Cybercrime Legislation in the Middle East

Cybercrime Legislation in the Middle East


Cybercrime Legislation in The Middle East THE ROAD NOT TRAVELED

Mohamed N. El Guindy ICT Researcher & Cybercrime Expert [email protected]

Faisal Hegazy Programme Officer, ROMENA UNODC [email protected]

Published February 27, 2012


Contents 4................................................................................. Introduction 5........................................................ Internet Penetration in MENA 9.......................................................... Cybercrime Cases in MENA 9............................................................... Organized Cybercrime 12.......................................... Cybercrime: An Economic Problem 15........................................................... Definitions of Cybercrime 18.............................................................. International Legislation 18............................................... The United Nations Approaches 19........................... Council of Europe: Convention on Cybercrime 20........................................................ Cyber Legis lation in MENA 20.............................................................. History of censorship 21......................................................... Human Rights & Privacy 22........................................ Cybercrime Legis lation: Poor or none 23..................................................................................... UAE 24..................................................................................... Qatar 24.......................................................................... Saudi Arabia 24.................................................................................... Oman 25.................................................................................. Tunisia 25................................................................................ Morocco 25.................................................................................... Egypt 26.................................................................................... Libya 26.................................................................................. Algeria 27..................................................................................... Syria 27................................................................................... Jordan 28................................................................................ Lebanon 28.................................................................................. Kuwait 28....................................................................................... Iraq 28................................................................................ Palestine 28................................................................................... Yemen 29.................................................................................. Bahrain 29.................................. Initiatives to tackle cybercrime in MENA 30............................................................................. Conclusion 31................................................................................ Contacts


Introduction Investments by MENA countries in ICTs is expanding annually and even overtaking the rest of the world. Millions of home users and businesses in the region are joining the global cyberspace. Virtually all modern services depend on ICTs and in a way or another are connected to cyberspace which considered one of today’s battlefields (Air, Land, Sea, Space, and Cyberspace). Failure to understand this situation w ill leave Middle East countries vulnerable to all types of attacks. Due to lack of technical and legislative capabilities, our region expected to become the biggest source and target for cybercrime in 21st century. Drafting a cyber law or even dedicated cybercrime legislation is not the solution but part of it. Extensive study of Cybercrime phenomenon and its consequences on the region should be considered along w ith cyber security issues. Although most countries in the region don’t have specific legislation for cybercrime or cyberspace, we still can see few countries w ith little progress in the field. In this research, we w ill investigate Cybercrime related issue in the region and w ill study legislation w ith overview on each country.


Internet Penetration in MENA During the past two years MENA countries w itnessed fast grow ing numbers of internet users. Millions of home users joined cyberspace and social networking w ebsites during the Arab uprising. According to statistics, Internet users in Middle East region reached 77 million in December 20111. This growth outpaced rest of the world as usual.

(Fig.1 Source : Inte rnet World Sta ts)

With regard to North African states2, w e can find the follow ing facts: - Egypt ranked No.2 w ith over 21.6 million Internet users - Morocco ranked No. 3 w ith over 15.6 million users - Algeria ranked No.7 w ith over 4.7 million Internet users - Tunisia ranked No. 10 w ith over 3.8 million users - Libyan users reached 391.880 Total Internet users in North African countries reached 46 m illion in December 2011. The number of Internet users worldw ide is increasing dramatically. But the phenomenal growth in MENA has special triggers especially when they connect to the Internet to join social networking websites.

1 2

http://www.internetworldstats.com/stats5.htm http://www.internetworldstats.com/stats1.htm


The follow ing diagram represents few factors for grow th of user base in MENA countries.

(Fig.2 Growth of Use r Base )

Millions of users joined the Arabic blogosphere3 and social netw orking4 websites during the past few years. One of the interesting findings is that Libyan Internet users are all on Facebook. It is obvious evidence that Arab uprising and political issues are common factors for Internet user grow th in MENA. Additional effective reason for Internet grow th is that the region has the youngest population in the world w ith over 66.8% aged below 305 in Middle East and over 70% aged below 30 in Africa. If we look at latest trends related to Facebook and Tw itter in the region, we can find that over 9.3 million users from Egypt alone are on Facebook w ith over 1.214 million on Tw itter. Egypt is the largest population online when compared to other MENA countries6.

3

http://cyber.law.harvard.edu/publications/2009/Mapping_the_Arabic_Blogosphere http://thenextweb.com/socialmedia/2012/01/25/facebook -is-killing-local-social-n etworks-around-th eworld/ 5 http://blog.euromonitor.com/2012/02/special-report-the-worlds-young est-populations-.html 6 http://www.guardian.co.uk/world/2012/jan/26/african-twitter-map-continent-conn ected 4


Morocco comes next in North Africa w ith over 4 million users on Facebook. Saudi Arabia has the largest online population in Middle East region w ith over 4.5 million on Facebook w hile UAE comes next in Middle East w ith over 2.7 million users on Facebook. It’s worth mentioning that accurate numbers of Facebook and Twitter users can’t be guaranteed due to unrest and political reasons especially in Syria as most users are using VPNs to connect. Social Networks and web 2.0 applications played an important role in Arab uprising, political scene, and conflicts between all parties7. The follow ing chart proves that social media most commonly used to raise awareness during revolutions and spread information.

(Fig. 3: Use s of Socia l Media in Arab Uprising) (Source : Dubai School of Gove rnment8)

The grow th of user base in the region especially on Facebook w hich might be considered the 3rd largest nation9 on earth opens new challenges for users and governments as well. Social media offers a supreme opportunity for people to selforganize and to create “virtual communities” where people seem to be continuously interconnected w herever they may be on Earth10. But it has also the ugly faces w hich include cybercrime11, cyber attacks, cyber terrorism12, malw are13, digital espionage, open source intelligence14, propaganda15, and violation of privacy16. 7

http://www.dsg.fohmics.net/Portals/Pdfs/repo rt.pdf http://www.dsg.fohmics.net/en/asmr3/ASMRGeneralFindings3.aspx 9 http://www.economist.com/node/16660401 10 http://www.economist.com/node/21531109 11 http://www.thenational.ae/business/technology/cybercrime-ugly-face-o f-social-m edia 12 http://publicintelligence.net/u fouoles-dhs-terrorist-us e-o f-so cial-n etworking-facebook-case-study/ 13 http://nakedsecurity.sophos.com/koobface/ 14 https://www.privacyinternational.org/article/bbi-open-source-intelligen ce-and-soci al-mediamonitoring 15 http://www.wired.com/dangerroom/2011/07/darpa-wants-so cial-media-sensor-for-propag anda-ops/ 8


While governments in the region understand the importance of the Internet and invested heavily in ICTs, they are concerned over its use by opposition movements. They try censorship and crackdowns on bloggers using advanced western tools17 in addition to surveillance and hacking18 techniques to track activists instead of cybercriminals. Unfortunately, most Middle East users are vulnerable to all types of such attacks due to poor security awareness and education programs w ith absence of “privacy and cyber legislation” w hich make the governments’ job easier. Governments in the region are recently dealing w ith Internet as an Information weapon and this w ill be the biggest challenge w hen it comes to drafting or ratifying cyber legislations.

16 17 18

https://mice.cs.columbia.edu/getTechreport.php?techreport ID=1459 http://netsafe.me/2011/12/03/wikileaks-the-spy -files/ http://netsafe.me/2011/12/01/how-government-spies-on -you/


Cybercrime Cases in MENA Cybercrime is rising alarmingly in the Middle East not only due to growth of user base, but also for many other reasons such as poor security awareness, poor technical capabilities, and lack of legislation19. All these factors make it hard if not impossible in many cases to investigate and prosecute cybercrime in the region.

Org anize d Cybe rcrime “Operation Phish Phry 20” is one of the well-known cases in the Middle East which the FBI and Egyptian authority were investigating. One American from LA w ho was the key figure in this crime sentenced to 13 years in federal prison21 after being found guilty of leading an international phishing operation, and grow ing marijuana on an industrial scale in his house. There were nearly 47 Egyptians involved in this phishing case. Authorities in Egypt released 27 on April 201122 and the rest of them escaped and no punishment is imposed at the time of w riting23 this research.

The technique that is used by this crime ring is a very simple phishing tactic to collect over $1.5 million. The emails were designed to trick recipients into clicking on fraudulent link inside the email body and normally sent through spam campaign to harvested email accounts from specific area or country. Professional hackers sometimes encrypt the link or encode it in different formats in order to trick the victim.

19 20 21 22 23

http://netsafe.me/2011/06/19/21st-century -cyber-threats-and -the-middle-east-dilemma/ http://www.fbi.gov/news/stories/2009/october/phishphry_100709 http://latimesblogs.latimes.com/lanow/2011/06/la-man-sentenced-phishing-pot-gro wing.html http://gate.ahram.org.eg/UI/Front/Inner.aspx?NewsContentID=57993 (Arabi c) http://www.youm7.com/News.asp?NewsID=524004&SecID=203&IssueID=0 (Arabic)


Fraudulent link that will lead to phishing website to steal bank account information

(Fig. 4: Example of Phishing Ema il)

This link w ill forward the victim to a w ell-design phishing page that looks like the original bank w ebsite.

(Fig.5: Phishing website with ge nuine look ing content)

This Phishing website is hosted on a domain name w ith similar name of the legitimate bank to trick the victim; for example: http://citibank.verifyme.com


Once victims enter their bank account details, it will be sent to the responsible persons inside the ring. They seem to withdraw small amounts from $200 to $500 from many accounts so as not to arouse suspicion and make it difficult for banks to check on so many thefts. The amounts then transferred to fraudulent accounts coordinated by conspiracy ring. A portion of the illegally obtained funds were transferred via “Western Union” to the Egyptians. This crime can be categorized under one of the follow ing: - Identity Theft - Wire and Bank Fraud - Computer Fraud - Money Laundering The Technical identity theft or “Phishing” portions of the operation seem to have been conducted by the Egyptian group. Spam emails might be originated from Egypt and also the phishing websites. The latest report published by APWG24 revealed that Egypt has ranked in the top three countries for hosting phishing websites.

(Fig.6 Top countries hosting phishing we bsites) (Source : APW G 2011)

Egypt has ranked high in past reports (from 2007 to 2010) which make it big source of Phishing, Identity theft, and Spam.

24

http://www.antiphishing.org


Cybercrime cases such as “Operation Phish Phry” can fall under “Transnational Organized Crime” w hen conducted by group of people as described by United Nations Convention against Transnational Organized Crime: “ Organized criminal group shall mean a structured group of three or

more persons, existing for a period of time and acting in concert with the aim of committing one or more serious crimes or offences established in accordance with this Convention, in order to obtain, directly or indirectly, a financial or other material benefit” 25 Cybercriminals are increasingly sophisticated and sharing best practices. They are always looking for countries w ith poor legislation and poor security awareness to commit their crimes.

That leaves the Middle East vulnerable to new wave of complicated and organized cybercrime in the upcoming years.

Cybe rcrime : An Eco no mic Pro ble m According to “World Drug Report26” by UNODC, The global black market of “Global drug trafficking” is about $400 billion. Today’s cybercrime costs the economy $388 billion, Symantec revealed27. This shocking statistics is made up of tw o parts: $274 billion, Symantec's estimate of the value of time lost to cybercrime in the past year; added to $114 billion, said to be the industry's "direct cash costs." That is, the amount of money "spent on resolving cyber attacks" and the amount of money directly stolen by cybercriminals. Most Middle East and North African countries have ranked high in financial crimes such as fraud, bribery, corruption, and money laundering28. That makes the region suitable environment for “Financial Cybercrime”. 25

http://www.unodc.org/documents/treaties/UNTOC/Publications/TOC%20Convention/TOCebooke.pdf 26 http://www.unodc.org/documents/data-andanalysis/WDR2011/World_Drug_Report_2011_ebook.pdf 27 http://www.symantec.com/about/news/releas e/article.jsp?prid=20110907_02 28 http://www.pwc.com


The latest survey published by “PWC”29 revealed that cybercrime was experienced by 40% of respondents whose organizations had experienced economic crime in the last 12 months. In addition to over 35% feel their organizations have insufficient in-house capabilities to prevent, detect and investigate cybercrime. Cybercrime percentage in MENA is higher than the global average of 23% as it appears in Figure 7.

(Fig.7 Types of e conomic crime – Source: PWC 2012)

The region is also big target for cybercrime and even outpaced the global average of 17%, w hich makes it vulnerable to outside attacks.

(Fig.8 C ybe rcrime risk by bounda ries – Source : PWC 2012)

29

http://www.pwc.com


Outside attacks mean “Transnational crime” that target the region for financial gain. The latest “Symantec Cybercrime Report” revealed the follow ing alarming facts30: - 76% of UAE residents have fallen victims to cybercrime - Tw o citizens are affected by cybercrime every minute - Less than 25% of incidents are reported to the police - 53% of people don’t have up-to-date antivirus software - 20% of all cybercrime takes place in the mobile domain - Tw o weeks at least spent on fixing the damage from an attack The cost of cybercrime to the UAE economy was $611.3 million in both cash and the time it took to fix the damage during the 12 months between February 2010 and February 201131. One of the biggest problems in the Middle East is that these numbers might not be accurate enough. Most cybercrime victims might not know that they are attacked; they even don’t report it to authorities if they know , to protect their reputation. Although UAE has a dedicated cybercrime law , it can’t be considered complete solution to the problem. The main reason for the increase of attacks is due to lack of education and awareness not only legislation. Most GCC members seem to have the same problems of sophisticated threats that are quickly being put to work by the cybercriminals to target banks and their clients. Crimew are such as “Zeus32 and SpyEye33” are specifically built to attack banks’ customer computers34. Among Middle East countries there were higher infection rates in Egypt and Saudi Arabia35.

These phenomena tell the truth that Arab region becomes part of global cybercrime industry that knows no boundaries or crisis.

30

http://www.emirates247.com/business/technology/76-of-u ae-resid ents-are-victims-o f-cybercrime2011-09-18-1.419171 31 http://www.itp.net/586180-uae-faces -high-rates-o f-cyb er-crime 32 http://en.wikipedia.org/wiki/Zeus_(Trojan_horse) 33 http://www.net-security.org/malware_n ews.php?id=1784 34 http://www.spamfighter.com/News -15544-Middle-East-Online-Banking-Users -Easy-Targ ets-forCybercriminals.htm 35 http://www.zdnetasia.com/zeus-trojan -found-on -74000-pcs -in-global-botnet-62061270.htm


Definitions of Cybercrime There is no one definition for “Cybercrime”. You can see many definitions and terms drafted and used by either technicians or legislators. There is big difference between crimes committed using computers and the Internet and other crimes depend solely on computers and the Internet. When you understand this difference, you w ill be able to understand the difference between “Cybercrime” and “Computer related crime”. “Cybercrime” can be used as a narrow term for all types of “Computer crimes”, while “Computer related crimes” might refer to any crime that can be committed w ith or w ithout a computer system or netw ork. The 10 th United Nations Congress on the Prevention of Crime and the Treatment of Offenders held in Vienna, 10-17 April 200036, used two different terms to describe the term “Cybercrime”:

(Fig.9: C ybe rcrime De finitions a ccording to UN)

The term “illegal” might not be accurate in all States. An act might be illegal in one nation but not in another. The Australian Institute of Criminology uses different terms to deal w ith cybercrime such as “computer related crime, computer crime, Internet crime, and e-crime 37.

36 37

http://www.uncjin.org/Documents/congr10/10e.pdf http://www.aic.gov.au/en/crime_types/cybercrime/definitions.aspx


Council of Europe defines cybercrime as “Criminal offense committed against or w ith the help of computer networks; an offense against the confidentiality, integrity and availability of computer data and systems”38

The definitions are not the only challenge w hen dealing w ith cybercrime, there is also crime typology. Most cybercrime laws w ill have inconsistency w hen categorizing cybercrime.

(Fig.10: CoE crime typology)

Cybercrime categories might be overlapped in COE convention. But it is still the only complete w ork for defining and categorizing cybercrime. Understanding “Cyber space” is also very important to understand the meaning of “Cybercrime”. Many people think that Cyber space is the Internet, but this is not true. For example, a website might exist in cyberspace. But according to cyberspace interpretation, events taking place on the internet are not happening in the location w here that w ebsite is hosted or located but in cyberspace. The follow ing figure represents the three layers39 of cyber space.

38 39

http://conventions.coe.int/Treaty/Commun/QueVoulezVous.asp?NT=185&CL=ENG http://www.rand.org/pubs/monographs/2009/RAND_MG877.pdf


Data Layer Software Layer Physical Layer (Fig. 11: C ybe rspa ce la ye rs)

Physical layer consists of electrical energy, electronic components, and ICTs infrastructure. It is also called “Physical space”. Software and data are considered “Logical space” Cyberspace security depends on the CIA triad which means Confidentiality, Integrity, and Availability.

Confidentiality

Integrity

Availability (Fig. 12: CIA triad)

Any offense against (CIA) could be considered “cybercrime”. For example, Denial of Service attack (DoS) is an offense against (Availability) of data or information. Hacking into protected database or w ebsite is an offense against (Confidentiality) of data or information. Tampering or altering any online object on transit could be considered an offense against (Integrity) of data or information. There are also additional terms that can be added to the CIA triad such as “Authenticity”. In E-commerce or electronic signature it might be used to validate that both parties involved are who they claim they are.

Legislators should understand technical terms related to ICTs and cyber security when thinking of any related laws.


International Legislation The Unite d Natio ns Appro aches There is no International treaty or legal framew ork related to cybercrime. But the United Nations has adopted number of resolutions on combating the criminal misuse of information technologies as follows: - Resolution 55/36 (4 December 2000)40 - Resolution 56/121 (19 December 2001)41 Resolutions recommendations are considered general guidelines for member States to adopt w hen drafting cyber law . It includes also important recommendations for information flow , freedom of information, privacy, and protection of cyberspace. Example Recommendations: (a)

States should ensure that their laws and practice eliminate safe havens for those w ho criminally misuse information technologies;

(b)

Law enforcement cooperation in the investigation and prosecution of international cases of criminal misuse of information technologies should be coordinated among all concerned States;

(e)

Legal systems should protect the confidentiality, integrity and availability of data and computer systems from unauthorized impairment and ensure that criminal abuse is penalized;

The topic of cybercrime was also discussed at the 12 th UN Congress on Crime Prevention and Criminal Justice in Brazil 201042. At the congress there w ere very important recommendations for member States regarding legislative and technical capabilities needed to tackle cybercrime 43.

40

http://www.itu.int/ITU-D/cyb/cybersecurity/docs/UN_resolution_55_63.pdf http://www.itu.int/ITU-D/cyb/cybersecurity/docs/UN_resolution_56_121.pdf 42 http://www.unodc.org/unodc/en/crime-cong ress/12th-crime-cong ress.html 43 http://www.unodc.org/documents/crime-congress/12th-CrimeCongress/Documents/A_CONF.213_9/V1050382e.pdf 41


The congress also stressed the importance of UNODC as a specialized UN body to help member States in building capabilities to deal w ith cybercrime. In July 2011, the United Nations Economic and Social Council issued “Resolution 2011/33”44 on Prevention, protection and international cooperation against the use of new information technologies to abuse and/or exploit children. It is stressed on how information technology and the Internet are used to exploit or abuse children around the world w ith important recommendations for member States. In May 2011, ITU and UNODC signed a memorandum of Understanding to collaborate globally on assisting member States on both legislative and technical capabilities45. In December 2011, the United Nations Economic and Social Council published an important study entitled “Cyber norm emergence at the United Nations”46. This study stressed on the importance of cyberspace in current political conflicts, cyber space and cybercrime, and cyber cooperation between member States.

Co uncil o f Euro pe : Co nve ntio n o n Cybe rcrime The Council of Europe adopted the draft Convention on Cybercrime in 200147. The Convention on Cybercrime was opened for signature at a signing ceremony in Budapest on 23 November 2001. The treaty is currently signed by 15 States and ratified by 32 States. There are non-member States signed on this treaty such as (USA, Canada, and South Africa etc)48. Although this treaty is considered great efforts to tackle cybercrime, it faces criticisms 49 around the world50. There are also new phenomena that couldn’t be addressed using current CoE treaty such as Cyber Terrorism, Botnet, and phishing attacks. Cybercrime is changing rapidly and legislation need to be regularly updated to address new threats. 44 45 46 47 48 49 50

http://www.un.org/en/ecosoc/docs/2011/res%202011.33.pdf http://www.itu.int/ITU-D/cyb/cybersecurity/docs/cybercrime.pdf http://www.un.org/en/ecosoc/cybers ecurity/maurer-cyber-norm-dp -2011-11.pd f http://www.coe.int/lportal/web/coe-portal http://conventions.coe.int/Treaty/Commun/ChercheSig.asp?NT=185&CM=8&DF=&CL=ENG http://www.cs.brown.edu/courses/csci1950-p/sources/lec16/Vatis.pdf http://www.crime-research.org/library/CoE_Cybercrime.html


Cyber Legislation in MENA His to ry o f ce nso rs hip In most of the Middle East countries, communications and information media are controlled by governments. They need to control the information flow by applying censorship on print, broadcast media, and now the Internet. Local newspapers and television channels were broadcasting official statements and they were not allowed to criticize the government. The live media revolution started w ith the “CNN51” as it was the first TV channel to broadcast from Iraq during “Gulf War” resulting in over billion view ers worldw ide. This revolution changed the attitude of Middle East viewers towards their local channels. They started to understand that it can’t be credible source of information. In 1994 Saudi Arabia52 banned the satellite equipments and decoders followed later by Iran, Qatar53 and other countries. These various measures taken by governments didn’t seem to be effective. The Internet appeared in the Middle East in the 90s at the same time governments were struggling w ith the satellite issues, creating a new headache for those w ho want to control the flow of information to their countries. Saudi Arabia, as a leader for GCC States connected King Abdul Aziz City for Science and Technology to George Washington University in USA through BITNET54 in early 1990s then sw itched to the Internet. The Internet runs by state-owned telecommunication agencies through monopolized telephone lines. But access was only restricted to educational institutions and government departments. By 1997 there were 34 academic and commercial Internet service providers in Egypt. Most of Arab countries have only one semi-government Internet Service Provider such as Q-Tel in Qatar, Batelco in Bahrain, and Etisalat in UAE. Governments in the Middle East have taken the initiative to join the Internet and invested heavily in ICTs w hich results in other phenomena such as discussion boards, blogging55, and finally social networks. They started to apply censorship and surveillance56 as they did w ith satellite. 51 52 53 54 55 56

http://en.wikipedia.org/wiki/CNN http://www.independent.co.uk/news/world/saudi-arabi a-bans -all-satellite-dishes -1425819.html Disconnect ed: haves and have-nots in the information age, William Wresch, 1996 http://en.wikipedia.org/wiki/BITNET http://www.darrenkrape.com/blogging-the-middle-east/ http://netsafe.me/2011/12/03/wikileaks-the-spy -files/


Human Rig hts & Priv acy As members of the UN, all Arab countries “theoretically” recognize the Universal Declaration of Human Rights. But there are no practical procedures in Arab legislation to insure that declaration articles w ill be enforced. A rt icle 19.

“ Everyone has the right to freedom of opinion and expression; this

right includes freedom to hold opinions without interference and to seek, receive and impart information and ideas through any media and regardless of frontiers .” 57 No Arab State has approved any constitutional rules that guarantee “The Right to Information58” except in Jordan59 as it has an “Access to information law ” as of January 2012. There are other regional initiatives for proposal of laws but lack the mechanism to access of information. A rt icle 12.

“No one shall be subjected to arbitrary interference with his privacy, family, home or correspondence, nor to attacks upon his honour and reputation. Everyone has the right to the protection of the law against such interference or attacks.” 60 Privacy laws seem to be the weakest in most Arab countries. Few countries included “Privacy” in consumer protection laws, data protection laws, and constitution but not efficiently enforced. The follow ing countries have either special data protection law or privacy articles in constitution or in separate legislation:

57 58 59 60

http://www.un.org/en/documents/udhr/ http://rti-rating.org/ http://right2info.org/access -to-in formation-laws http://www.un.org/en/documents/udhr/


UAE • •

Constitution, Article 3161 Data Protection Law 200762 This law is to protect personal information of citizens as it is collected, processed and transferred.

Lebanon - Consumer Protection Law63 Jordan - Constitution, Articles 10 and 1364

Most governments in the region are violating privacy of citizens and don’t pay attention to even basic human rights that will be challenging when drafting cyber legislation.

Cybe rcrime Le g is latio n: Poo r o r no ne Cybercrime legislation in the Middle East is absent, except in UAE which has its own cybercrime law . In most cases, governments in the region use traditional laws, penal codes, or emergency laws to deal w ith cybercrime which make it hard if not impossible to investigate real cases. For example, authorities may prosecute “bloggers” as criminals in cases of libel, defamation, or criticism. In this case they deal w ith “website” or “blog” as a newspaper or published book w hich make it hard for courts to accept this. According to most publishing laws, websites can’t be treated as a newspaper, and blogger might not be considered a publisher or w riter. But in such cases authorities might use emergency laws65 to jail bloggers or crackdow n on activists.

61 62 63 64 65

http://www.mfnca.gov.ae/?lang=en&m=options&act=content_detail&content_id=442 http://dp.difc.ae/legislation/dp_protection/ http://www.economy.gov.lb/index.php/subCatInfo/2/11/4/0 http://www.kinghussein.gov.jo/constitution_jo.html http://opennet.net/research/regions/mena


Inconsistency in laws is a common factor when governments deal w ith cyberspace. Freedom of Speech and Privacy are good examples when authorities try to add special rules to apply censorship on websites. These rules w ill be incompatible w ith article 19 of the UN Universal Declaration of Human Rights w hich ratified by all Arab countries as member States in the UN. Many countries in MENA apply censorship and surveillance using technologies and software developed by w estern companies66 and there are no specific rules for w hat to be blocked. Anything could be considered prohibited according to this list by Etisalat67. Blocking contents is not good solution at all. People always want to know what’s behind the w all. Make the wall higher and they w ill look for a ladder. Make it even higher, and they w ill look for dynamite. Governments should invest in awareness and education instead of censorship. The follow ing States w ere assessed for their cybercrime law s.

UAE UAE is the first country in the Middle East to draft cybercrime law (Federal Law No.2 of 2006)68. Department of Justice announced in 2010 that it w ill establish specialist cybercrime courts69. Although UAE has taken good steps in this law , it is still full of surprises70. According to a law yer in Dubai, social media users may commit a crime by simply tagging a photo. The law didn’t mention other crimes that could be committed using the Internet such as malware development, piracy, copyright for online contents and trademarks.

66 67 68 69 70

http://netsafe.me/2011/12/03/wikileaks-the-spy -files/ http://www.etisalat.ae/assets/document/blockcontent.pd f http://gulfnews.com/uaessentials/residents-guide/legal/uae-cyb er-crimes -law-1.442016 http://www.hadefp artners.com/News/pag eid/120-137/default.aspx?mediaid=110 http://www.thenational.ae/news/uae-n ews/uae-cyb er-l aw-is-full-o f-surp rises


Qatar There is no specific law for cybercrime in Qatar. But articles from 370 to 387 in the penal code could be used71. In spite of good steps taken by Qatari government, it considered incomplete and insufficient law . Not all types of cybercrime are found in the penal code and they should realize that a separate and complete cybercrime law w ill be better.

Sau di Ara bia Saudi Arabia has passed special “system” covering cybercrime in March, 200772. It includes articles related to cybercrime but the “system” still not considered complete cybercrime law . It lacks any definitions for cybercrime or articles for privacy and freedom of speech. No specific procedures to investigate cybercrime are mentioned in the drafted “System”.

Oman Oman has the first Arabic penal law that deals w ith cybercrime. Part 7, chapter 1, articles 276bis, 276bis (1), 276bis (2), 276bis (3), and 276bis (4)73 are all dealing w ith cybercrime. But this can’t be considered complete cyber law as it lacks types of cybercrime, investigation procedures, and other descriptions of cybercrime. Oman started on special law for cybercrime in 2008 as a draft, then issued in 2011 w ith 35 articles dealing w ith cybercrime 74. This law is considered good achievement for Oman; however, it doesn’t include all types of cybercrime.

71

http://www.gcclegal.org/mojportalpublic/DisplayLegislations.aspx?country=3&LawTreeSectionID=2582 72 http://www.mcit.gov.sa/NR/rdonlyres/32961456-5A71-4374-B175515BB50FC999/0/Cybercrimeact.pd f 73 http://www.rop.gov.om/arabic/roprules/ROPRULE-1.pd f 74 http://www.ita.gov.om/ITAPortal_AR/MediaCenter/Document_detail.aspx?NID=64


Tunis ia There is no cybercrime law in Tunisia. Tunisian government issued in 2000 the Electronic Exchanges and Electronic Commerce Law75. It includes few articles that can be used to deal w ith cybercrime. But it can’t be considered sufficient law to prosecute or investigate cybercrime cases.

M o rocco There is no cybercrime law in morocco. Government of morocco is using the law no. 07-0376 to deal w ith information crimes77. There are also separate laws in morocco for electronic exchange. But all these laws are not cybercrime laws and can’t be used to deal w ith cybercrime cases.

Eg ypt No cybercrime law in Egypt. But w e can find improvements in electronic signature law (2004)78, intellectual property law (2002)79, consumer protection law (2006)80, and Telecommunications regulation law (2003)81. Egypt invested heavily in ICTs and Internet services but didn’t improve the legislation to deal w ith cybercrime issues. And current law s can’t be used to prosecute or investigate any cybercrime case. “Operation Phish Phry” which we discussed earlier is an identical transnational cybercrime case that couldn’t be solved using available legislation in Egypt. Diplomatic cables82 obtained by WikiLeaks revealed that Egyptian government was looking for International initiative to deal w ith cybercrime.

75 76 77 78 79 80 81 82

E-Commerce Law Around the World: STEPHEN ERROL BLYTHE, Ph.D http://www.parlement.ma/__print.php?filename=200803251141300 (Arabic) http://www.aawsat.com/details.asp?article=176544&issueno=8964 (Arabic) http://www.egypton.com/En/Ourprograms/IndustryIn frastructure/eSignature/Pages/d efault.aspx http://en.wikipedia.org/wiki/File:Egyptian_Intellectual_Property_Law_82_o f_2002_(English).pd f http://www.legal500.com/c/egypt/developments/2903 http://www.tra.gov.eg/uploads/law/law_en.pdf http://wikileaks.org/cable/2005/03/05CAIRO2469.html


US government wanted Egypt to take the leadership role in the region to promote COE83 convention on cybercrime as good starting point. The cables also revealed that “US government supports the COE convention because it took five years to develop and the w orld could not afford to spend another five years negotiating a different convention w hile cybercrime further developed, and that the resources needed to negotiate a new convention could be better spent on improving individual countries' capacities to fight cybercrime”84. In 2010, authorities in Egypt announced85 that they w ill draft special cybercrime law . But it seems to be something for suppression of free speech. This law has never been issued due to Egyptian uprising that ousted Hosni Mubarak86.

Liby a There is no law for cybercrime, communications, or any related technologies in Libya.

Alge ria There is no cybercrime law in Algeria. But other Telecommunication Frameworks can be used such as Law No. 2000-03 (Chapter 2)87. This law sets out the general legal framework for telecommunications in Algeria. It contains a detailed institutional framework, including the creation of the regulatory telecommunications authority. It includes also licensing, interconnection, resources management, and penalties. Penalties can be used w ith electronic communications including the Internet88 but it is not sufficient to deal w ith cybercrime. It seems that Algeria is looking to issue cybercrime law including articles for surveillance and censorship. But there are no more details available at the moment89. 83 84 85 86 87 88 89

http://www.coe.int/t/DGHL/cooperation/economiccrime/cybercrime/d efault_en.asp http://wikileaks.org/cable/2005/04/05CAIRO2892.html http://www.egynews.net/wps/portal/news?params=104691 (Arabic) http://en.wikipedia.org/wiki/Timeline_of_the_2011_Egyptian_ revolution http://www.joradp.dz/JO2000/2000/048/F_Pag.htm http://www.joradp.dz/JO2000/2007/037/AP13.pdf (Arabi c) http://www.arabic.xinhuanet.com/arabi c/2009-07/09/content_904192.htm (Arabic)


Sy ria Syrian government issued law no.4 (2009)90 for electronic signature and Internet services. Few articles in the law mentioned cybercrime but it can’t be considered sufficient. On January 2012, Syrian government issued cybercrime law w hich includes penalties and description of types of cybercrime 91. Although it is good step by Syrian governments, it looks like they wanted to apply more repression online. Authorities in Syria tried everything to suppress the uprising from military actions to online surveillance and censorship92. They even used spyware and viruses to hack into activists’ computers93. Issuing cybercrime law during the uprising doesn’t make any sense in combating cybercrime at all. By investigating this new law , we can easily find many articles allow authorities to interfere w ith anything on the Internet and invade privacy of citizens. This cannot be considered complete and efficient cybercrime law while Syrian government is violating every article in this law .

J o rdan Jordan issued temporary law no. 85 (2001) for Electronic Transactions94. But this is not a cybercrime law and can’t be used to prosecute cybercrime. Later on 2012 government of Jordan drafted a temporary law for cybercrime which is law no.30 (2010)95. This law doesn’t include definitions for cybercrime types and lacks many articles that deal w ith privacy and freedom of speech in addition to cybercrime investigation procedures.

90 91 92 93 94 95

http://www.moct.gov.sy/moct/?q=ar/node/69 (Arabic) http://www.moct.gov.sy/moct/?q=ar/node/247 (Arabic) http://edition.cnn.com/2012/02/17/tech/web/computer-virus-syria/index.html http://unremote.org/?p=942 http://www.lob.gov.jo/ui/laws/search_no.jsp?no=85&year=2001 http://www.lob.gov.jo/ui/laws/search_no.jsp?no=30&year=2010


Le bano n There is no cybercrime law in Lebanon at the moment. But government is looking to issue new law covering electronic transactions96 w ith grow ing criticism. There is only circular no. 4A (2006) for data protection and piracy which includes penalties for software piracy and other related issues. But it can’t be used to deal w ith cybercrime cases97.

Kuwa it There is no cyber law in Kuwait but the government is currently studying special law for E-commerce98.

Iraq No special cyber law in Iraq, however, the Iraqi cabinet is studying special law for e-signature and electronic transactions99.

Pales tine No specific cybercrime law in Palestine. Telecommunications and other related laws can be found at law website provided by Palestinian authority100.

Ye me n No cyber crime law in Yemen. There is only special law for electronic transactions and e-signature w hich is law no 40 (2006)101.

96

http://al-shorfa.com/cocoon/meii/xhtml/ar/features/meii/features/main/2011/08/17/feature-02 http://www.wipo.int/wipolex/en/text.jsp?file_id=238141 98 http://www.kt.com.kw/ba/e-gov/kuwait.htm (Arabic) 99 http://www.aswaq-aliraq.com/inp/view.asp?ID=66 (Arabic) 100 http://www.dft.gov.ps/index.php?option=com_dataentry&pid=11&leg_id= 14 101 http://www.centralbank.gov.ye/ar/CBY.aspx?keyid=80&pid=74&lang=2&cattype=1 (Arabic) 97


B ahrai n No cybercrime law in Bahrain. But government of Bahrain issued law no. 28 (2002) for electronic transactions102. Law yers in Bahrain urged to ratify special law for cybercrime103 as current law s considered insufficient to tackle cybercrime.

Initiativ es to tack le cybe rcrime in M ENA Few countries in the Middle East developed special units to monitor, combat, or investigate cybercrime issues. Although it is considered active strategy to deal w ith cybercrime, it is still need more progress at national and international levels. The follow ing table represents current CERT104 initiatives in MENA

Current CERT initiatives are currently working on different approaches, for example: - Monitor security threats - Post online alerts for current threats - Training and awareness on their websites - Working on security awareness campaigns - Cooperation w ith government organizations and private sector More efforts and effective security awareness campaigns in addition to international cooperation need to be implemented. CERTs need to work also as local focal points in their countries to raise the awareness for information security and cybercrime. They need to work w ith subject matter experts on legal issues and cybercrime legislation.

102

http://www.moic.gov.bh/NR/rdonlyres/90E87587-D2EC-4867-B174C7EDD703DA3B/157/LegislativeDecreeno28o f2002.pd f (Arabic) 103 http://www.alwasatnews.com/2996/news/read/510822/1.html (Arabic) 104 Computer Emergency Response Team


Co nclus io n After investigating cybercrime issues in the Middle East and North African countries, we found that their legislation systems still need a lot of improvements. Information and communication technology is a rapidly grow ing field that needs continuous w ork in technical and legislative capabilities. Recommendations to improve legislative and technical capabilities: •

Middle East countries need to improve national and international cooperation in drafting cybercrime laws

•

Governments need to extensively study the phenomenon of cybercrime in the region as it has special characteristics that need to be addressed in the law

•

Adding information security curriculums to local education system at all levels.

•

Invest in effective information security and cybercrime awareness campaigns for policymakers, government departments, private sectors, and individuals.

•

Develop education programs for judges, law yers, prosecutors, law enforcement, and judicial officers. They need to understand cyberspace, ICTs, cybercrime phenomena and how to deal w ith cybercrime cases.

We need to realize that cybercrime is not the only threat in cyberspace. We are moving forward to new three-dimensional reality with “Cyberwarfare”.


Co ntacts Mohamed N. El G uindy Preside nt a nd Founde r Informa tion Systems Se curity Associa tion Egypt Cha pte r Ema il: [email protected] Blog: www.ne tsafe .me Websites: www.issa -eg.org www.a sk pc.ne t

Faisal Hegazy Programme Office r, ROMENA Unite d Nations O ffice on Drugs and C rime Ema il: Fa isa l.Hega [email protected]

© 2012 ISSA-EG. All rights rese rved.