TALAL AL ISMAIL

ZAYED UNIVERSITY
MAY 2012

SWOT Analysis: U.A.E Cyber Law

Abstract
This paper aims at emphasizing the importance of the UAE cybercrime law enacted in June 2006. In this paper, a SWOT analysis of the UAE cybercrime law is conducted to identify the internal factors (strength and weaknesses) and external factors (opportunities and threats). It is found that some articles of the UAE cybercrime law contain some deficiencies both in defining imprisonment period and fine value. For this purpose, it is suggested to benchmark with other cybercrime laws of other countries like the United States, the United Kingdom and India in order to clarify and upgrade any missing points which will result in a law that commensurate with the progress going in the field of cybercrime.

Introduction
Despite the high levels of technological advancement the world has reached today in multiple domains; starting from the spread of Internet, social networking sites, VoIP, cloud computing, advanced telecommunications, and other modern technological trends; however, this progress is still offset by a parallel shortcoming in the development of terms and laws that control the use of the aforementioned technologies, especially the legislative provisions that control the use of the Internet. It is well known now, that the Internet is no longer a safe environment to trust or use. Moreover, surfing the Internet has become unsafe due to the proliferation of cybercrime. Whereas a recent study by McAfee (2009) says "The cost of Cyber Crime has reached $1 trillion globally" (Lieberman, 2011). Hence, the importance of finding a universal legal formula to adjust these crimes is highly needed. The Budapest (2001) Convention on Cybercrime drafted the first "International Cyber Crime Treaty" that had been ratified by more than 46 countries around the world (Harley, 2010). These concerted efforts reflect the need for such laws to help prevent growth in crossborder cybercrimes and help secure the growth in legitimate cross-border computing. Unaffected by geographical boundaries, cybercrimes only seem to be getting worse as hybrid threats, hack attacks, and the real possibility of cyber terrorism continue to haunt enterprises and government bodies around the globe. In the Middle East, the most current and widely abused cybercrime is intellectual property and software privacy. On the other hand, when talking about laws governing cybercrime in the Middle East they are close to non-existence as most of these countries have translated

cybercrime into an analogous offline category of offense. Nonetheless, few countries in

the Middle East such as United Arab Emirates, Egypt, and Saudi Arabia have drawn up their own Cyber Laws in an attempt to fight this new type of crime (Bednarski, Chen, Chen, Jovanovich, Osman, 2003).

The fact that the United Arab Emirates is one of the leading countries of the Gulf Cooperation Council; the U.A.E is living it's economic boom which seems evident in the application of the latest means of technological solutions in all walks of life. This means that the United Arab Emirate is not immune against the arising threats coming from the cyber world. Therefore, in Jan 2006, the United Arab Emirates developed and put together a firm cyber law in response to current and potential cybercrimes (Aecert.ae, 2006). Knowing that cybercrime costs the country $2 million a year (Plewes, 2010) and the figure has the potential to grow. Having a first look at this number which seems really small comparing to other countries such as the UK where the cost of cybercrime exceeds expectations of $43.5 billion a year (Clark, 2011). Since the United Arab Emirates is still novice in relation to the development of special laws that control use of the Internet, however, this research tries to take a close look at the most important aspects of the strengths and weaknesses that characterize this Act and opportunities for development and what are the potential risks resulting from frequent changes in the cyber world.

Methodology
The research mainly applies the SWOT analysis approach to recognize the existing stand of the UAE cybercrime law. Although not so much information on the UAE cybercrime law is available, however, whatever information that is available on the World Wild Web (EJournals, Magazines, Newspaper, etc.,) in relation to the subject has been collected and analyzed accurately. The SWOT analysis conducted involves two steps. On one hand, identify the internal factors (strength and weaknesses) and external factors (opportunities and threats) of the UAE

cybercrime law. On the other hand, the analysis of these factors was based merely on the author's personal opinion.

Strength
It is worth mentioning that the UAE is the first country in the Middle East region to adopt
cybercrime enactment, with its Cybercrime Law No. 2, enacted in June 2006. For the

consolidation of this law, the UAE government is looking at ways to involve local universities so they partner in the process of spreading the concept of cyber security through establishing academic programs centered on cyber security to help prepare and train a new generation of graduates that is able to understand and deal with this new science field in all aspects. For instance, in 2008, Zayed University launched a new graduate program that offers a master degree in Information Technology (Specialization in Cyber Security) focuses on the development of concepts, knowledge and skills that will enable successful participants to become experts in the area of information security, internet crime prevention, and digital crime investigation (Ameinfo.com, 2008). Moreover, the Telecommunications Regulatory Authority (TRA) realizes the need for such law and how it is important to stay up-to-date in the world of cybercrime. Since the legal framework of the law covers a good number of different crimes categories such as Human Trafficking, Data Forgery of prohibitive data, and unauthorized use and interception of computer services. It includes penalties for imprisonment for a term which may extend to ten years and a fine up to 200,000 AED. The Act also stresses the respect for religion and the Islamic identity of the state and respect for other religions as a total of 202 different nationalities exist in the UAE labor market, according to the Under-Secretary of the Ministry of Labor (Khaleejtimes.com, 2006). For further illustration, the UAE cybercrime law is characterized by a set of articles that cover highly critical issues. Thereupon in comparison with the Saudi Arabia(GCC member) cybercrime law, it's found that the UAE cybercrime law contains articles (7 & 13)

that criminalize changing or destroying medical test, diagnosis, treatment or healthcare and incitement to prostitution and debauchery using the internet or high-tech means, whereas the Saudi cybercrime law doesn't address or cover these issues. Likewise, the cybercrime law of Jordan doesn't address or cover issues related to the defamation of divine religions, creating a website or publishing information with the aim of promoting narcotics, and illegal transfer of funds resulting from money laundering using the internet or high-tech means. Whilst the cybercrime law of the UAE processes and criminalizes the aforementioned acts in articles (15, 18, and 19). Furthermore, while a fine in the cybercrime law of the UAE reaches up to 200,000 AED, the value of a fine in the cybercrime law of Jordan doesn't exceed 26,000 AED. Dwyer (2010) supports the idea that with the increase in cyber-attacks and the motives behind them, governments should be more encouraged to avoid letting the crimes divert their attention from cybercrimes. Moreover, the local government has created a Computer Emergency Response Team (arCERT) with a dedicated website to provide awareness, information, advice, and receive problem alerts from users, as well as has created Cybercrime Courts to deal with the jump in the computer-related crimes cases (UAEinteract.com, 2007). Accordingly, the Ministry of Justice, in order to combat cybercrime in the UAE, new "Cybercrime" courts with specialist judges have been established to expedite litigation and serve litigants more effectively (Zawaya.com, 2010). In line with the introduction of the UAE cybercrime law, the local government began to work actively on hosting international conferences in an attempt to bring in international expertise which will contribute in boosting the level of knowledge related to cyber security and provides access to the latest findings and results in the field of cyber security. For example, in 2010, Zayed University hosted the "2nd International ICST Conference on Digital Forensics and Cyber

Crime" (Thenational.ae, 2010) as a proactive step to host this type of international conference in the Middle East. Carrying out electronic businesses in a well-defined legal structure will definitely contribute positively to the nations economy and even create more opportunities to the businesses themselves (Robert et al., 2010).

Weaknesses
Although the UAE cybercrime law covers an accepted number of cybercrimes which sounds good, however, some articles of that law are punctuated with a lack of clarification and shrouded in mystery which seems evident in many of the law articles we are going to review from an analytical point of view. The Institute of Training and Judicial Studies of Abu Dhabi held a discussion debate right after the issuance of the UAE cybercrime law in 2006, revealing that the Act contains many loopholes that need further explanation and that specialized courts should be assigned for its implementation. Confirmation of this, and from a judicial point of view, the judge Mohammed Obeid Al-Kaaby assured that "some articles may cause the prosecutor to be puzzled because of the contradictory penalties that might exist in the same article" (Openarab.net, 2006). In consonance with the mentioned above, for instance, the law ignored the criminalization of gambling while criminalized prostitution and temptation. The law also failed to clarify the penalty of constructing terrorist websites or spreading terrorist information online using vague pretexts. These controversial loopholes vary between unclear terms, penalties, and fines. This study will review the articles that are dominated by vagueness and uncertainty. Here are some articles from the current law that need justification for the terms used (Parts highlighted in yellow need clarification):

Article (15) The penalty of imprisonment and a fine or either applies to whoever commits any of the following offences through the Internet or an information technology device: 1. Abuse of an Islamic holy shrine or ritual 2. Abuse of a holy shrine or ritual of any other religion where such shrine or ritual is protected under Islamic Sharia 3. Defamation of any of the divine religions 4. Glorification, incitement or promotion of wrongdoing What kind of crimes against Islam might occur via the Internet or cyber world? Article (16) A person who violates family principles and values or publishes news or pictures in violation of the privacy of an individuals private or family life, even if true, through the Internet or an information technology device, shall be liable to imprisonment for at least 1 year and a fine of at least AED 50,000 or either. What are those family-principles/values exactly? Who should determine them? And who has the right to do so? Taking into account that UAE is a multinational country as more than 200 nationalities stay on its land.

Article (20) A person who sets up a website or publishes information on the Internet or an information technology device for a group engaged in facilitating and promoting programs and ideas contrary to public order and morals shall be liable to imprisonment for up to 5 years. What is meant by public order and morals? How should it be defined? This article is really critical for the security of the nation, thus, further accurate justification is highly required. After this quick review it's essential to say that these terms are open to a wide range of interpretations. Hence, UAE government should take quick steps to reduce and eliminate any kind of confusion might happen. Additionally, some of the articles presented in the Act are not really clear especially in terms of imprisonment and fine amounts, but for the United Arab Emirates to further improve and strengthen their existing cybercrime law there should be a clear penalty definition to some of the presented articles preventing cyber criminals from escaping from a full prosecution.

Down below Articles from UAE law of cybercrime need to be clarified in terms of fine amounts and imprisonment periods (Parts highlighted in yellow need clarification): Article (2)

1. Any intentional act whereby a person unlawfully gains access to a website or Information System by logging onto the website or system or breaking through a security measure carries imprisonment and a fine or either. 2. If such act results in the deletion, erasure, destruction, disclosure, damaging, alteration or republication of data or information, the punishment shall be imprisonment for a term of at least 6 months and a fine or either. 3. If the data or information is personal, the punishment shall be imprisonment for a term of at least 1 year and a fine of not less than AED 10,000 or either Article (4) The penalty shall be temporary detention for anyone who forges a document of the federal or local government or federal or local public entity or corporation that is legally recognized in an Information System. The penalty shall be imprisonment and a fine or either for forging any other document with intent to injure. The penalty prescribed for forgery applies, as appropriate, in the case of anyone who knowingly uses a forged document. Article (5) A person who in any way hinders or delays access to a service, system, program or database through the Internet or an information technology device shall be liable to imprisonment and a fine or either. Article (6) A person who uses the Internet or an information technology device in order to disable, disrupt, destroy, wipe out, delete, damage, or modify programs, data or information on the Internet or an information technology device shall be liable to temporary detention and a fine of not less than AED 50,000 or either. Article (7) Anyone procuring, facilitating or enabling the modification or destruction of medical examination, diagnosis, treatment or health records through the Internet or an information technology device shall be liable to temporary detention or imprisonment. Article (8)

Anyone who intentionally and unlawfully eavesdrops, or receives or intercepts communication transmitted across the Internet or an information technology device shall be liable to imprisonment and a fine or either.

Article (11) Anyone who uses the Internet or an information technology device to unlawfully access the number or details of a credit card or other electronic card shall be liable to imprisonment and a fine. If the offence is committed with intent to acquire the property or avail of the services of another the penalty is imprisonment for a period of at least 6 months and a fine or either. If the property of another is appropriated for the account of the perpetrator or someone else the penalty is imprisonment for at least 1 year and a fine of at least AED 30,000 or either. Article (12) Anyone who produces, arranges, sends or stores with intent of using, circulating or offering, through the Internet or an information technology device, information that is contrary to public morals or operates a venue for such purpose shall be liable to imprisonment and a fine or either. If the act is committed against a minor, the penalty shall be imprisonment for a period of at least 6 months and a fine of not less than AED 30,000. Article (13) The penalty shall be imprisonment and a fine for whoever incites lures or assists a male or female into committing an act of prostitution or fornication by means of the Internet or an information technology device. If the victim is a minor, the penalty shall be imprisonment for at least 5 years and a fine.

Article (14) A person who unlawfully login to an Internet website in order to change, delete, destroy, or modify its design or take over its address shall be liable to imprisonment and a fine or either. Article (15) The penalty of imprisonment and a fine or either applies to whoever commits any of the following offences through the Internet or an information technology device: 1. Abuse of an Islamic holy shrine or ritual 2. Abuse of a holy shrine or ritual of any other religion where such shrine or ritual is protected under Islamic Sharia 3. Defamation of any of the divine religions 4. Glorification, incitement or promotion of wrongdoing

The penalty shall be imprisonment for up to 7 years for an offence involving opposition to Islam or injury to the tenets and principles of Islam, opposition or injury to the established practices of Islam, prejudice to Islam, the breaching of a religion other than Islam or the propagation, advocacy or promotion of any discipline or idea of such nature. Article (17) A person who set ups a website or publishes information on the Internet or an information technology device for the purpose of conducting or facilitating human trafficking shall be liable to temporary detention. Article (18) A person who sets up a website or publishes information on the Internet or an information technology device for the purpose of selling or facilitating the trade of narcotics, mind altering substances and the like in other than legally prescribed circumstances shall be liable to temporary detention. The highlighted parts of the text need to be clarified fully against its legal interpretation. Furthermore, Table 1. shows which articles need to further justification both in terms of fine amount and imprisonment. Table 1. Articles need justification in terms of Fine & Imprisonment

Article (#) 2 4 5 6 7 8 11 12 13 14 15 17 18

Fine Not clear Not clear Not clear Clear Not clear Not clear Not clear Not clear Not clear Not clear -

Imprisonment Not clear Not clear Not clear Not clear Not clear Not clear Clear Not clear Not clear Not clear Clear Not clear Not clear

Source: Personal study

Moreover, the current Act contains no specific article that clearly declares if this Act applies to expatriates living in the United Arab Emirates or not. It's notable that the word "minor" has been mentioned only twice through this Act specifically in articles (12) & (13) in case of that the minor was the victim. But what if the "minor" was the perpetrator himself? This means that all types of crimes mentioned in the Act are not applicable to minors! Does that apply to reality? And how should these minor offenders be treated and punished?

Not any of the articles discussed the issue of cross border cybercrime. What if the perpetrator was from outside the UAE? What procedures should be taken and what would be the punishment for such situation?

Indeed, there is no single article that criminalizes minors in case they commit any type of crimes presented in the Act. As well as, it is true that none of the articles presented in the cybercrime Act clearly describe any kind of compensation for cybercrime victims. Providing that, there are no clear benchmarks or studies determine the effectiveness of this law and the results achieved since it was placed into use. As cybercrimes can be broadly categorized into three categories namely- crimes against persons, property and government, the existing law does not provide sufficient coverage against more recent computer-related crimes such as: 1. Against persons:

Defamation Cyber-stalking Harassment through e-mail Indecent exposure

2. Against property: Transmitting virus, worm, Trojan or spyware

Computer vandalism Hacking/cracking Violation of intellectual property right Phishing Online gambling

3. Against organizations: Hacking & Cracking Transmitting virus, worm, Trojan or spyware Distribution of pirated software Discreditation Cyber terrorism against the government organization Violation of intellectual property right

According to the points stated above, these points should be taken into account if any coming amendment happens in the future as more and more sophisticated types of crime are developing every day. Speaking at AusCERT 2011, Kaspersky Labs founder and security expert, Eugene Kaspersky argued that "cybercrime now is the second largest criminal activity in the world" (Barwick, 2011). As cybercrime was proving difficult to fight due to a combination of its secretive nature and underground forums along with a lack of cooperation between international anti-cybercriminal police forces (Barwick, 2011). However, it is still recommended to have few more amendments in order to include explicit topics such as viruses, malware, online gambling, Data diddling and spam email attacks which are considered as the main motives behind the cyber criminals nowadays due to its huge financial returns (Dwyer, 2010, Hopkins, 2003). According to Dwyer (2010), dealing with cybercrimes requires decisive security awareness. The Middle East region, especially Gulf Cooperation Countries including the United Arab Emirates, lack many of the awareness

programs, training and education in the field of cybercrime due to the late interest in this topic. With sufficient training programs and campaigns and the involvement of parties starting from IT professionals, to organizations decision makers and also the general public, the level of awareness will gradually increase which in turn leads higher levels of protection that users might take into consideration.

Opportunities
The United Arab Emirates enjoys great economic position among other countries in the Middle East region which requires her to take stronger and quicker steps to use all available opportunities to improve its current Cyber Law status to increase the level of security in a fertile environment replete with e-businesses. As discussed earlier in the strengths section, and as provided by Robert et al. (2010), the country could attract a more diverse economic environment to take place that supports both consumers and organizations performing electronic businesses. Therefore, with more solid and specific defined cybercrime laws, the country could attract more electronic based services. The government still has the chance to update its cyber law and make the necessary amendments to cover any loopholes and include new sophisticated topics and other types of upcoming cybercrimes. Several steps have been taken. The Ministry of Justice, in order to combat cybercrime in the UAE, new "Cybercrime" courts with specialist judges have been established to expedite litigation and serve litigants more effectively (Zawaya.com, 2010). And, the creation of a Computer Emergency Response Team (aeCERT) for the detection and prevention of cybercrime in the country will help improve the efficiency and the effectivity of the current law. In addition, hosting international conferences will help the UAE government benefit from international expertise which will contribute in boosting the level of knowledge related to cyber security and provide access to the latest findings and results in the field of cyber security.

"A solution to the problem might be that, in addition to having police agencies investigate cybercrime, an Internet Interpol (international police) could be established." -- Kaspersky founder Eugene Kaspersky One of the suggested solutions to slow down or stop the increasing growth of cybercrimes is an online (ID) identification to verify people engaging in such acts. The founder of Kaspersky suggested that (Barwick, 2011). Cybercrimes are now spread worldwide and there is no single country to be considered immune against it. There has been a considerable growth in cybercrimes in the Middle East during the last couple of years. This growth has resulted from lack of regulations, trainings and awareness. UAE should take this opportunity to build more solid base for their cybercrime courts through trainings and organizing awareness campaigns throughout the nation for professionals and general public (Dwyer, 2010). They could also introduce special certifications with alliance to worldwide standards in the digital forensics field and develop stronger cybercrime knowledge base. This could also lead the UAE to be the leader in the region and assist other governments to develop similar laws and strategies in defending against the cybercrimes. In addition, it could be a start to creating a cybercrime convention to better define international cooperation (Hopkins, 2003). Last but not least, public and private organizations should build their security policies and cyber security awareness precautions in harmony with the government's plans and strategies in order to create a safe cyber community.

Threats
The Telecommunications Regulatory Authority (TRA) has done a survey during the course of 2010 (TRA.gov.ae, 2010) reporting that the number of internet users in the country was estimated to 65% of the population and the ratio can increase significantly. This means that half of the UAE population is prone to the risk of cybercrime, especially lots of hacking tools are freely available and downloadable from the Internet. In addition, sluggish responsiveness in taking corrective actions to cover the existing loopholes in the current law would result in negative consequences. Information revolution era makes it even easier for hackers to share hacking details and techniques. This produces a more skilled breed of Cyber Criminals that continuously introduce new types of crimes which leave governments behind in coping with technology related laws (Ghosh, 2010). Due to the lack of the awareness discussed earlier, many of the victims are unwilling to report cybercrimes. Therefore, educating people on how to deal with cybercrimes at the time of occurrence is necessary to make users report such incidents. This could help TRA recognize most frequently committed crimes and their time of occurrence and to produce important statistical surveys that could help fight such crimes.

Conclusion
The cyber-world is full of immediate changes that can't be predicted. As a result, all cyber laws are limited. Since cyber laws are limited, it must be up-to-date and need continuous improvement and follow-up. Accordingly, UAE cyber law has to be amended to include other types of computer-related crimes like cyber-stalking, email harassment and defamation. Similarly, the aforementioned articles in Table 1. need more clarification and justification in terms of fine and imprisonment to miss up the opportunity on law breakers through benchmarking with other cybercrime laws of other countries like the United States, the

United kingdom and India. Furthermore, the concept of the perpetrator (offender) has to be redefined to include minors not only adults, taking into consideration the scope of the law. In fact this research paper is one of the few papers if not the only that is written on the UAE cybercrime law, therefore, it is advised that more studies need to be done on this law to shape different views and for better outcomes. Finally, it can be said, that there are countries doing bold moves in developing their own national policies and laws to defend against this new type of e-crime coming from the cyber world. And the United Arab Emirates is one of these countries. Above all, the UAE seeks to be proactive as the country is thriving economically, which requires the state to build a safe, secure, and supportive environment for electronic based services.

Future Work
This paper should be followed by more analytical studies that will contribute to the explanation of the articles mentioned in the cyber law of the UAE.

References
Aecert.ae. (2006, Jan 30). The Federal Law No. (2) of 2006 on The Prevention of Information Technology Crimes. Retrieved from http://www.aecert.ae/preventionoftechcrimes.php

Ameinfo.com. (2008, Dec 29). Zayed University launches eight new graduate programs in collaboration with international universities. Retrieved from http://www.ameinfo.com/179824.html

Bednarski, G., Chen, P., Chen, K., Jovanovich, A., Osman, H. (2003). International Cybercrime: Law, Trends, and Treaties. (p. 23)

Barwick, H. (2011, May 17). AusCERT 2011: Eugene Kaspersky calls for Internet Interpol. Retrieved from http://www.computerworld.com.au/article/386790/auscert_2011_eugene_kaspersky _calls_internet_interpol_/

Chan, N., Coronel, S., & Chiat Ong, Y. (2003). The Threat of the Cybercrime Act 2001 to Australian IT Professionals. Proceedings of the The First Australian Undergraduate Students' Computing Conference (pp. 25-33).

Clark, N. (2011, March 9). Business counts the cost of cyber crime. Retrieved from http://www.independent.co.uk/news/business/analysis-and-features/businesscounts-the-cost-of-cyber-crime-2236158.html

Dwyer, P. (2010). Cyber Crime in the Middle East. Retrieved from www.paulcdwyer.com

Ghosh, S. (2010). Cybercrimes: A Multidisciplinary Analysis. New York: Springer.

Harley, B. (2010, March 23). A Global Convention on Cybercrime?. Retrieved from http://www.stlr.org/2010/03/a-global-convention-on-cybercrime/ Hopkins, Shannon L. (2003). Cybercrime Convention: A Positive Beginning to a Long Road Ahead. J. High Tech. L., 2(1), 101-122.

Khaleejtimes.com. (2006, Aug 25). 202 nationalities in labour market. Retrieved from http://www.khaleejtimes.com/DisplayArticleNew.asp?section=theuae&xfile=data/the uae/2006/august/theuae_august735.xml

Lieberman, D. (2011, March 6). Cyber Crime Costs Over $1 Trillion Globally?. Retrieved from https://www.infosecisland.com/blogview/12352-Cyber-Crime-Costs-Over-1Trillion-Globally.html Lunjevich, M., Al Shaikh, O. (2010, Jan 18). UAE To Establish Specialist Cybercrime courts. Retrieved from http://www.zawya.com/Story.cfm/sidZAWYA20100118085552/UAE%20To%20Estab lish%20Specialist%20Cybercrime%20Courts/ Robert, E., Okonigene, & Bola, Adekanle. (2010). Cybercrime in Nigeria. Business Intelligence Journal. 3(1), 93-9

Plewes, A. (2010, May 21). Cybercrime costs UAE enterprises $2m each year. Retrieved from http://blogs.orange-business.com/live/2010/05/cybercrime-costs-uae-enterprises2m-each-year.html

TRA.gov.ae. (2010). ICT in the UAE. Retrieved from http://www.tra.gov.ae/download.php?filename=ICT_Survey%20English%202010.pdf

Thenational.ae. (2010, Sep 28). Zayed University to host cyber-crime conference Retrieved from http://www.thenational.ae/news/uae-news/education/zayed-university-to-hostcyber-crime-conference

UAEinteract.com. (2007, April 5). UAE creates team to fight cyber crime. Retrieved from http://www.uaeinteract.com/docs/UAE_creates_team_to_fight_cyber_crime/24690. htm