
TALAL AL ISMAIL

CIT 510: INFORMATION SECURITY, POLICY, AND ETHICS

ZAYED UNIVERSITY

MAY 2011

SWOT Analysis: U.A.E Cyber Law


Abstract

The task of this paper is to highlight the current status of Cyber Crime around the world and in the Middle East region in general, and to make a SWOT (strengths, weaknesses, opportunities, and threats) analysis of the current cybercrime law of the U.A.E., indicating its points of strength and weakness and what amendments should be made in the future to defend against possible threats.


Introduction

Despite the high levels of technological advancement the world has reached today in multiple domains, from the spread of the Internet, social networking sites, VoIP, cloud computing, and advanced telecommunications to other modern technological trends, this progress is still offset by a parallel shortcoming in the development of the terms and laws that control the use of these technologies, especially the legislative provisions that control the use of the Internet. It is now well known that the Internet is no longer a safe environment to trust or use. Moreover, surfing the Internet has become unsafe due to the proliferation of Cyber Crime; a recent study by McAfee (2009) says "the cost of Cyber Crime has reached $1 trillion globally" (Lieberman, 2011). Hence, finding a universal legal formula to deal with these crimes is highly needed.

The Budapest (2001) Convention on Cyber Crime drafted the first "International Cyber Crime Treaty", which has been ratified by more than 46 countries around the world (Harley, 2010). These concerted efforts reflect the need for such a law to help prevent growth in cross-border Cyber Crimes and help secure the growth in legitimate cross-border computing. Unaffected by geographical boundaries, cybercrimes only seem to be getting worse as hybrid threats, hack attacks, and the real possibility of cyber terrorism continue to haunt enterprises and government bodies around the globe.

In the Middle East, the most current and widely abused cybercrime is intellectual property and software piracy. On the other hand, laws governing cybercrime in the Middle East are close to non-existent, as most of these countries have translated cybercrime into an analogous offline category of offense. Nonetheless, a few countries in the Middle East, such as the United Arab Emirates, Egypt, and Saudi Arabia, have drawn up their own Cyber Laws in an attempt to fight this new type of crime (Bednarski, Chen, Chen, Jovanovich, Osman, 2003).


The United Arab Emirates is one of the leading nations of the Gulf Cooperation Council, and it is living its economic boom, which is evident in the application of the latest technological means and solutions in all walks of life. This means that the United Arab Emirates is not immune to the threats arising from the cyber world. Therefore, in Jan 2006, the United Arab Emirates developed and put together a firm cyber law in response to current and potential cybercrimes (Aecert.ae, 2006). Cybercrime costs the country $2 million a year (Plewes, 2010), and the figure has the potential to increase. At first look this number seems really small compared to other countries such as the UK, where the cost of cybercrime exceeds expectations of $43.5 billion a year (Clark, 2011).

Since the United Arab Emirates is still new to the development of special laws that control use of the Internet, this research takes a close look at the most important strengths and weaknesses that characterize this Act, the opportunities for development, and the potential risks resulting from frequent changes in the cyber world.

Strength

Among the positive points of the cybercrime law of the United Arab Emirates, the local government, specifically the Telecommunications Regulatory Authority (TRA), realizes the need for such a law and how important it is to stay up-to-date in the world of Cyber Crime. The legal framework of the law covers a good number of different crime categories such as Human Trafficking, Data Forgery of prohibitive data, and unauthorized use and interception of computer services. It includes penalties of imprisonment for a term which may extend to ten years and a fine of up to 200,000 AED. The Act also stresses respect for religion and the Islamic identity of the state and respect for other religions, as a total of 202 different nationalities exist in the UAE labor market, according to the Under-Secretary of the Ministry of Labor (khaleejtimes.com, 2006). Dwyer (2010) supports the idea that with the increase in cyber-attacks and the motives behind them, governments should be more encouraged to avoid letting the crimes divert their attention from the Cyber Crimes.

Moreover, the local government has created a Computer Emergency Response Team (aeCERT) with a dedicated website to provide awareness, information, and advice and to receive problem alerts from users, and has created Cyber Crime Courts to deal with the jump in computer-related crimes (UAEinteract.com, 2007).

Carrying out electronic businesses in a well-defined legal structure will definitely contribute positively to the nation's economy and even create more opportunities for the businesses themselves (Robert et al., 2010).

Weaknesses

The Institute of Training and Judicial Studies of Abu Dhabi held a debate right after the issuance of the cybercrime law in 2006, revealing that the Act contains many loopholes that need further explanation and that specialized courts should be assigned for its implementation. Confirming this from a judicial point of view, Judge Mohammed Obeid al-Kaaby stated that "some articles may cause the prosecutor to be puzzled because of the contradictory penalties that might exist in the same article" (Openarab.net, 2006).

According to The Initiative for an Open Arab Internet, for instance, the law ignored the criminalization of gambling while it criminalized prostitution and temptation. The law also failed to clarify the penalty for constructing terrorist websites or spreading terrorist information online, using vague pretexts (Openarab.net, 2006). These controversial loopholes vary between unclear terms, penalties, and fines. This study will review some of the articles that are dominated by vagueness and uncertainty. Here are some articles from the current law that need justification for the terms used (Parts highlighted in yellow need clarification):

Article (15)

The penalty of imprisonment and a fine or either applies to whoever commits any of the
following offences through the Internet or an information technology device:

1. Abuse of an Islamic holy shrine or ritual
2. Abuse of a holy shrine or ritual of any other religion where such shrine or ritual is protected under Islamic Sharia
3. Defamation of any of the divine religions
4. Glorification, incitement or promotion of wrongdoing

What kind of crimes against Islam can occur via the Internet or cyber world?

Article (16)

A person who violates family principles and values or publishes news or pictures in violation
of the privacy of an individual’s private or family life, even if true, through the Internet or an
information technology device, shall be liable to imprisonment for at least 1 year and a fine
of at least AED 50,000 or either.

What are those family principles/values exactly? Who should determine them? And who has the right to do so? These questions matter because the UAE is a multinational country, with more than 200 nationalities staying on its land.

Article (20)

A person who sets up a website or publishes information on the Internet or an information technology device for a group engaged in facilitating and promoting programs and ideas contrary to public order and morals shall be liable to imprisonment for up to 5 years.

What is meant by public order and morals? How should it be defined? This article is really critical for the security of the nation; therefore, further accurate justification is highly required.

After this quick review it is essential to say that these terms are open to a wide range of interpretation. Hence, the UAE government should take quick steps to reduce and eliminate any kind of confusion that might happen.

Additionally, some of the articles presented in the Act are not really clear, especially in terms of imprisonment and fine amounts. For the United Arab Emirates to further improve and strengthen its existing cybercrime law, there should be a clear penalty definition for some of the presented articles, preventing cyber criminals from escaping full prosecution.

The following Articles from the UAE cybercrime law need to be clarified in terms of fine amounts and imprisonment periods (Parts highlighted in yellow need clarification):

Article (2)

1. Any intentional act whereby a person unlawfully gains access to a website or Information System by logging onto the website or system or breaking through a security measure carries imprisonment and a fine or either.
2. If such act results in the deletion, erasure, destruction, disclosure, damaging, alteration or republication of data or information, the punishment shall be imprisonment for a term of at least 6 months and a fine or either.
3. If the data or information is personal, the punishment shall be imprisonment for a term of at least 1 year and a fine of not less than AED 10,000 or either

Article (4)

The penalty shall be temporary detention for anyone who forges a document of the federal
or local government or federal or local public entity or corporation that is legally recognized
in an Information System.

The penalty shall be imprisonment and a fine or either for forging any other document with
intent to injure.

The penalty prescribed for forgery applies, as appropriate, in the case of anyone who
knowingly uses a forged document.

Article (5)

A person who in any way hinders or delays access to a service, system, program or database
through the Internet or an information technology device shall be liable to imprisonment
and a fine or either.

Article (6)

A person who uses the Internet or an information technology device in order to disable,
disrupt, destroy, wipe out, delete, damage, or modify programs, data or information on the
Internet or an information technology device shall be liable to temporary detention and a
fine of not less than AED 50,000 or either.

Article (7)

Anyone procuring, facilitating or enabling the modification or destruction of medical examination, diagnosis, treatment or health records through the Internet or an information technology device shall be liable to temporary detention or imprisonment.

Article (8)

Anyone who intentionally and unlawfully eavesdrops, or receives or intercepts communication transmitted across the Internet or an information technology device shall be liable to imprisonment and a fine or either.

Article (11)

Anyone who uses the Internet or an information technology device to unlawfully access the
number or details of a credit card or other electronic card shall be liable to imprisonment
and a fine. If the offence is committed with intent to acquire the property or avail of the
services of another the penalty is imprisonment for a period of at least 6 months and a fine
or either. If the property of another is appropriated for the account of the perpetrator or
someone else the penalty is imprisonment for at least 1 year and a fine of at least AED
30,000 or either.

Article (12)

Anyone who produces, arranges, sends or stores with intent of using, circulating or offering,
through the Internet or an information technology device, information that is contrary to
public morals or operates a venue for such purpose shall be liable to imprisonment and a
fine or either.

If the act is committed against a minor, the penalty shall be imprisonment for a period of at
least 6 months and a fine of not less than AED 30,000.

Article (13)

The penalty shall be imprisonment and a fine for whoever incites, lures or assists a male or female into committing an act of prostitution or fornication by means of the Internet or an information technology device.

If the victim is a minor, the penalty shall be imprisonment for at least 5 years and a fine.

Article (14)

A person who unlawfully logs in to an Internet website in order to change, delete, destroy, or modify its design or take over its address shall be liable to imprisonment and a fine or either.

Article (15)

The penalty of imprisonment and a fine or either applies to whoever commits any of the
following offences through the Internet or an information technology device:

1. Abuse of an Islamic holy shrine or ritual
2. Abuse of a holy shrine or ritual of any other religion where such shrine or ritual is protected under Islamic Sharia
3. Defamation of any of the divine religions
4. Glorification, incitement or promotion of wrongdoing

The penalty shall be imprisonment for up to 7 years for an offence involving opposition to
Islam or injury to the tenets and principles of Islam, opposition or injury to the established
practices of Islam, prejudice to Islam, the breaching of a religion other than Islam or the
propagation, advocacy or promotion of any discipline or idea of such nature.

Article (17)

A person who sets up a website or publishes information on the Internet or an information
technology device for the purpose of conducting or facilitating human trafficking shall be
liable to temporary detention.

Article (18)

A person who sets up a website or publishes information on the Internet or an information technology device for the purpose of selling or facilitating the trade of narcotics, mind altering substances and the like in other than legally prescribed circumstances shall be liable to temporary detention.

The highlighted parts of the text need to be fully clarified as to their legal interpretation. Furthermore, Table 1 shows which articles need further justification in terms of both fine amounts and imprisonment.


Table 1. Articles needing justification in terms of Fine & Imprisonment

Article (#)   Fine        Imprisonment
2             Not clear   Not clear
4             Not clear   Not clear
5             Not clear   Not clear
6             Clear       Not clear
7             -           Not clear
8             Not clear   Not clear
11            Not clear   Clear
12            Not clear   Not clear
13            Not clear   Not clear
14            Not clear   Not clear
15            Not clear   Clear
17            -           Not clear
18            -           Not clear

Source: Personal study

Moreover, the current Act contains no specific article that clearly declares whether or not this Act applies to expatriates living in the United Arab Emirates. It is notable that the word "minor" is mentioned only twice in this Act, specifically in articles (12) & (13), in the case that the minor was the victim. But what if the "minor" was the perpetrator himself? This means that all types of crimes mentioned in the Act are not applicable to minors! Does that apply to reality?

None of the articles discusses the issue of cross-border cybercrime. What if the perpetrator was from outside the UAE? What procedures should be taken and what would be the punishment in such a situation?


Indeed, there is no single article that criminalizes minors in case they commit any of the crimes presented in the Act. Likewise, none of the articles presented in the cybercrime Act clearly describes any kind of compensation for cybercrime victims.

In addition, there are no clear benchmarks or studies that determine the effectiveness of this law and the results achieved since it was placed into use. Also, the existing law does not provide sufficient coverage against more recent computer-related crimes such as:

1. Against person:
   - Defamation
   - Cyber-stalking
   - Harassment through e-mail
   - Indecent exposure

2. Against property of an individual:
   - Transmitting virus, worm, Trojan or spyware
   - Computer vandalism
   - Hacking/cracking
   - Violation of intellectual property right

3. Against organizations:
   - Hacking & Cracking
   - Transmitting virus, worm, Trojan or spyware
   - Distribution of pirated software
   - Discreditation
   - Cyber terrorism against the government organization
   - Violation of intellectual property right


The points stated above should be taken into account in any future amendment, as more and more sophisticated types of crime are developing every day. Speaking at AusCERT 2011, Kaspersky Labs founder and security expert Eugene Kaspersky argued that "cybercrime now is the second largest criminal activity in the world" (Barwick, 2011). Cybercrime was proving difficult to fight due to a combination of its secretive nature and underground forums, along with a lack of cooperation between international anti-cybercriminal police forces (Barwick, 2011).

However, a few more amendments are still recommended in order to include explicit topics such as viruses, malware, online gambling, data diddling and spam email attacks, which are considered the main motives behind cyber criminals nowadays due to their huge financial returns (Dwyer, 2010; Hopkins, 2003). According to Dwyer (2010), dealing with Cyber Crimes requires decisive security awareness. The Middle East region, especially the Gulf Cooperation countries including the United Arab Emirates, lacks many of the awareness programs, training and education in the field of Cyber Crime due to the late interest in this topic. With sufficient training programs and campaigns and the involvement of parties ranging from IT professionals to organizations' decision makers and the general public, the level of awareness will gradually increase, which in turn leads to higher levels of protection that users might take into consideration.

Opportunities

The United Arab Emirates enjoys a great economic position among the countries of the Middle East region, which requires it to take stronger and quicker steps to use all available opportunities to improve its current Cyber Law status and increase the level of security in a fertile environment replete with e-businesses. As discussed earlier in the strengths section, and as provided by Robert et al. (2010), the country could attract a more diverse economic environment that supports both consumers and organizations performing electronic businesses. Therefore, with more solid and specifically defined cybercrime laws, the country could attract more electronic based services.

The government still has the chance to update its cyber law and make the necessary amendments to cover any loopholes and include new sophisticated topics and other types of upcoming cybercrimes. Several steps have been taken. Through the Ministry of Justice, new cybercrime courts with specialist judges are to be set up to combat cybercrime in the UAE, expedite litigation and serve litigants more effectively (Zawya.com, 2010). The creation of a Computer Emergency Response Team (aeCERT) for the detection and prevention of cybercrime in the country will help improve the efficiency and effectiveness of the current law.

"A solution to the problem might be that, in addition to having police agencies investigate cybercrime, an Internet Interpol (international police) could be established." -- Kaspersky founder Eugene Kaspersky

One of the suggested solutions to slow down or stop the increasing growth of cybercrimes is an online identification (ID) to verify people engaging in such acts, as suggested by the founder of Kaspersky (Barwick, 2011).

Cyber Crimes are now spread worldwide and no single country can be considered immune to them. There has been considerable growth in Cyber Crimes in the Middle East during the last couple of years. This growth has resulted from a lack of regulations, training and awareness. The UAE should take this opportunity to build a more solid base for its Cyber Crime courts through training and by organizing awareness campaigns throughout the nation for professionals and the general public (Dwyer, 2010).

It could also introduce special certifications aligned with worldwide standards in the digital forensics field and develop a stronger Cyber Crime knowledge base. This could also lead the UAE to be the leader in the region and assist other governments in developing similar laws and strategies for defending against Cyber Crimes. In addition, it could be a start to creating a Cyber Crime convention to better define international cooperation (Hopkins, 2003).

Last but not least, public and private organizations should build their security policies and cyber awareness precautions in harmony with the government in order to create a safe cyber community.

Threats

The Telecommunications Regulatory Authority (TRA) conducted a survey during the course of 2010 (TRA.gov.ae, 2010) reporting that the number of internet users in the country was estimated at 65% of the population, and the ratio can increase significantly. This means that half of the UAE population is prone to the risk of cybercrime, especially since lots of hacking tools are freely available and downloadable from the Internet. In addition, sluggish responsiveness in taking corrective actions to cover the existing loopholes in the current law would result in negative consequences.

The information revolution era makes it even easier for hackers to share hacking details and techniques. This produces a more skilled breed of Cyber Criminals who continuously introduce new crimes, which leaves governments behind in coping with technology-related laws (Ghosh, 2010). Due to the lack of awareness discussed earlier, many victims are unwilling to report Cyber Crimes. Therefore, educating people on how to deal with cybercrimes at the time of occurrence is necessary to make users report such incidents. This could help the TRA recognize the most frequently committed crimes and their time of occurrence and produce important statistical surveys that could help fight such crimes.

Conclusion

It can be said that no single country on earth can be considered fully immune to cybercrimes. But it can also be said that there are countries working hard to develop their own national policies and laws to defend against this new type of crime coming from the cyber world, and the United Arab Emirates is one of those countries. The UAE in most situations seeks to be proactive as the country is thriving economically, which requires the state to build a safe, secure, and supportive environment for electronic based services.

References

Aecert.ae. (2006, Jan 30). The Federal Law No. (2) of 2006 on The Prevention of Information Technology Crimes. Retrieved from http://www.aecert.ae/preventionoftechcrimes.php

Bednarski, G., Chen, P., Chen, K., Jovanovich, A., Osman, H. (2003). International Cybercrime: Law, Trends, and Treaties. (p. 23)

Barwick, H. (2011, May 17). AusCERT 2011: Eugene Kaspersky calls for Internet Interpol. Retrieved from http://www.computerworld.com.au/article/386790/auscert_2011_eugene_kaspersky/__calls_internet_interpol

Chan, N., Coronel, S., & Chiat Ong, Y. (2003). The Threat of the Cybercrime Act 2001 to Australian IT Professionals. Proceedings of the First Australian Undergraduate Students' Computing Conference (pp. 25-33).

Clark, N. (2011, March 9). Business counts the cost of cyber crime. Retrieved from http://www.independent.co.uk/news/business/analysis-and-features/business-counts-the-cost-of-cyber-crime-2236158.html

Dwyer, P. (2010). Cyber Crime in the Middle East. Retrieved from www.paulcdwyer.com

Ghosh, S. (2010). Cybercrimes: A Multidisciplinary Analysis. New York: Springer.

Harley, B. (2010, March 23). A Global Convention on Cybercrime?. Retrieved from http://www.stlr.org/2010/03/a-global-convention-on-cybercrime/

Hopkins, Shannon L. (2003). Cybercrime Convention: A Positive Beginning to a Long Road Ahead. J. High Tech. L., 2(1), 101-122.

Khaleejtimes.com. (2006, Aug 25). 202 nationalities in labour market. Retrieved from http://www.khaleejtimes.com/DisplayArticleNew.asp?section=theuae&xfile=data/theuae/2006/august/theuae_august735.xml

Lieberman, D. (2011, March 6). Cyber Crime Costs Over $1 Trillion Globally?. Retrieved from https://www.infosecisland.com/blogview/12352-Cyber-Crime-Costs-Over-1-Trillion-Globally.html

Lunjevich, M., Al Shaikh, O. (2010, Jan 18). UAE To Establish Specialist Cybercrime courts. Retrieved from http://www.zawya.com/Story.cfm/sidZAWYA20100118085552/UAE%20To%20Establish%20Specialist%20Cybercrime%20Courts/

Robert, E., Okonigene, & Bola, Adekanle. (2010). Cybercrime in Nigeria. Business Intelligence Journal. 3(1), 93-9

Openarab.net. (2011). Implacable Adversaries: Arab Governments and the Internet. Retrieved from http://old.openarab.net/en/node/348

Plewes, A. (2010, May 21). Cybercrime costs UAE enterprises $2m each year. Retrieved from http://blogs.orange-business.com/live/2010/05/cybercrime-costs-uae-enterprises-2m-each-year.html

TRA.gov.ae. (2010). ICT in the UAE. Retrieved from http://www.tra.gov.ae/download.php?filename=ICT_Survey%20English%202010.pdf

UAEinteract.com. (2007, April 5). UAE creates team to fight cyber crime. Retrieved from http://www.uaeinteract.com/docs/UAE_creates_team_to_fight_cyber_crime/24690.htm
