In a whirlwind Tuesday meeting attended by a bevy of state officials, 14 articles of the cybercrime prevention bill were approved by Parliament’s Communications and Information Technology Committee (CITC) in a span of two hours.
The government-drafted bill, which is composed of 45 articles and includes 29 penalties sentencing offenders to up to five years in prison or fines of between LE,10,000 and LE20 million, was referred by the legislature’s speaker to the committee early this month and has largely been approved in principle.
The bill’s significance stems from the fact that, in the event that it is passed, it would be the first piece of legislation to regulate what is published on social media and establish principles to confront cybercrimes such as piracy and the hacking of private and government websites. Most importantly, the bill would set a precedent in regulating web censorship.
The gap in opinion between detractors and proponents of the bill does not center so much on whether cybercrime legislation is necessary, however, but on protection of data and the broad leeway the legislation would grant to authorities to place limitations on liberty.
For Ghada Moussa, the Planning, Monitoring and Administrative Reform Ministry’s transparency committee secretary general, there certainly is a need for a cybercrime law. But such a law, in her estimation, can only be part of a legislative package whose primary concern would be to make information available, with the identification of confidential information and regulation and protection thereof as a second priority, appended by a law to set exceptions and outline crimes.
Moussa points to the right to information law as another important legislative measure, whose delayed passage contributed to Egypt’s poorer ranking on Transparency International’s 2018 Corruption Perceptions Index (CPI) for the year of 2017.
Egypt’s score dropped by two points in the 2018 index, going from 34 in 2016 to 32 in 2017, slotting Egypt in at the 117(b) ranking out of the 180 states Transparency International reviewed.
On the other hand, Hassan al-Azhary, director of the legal unit at the Association of Freedom of Thought and Expression (AFTE), describes the bill as “rife with catches.” He argues that the bill is a continuation of several older bills that have been drafted and proposed under different titles since 2015. In fact, the defining features of these failed bills have made it into the new draft, constituting most its clauses. The principal difference, according to Azhary, is that the new draft introduces more censorship provisions. In his estimation, the bill will be approved by Parliament, with the possibility that the legislature will make changes to some minor, insignificant clauses and provisions.
Parliament’s CITC head Nidal al-Saeed believes that it is too early to criticize the bill. He tells Mada Masr that representatives of the ministries of communications and information technology, justice, defense, interior, foreign affairs and immigration; the State Information Service; the Cabinet’s Information and Decision Support Center; the Central Agency for Public Mobilization and Statistics; several media councils, authorities, agencies and services; the Consumer Protection Agency; the General Authority for Investment and Free Zones; the Central Bank of Egypt; the National Council for Childhood and Motherhood; and all “other relevant entities” have been involved in discussions around the bill.
According to Saeed, the bill is a top priority for the government and Parliament, and the committee will take the “requisite time” to carefully consider each article, with the aim of passing the legislation before the end of Parliament’s current session in July.
The committee reviewed and approved 14 articles on Tuesday, including the articles on the regulation of web censorship, appeals on censorship decisions, travel bans and the definition of national security. The outcome of the meeting raises the total number of approved articles to 21, as seven articles were approved on March 5.
Special attention, says Azhary, has been paid to providing judicial legitimacy for the web censorship decisions contained in the bill, making censorship decisions easier to take and shielding them from procedural obstacles that may arise as a result of the lack of coordination between various government entities at a later point.
Article 7 of the bill grants the relevant investigation authority the right to “order the censorship of websites” whenever “evidence arises that a website broadcasting from inside or outside the state has published any phrases, photos or films, or any promotional material or the like which constitute a crime, as set forth in this law, and poses a threat to national security or compromises national security or the national economy.”
Under the article, investigation authorities are obligated to “submit the censorship order to the competent court sitting in chambers within 24 hours of its issuance, accompanied by a legal memorandum which outlines its legal opinion, and the court shall render a decision within 72 hours after the submission of the order approving or rejecting thereof.”
In what the bill defines as “urgent cases” due to imminent danger, the article stipulates that “the competent investigation and interdiction entities” may inform the National Telecom Regulatory Authority (NTRA) in order for the latter to send notice to ISPs to block a website immediately. ISPs would then be required to execute the notice upon receipt. The investigation and interdiction entity which triggered the notice would then submit a report to the interrogation authorities within 48 hours noting that the procedure had been conducted, and the competent court would render a decision in the case to either uphold the censorship procedures or terminate them.
The State Council’s Legislative and Fatwa Committee suggested that this article be amended in a manner that guarantees that the investigation and interdiction entity would not enjoy greater power than that of the interrogation authority. The committee recommends – in its memorandum, which Mada Masr obtained a copy of – that the deadline for the investigation and interdiction entity’s procedure report in “urgent cases” be reduced to 24 hours, rather than 48 hours. This recommendation, however, was disregarded by the CITC.
Legislating censorship into legal practice is not the only problematic aspect of the bill for Azhary. It suffers, he says, from the same problems that have plagued several other pieces of recently passed legislation — namely the ambiguity of key definitions.
The bill’s explanatory memorandum, which was drafted by the Justice Ministry, specifically states that “avoiding ambiguity of definitions” is one of its primary purposes. The draft legislation has, however, included loose terminology, such as the definition of “digital evidence,” in an attempt to include an exceedingly wide range of technologies, according to Azhary. This, he believes, contravenes the need for a precise definition for the general concept of evidence, which is made essential by the substantive and procedural importance thereof at all stages of proceedings.
But the head of the CITC does not share Azhary’s sentiment. In fact, he praised the definition of “digital evidence” during Tuesday’s discussions, noting that the bill is the first to explicitly address the use of digital evidence as proof and impart on it authority equal to that of physical evidence in criminal investigations.
As defined by the technical regulations, digital evidence will be any probative piece of electronic data stored, transmitted, extracted or retrieved from computers, information networks and the like, which may be collected and analyzed using special devices, software or applications.
The CITC also amended a number of other definitions provided in Article 1 on Tuesday, including the definitions of the “protection of personal data,” as a definition is included in a separate piece of legislation, and “traffic data,” which the bill defines as data generated by an information system to indicate a communication’s origin, destination, sender, receiver, route, time, date, size, duration and type of service.
An agreement was also reached on defining the entities to be protected under the banner of “national security.” Ahmed al-Shobaky, the chair of the board of directors of the National Library and Archives of Egypt (NLA), requested that the NLA be added to the entities listed in the definition, citing the library’s possession of documents which concern national security entities’ affairs. However, Mohamed Hegazy, the Communication and Information Technology Ministry’s representative at Tuesday’s meeting, affirmed that a bill pertaining to the conservation of documents and data and electronic archiving is being drafted — at which point the discussion of the article was adjourned.
Parties to the meeting endorsed the definition of “national security” included in the government’s draft: “All that pertains to the independence, stability, security, unity and territorial integrity of the homeland and all that relates to the affairs of the Office of the President, the National Defense Council, the National Security Council, the Armed Forces, the Military Production Ministry, the Interior Ministry, the General Intelligence Service and the Administrative Control Authority and the entities affiliated therewith.”
Saeed postponed discussions on the definition of “website” and the second clause of Article 2, which pertains to maintaining the confidentiality of saved and stored data and its non-disclosure “without a substantiated order from a competent judicial authority.” The condition was contested by several government representatives and was, therefore, postponed by the head of the CITC.
Azhary also raises concerns regarding Article 26, which stipulates that anyone who violates “family principles and values observed in the Egyptian society” and “frequently sends a large number of emails” shall be liable to imprisonment for a term of six months and a fine of up to LE50,000.
His criticism extends to Article 31, which provides for stricter punishment for ISPs that may include imprisonment in a maximum security prison and a minimum fine of LE3 million, in the event that they refuse to comply with the decision of the competent authority pertaining to the censorship of a website and their refusal results in damage to national security or the death of one or more persons. Such repercussions, Azhary argues, would be impossible to prove in practice.
The State Council’s Legislative and Fatwa Committee stated that the ambiguity and generality of the bill, namely in Article 2, prompts “suspicion of unconstitutionality.”
Article 2 stipulates that ISPs shall be required to provide all technical capabilities upon request from national security entities but does not clearly state the nature of such capabilities and whether they include technologies, engineers or technicians, software, or all of the above. Yet, Article 34 criminalizes violation of the conditions laid out in Article 2.
The legislative committee stressed that the Justice Ministry’s draft was not in accordance with the established jurisprudence of the Supreme Constitutional Court, according to which, the notion of penalty – whether it be criminal, disciplinary or civil – signifies that a line which should not be crossed has been crossed. The draft also fails to specify the party that would bear the costs incurred by the investigation authorities’ use of technical capabilities, or approve compensation to ISPs for depriving them of the use during the period they are made available to national security entities.
The discussion of three portions of the bill was adjourned by the CITC head upon request from representatives of government agencies. The postponed items include the third item of Article 2, which pertains to the obligations and duties of ISPs. The approval process hit a snag when the representative of the Armed Forces raised an objection to the term “available,” citing that it was introduced after the bill was reviewed by the Legislative and Fatwa Committee at the State Council.
“Who is to say whether or not the ISP possesses such capabilities?” the Armed Forces representative said, demanding that the article’s original phrasing be restored.
According to Hegazy, the State Council’s Legislative and Fatwa Committee stated that, although the article in discussion necessitated that the ISP disclose all technical options if requested by the national security authorities, it did not specify what these “options” are. The Communications and Information Technology Ministry’s representative also stated that the committee’s remarks hinted that the constitutionality of the article is in question due to possible copyright violations.
When the possibility that ISPs might not cooperate with relevant authorities to disclose the requested information on grounds that they are incapable, the CITC head said that “technical experts are the ones who will determine whether not the ISPs are able to provide these options.” However, the Armed Forces representative insisted on adhering to the original text of the article, which led Saeed to postpone the approval of the article.
Azhary describes it as a repetition of article 67 of the telecommunications regulation law, which is also controversial and unclear in its use of the term “technical options.” The AFTE legal unit head says that the NTRA has cited article 67 to deny responsibility for blocking access to websites in Egypt, according to papers presented to the State Council after Mada Masr filed a lawsuit concerning the block of its website.
The generality that Azhary mentions also applies to Article 35 of the cybercrime prevention bill, which punishes violators with a maximum security prison sentence if they are charged with disrupting public order, endangering public safety and security, harming the country’s national security or economic status, or disrupting the implementation of constitutional and legislative provisions. The causality of the charges the article mentions, Azhary says, cannot be proven, a feature of legislation he notes has become an infection. In his opinion, as the bill has a disciplinary structure, it has to be more clear and less confusing.
For Azhary, the bill’s primary aim is to “legitimize” already existing measures, such as blocking users in Egypt from accessing specific websites. Azhary explains that Article 9 grants the public prosecutor the right to take precautionary measures, such as issuing travel bans, for attempted “immaterial” crimes, which he says more closely resembles incidents of misconduct.
According to Article 9, “If necessary or sufficient evidence is present to prove the seriousness of committing the charge or the attempted committing of the charge,” the public prosecutor, his representatives, or other investigation authorities have the right to issue travel bans.
The State Council’s legislative committee determined that the procedure was a violation of Article 62 of the Constitution, which specifies that travel bans should have a clear reason and should be for a specific period of time. The committee advised the Parliament to provide causes for the procedure.
In the explanatory memorandum appended to the bill, the Justice Ministry says the aim of the legislation is to strike a balance between the constitutional protection on confidentiality for private personal information, except in cases of judicial injunction, and the need to confront cybercrime and its effects.
The tradeoff that the bill makes, according to Azhary, is fewer protections for individuals in return for greater penalties in the event that government-affiliated websites, accounts or information is hacked .
The target of the law for the CITC head, however, concerns a range of cybercrimes: illegal organ trade, human trafficking, fraudulent marketing and online training, and piracy, in addition to breaches of government-affiliated websites and “terrorist sites” that aim to recruit youth. Saeed also asserted that each crime should be discussed on its own with the authorities, but that the bill reiterates the penalties outlined for existing crimes in the penal code.
Nonetheless, in each of these terrains the bill fails to differentiate between intentional and unintentional crimes, portioning out the same penalties to both, which Azhary says is an error carried over from other legislation. He points specifically to Article 16, which punishes whoever logs into a forbidden website, regardless of intention.
Articles 16 and 21, both of which make provision for punishments without reference to criminal intent, were passed on Tuesday. The penalties stipulated in Article 21 include imprisonment and a fine of no less than LE1 million and no more than LE5 million upon conviction of logging into government sites and destroying, changing, copying, recording or leaking any data, information, or accounts, regardless of the method used.
Discussions on Article 21 included demands that violators, whose crimes lead to the destruction of government projects, should receive harsher sentences. Ziad Abdel Tawab, the representative of the Cabinet’s Information and Decision Support Center, called for harsher penalties for cyberattacks that target government information systems, as they can disrupt or damage projects or infrastructure related to national security, including electricity plants, water stations, and gas pipes. The bill’s current fine of LE5 million is not enough, he argued.
MP Marianne Azer, a CITC member, asserted that the stipulated LE5 million is “very low” compared to the lives and money that may be lost in an attack.
Hegazy emphasized the importance of Azer’s comments but referred to the anti-terrorism law (Law 94/2015), which already covers such crimes.
If it is proven that a victim of a cybercrime fails to take sufficient protective and precautionary measures or fails to report a cybercrime, they too will be penalized under the proposed legislation, which Azhary says is another problematic feature of the bill. The AFTE legal unit’s head says that this contradicts the legal basis which requires a crime to have taken place for a penalty to be imposed. Azhary does not consider failing to report a violation of cybercrime legislation a crime.
For Saeed, the bill is an attempt to keep abreast of developments in the IT field, with regard to social media, websites in the private sphere and especially government platforms, as current laws do not punish individuals who are found to have hacked into private or government sites, the latter of which is considered a threat to national security.
While the CITC head is hopeful about the proposed legislation, Azhary says that it is unsuccessful in its attempt to distinguish between legal and illegal online activities, as it fails to outline the basis from which it can legally prove that a crime has taken place, the relation of individuals to what it calls “digital evidence” or the relation between crimes and the relevant penalties.
He asserts that the bill is weighted heavily in favor of arresting authorities, as the legal proceedings will rely on investigations that will be difficult to challenge or refute given the vague, often unclear definitions.
The Tuesday amendments are merely the latest step in the protracted process of passing cybercrime legislation. MP Tamer al-Shahawy submitted a draft law to the Cabinet’s Proposals and Complaints Committee in May 2016, which bore a distinct resemblance to a bill proposed by the Justice Ministry in March of the previous year. Around the time of the second proposal, several human rights organizations published a report titled “Anti-Technology,” which suggested that Shahawy’s draft “violates the principle of equality before the law and contains penalties regarding the use of information technology.” According to the report, the legislators who drafted the law had an “animosity” toward the internet, adding that should the bill be passed it would essentially lead to “a total ban on internet use.”
Shortly after, in September 2016, the Cabinet’s Legislation Reform Committee offered up another draft. Labeled the “IT Crimes Law,” it is the most similar to the legislation currently under discussion.