You’re hanging out on the street and you see a famous actor riding in a car with a senior government official. You take out your phone, snap a photo of them and post it online.
A news media website picks up your photo, publishes a story on their website, linking the story to earlier news of the celebrity’s connection to the senior government official, and shares it on social media platforms.
The story finds its way to the government official in the photo. He files a lawsuit, as is his right under the provisions of the cybercrime law, which was ratified by the president on August 18.
First: You will be prosecuted for publishing a personal photo without the consent of the person in it. You can now be punished, in accordance with the cybercrime law, with a prison term of no less than six months and/or a fine ranging between LE50,000 and LE100,000. The editor, developer and host of the news media website, as well as the social media officer running its accounts – whether that officer works directly for the media outlet or for a third party service provider – will also face the charge of “facilitating a crime punishable by law,” which carries no less than two years in prison and/or a fine ranging between LE20,000 and LE200,000.
What if the investigators find that your internet service provider (ISP) did not collect and retain your browsing data, traffic data and traffic content for the past 180 days? Or that the company hosting the media website did not collect the same information about the website editors? These two companies are now liable to a fine of at least LE5 million and up to LE10 million, and they may lose their licenses to operate in Egypt.
This is an example to illustrate the multiple parties that stand subject to prosecution, under the new cybercrime law, for an everyday act like publishing a photo of a celebrity or public figure in a public place. The law – passed to “protect citizens and safeguard their freedom,” according to head of Parliament’s Communications and Information Technology Committee Nidal al-Saeed — defines a broad scope of penalties that apply to a wide range of persons.
Mada Masr has developed this guide to make sense of how this law will affect our daily activities — whether as casual internet users or as telecom and information technology (IT) professionals who work in web development, system administration, hosting, digital marketing, information security or online journalism.
As a casual user
- If you post original content — videos, photos or texts — on websites or social media platforms, and that content violates the privacy of others and is posted without their consent, the applicable penalty is no less than a six-month prison term and/or a LE50,000 to LE100,000 fine, in accordance with Article 25. The penalty is applicable regardless of the validity of the information involved, even if the information pertains to a public figure and is in the public interest. For example, if you post a photo of Egypt’s interior minister having dinner with his Russian counterpart at a restaurant, you are liable for prosecution.
- If the original content you post may be construed as “[violating] family principles and values upheld by Egyptian society” — let’s say, content promoting women’s right to abortion — you may receive a minimum of six months in prison and/or a fine ranging between LE50,000 and LE100,000, under the same Article 25.
- Creating parody accounts (of public figures) is also punishable by the new law. Article 24 stipulates that anyone who creates an email address, website or personal account and “fraudulently” attributes it to a legally registered individual or organization should be imprisoned for a term of no less than three months and/or a fine of LE10,000 or up to LE30,000. If the account insults the person it parodies, the minimum term is a year in prison, while the minimum fine is LE50,000 and the maximum LE200,000.
- You can be held accountable for accessing or hacking a website, private account, database or device, whether you access it intentionally or unintentionally and “then wrongfully remain inside.” Let’s say that you have an account on the government’s e-procurement portal, and you accidentally access a file containing a list of companies bidding for a certain project. You will be penalized with time in prison of no less than a year and/or a fine ranging between LE50,000 and LE100,000. If the fact that you accessed the file leads to the damage, erasure, altering, copying or redistribution of data or information, the term of imprisonment extends to no less than two years, according to the provisions of Article 15.
- Encryption and online security services, such as the Tor browser and virtual private networks (VPNs), incur liability for both users and service providers as well. Under Article 22, “whoever possesses, acquires, obtains, sells, makes available, manufactures, produces, imports, exports or circulates any device, equipment, software, pass codes, passwords or any similar data without permission from the [National Telecom Regulatory] Authority (NTRA), good reason or legal justification” shall be penalized with imprisonment for a term of no less than two years and/or a fine of no less than LE300,000 and no more than LE500,000, if the motive of doing so is proven to be using them to perform any of the actions that the cybercrime law defines as unlawful; or concealing traces or evidence of any of these actions.
- Finally, if you use wireless networks around you with or without the knowledge of their owners, reach an agreement with your neighbor to use their internet service, or use broadcasting channels (for example, a walkie-talkie) without a communications permit or a video/audio broadcasting license, you could receive a prison sentence of no less than three months and be fined between LE10,000 and LE50,000, under Article 13.
As a service provider
The law defines a service provider as a legal individual or organization which provides users with information technology and telecom services. The definition applies to telecom operators, ISPs, web hosts, email service providers, software development companies and internal network solution services, among other IT service providers.
The cybercrime law renders service providers legally liable in the following conditions:
- Overlooking censorship orders: If a censorship order or directive is issued by the competent authority against a certain website and a service provider fails to carry out that order, Article 30 stipulates that the service provider shall be imprisoned for no less than a year and/or receive a fine of between LE500,000 and LE1 million. However, the article does not specify who would be subject to imprisonment — the owner(s) of the company or the employee(s) directly in charge of web censorship activities.
- Interception: The law defines interception as the “wrongful viewing or obtaining of data or information for illegitimate reasons by means of eavesdropping, interrupting, storing, copying, recording, altering, abusing, redirecting or rerouting.” In light of this definition and under the provisions of Article 16, you — a telecom company or an ISP — would be liable to no less than a year in prison and/or a LE50,000 to LE250,000 fine, if you wrongfully view your clients’ online activities through the use of an intermediary device or eavesdrop on them.
This translates to legal liability if you, as a service provider, censor a website “wrongfully or for illegitimate reasons,” since censoring a website involves “redirecting” or “rerouting” the data of users who send requests for that website. Lawful censoring of a website requires an order or directive that has to have been issued by the competent authority. Such an order can be issued by an investigative authority, which may submit a censorship request to the competent court. The court is then allowed 72 hours to examine the request and issue a verdict. If the matter is urgent, the investigative or the interdiction authority may inform the NTRA, which will then issue a censorship directive. The investigative authority is then required to submit a report to the competent court, which may sustain the directive or overturn it.
The law does not make an exception for intercepting data in order to test the security of networks or devices.
- Storing and sharing client data: Telecom, web hosting and cloud computing companies are required under Article 2 to retain data to identify their users, traffic data and other data content for 180 days. If a telecom company cannot provide a record of the identities of its users, their call logs, browsing histories and their call destinations, volume, durations and content for the past 180 days, it faces a fine of between LE5 million and LE10 million, stipulated in Article 33, for non-compliance with Article 2. In the event of a repeat offense, the fine can be doubled to an upper limit of LE20 million, and the court may revoke the company’s license to operate in Egypt.
Yet the provisions of the law do not take into account the fact that cloud computing service providers are now using stronger encryption techniques, which prevent the company itself from accessing user content. For example, an e-commerce hosting service provider would have to roll back its digital security standards in order to comply with the cybercrime law and provide a record of users’ data. Data types could include users’ credit information, and such measures could entail making the data more vulnerable to hacking.
Meanwhile, as a service provider, you are required to secure the user data that the cybercrime law requires you to collect and to keep said data confidential, with the exception of law enforcement and security authorities. Failure to comply with this requirement would make you liable to further penalties of no less than a year in prison and/or fines of LE5,000 to LE20,000 under Article 31. Multiple fines can be incurred in the event that the data of multiple victims are not secured.
Your responsibility does not end here. You — as a telecom, email, hosting or cloud computing service provider — are required to provide “the technical capabilities that allow national security entities to exercise their duties as stipulated by the law.” The law does not specify what functions these entities may perform. Let’s say, for instance, that a national security entity wishes to track down and identify the admin of a Facebook page or a user who posted a comment on a website. Under the law, the responsibility to provide the technology that the entity would need to accomplish this falls on the telecom company, the hosting service provider and even Facebook itself. Failure to comply could earn you a penalty of no less than three months in prison and/or a LE200,000 to LE1 million fine.
The law also requires telecom, email, hosting and cloud computing service providers to comply with the orders of investigative authorities by handing over to judicial officers all data or information that the service provider has that relate to an information system or device that is under its control or stored by it, as well as a service user’s data and data pertaining to traffic flowing through that system or device. But the grounds for such an order must be specified in all cases, as per Article 6. Failure to comply is punishable, under Article 32, with a prison term of no less than six months and/or a fine of LE20,000 to LE100,000.
- Sharing users’ data: As a service provider, you are required to obtain a client’s consent before you can send them promotional electronic messages, such as SMS messages containing your latest offers. User consent is also required for you to provide their data to a system or website for the purpose of promoting goods or services, such as giving their phone number to a food franchise that will use it to promote an offer. Any service provider or company found to be in violation of this requirement faces a penalty of no less than six months in prison and/or a LE50,000 to LE100,000 fine, under Article 25. The law does not specify whether consent must be explicitly obtained or whether it may be included as part of the terms of service, which typically require the client to consent to the use of their data for promotional purposes if they are to use the service. The law also fails to specify terms to regulate a client’s right to revoke their consent after it is given.
- Reporting crimes against companies that use your services: You are an employee or a company that manages a website or an information system on behalf of another company or person. The website or system that you manage carries out an offense punishable under the cybercrime law. Should you fail to report that crime, you will be held legally liable under Article 35. This liability extends to employees of the service provider as well as the acting administrator(s), under Article 36, regardless of whether or not the employee acted in compliance with administrative instructions. The court may also suspend your license to practice as a service provider for up to a year, if the “acting administrator(s) at the company is (are) proven to have been aware of or to have facilitated any of the aforementioned acts” committed by an employee. In the event of a repeated offense, the court may revoke the service provider’s license or dissolve the company.
As a digital security expert
For a subset of service providers, including security service providers and hackers, the law stipulates a number of additional punishable acts. These may occur in the course of testing infrastructure and information systems for security vulnerabilities, and the penalties for them are applicable whether you act as an independent digital security specialist or an employee at a company providing digital security services.
- Let’s say that you work as a digital security consultant at a private company or government department. It is a punishable offense under the new law for you to access a website, private account or information system for a longer time or to a greater extent than your security clearance permits, regardless of your intention. The penalties would apply even if you are testing the company or department’s information system, website or account for vulnerabilities. For instance, a cybersecurity infrastructure specialist who discovers a security vulnerability in the civil registration database is an offender in the eyes of the law. You stand to be imprisoned for six months or more and to pay fines between LE30,000 and LE50,000, under Article 14. If you access the information with the intention of obtaining government data, Article 20 makes provision for both penalties (imprisonment and/or a fine), with the fine being set between LE100,000 and LE500,000. If you access those government data in order to process them, the limits of the fine are increased to between LE1 million and LE5 million and come alongside imprisonment, per the same article.
- What if you uncover vulnerabilities in a technique that is used to transfer credit data (bank card numbers and data pertaining to them)? You can get at least three months in prison and/or a LE30,000 to LE50,000 fine, per Article 23. If you use that credit information to make purchases or benefit from the services to which the information grants access, the minimum term of imprisonment is six months and the fine ranges between LE50,000 and LE100,000. If you are able to seize funds belonging to someone else by using the data, the penalty is a prison term of at least a year and/or a fine of LE100,000 to LE200,000. But there is no language in the article to set acts committed with malicious intent apart from those committed with the intention of demonstrating a weakness in the system without causing harm to the party to whom the data belongs.
- Discovering vulnerabilities in an information system that belongs to a private company or a government network – whether discovered in the course of examining the system or network, or to demonstrate a weakness in the network, system or website – constitutes “unlawful access” on your part as a cybersecurity specialist. It is an offense that comes with a penalty of imprisonment for no less than a year and/or a fine of LE50,000 or up to LE100,000. Under articles 15 and 17, a penalty of no less than two years in prison and/or a LE100,000 to LE200,000 fine follows if such access results in the damage, erasure, altering, copying or redistribution of the data or information on a website, private account or information system, even if it is meant to clean the system of malware. Now, let’s say that you find these vulnerabilities in a state-owned or state-controlled information system, such as the income tax database, or that you find security vulnerabilities in the government’s online portal. In this case, the penalty you will face will be residence in a prison cell for at least two years and/or a fine between LE50,000 and LE200,000, as provided in Article 20.
- Lighter penalties are provided for hacking into personal accounts and emails, but the motive is also disregarded. The penalty is no less than a month in prison and/or a fine of LE50,000 to LE100,000, even if you hack into the account to demonstrate how weak the password or network used to access the account is. A harsher penalty of no less than six months in prison and/or a LE100,000 to LE200,000 fine is provided for hacking into an email, website or private account that belongs to a private legal person, per Article 18.
- Interacting with the design of a website is also an offense that is punishable with no less than three months in prison and/or a LE20,00 to LE100,000 fine. It applies to anyone who wrongfully damages, brings down, slows down, disfigures, hides or alters the design of a website that belongs to a company, institution, establishment or natural person, per Article 19.
As a web, account, email or information system administrator
If you are an employee at a company that provides web hosting services, or if you are a web designer, an editor who enjoys admin privileges to the content management system of a website, or a social media officer who runs a company’s page, you are a web administrator in the eyes of the law. The definition the law provides is: “Anyone who is in charge of the organization, administration, management or maintenance of one or more websites on [the internet,] including [anyone who controls] users’ rights to access the website, designs it, generates or controls its pages or the content on it, or administers it.” The law holds you liable for a special set of offenses, whether you are a full-time web admin or a service provider.
- First, you bear responsibility if content that is prohibited by the law (in the form of an article or a comment, for example) is published on a website that you administer (design, edit or host), posted by a private social media account that you manage, or shared via an email account that you manage. Such content could be a photo of a public figure that is published, posted or shared without the consent of the subject, art that contains criticism of motherhood which could be deemed by the law to be “not in line with family values that are upheld by society,” a parody account of a public figure, or an op-ed piece on the corruption of that public figure which may be deemed by the law as “a threat to national security.” Even if you have no control over the content, you stand to receive a sentence of two (or more) years and/or be forced to pay between LE20,000 and LE200,000 as a fine. If the content is published or circulated as the result of negligence, then you, as a web administrator, are liable to no less than six months in prison and/or a LE10,000 to LE100,000 fine, under Article 29.
- If a website, private account or information system is used to commit any crime that is punishable by the cybercrime law, each of the website’s developers or administrators (designer, editor or host) will be penalized with no less than two years in prison and/or a LE100,000 to LE300,000 fine, under Article 27.
- Erasing evidence pertaining to a punishable offense, under this law, is also punishable. If a reader posts a comment that contains criticism of the military to your Facebook page or if they share such content via email and you delete that comment or email, you face a penalty of at least six months in prison and/or a LE20,000 to LE200,000 fine.
If you are a government employee
The court may issue a ruling to temporarily suspend a government employee from their job if they commit any of the acts that are punishable by the law. This suspension becomes mandatory sentencing if the website, email account or information system that belongs to the government entity you work at – and whose online presence you manage – is the object of any act that the cybercrime law defines as punishable, and you do not report it to the competent authority at the time you become aware of it.
Conciliation for punishable offenses
Conciliation is defined by the cybercrime law as reaching an amicable agreement between the offender and the victim in connection with some offenses. The victim or their legal attorney can come before the court and state that the two parties have reached a settlement or submit a [document] to that effect, in which case the action is settled. It is not within the court’s purview to decline the motion. This, however, only applies to a select set of punishable offenses.
These are the main points of how this law regulates conciliation:
- Recourse to conciliation is possible at any stage of proceedings, provided that a final ruling has not been issued. In other words, conciliation is possible as long as all stages of proceedings have not been exhausted in full, up to cassation, and a non-appealable ruling has not been received.
- Recourse to conciliation is provided for the following offenses: unlawful access; unlawful interception; violating the integrity of data, information or an information system; hacking an email, website or private account; infringing on the design of a website; and violating a state-owned information system; as well as offenses related to fake or parody websites, private accounts and emails; offenses committed by a web administrator (“anyone who creates, manages or uses a website or private account on an information system that is intended to commit a punishable offense or facilitate the commission thereof”); offenses related to violating data confidentiality by a service provider; and abstaining from handing over data when ordered to do so by a judicial entity.
- The law also provides that, for some offenses, conciliation must be conducted through the NTRA. This stipulation is for offenses that involve the revocation of license. As the authority that granted the license to begin with, the NTRA must be represented in the conciliation process.
Illustrations by Mo Mohsen.
Hassan al-Azhari, a lawyer, reviewed the legal content in this guide.