Introduction

The First Circuit of the Shebin El-Kom Criminal Court (Appellate Criminal Division) issued its ruling in 2025 on Appeal No. 1561 of 2024, concerning the accusation of an individual for electronic extortion and threats via the WhatsApp application. The Court ruled to accept the appeal both procedurally and substantively, overturning the first-instance court’s judgment that had convicted the defendant to five years’ imprisonment, and acquitted him instead. The Court also ordered the deletion of the digital records in dispute, based on the invalidity of the primary evidence in the case.

This case is of particular significance as it is one of the rare rulings in Egyptian courts that clearly addressed the issue of the evidentiary value of digital evidence under the Anti-Cyber and Information Technology Crimes Law (Cybercrime Law) No. 175 of 2018 and its executive regulations. The ruling highlighted the legal consequences of failing to comply with the technical and procedural safeguards stipulated therein.

This paper aims to provide a detailed analysis of the reasoning behind the judgment by reviewing the legal arguments relied upon by the court to invalidate the digital evidence that formed the basis for the defendant’s conviction before the court of first instance. It also seeks to identify the judicial principles governing the nullity of evidence when technical or procedural safeguards are violated.

In addition, the paper clarifies the legal implications that arise when law enforcement and investigative authorities fail to comply with the procedural requirements established in the law and its executive regulations. Finally, it presents a brief comparison with selected international standards and comparative experiences regarding the evidentiary value of digital evidence and the procedures for its collection.

Case Facts and Proceedings

Circumstances of the Incident

The Public Prosecution charged the appellant (the defendant) with the following:

On October 12, 2023, within the jurisdiction of the Ashmun Center – Monufia Governorate, he threatened the victim through written messages sent via WhatsApp. These messages attributed dishonorable matters to the victim and were linked to a demand for money (extortion) in exchange for not publishing photos and video clips of an indecent nature involving the victim. The Prosecution also brought additional charges against him, including: disclosing the victim’s private secrets, attempting to obtain benefits through threats, and deliberately harassing and distressing him by misusing telecommunications devices.

The Public Prosecution based the attribution of the charges on what it described as digital evidence, which included images of the blackmail-related messages and clips, in addition to the statements of witnesses (the victim himself), police investigations, and a technical forensic examination report.

First-Instance Judgment

The Criminal Court of First Instance examined Case No. 7315 of 2024 (Ashmoun Felonies) and, on 7 October 2024, issued a judgment convicting the defendant. It sentenced him to five years’ imprisonment, ordered him to pay court costs, and mandated the confiscation of the seized devices and the deletion of the recordings used in the extortion.

In reaching its decision, the court relied on digital forensic evidence, including WhatsApp messages and images attributed to the defendant, which was supported by police investigations linking the phone number used in the incident to him at the time. The judgment’s reasoning did not address the procedural safeguards stipulated in the Cybercrime Law No. 175 of 2018 or its executive regulations. Instead, it treated the submitted evidence as a single unit, without providing a detailed account of the technical procedures followed in collecting or extracting the digital evidence.

The Defendant’s Appeal

The convicted defendant appealed against the first-instance judgment, specifying several grounds for appeal and defense. His primary arguments before the appellate court revolved around the alleged invalidity of the digital evidence presented against him. He argued that the forensic material did not comply with the technical and procedural safeguards explicitly mandated under the Cybercrime Law and its executive regulations.

In addition, the defense advanced the contention that the incriminating messages and video clips may have been fabricated by the complainant himself or in collusion with others. This argument was reinforced by an official statement from the telecommunications company, which confirmed that the phone number attributed to the defendant had in fact been deactivated on 25 July 2023—months before the alleged incident—and reassigned on that same date to another subscriber. Such evidence, if accepted, effectively undermines both the factual and legal basis for attributing the messages in question to the defendant.

These arguments confronted the appellate court with a fundamental question regarding the reliability of the digital evidence presented and the validity of the procedures followed in its collection, examination, and analysis.

Defense Arguments on the Invalidity of the Digital Evidence and the Court’s Response

The defense centered its submissions on the claim that the primary digital evidence in the case — namely, the WhatsApp messages and the images forming the basis of the accusation — suffered from two fundamental defects:

1. Procedural/Technical Defect: The evidence was collected and examined without adherence to the statutory technical safeguards prescribed by law.
2. Substantive/Reliability Defect: Serious doubt exists as to whether the evidence can be attributed to the defendant at all.

First: Non-Compliance with Technical and Procedural Safeguards in the Collection of Evidence

The defense emphasized that the Cybercrime Law and its executive regulations establish a strict framework governing the handling of digital evidence. They set forth conditions and procedures that must be satisfied for such evidence to acquire the probative force of material evidence in criminal proceedings.

It argued that the authorities responsible for collecting and examining the evidence—namely, the police and the forensic digital expert—had wholly disregarded these safeguards: they failed to document the collection process and neglected to preserve original or identical copies. They also failed to employ certified tools to ensure data integrity and prevent tampering. Consequently, the defense called for the exclusion of the technical report prepared by the investigating officer, because it was fundamentally tainted by procedural invalidity.

Second: The Defendant’s Lack of Connection to the Digital Medium Used

According to the case record, the mobile number from which the blackmail messages were sent had previously been registered under the defendant’s name. However, an official certification issued by the telecommunications provider (Vodafone) confirmed that the service registered to the defendant was terminated on 25 July 2023—well before the incident—and that, on the same date, the service for that number was transferred to another individual.

Accordingly, by 12 October 2023, the date of the alleged offense, the defendant was neither the lawful subscriber nor the actual user of the line through which the threats were sent.

From a technical standpoint, this means that even if the messages originated from that number, they cannot be legally or factually attributed to the defendant, as the line was owned and used by another person at the time. The defense strongly emphasized this point, expressing surprise that the first-instance court disregarded such conclusive official evidence.

The defense further reinforced its argument with testimony from the victim’s brother, who suggested that the victim may have fabricated the messages with the assistance of the new line owner due to personal disputes.

The Court’s Response

In light of these submissions, the Court of Appeal undertook a reassessment of both the evidence and the procedures followed, and summoned the technical officer (the digital evidence expert) for examination. In the reasoning section of its judgment, the court adopted the defense’s central premise regarding the necessity of strict compliance with the statutory safeguards governing digital evidence. At the outset of its analysis, the court emphasized:

“While both the Public Prosecution and the court of first instance had overlooked any reference to Law No. 175 of 2018 and its executive regulations, the provisions of that statute cannot be disregarded, for they lay down the overarching rules governing the very concept of digital evidence and its probative force.”

In its reasoning, the court invoked Article 1 of the statute, situated within the General Provisions, which sets out key definitions, including ‘service user’, ‘service provider’, and ‘digital evidence’. It clarified that these definitions establish the general framework for understanding the rest of the regulatory controls.

For example, a service user refers to any natural or legal person who uses information technology services in any form, and a service provider—such as a telecommunications company—is obligated to retain user data and communications for a specified period.

Executive Regulations Requirements and the Court’s Application

The court then turned to the substantive technical requirements set forth in the executive regulations of the Cybercrime Law. It examined the text of Article 9, which stipulates that digital evidence carries the same probative weight as material criminal evidence, provided certain prescribed conditions are met. In its ruling, the court explicitly cited two of these conditions:

• Where it is not possible to examine a copy of the digital evidence, and the devices subject to examination cannot, for any reason, be secured, the original must be examined. The entirety of such procedures must be duly recorded in the seizure report or the examination and analysis report.
• Digital evidence must be documented in a procedural report by the authorized expert before examination and analysis processes, including details of where it was seized, stored, handled, and its specifications.

Court’s Analysis of the Provisions

The court clarified that these provisions obligate law enforcement and investigative authorities to adhere to a strict methodology in handling digital evidence. This methodology requires complete documentation of every procedural step, preservation of the chain of custody, and assurance of the integrity of the evidence from its collection to its presentation.

The regulations further mandate the use of reliable technical measures, such as write-blockers and digital hash codes, to prevent alteration or erasure of data and to generate exact replicas of the original evidence. The court stressed that any breach of these requirements undermines the evidentiary value of digital evidence and diminishes its probative force.

The court further underscored that the legislature has established a fundamental rule whereby digital evidence, like all other forms of criminal evidence, must be conclusive, founded on certainty and conviction. It cannot be relied upon where it is tainted by doubt or probability. Thus, where digital evidence merely suggests likelihood without establishing certainty, it cannot serve as a basis for conviction, and any judgment resting upon it is vitiated and subject to annulment.

Application of the Principle to the Facts of the Case

Applying these principles to the facts of the case, the court found that the technical officer’s report, on which the court of first instance had relied, was inconsistent with the required standards in the following respects:

• The report failed to adhere to the mandated scientific procedures in examining the digital evidence.
• It did not provide a clear technical explanation of how the messages in question were attributed to the defendant, especially since the phone number was registered under another person’s name at the time of the incident.
• It referred to the use of undisclosed “secret programs,” which contradicts the requirements of transparency and proper documentation.
• It omitted to secure or extract a forensically identical copy of the WhatsApp messages for independent analysis.
• It failed to record any measures taken to preserve the integrity of the original data from tampering or to document such steps in the official seizure report.

Accordingly, the court held that these deficiencies deprived the technical report of reliable scientific foundations and rendered it devoid of probative value.

The court further affirmed that the defendant’s lack of connection to the phone number at the time of the incident undermined the primary basis of the accusation. It was officially confirmed by the service provider (the telecommunications company) that the defendant was not the user of the line on the day the crime was committed. Therefore, any data derived from the assumption that the defendant had used that number directly contradicted the verified facts.

The court also found that the court of first instance had failed to properly examine this crucial issue, as it relied merely on the apparent contents of the record without adequate scrutiny. It should have verified how the technical officer attributed the use of the line to the defendant despite the transfer of ownership. Additionally, it ought to have addressed the contradiction between the technical report and the official statement issued by the telecommunications company.

Judicial Principles Derived: When Does Digital Evidence Become Invalid?

The ruling of the Shebin El-Kom Criminal Court establishes significant legal and judicial principles concerning the probative weight of digital evidence and the conditions under which it becomes void if the prescribed safeguards are breached. The most notable principles, as set out in the reasoning of the ruling, are:

1.Digital Evidence as Physical Evidence: Certainty as a Prerequisite

The court explicitly affirmed that the legislature intended digital evidence to be treated as equivalent to physical criminal evidence in terms of its probative force. This equivalence, however, is achieved only when the digital evidence is conclusive in nature and generates absolute certainty in the judge’s mind regarding the attribution of the act to the defendant, leaving no room for doubt.

Accordingly, any digital evidence that does not reach this level of conclusiveness—whether due to flaws in the process of collection or the incompleteness of its technical elements—cannot be used as a basis for conviction. If the court finds that the available evidence merely suggests the accusation without conclusively proving it, an acquittal must be entered. In such a case, the evidentiary weight of the material falls to that of a mere presumption or indication, insufficient to sustain a conviction.

The court also clarified the distinction between evidence that creates a firm and decisive conviction in the judge’s conscience and mere presumptions that remain open to interpretation and, by themselves, cannot form the foundation of a judicial decision.

2. Mandatory Compliance with Technical and Procedural Requirements Prescribed by Law

The ruling established an implicit principle that the requirements stipulated in the Cybercrime Law and its executive regulations are not mere formalities, but binding rules to safeguard the reliability of digital evidence. The court stressed that these requirements are mandatory for law enforcement and investigative authorities, and that any breach strips the digital evidence of its legal validity. The key requirements include:

• Use of tools and techniques that prevent data alteration (such as secure storage and hash codes).
• Linking the evidence to a specific incident and ensuring it falls within the scope of the investigation order.
• Collection and examination of the evidence by specialists, with documentation of the tools used and the hash code to guarantee that the copy matches the original.
• Examination of the original is required if taking a copy proves impossible.
• Documenting the process of seizure, preservation, storage location, and the characteristics of the evidence in official records.

The court adopted these five conditions as the governing standard for the validity of any digital evidence. Accordingly, it deemed the evidence in the case at hand void and devoid of probative value, due to the failure to adhere to the prescribed technical procedures.

3.The Court’s Authority to Raise Digital Evidence Controls on Its Own Motion

It is noteworthy that the court relied on the Cybercrime Law and its executive regulations, despite the prosecution not citing them in the referral order. This implicitly establishes that the criminal judge may apply the legal rules governing digital evidence on their own initiative, whenever they are mandatory, to ensure the discovery of truth and the realization of justice.

The court considered this law to fall within the legal framework mandatorily applicable to the case, even if the Prosecution overlooked it. Consequently, any challenge to the validity of digital evidence based on failure to meet its legal requirements is deemed a substantive defense that must be examined, even if not explicitly raised by the parties.

The Legal and Practical Impact of Non-Compliance with Procedural and Technical Requirements by Investigative and Law Enforcement Authorities

The ruling clearly outlines the consequences of failure by investigative and law enforcement authorities to adhere to the procedural and technical requirements stipulated in the Cybercrime Law. These consequences can be summarized as follows:

1. Exclusion of Defective Digital Evidence

The immediate consequence of investigators’ failure to comply with the prescribed safeguards is the loss of probative value or invalidity of the digital evidence. In the present case, the expert’s non-adherence to the established scientific methodology—including the documentation of tools, preservation of copies, and consideration of user data held by the service provider—led the court to exclude the technical report entirely and to refrain from relying on it for conviction.

And since the case file lacked any other compelling evidence, the court acquitted the defendant in application of the principle that doubt is to be resolved in favor of the accused and the presumption of innocence. This clearly illustrates how an investigator’s failure to follow the prescribed legal procedures can strip a case of its evidentiary substance, regardless of the gravity of the charge.

2.Violation of the Rights of the Defendant and Guarantees of a Fair Trial

The ruling implicitly indicated that failure to adhere to these standards is not merely a formal procedural defect, but instead constitutes a violation of fundamental guarantees, such as the right to defense and the presumption of innocence. When the police fail to document the chain of custody of the digital evidence or to demonstrate that it was obtained fairly and transparently, the defendant is deprived of the opportunity to challenge the evidence and question its credibility scientifically.

The court found that the first-instance ruling violated the right to defense for this precise reason. It did not enable the accused to substantiate his core arguments regarding the technical evidence’s invalidity and failed to address them with a convincing response. Consequently, neglecting these procedural safeguards can constitute a violation of the right to defense, thereby rendering the judgment itself null and void.

3. Filling a Legislative Gap through Judicial Interpretation

It is noteworthy that the Cybercrime Law did not expressly stipulate the procedural sanction resulting from non-compliance with the prescribed safeguards, nor did it, for instance, provide for a specific nullity. This gap was one of the procedural and substantive shortcomings previously noted in the law.

However, the ruling under discussion sought to fill this gap by applying the general principle that evidence obtained through a flawed or unlawful procedure is void. Since the safeguards set out in the law are mandatory measures to ensure the reliability of evidence, neglecting them renders the evidence unlawful, or at the very least unreliable, and thus necessitates its exclusion.

The Impact of the Criminal Court Ruling on the Application of Digital Evidence Controls

The ruling issued by the Shebin El-Kom Criminal Court addressed a fundamental issue concerning the application of the safeguards governing digital forensic evidence as set out in the executive regulations of the Cybercrime Law. Since the promulgation of these regulations and up to the date of this commentary, Egyptian courts—across all levels—have generally disregarded the application of such safeguards, despite their nature as essential procedural requirements that cannot lawfully be overlooked.

While it is difficult to ascertain the precise reasons why courts refrain from applying these safeguards, what is more concerning is the judicial trend reflected in some rulings that goes beyond mere disregard. In such cases, courts have implicitly rejected defense arguments challenging the validity of the proceedings and the reliability of the charges on the grounds of breaches in the safeguards governing the acquisition, collection, and preservation of digital forensic evidence.

Despite variations in the wording of these rulings, they have unanimously concluded in substance that these standards are not binding on investigative and law enforcement authorities. This conclusion has been grounded in judicial reasoning articulated in several decisions, as follows:

Since the criminal law did not prescribe a specific method for proving offenses under the Information Technology Law, and given that it is established that the essence of a criminal trial lies in the judge’s conviction based on the evidence presented before them, it is impermissible to require the court to rely on a particular type of evidence except in cases where the law expressly provides otherwise. The law, therefore, grants the judge full authority to assess the strength of the evidence and to base the judgment on any testimony or circumstantial evidence that the court finds credible and convincing.

“It is not necessary for each piece of evidence relied upon in the judgment to establish and prove every individual element of the case on its own. In criminal matters, the evidentiary elements are interrelated and mutually reinforcing, and from their totality, the judge’s conviction is formed. No single piece of evidence should be considered in isolation from the rest, but only as part of a coherent whole leading to the conclusion intended by the judgment. It is sufficient that the finding of guilt be inferred through logical reasoning derived from the circumstances, presumptions, and results revealed to the court, and from the conclusions that follow from them.”

(Cairo Economic Court – First Misdemeanor Division, Case No. 447 of 2024, Economic Misdemeanors – Cairo)

This approach, adopted by the Cairo Economic Court, was not confined to misdemeanor courts or courts of first instance but instead extended to become a prevailing trend in higher courts, including the Egyptian Court of Cassation. In one of the cases before it, concerning the rules governing the application of digital criminal evidence, the authority competent to collect it, and the manner of proving the accuracy of the alleged criminal acts, the Court concluded the following:

“Whereas it is established that the assessment of expert opinions, and the adjudication of objections raised against their reports, lies within the discretion of the trial court, which enjoys full freedom in evaluating the probative force of the expert report submitted before it; and since the court was satisfied with the findings of the report issued by the General Administration for Information Technology, it is not permissible to contest that assessment. Accordingly, the appellant’s challenge regarding the evidence derived from the technical report amounts to no more than a factual dispute over the evaluation of evidence, which is a matter solely reserved for the trial court without review.

Furthermore, the court is entitled to rely, in forming its conviction, on police investigations as corroborative of the evidence already contained in the case file. It may accept those parts of the investigations it finds credible and disregard the rest. Since the contested judgment was based on what the court found convincing from the victim’s statements, the findings of the technical examination report, and the police investigations confirming the occurrence of the offense, the appellant’s argument in this regard is unfounded. Nor does it affect the judgment that the investigations did not definitively establish the appellant’s digital fingerprint associated with the phone line used in the incident, since the appellant did not claim that the line had been stolen or used by another person at the time of the offense.

” It is also established that the assessment of evidence rests with the trial court, and once it is convinced of and satisfied with such evidence, its evaluation is beyond challenge. Since the body of evidence cited by the judgment is sufficient to support the finding that the appellant committed the crimes for which he was convicted, his submissions in this respect amount to a substantive debate over the assessment of evidence, which may not be raised before the Court of Cassation.”

(Court of Cassation – Criminal Division, Sunday “D” Circuit, Appeal No. 11880 of Judicial Year 92, Criminal Cassation)

From this perspective, the ruling of the Shebin El-Kom Criminal Court holds particular importance, as it represents a new judicial approach to interpreting and applying the procedural rules set out in the Cybercrime Law. The significance of these procedural safeguards is especially evident given that many of the law’s punitive provisions remain vague, making it difficult to clearly define the acts or behaviors they criminalize. The risks associated with cybercrimes become even greater in the absence of such safeguards—procedural guarantees that regulate the process of accessing and collecting evidence in cybercrime cases.

Conclusion

The ruling of the Shebin El-Kom Criminal Court marks a significant milestone in the development of digital criminal evidence in Egypt. It demonstrates an advanced judicial understanding of modern legislation and clearly illustrates how the Cybercrime Law and its executive regulations should be applied to digital evidence. Its importance lies in being one of the few explicit and detailed judicial precedents that directly address the consequences of failing to comply with the technical requirements governing digital evidence.

Although several years have passed since the law came into force, few Egyptian court rulings have dealt directly with the effect of breaching these procedural and technical safeguards on the admissibility of digital evidence. This ruling, therefore, constitutes a valuable precedent, as the court expressly invalidated the digital evidence for failing to meet the required technical standards. It affirms that all digital evidence must undergo rigorous examination against these standards before being relied upon to support a conviction.

In this sense, the ruling established a new judicial principle—or, at the very least, strengthened an emerging trend—emphasizing the primacy of digital evidence that meets legal and technical standards, while discrediting or excluding any evidence that fails to do so.