asp?NewsID=524004&SecID=203&IssueID=0 (Arabic)
Cybercrime Legislation in the Middle East
(Fig. 4: Example of Phishing Email)
This link will forward the victim to a well-design phishing page that
looks like the original bank website.
(Fig.5: Phishing website with genuine looking content)
This Phishing website is hosted on a domain name with similar
name of the legitimate bank to trick the victim; for example: http://citibank.verifyme.com
Fraudulent link
that will lead to
phishing website
to steal bank
account
information
Cybercrime Legislation in the Middle East
Once victims enter their bank account details, it will be sent to the
responsible persons inside the ring. They seem to withdraw small amounts from $200 to $500 from many accounts so as not to
arouse suspicion and make it difficult for banks to check on so many
thefts. The amounts then transferred to fraudulent accounts coordinated by conspiracy ring. A portion of the illegally obtained
funds were transferred via “Western Union” to the Egyptians.
This crime can be categorized under one of the following:
- Identity Theft
- Wire and Bank Fraud - Computer Fraud
- Money Laundering
The Technical identity theft or “Phishing” portions of the operation
seem to have been conducted by the Egyptian group. Spam emails might be originated from Egypt and also the phishing websites.
The latest report published by APWG
24 revealed that Egypt has
ranked in the top three countries for hosting phishing websites.
(Fig.6 Top countries hosting phishing websites) (Source: APWG 2011)
Egypt has ranked high in past reports (from 2007 to 2010) which make it big source of Phishing, Identity theft, and Spam.
24 http://www.antiphishing.org
Cybercrime Legislation in the Middle East
Cybercrime cases such as “Operation Phish Phry” can fall under
“Transnational Organized Crime” when conducted by group of people as described by United Nations Convention against
Transnational Organized Crime:
“Organized criminal group shall mean a structured group of three or
more persons, existing for a period of time and acting in concert with the aim of committing one or more serious crimes or offences established in accordance with this Convention, in order to obtain,
directly or indirectly, a financial or other material benefit”25
Cybercriminals are increasingly sophisticated and sharing best practices. They are always looking for countries with poor legislation
and poor security awareness to commit their crimes.
That leaves the Middle East vulnerable to new wave of
complicated and organized cybercrime in the upcoming years.
CCyybbee rrccrriimmee :: AAnn EEccoonnoommiicc PPrroobblleemm
According to “World Drug Report26
” by UNODC, The global black
market of “Global drug trafficking” is about $400 billion.
Today’s cybercrime costs the economy $388 billion, Symantec revealed
27. This shocking statistics is made up of two parts: $274
billion, Symantec's estimate of the value of time lost to cybercrime in the past year; added to $114 billion, said to be the industry's
"direct cash costs." That is, the amount of money "spent on
resolving cyber attacks" and the amount of money directly stolen by cybercriminals.
Most Middle East and North African countries have ranked high in
financial crimes such as fraud, bribery, corruption, and money
laundering28
. That makes the region suitable environment for “Financial Cybercrime”.
25 http://www.unodc.org/documents/treaties/UNTOC/Publications/TOC%20Convention/TOCebook-e.pdf 26 http://www.unodc.org/documents/data-and-analysis/WDR2011/World_Drug_Report_2011_ebook.pdf 27 http://www.symantec.com/about/news/release/article.jsp?prid=20110907_02 28 http://www.pwc.com
Cybercrime Legislation in the Middle East
The latest survey published by “PWC”
29 revealed that cybercrime
was experienced by 40% of respondents whose organizations had experienced economic crime in the last 12 months. In addition to
over 35% feel their organizations have insufficient in-house
capabilities to prevent, detect and investigate cybercrime.
Cybercrime percentage in MENA is higher than the global average of 23% as it appears in Figure 7.
(Fig.7 Types of economic crime – Source: PWC 2012)
The region is also big target for cybercrime and even outpaced the
global average of 17%, which makes it vulnerable to outside
attacks.
(Fig.8 Cybercrime risk by boundaries – Source: PWC 2012)
29 http://www.pwc.com
Cybercrime Legislation in the Middle East
Outside attacks mean “Transnational crime” that target the region for financial gain. The latest “Symantec Cybercrime Report”
revealed the following alarming facts30
:
- 76% of UAE residents have fallen victims to cybercrime
- Two citizens are affected by cybercrime every minute - Less than 25% of incidents are reported to the police
- 53% of people don’t have up-to-date antivirus software - 20% of all cybercrime takes place in the mobile domain
- Two weeks at least spent on fixing the damage from an attack
The cost of cybercrime to the UAE economy was $611.3 million in
both cash and the time it took to fix the damage during the 12 months between February 2010 and February 2011
31.
One of the biggest problems in the Middle East is that these
numbers might not be accurate enough. Most cybercrime victims
might not know that they are attacked; they even don’t report it to authorities if they know, to protect their reputation.
Although UAE has a dedicated cybercrime law, it can’t be considered
complete solution to the problem. The main reason for the increase of attacks is due to lack of education and awareness not only
legislation. Most GCC members seem to have the same problems of
sophisticated threats that are quickly being put to work by the cybercriminals to target banks and their clients.
Crimeware such as “Zeus
32 and SpyEye
33” are specifically built to
attack banks’ customer computers34
. Among Middle East countries
there were higher infection rates in Egypt and Saudi Arabia35
.
These phenomena tell the truth that Arab region becomes part of
global cybercrime industry that knows no boundaries or crisis.
30 http://www.emirates247.com/business/technology/76-of-uae-residents-are-victims-of-cybercrime-2011-09-18-1.419171 31 http://www.itp.net/586180-uae-faces -high-rates-of-cyber-crime 32 http://en.wikipedia.org/wiki/Zeus_(Trojan_horse) 33 http://www.net-security.org/malware_news.php?id=1784 34 http://www.spamfighter.com/News-15544-Middle-East-Online-Banking-Users -Easy-Targets-for-
Cybercriminals.htm 35 http://www.zdnetasia.com/zeus-trojan-found-on-74000-pcs-in-global-botnet-62061270.htm
Cybercrime Legislation in the Middle East
Definitions of Cybercrime
There is no one definition for “Cybercrime”. You can see many definitions and terms drafted and used by either technicians or
legislators. There is big difference between crimes committed using computers and the Internet and other crimes depend solely on
computers and the Internet. When you understand this difference,
you will be able to understand the difference between “Cybercrime” and “Computer related crime”.
“Cybercrime” can be used as a narrow term for all types of
“Computer crimes”, while “Computer related crimes” might refer to
any crime that can be committed with or without a computer system or network.
The 10
th United Nations Congress on the Prevention of Crime and
the Treatment of Offenders held in Vienna, 10-17 April 200036
, used two different terms to describe the term “Cybercrime”:
)Fig.9: Cybercrime Definitions according to UN(
The term “illegal” might not be accurate in all States. An act might be illegal in one nation but not in another.
The Australian Institute of Criminology uses different terms to deal
with cybercrime such as “computer related crime, computer crime,
Internet crime, and e-crime37
.
36 http://www.uncjin.org/Documents/congr10/10e.pdf 37 http://www.aic.gov.au/en/crime_types/cybercrime/definitions.aspx
Cybercrime Legislation in the Middle East
Council of Europe defines cybercrime as “Criminal offense
committed against or with the help of computer networks; an offense against the confidentiality, integrity and availability of
computer data and systems”38
The definitions are not the only challenge when dealing with cybercrime, there is also crime typology. Most cybercrime laws will
have inconsistency when categorizing cybercrime.
(Fig.10: CoE crime typology)
Cybercrime categories might be overlapped in COE convention. But it is still the only complete work for defining and categorizing
cybercrime.
Understanding “Cyber space” is also very important to understand the meaning of “Cybercrime”.
Many people think that Cyber space is the Internet, but this is not true. For example, a website might exist in cyberspace. But
according to cyberspace interpretation, events taking place on the internet are not happening in the location where that website is
hosted or located but in cyberspace.
The following figure represents the three layers
39 of cyber space.
38 http://conventions.coe.int/Treaty/Commun/QueVoulezVous.asp?NT=185&CL=ENG 39 http://www.rand.org/pubs/monographs/2009/RAND_MG877.pdf
Cybercrime Legislation in the Middle East
(Fig. 11: Cyberspace layers)
Physical layer consists of electrical energy, electronic components,
and ICTs infrastructure. It is also called “Physical space”. Software and data are considered “Logical space”
Cyberspace security depends on the CIA triad which means
Confidentiality, Integrity, and Availability.
(Fig. 12: CIA triad)
Any offense against (CIA) could be considered “cybercrime”. For
example, Denial of Service attack (DoS) is an offense against (Availability) of data or information. Hacking into protected
database or website is an offense against (Confidentiality) of data or information. Tampering or altering any online object on transit could
be considered an offense against (Integrity) of data or information.
There are also additional terms that can be added to the CIA triad
such as “Authenticity”. In E-commerce or electronic signature it might be used to validate that both parties involved are who they
claim they are.
Legislators should understand technical terms related to ICTs and
cyber security when thinking of any related laws.
Physical Layer
Software Layer
Data Layer
Confidentiality
Integrity Availability
Cybercrime Legislation in the Middle East
International Legislation
TThhee UUnniittee dd NNaattiioonnss AApppprrooaacchheess
There is no International treaty or legal framework related to
cybercrime. But the United Nations has adopted number of resolutions on combating the criminal misuse of information
technologies as follows:
- Resolution 55/36 (4 December 2000)
40
- Resolution 56/121 (19 December 2001)41
Resolutions recommendations are considered general guidelines for
member States to adopt when drafting cyber law. It includes also important recommendations for information flow, freedom of
information, privacy, and protection of cyberspace.
Example Recommendations:
(a) States should ensure that their laws and practice eliminate
safe havens for those who criminally misuse information technologies;
(b) Law enforcement cooperation in the investigation and
prosecution of international cases of criminal misuse of
information technologies should be coordinated among all concerned States;
(e) Legal systems should protect the confidentiality,
integrity and availability of data and computer systems from unauthorized impairment and ensure that criminal
abuse is penalized;
The topic of cybercrime was also discussed at the 12th UN Congress
on Crime Prevention and Criminal Justice in Brazil 201042
. At the
congress there were very important recommendations for member States regarding legislative and technical capabilities needed to
tackle cybercrime43
.
40 http://www.itu.int/ITU-D/cyb/cybersecurity/docs/UN_resolution_55_63.pdf 41 http://www.itu.int/ITU-D/cyb/cybersecurity/docs/UN_resolution_56_121.pdf 42 http://www.unodc.org/unodc/en/crime-congress/12th-crime-congress.html 43 http://www.unodc.org/documents/crime-congress/12th-Crime-Congress/Documents/A_CONF.213_9/V1050382e.pdf
Cybercrime Legislation in the Middle East
The congress also stressed the importance of UNODC as a specialized UN body to help member States in building capabilities
to deal with cybercrime.
In July 2011, the United Nations Economic and Social Council issued
“Resolution 2011/33”44
on Prevention, protection and international cooperation against the use of new information technologies to
abuse and/or exploit children. It is stressed on how information technology and the Internet are used to exploit or abuse children
around the world with important recommendations for member States.
In May 2011, ITU and UNODC signed a memorandum of Understanding to collaborate globally on assisting member States
on both legislative and technical capabilities45
.
In December 2011, the United Nations Economic and Social Council
published an important study entitled “Cyber norm emergence at the United Nations”
46. This study stressed on the importance of
cyberspace in current political conflicts, cyber space and cybercrime, and cyber cooperation between member States.
CCoouunncciill ooff EEuurrooppee :: CCoonnvvee nnttiioonn oonn CCyybbee rrccrriimmee
The Council of Europe adopted the draft Convention on Cybercrime
in 200147
. The Convention on Cybercrime was opened for signature at a signing ceremony in Budapest on 23 November 2001. The
treaty is currently signed by 15 States and ratified by 32 States.
There are non-member States signed on this treaty such as (USA, Canada, and South Africa etc)
48.
Although this treaty is considered great efforts to tackle cybercrime,
it faces criticisms49
around the world50
.
There are also new phenomena that couldn’t be addressed using
current CoE treaty such as Cyber Terrorism, Botnet, and phishing attacks. Cybercrime is changing rapidly and legislation need to be
regularly updated to address new threats.
44 http://www.un.org/en/ecosoc/docs/2011/res%202011.33.pdf 45 http://www.itu.int/ITU-D/cyb/cybersecurity/docs/cybercrime.pdf 46 http://www.un.org/en/ecosoc/cybersecurity/maurer-cyber-norm-dp-2011-11.pdf 47 http://www.coe.int/lportal/web/coe-portal 48 http://conventions.coe.int/Treaty/Commun/ChercheSig.asp?NT=185&CM=8&DF=&CL=ENG 49 http://www.cs.brown.edu/courses/csci1950-p/sources/lec16/Vatis.pdf 50 http://www.crime-research.org/library/CoE_Cybercrime.html
Cybercrime Legislation in the Middle East
Cyber Legislation in MENA
HHiiss ttoorryy ooff ccee nnssoorrss hhiipp
In most of the Middle East countries, communications and information media are controlled by governments. They need to
control the information flow by applying censorship on print, broadcast media, and now the Internet. Local newspapers and
television channels were broadcasting official statements and they were not allowed to criticize the government. The live media
revolution started with the “CNN51
” as it was the first TV channel to
broadcast from Iraq during “Gulf War” resulting in over billion viewers worldwide. This revolution changed the attitude of Middle
East viewers towards their local channels. They started to understand that it can’t be credible source of information. In 1994
Saudi Arabia52
banned the satellite equipments and decoders
followed later by Iran, Qatar53
and other countries. These various measures taken by governments didn’t seem to be effective.
The Internet appeared in the Middle East in the 90s at the same
time governments were struggling with the satellite issues, creating a new headache for those who want to control the flow of
information to their countries. Saudi Arabia, as a leader for GCC
States connected King Abdul Aziz City for Science and Technology to George Washington University in USA through BITNET
54 in early
1990s then switched to the Internet.
The Internet runs by state-owned telecommunication agencies
through monopolized telephone lines. But access was only restricted to educational institutions and government departments. By 1997
there were 34 academic and commercial Internet service providers in Egypt. Most of Arab countries have only one semi-government
Internet Service Provider such as Q-Tel in Qatar, Batelco in Bahrain, and Etisalat in UAE. Governments in the Middle East have taken the
initiative to join the Internet and invested heavily in ICTs which
results in other phenomena such as discussion boards, blogging55
, and finally social networks. They started to apply censorship and
surveillance56
as they did with satellite.
51 http://en.wikipedia.org/wiki/CNN 52 http://www.independent.co.uk/news/world/saudi-arabia-bans-all-satellite-dishes -1425819.html 53 Disconnect ed: haves and have-nots in the information age, William Wresch, 1996 54 http://en.wikipedia.org/wiki/BITNET 55 http://www.darrenkrape.com/blogging-the-middle-east/ 56 http://netsafe.me/2011/12/03/wikileaks-the-spy-files/
Cybercrime Legislation in the Middle East
HHuummaann RRiigghhttss && PPrriivvaaccyy
As members of the UN, all Arab countries “theoretically” recognize
the Universal Declaration of Human Rights. But there are no
practical procedures in Arab legislation to insure that declaration articles will be enforced.
Article 19.
“Everyone has the right to freedom of opinion and expression; this
right includes freedom to hold opinions without interference and to seek, receive and impart information and ideas through any
media and regardless of frontiers.”57
No Arab State has approved any constitutional rules that guarantee
“The Right to Information58
” except in Jordan59
as it has an “Access to information law” as of January 2012. There are other regional
initiatives for proposal of laws but lack the mechanism to access of information.
Article 12.
“No one shall be subjected to arbitrary interference with his
privacy, family, home or correspondence, nor to attacks upon his honour and reputation. Everyone has the right to the protection of
the law against such interference or attacks.”60
Privacy laws seem to be the weakest in most Arab countries. Few countries included “Privacy” in consumer protection laws, data
protection laws, and constitution but not efficiently enforced.
The following countries have either special data protection law or
privacy articles in constitution or in separate legislation:
57 http://www.un.org/en/documents/udhr/ 58 http://rti-rating.org/ 59 http://right2info.org/access -to-information-laws 60 http://www.un.org/en/documents/udhr/
Cybercrime Legislation in the Middle East
UAE
• Constitution, Article 3161
• Data Protection Law 2007
62
This law is to protect personal information of citizens as it is
collected, processed and transferred.
Lebanon
- Consumer Protection Law
63
Jordan
- Constitution, Articles 10 and 1364
Most governments in the region are violating privacy of citizens
and don’t pay attention to even basic human rights that will be challenging when drafting cyber legislation.
CCyybbee rrccrriimmee LLee ggiiss llaattiioonn:: PPoooorr oorr nnoonnee
Cybercrime legislation in the Middle East is absent, except in UAE which has its own cybercrime law. In most cases, governments in
the region use traditional laws, penal codes, or emergency laws to deal with cybercrime which make it hard if not impossible to
investigate real cases. For example, authorities may prosecute
“bloggers” as criminals in cases of libel, defamation, or criticism. In this case they deal with “website” or “blog” as a newspaper or
published book which make it hard for courts to accept this.
According to most publishing laws, websites can’t be treated as a newspaper, and blogger might not be considered a publisher or
writer. But in such cases authorities might use emergency laws65
to
jail bloggers or crackdown on activists.
61 http://www.mfnca.gov.ae/?lang=en&m=options&act=content_detail&content_id=442 62 http://dp.difc.ae/legislation/dp_protection/ 63 http://www.economy.gov.lb/index.php/subCatInfo/2/11/4/0 64 http://www.kinghussein.gov.jo/constitution_jo.html 65 http://opennet.net/research/regions/mena
Cybercrime Legislation in the Middle East
Inconsistency in laws is a common factor when governments deal with cyberspace. Freedom of Speech and Privacy are good examples
when authorities try to add special rules to apply censorship on websites. These rules will be incompatible with article 19 of the UN
Universal Declaration of Human Rights which ratified by all Arab
countries as member States in the UN.
Many countries in MENA apply censorship and surveillance using technologies and software developed by western companies
66 and
there are no specific rules for what to be blocked. Anything could be considered prohibited according to this list by Etisalat
67.
Blocking contents is not good solution at all. People always want to know what’s behind the wall. Make the wall higher and they will
look for a ladder. Make it even higher, and they will look for dynamite. Governments should invest in awareness and education
instead of censorship.
The following States were assessed for their cybercrime laws.
UUAAEE
UAE is the first country in the Middle East to draft cybercrime law (Federal Law No.2 of 2006)
68. Department of Justice announced in
2010 that it will establish specialist cybercrime courts69
.
Although UAE has taken good steps in this law, it is still full of
surprises70
. According to a lawyer in Dubai, social media users may commit a crime by simply tagging a photo.
The law didn’t mention other crimes that could be committed using
the Internet such as malware development, piracy, copyright for
online contents and trademarks.
66 http://netsafe.me/2011/12/03/wikileaks-the-spy-files/ 67 http://www.etisalat.ae/assets/document/blockcontent.pdf 68 http://gulfnews.com/uaessentials/residents-guide/legal/uae-cyber-crimes-law-1.442016 69 http://www.hadefpartners.com/News/pageid/120-137/default.aspx?mediaid=110 70 http://www.thenational.ae/news/uae-news/uae-cyber-l aw-is-full-of-surprises
Cybercrime Legislation in the Middle East
QQaattaarr
There is no specific law for cybercrime in Qatar. But articles from
370 to 387 in the penal code could be used71
. In spite of good steps taken by Qatari government, it considered
incomplete and insufficient law. Not all types of cybercrime are found in the penal code and they should realize that a separate and
complete cybercrime law will be better.
SSaauuddii AArraabbiiaa
Saudi Arabia has passed special “system” covering cybercrime in
March, 200772
. It includes articles related to cybercrime but the “system” still not considered complete cybercrime law.
It lacks any definitions for cybercrime or articles for privacy and
freedom of speech. No specific procedures to investigate cybercrime
are mentioned in the drafted “System”.
OOmmaann
Oman has the first Arabic penal law that deals with cybercrime.
Part 7, chapter 1, articles 276bis, 276bis (1), 276bis (2), 276bis (3), and 276bis (4)
73 are all dealing with cybercrime.
But this can’t be considered complete cyber law as it lacks types of
cybercrime, investigation procedures, and other descriptions of
cybercrime.
Oman started on special law for cybercrime in 2008 as a draft, then issued in 2011 with 35 articles dealing with cybercrime
74.
This law is considered good achievement for Oman; however, it doesn’t include all types of cybercrime.
71 http://www.gcc-legal.org/mojportalpublic/DisplayLegislations.aspx?country=3&LawTreeSectionID=2582 72 http://www.mcit.gov.sa/NR/rdonlyres/32961456-5A71-4374-B175-515BB50FC999/0/Cybercrimeact.pdf 73 http://www.rop.gov.om/arabic/roprules/ROPRULE-1.pdf 74 http://www.ita.gov.om/ITAPortal_AR/MediaCenter/Document_detail.aspx?NID=64
Cybercrime Legislation in the Middle East
TTuunniiss iiaa
There is no cybercrime law in Tunisia.
Tunisian government issued in 2000 the Electronic Exchanges and
Electronic Commerce Law75
. It includes few articles that can be used to deal with cybercrime. But it can’t be considered sufficient law to
prosecute or investigate cybercrime cases.
MMoorrooccccoo
There is no cybercrime law in morocco. Government of morocco is using the law no. 07-03
76 to deal with information crimes
77. There
are also separate laws in morocco for electronic exchange. But all
these laws are not cybercrime laws and can’t be used to deal with cybercrime cases.
EEggyypptt
No cybercrime law in Egypt. But we can find improvements in
electronic signature law (2004)78
, intellectual property law (2002)79
, consumer protection law (2006)
80, and Telecommunications
regulation law (2003)81
.
Egypt invested heavily in ICTs and Internet services but didn’t
improve the legislation to deal with cybercrime issues. And current laws can’t be used to prosecute or investigate any cybercrime case.
“Operation Phish Phry” which we discussed earlier is an identical
transnational cybercrime case that couldn’t be solved using
available legislation in Egypt.
Diplomatic cables82
obtained by WikiLeaks revealed that Egyptian government was looking for International initiative to deal with
cybercrime.
75 E-Commerce Law Around the World: STEPHEN ERROL BLYTHE, Ph.D 76 http://www.parlement.ma/__print.php?filename=200803251141300 (Arabic) 77 http://www.aawsat.com/details.asp?article=176544&issueno=8964 (Arabic) 78 http://www.egypton.com/En/Ourprograms/IndustryInfrastructure/eSignature/Pages/default.aspx 79 http://en.wikipedia.org/wiki/File:Egyptian_Intellectual_Property_Law_82_of_2002_(English).pdf 80 http://www.legal500.com/c/egypt/developments/2903 81 http://www.tra.gov.eg/uploads/law/law_en.pdf 82 http://wikileaks.org/cable/2005/03/05CAIRO2469.html
Cybercrime Legislation in the Middle East
US government wanted Egypt to take the leadership role in the region to promote COE
83 convention on cybercrime as good starting
point. The cables also revealed that “US government supports the COE convention because it took five years to develop and the world
could not afford to spend another five years negotiating a different
convention while cybercrime further developed, and that the resources needed to negotiate a new convention could be better
spent on improving individual countries' capacities to fight cybercrime”
84.
In 2010, authorities in Egypt announced
85 that they will draft
special cybercrime law. But it seems to be something for
suppression of free speech. This law has never been issued due to Egyptian uprising that ousted Hosni Mubarak
86.
LLiibbyyaa
There is no law for cybercrime, communications, or any related
technologies in Libya.
AAllggee rriiaa
There is no cybercrime law in Algeria. But other Telecommunication Frameworks can be used such as Law No. 2000-03 (Chapter 2)
87.
This law sets out the general legal framework for telecommunications in Algeria. It contains a detailed institutional
framework, including the creation of the regulatory telecommunications authority. It includes also licensing,
interconnection, resources management, and penalties.
Penalties can be used with electronic communications including the
Internet88
but it is not sufficient to deal with cybercrime.
It seems that Algeria is looking to issue cybercrime law including articles for surveillance and censorship. But there are no more
details available at the moment89
.
83 http://www.coe.int/t/DGHL/cooperation/economiccrime/cybercrime/default_en.asp 84 http://wikileaks.org/cable/2005/04/05CAIRO2892.html 85 http://www.egynews.net/wps/portal/news?params=104691 (Arabic) 86 http://en.wikipedia.org/wiki/Timeline_of_the_2011_Egyptian_revolution 87 http://www.joradp.dz/JO2000/2000/048/F_Pag.htm 88 http://www.joradp.dz/JO2000/2007/037/AP13.pdf (Arabi c) 89 http://www.arabic.xinhuanet.com/arabi c/2009-07/09/content_904192.htm (Arabic)
Cybercrime Legislation in the Middle East
SSyyrriiaa
Syrian government issued law no.4 (2009)90
for electronic signature
and Internet services. Few articles in the law mentioned cybercrime but it can’t be considered sufficient.
On January 2012, Syrian government issued cybercrime law which
includes penalties and description of types of cybercrime91
.
Although it is good step by Syrian governments, it looks like they
wanted to apply more repression online. Authorities in Syria tried everything to suppress the uprising from military actions to online
surveillance and censorship92
. They even used spyware and viruses to hack into activists’ computers
93.
Issuing cybercrime law during the uprising doesn’t make any sense in combating cybercrime at all. By investigating this new law, we
can easily find many articles allow authorities to interfere with anything on the Internet and invade privacy of citizens.
This cannot be considered complete and efficient cybercrime law while Syrian government is violating every article in this law.
JJoorrddaann
Jordan issued temporary law no. 85 (2001) for Electronic
Transactions94
. But this is not a cybercrime law and can’t be used to prosecute cybercrime.
Later on 2012 government of Jordan drafted a temporary law for
cybercrime which is law no.30 (2010)95
.
This law doesn’t include definitions for cybercrime types and lacks
many articles that deal with privacy and freedom of speech in addition to cybercrime investigation procedures.
90 http://www.moct.gov.sy/moct/?q=ar/node/69 (Arabic) 91 http://www.moct.gov.sy/moct/?q=ar/node/247 (Arabic) 92 http://edition.cnn.com/2012/02/17/tech/web/computer-virus-syria/index.html 93 http://unremote.org/?p=942 94 http://www.lob.gov.jo/ui/laws/search_no.jsp?no=85&year=2001 95 http://www.lob.gov.jo/ui/laws/search_no.jsp?no=30&year=2010
Cybercrime Legislation in the Middle East
LLeebbaannoonn
There is no cybercrime law in Lebanon at the moment. But
government is looking to issue new law covering electronic transactions
96 with growing criticism.
There is only circular no. 4A (2006) for data protection and piracy
which includes penalties for software piracy and other related
issues. But it can’t be used to deal with cybercrime cases97
.
KKuuwwaaiitt
There is no cyber law in Kuwait but the government is currently studying special law for E-commerce
98.
IIrraaqq
No special cyber law in Iraq, however, the Iraqi cabinet is studying special law for e-signature and electronic transactions
99.
PPaalleess ttiinnee
No specific cybercrime law in Palestine.
Telecommunications and other related laws can be found at law website provided by Palestinian authority
100.
YYeemmeenn
No cyber crime law in Yemen. There is only special law for electronic
transactions and e-signature which is law no 40 (2006)101
.
96 http://al-shorfa.com/cocoon/meii/xhtml/ar/features/meii/features/main/2011/08/17/feature-02 97 http://www.wipo.int/wipolex/en/text.jsp?file_id=238141 98 http://www.kt.com.kw/ba/e-gov/kuwait.htm (Arabic) 99 http://www.aswaq-aliraq.com/inp/view.asp?ID=66 (Arabic) 100 http://www.dft.gov.ps/index.php?option=com_dataentry&pid=11&leg_id= 14 101 http://www.centralbank.gov.ye/ar/CBY.aspx?keyid=80&pid=74&lang=2&cattype=1 (Arabic)
Cybercrime Legislation in the Middle East
BBaahhrraaiinn
No cybercrime law in Bahrain. But government of Bahrain issued law no. 28 (2002) for electronic transactions
102. Lawyers in Bahrain
urged to ratify special law for cybercrime103
as current laws
considered insufficient to tackle cybercrime.
IInniittiiaattiivveess ttoo ttaacckkllee ccyybbee rrccrriimmee iinn MMEENNAA
Few countries in the Middle East developed special units to monitor, combat, or investigate cybercrime issues. Although it is considered
active strategy to deal with cybercrime, it is still need more progress at national and international levels.
The following table represents current CERT104
initiatives in MENA
Current CERT initiatives are currently working on different approaches, for example:
- Monitor security threats - Post online alerts for current threats
- Training and awareness on their websites - Working on security awareness campaigns
- Cooperation with government organizations and private sector
More efforts and effective security awareness campaigns in addition
to international cooperation need to be implemented.
CERTs need to work also as local focal points in their countries to raise the awareness for information security and cybercrime. They
need to work with subject matter experts on legal issues and
cybercrime legislation.
102 http://www.moic.gov.bh/NR/rdonlyres/90E87587-D2EC-4867-B174-C7EDD703DA3B/157/LegislativeDecreeno28of2002.pdf (Arabic) 103 http://www.alwasatnews.com/2996/news/read/510822/1.html (Arabic) 104 Computer Emergency Response Team
Cybercrime Legislation in the Middle East
CCoonncclluuss iioonn
After investigating cybercrime issues in the Middle East and North
African countries, we found that their legislation systems still need a
lot of improvements. Information and communication technology is a rapidly growing field that needs continuous work in technical and
legislative capabilities.
Recommendations to improve legislative and technical capabilities:
• Middle East countries need to improve national and
international cooperation in drafting cybercrime laws
• Governments need to extensively study the phenomenon of cybercrime in the region as it has special characteristics that
need to be addressed in the law
• Adding information security curriculums to local education
system at all levels.
• Invest in effective information security and cybercrime
awareness campaigns for policymakers, government departments, private sectors, and individuals.
• Develop education programs for judges, lawyers, prosecutors,
law enforcement, and judicial officers. They need to understand cyberspace, ICTs, cybercrime phenomena and
how to deal with cybercrime cases.
We need to realize that cybercrime is not the only threat in cyberspace. We are moving forward to new three-dimensional
reality with “Cyberwarfare”.
Cybercrime Legislation in the Middle East
CCoonnttaaccttss
Mohamed N. El Guindy President and Founder Information Systems Security Association Egypt Chapter Email: [email protected]
Blog: www.netsafe.me Websites: www.issa-eg.org www.askpc.net
Faisal Hegazy Programme Officer, ROMENA United Nations Office on Drugs and Crime Email: [email protected]
© 2012 ISSA-EG. All rights reserved.