Bad Laws Are Contagious: Demystifying the UAE’s New Information Tech Law
This post first appeared in Global voices and can be found here. It was guest authored by Amin Jobran, who works as the MENA region outreach manager with the Internet censorship research group ASL19 .
The United Arab Emirates federal government will soon pass an amendment that could criminalize the use of VPNs and other censorship-dodging tools. Violators could face astronomical fines of up to 545,000 USD and possible jail time. What does this law mean? How might it affect online expression in the MENA region?
UAE law already bans the use of VPNs and other circumvention technologies in specific circumstances — the chief purpose of the new amendment is to extend the law to anyone who “uses a fraudulent computer network protocol address (IP address) by using a false address or a third party address by any other means for the purpose of committing a crime or preventing its discovery.” (Federal Law No. 12/2016, Article 1, United Arab Emirates.)
Stakeholders on various sides of the issue are struggling with the ambiguity of the language used in the amendment. In response to their complaints, the Telecommunication Regulatory Authority issued a follow-up statement vowing that the law will not affect economic interests, and promising that business can continue to use VPN technology on their internal networks, as long as they don’t misuse it for criminal activities.
But the TRA statement does not talk about unlicensed and unorganized services. Would using a VPN on a public network be considered illegal? Is using a VPN to access a service that is not licensed, like Viber for example, be considered a crime in itself? Answers to these questions will depend on how the government interprets and enforces the new amendment.
Part of a regional trend
In its broadest interpretation, the law could affect everyone using a VPN or other circumvention tools, even those who aren’t accessing illegal content, banned services (such as certain VOIP providers), or engaging in truly malicious criminal activities.
This is no small matter in the UAE, where VPN use is widespread at universities, businesses, airports and private homes. Many Emiratis use VPNs to hide their IP addresses to protect against data theft through cyber attacks. And recent policy changes — such as the blocking of VOIP services — have made VPNs more vital than ever, especially for working class users.
A VPN (aka virtual private network) is a tool that lets you to create a secure connection to another network in a different physical location. So someone in the UAE, for example, might connect to a VPN located in Canada. This allows them to bypass Emirati censors and use the Internet as if they were in Canada. It’s an important tool for people who live in countries whose governments restrict access to certain websites and services.
Preceded by a wave of VOIP blocking in various Arab countries, the new law comes as no surprise for those familiar with digital policy in the region. In the last six months alone, the UAE blocked snapchat for its video feature, Morocco blocked VOIP calls, and Saudi Arabia blocked Whatsapp calling, Facebook messenger calling features, and Facetime for iPhone.
These governments justify their decisions on security and economic grounds. Free VOIP services naturally make customers less likely to use paid international calling features through their local telecom service providers. This means loss of revenue for national, often state-affiliated telecom companies. With rising tensions surrounding violent extremism in the region, MENA governments are also wary of VOIP and certain messaging apps because of their security features — tools like WhatsApp, which now features end-to-end encrypted messaging, make it difficult for governments to monitor users’ communications.
There are also market and policy factors in play. Etisalat and DU are the UAE’s only two ISPs. Both are licensed to provide VPN services, but these are centralized and unencrypted VPN services that eliminate the user’s ability to protect their privacy. This is especially problematic, given that Emirate Investment Authority (EIA), a sovereign wealth fund for UAE federal government, owns 60% of Etisalat shares and 39.5% of DU shares, the only two telecom companies operating in the country. This overlap of interests and power between state and corporate entities all but ensures that state authorities will have relatively easy access to VPN user data.
And this power dynamic is not limited to the UAE. Etisalat is present in four Arab countries, while Zain (34.4% owned by the Kuwaiti government), the other major regional telecom giant, is present in eight Arab countries. This indicates that they have major influence over Internet policy in these countries as well. So the new laws passed in the UAE can be exported, one way or another, to other countries in the MENA region.
Implementation is everything
Beyond enabling VOIP usage, VPNs have important accessibility and privacy functions, such as accessing blocked content and adding a layer of security to Internet browsing.
These features are important for users but could also have critical implications for the new law’s implementation. In practice — as with an encrypted messaging app — it is often impossible to track a user’s activities when he or she is using a VPN. A developer with a major open source VPN explained to ASL19: “Many types of VPN traffic can be detected by a network operator. If the VPN is using appropriate encryption, ISPs should not be able to easily identify what the user is doing through the VPN.”
This means that while Emirati Internet service providers (ISPs) can see if a customer is using a VPN, they cannot easily determine what services or websites that customer is accessing. Simply put, it may be impossible for authorities to determine whether or not a person is using a VPN for “criminal activity.”
How can civil society push back?
In light of the increasing threats to digital access, online free expression and privacy in the MENA region, civil society must organize and work to defend the rights of Internet users. While the impact of such advocacy might fall on deaf ears in some countries, it has proven effective in other instances. When VOIP services were blocked in Morocco in January 2016, users’ boycotted telecom companies, launched online initiatives and started using VPNs to circumvent the blocking. Telecom companies rescinded their decision a few weeks later.
But the blocking was restored some months later, after telecom regulator ANRT upheld the ban in a controversial decision, ruling that VOIP services do not have licenses to operate in Morocco. ANRT’s decision was based on an outdated law from 2004 criminalizing the use of VOIP services for commercial purposes, not personal ones. Following the decision, there were calls from the public asking the king to intervene, but the ban remained.
At ASL19, an organization providing information access solutions for users in countries where surveillance and censorship are prevalent, our staff monitored the situation and began working to distribute circumvention tools. We saw a strange drop in the usage of some tools following the second ban. After investigating and receiving many comments on social media, we learned that users had fears about the prison sentence in the 2004 decree that regulates VOIP use, even though the law only applies to the commercial use of VPNs.
The Morocco case is indicative of the need to raise public awareness of digital rights. Educating Internet users about their digital rights — and their rights to organize, speak out, and demand stronger services and accountability from local telcos — will be critical in shaping the future of the Internet in the MENA region.