How the Cybercrime Law Imposes Several Responsibilities on Website Administrators

 

On this page:

The Anti-Cyber and Information Technology Crimes law (no. 175/2018) deals with different forms of the means by which some traditional crimes might be committed, the legislator has re-arranged them in new crime forms, once their committal was connected to different communication technologies. The law has set up divisions of these crimes enumerating their forms, and tried to distinguish between them. Within this framework, the law has specified a separate division for the crimes committed by website administrators and the penalties they might face in case such crimes were committed. These crimes vary between direct crimes that may occur through website activities, which makes the one responsible for administering the website accountable for the crime, and in the form of crimes related to shortcomings in procedures that should be carried out by websites administrators. Before discussing the different forms of responsibilities regulated by the law we should first explain who are the website administrators meant by the Anti-Cyber and Information Technology Crimes law, and what is specifically meant by the term “websites”.

How the law defines websites administrators

The law has specified a number of terms related to its application, one of these is the definition of the website administrator. The legislator has expanded this definition, as it includes the persons who organize and publish website content. The law also considers as website administrators those who carry out the tasks of maintaining, monitoring and ensuring users access to a website, in addition to the task of organizing and administering the website.

The law has also specified what is meant by websites, defining them to be “a virtual space, or place with a specific address over an information network, that is meant for making data and information available for public and private consumption.” While the legislator has sued the term “website administrators”, the responsibilities specified by the law however are not limited to website administration only, as they expand to administering private pages and email, which will become clear when aspects of responsibility and liabilities related to website administration are explained.

General responsibilities related to administering and using websites, accounts and emails

Website administrators and users are generally subject to the same rules of accountability stipulated by the law, but the legislator adds a further dimension of these rules applicable to website administrators. The law specifies provisions incriminating any act related to website administration if its purpose was committing a crime punishable by law. Legally punishable crimes means committing any crime specified by Egyptian penal laws, such as the crimes specified by the Criminal Law for example. The legislator has used in the beginning of Article 27 the statement “in cases other than those specified in this law”, and it’s to be understood that Article 27 is not applicable in case a crime specified by the Anti-Cyber and Information Technology Crimes law was committed.

Example: Article 27, related to website administrators’ responsibilities, is applicable in the case of a crime that is not specified by the Anti-Cybercrimes law, provided that the crime was committed using a website or an account created for the purpose of committing it.

The law has distinguished the rules meant for website administrators and the legislator tried to enumerate incrimination forms including:

  • The crime of creating a website with intention of committing a crime punishable by law.
  • The crime of administering a website with intention of committing a crime punishable by law.
  • The crime of using a website with intention of committing a crime punishable by law.

Oddly, the legislator has made equal who created, administered, or used a website, as motives related to committing a crime, and the possibility of proving it are different. In addition to the lack of proportionality of incrimination forms and their penalties, as the one creating a website and the one using it face the same penalty that can be imprisonment for no less than two years and a fine of no less than 100 thousands EGP. Adding to this, the expansion of website administration definition includes persons who might use the website for carrying out limited technical tasks, which makes it difficult to imagine that they have any actual, or complete control or their jobs being distinguishable from others thus justifying their being accountable for crimes punishable by any law.

Article 27 which deals with the process of administering a website with the purpose of committing a crime specified by law, is additionally considered a complex crime that needs several elements and conditions, some of them are already included within other provisions incriminating a specific act different from website administration, which makes this crime even more complicated. For starters, the legislator used the statement “every one who creates, administered or used a website or a private account on an information network, with the purpose of committing a crime punishable by law”. The semantic context related to the term “with the purpose of” is different from other terms for the materialization and conclusion of a crime. Purposefulness is a primary act by which the materialization of a crime is not conditioned. It is a part of criminal intention that has to be materialized, which is something generally difficult to prove, and need a legally sustainable condition constituted by more than one act so that purposefulness act can be proved. Also, the occurrence of a crime does not require proving the act of purposefulness, as the criminal act might occur accidentally for one time, with no purposefulness or repetition.

Example: A website or a web page has published content amounting to a libel crime. Such crime is established if its aspects were verified, but this does not necessarily mean that the website or the page that published the statements amounting to libel for some person, was created or is administered with the purpose of committing acts of libel, as there is a difference between the two things.

Responsibilities related to negligence, short comings or failing to implement security and protection measures

The law imposes some responsibilities basically on website administrators, as per Article 29, dealing with two forms of responsibilities:

  • First, relevant to implementing security procedures and precautions, and the penalties pursuant to negligence of them, escalating up to imprisonment for no less than six months, and/or a fine of no less than 10,000 EGP, and no more than 100,000 EGP. The law’s provisions delegated technical provision related to security precautions to the executive regulations of the law, Article 2 has enumerated the provisions and procedures that should be observed by website administrators.
  • Second, a general form for responsibility on failure. Article 29 penalizes website administrators in case of exposing the website, a private account or email, or information system to any of the crimes specified. It is understood by the text of the law, as there is no judicial applications so far, that what is meant here is failing to implement required measures for protecting the website. This is not limited to implementing security procedures only, thus the article mentions other undefined forms of negligence. The final say here depends on causality link between a specific outcome, i.e the website being the target of any of the specified crimes, and this being due to negligence or failure to activities by the website administrators.

Example: Hacking a website, account, or email may be connected to failing to implement required protection procedures, but the law includes other forms of attacks that may take place, such as sabotage, obstruction, or slowing down of an email or a website, or tampering with the design of websites. The article’s text here assumes that the website administrator failed to take suitable legal and technical measures to prevent the mentioned crimes.

Responsibilities related to hiding or tampering with digital evidence

The legislator did not stop at mentioning the forms of direct or incompetence responsibilities relevant to administering websites, accounts, or emails, but went on to impose one more obligation on website administrator related to incriminating hiding or tampering with digital evidence in case of a crime taking place on the website, account or email. The legislator imposed two conditions of establishing such crime:

  • First, hiding evidence should be related to the occurrence of one of the crimes specified by the law.
  • Second, hiding or tampering with evidence should be meant for obstructing the work of competent official agencies, which might require getting into technical details to make sure it is true.

The responsibility for hiding or tampering with digital evidence by any means, is related to the responsibilities of negligence, short comings or failing to implement security and protection procedures, as the legislator incriminates the failure of a website administrator to implement required protection procedures or provisions, puts him/her in charge in case the website, account or email was subject to any crime, this may motivate the website administrator to hide or tamper with the evidence. Despite the connection between the two responsibilities, the legislator has separated them, which may in future allow different interpretations, which is a recurrent issue with most of the law’s articles.

In conclusion, the multiple responsibilities imposed by the Anti-Cyber and Information Technology Crimes law, and the expansion of the definition of website administrators, expose people in charge of websites to severe penalties. Additionally, determining the nature of different tasks requires highly technical experience, which might be difficult to provide, in case of making charges based on this law. It is then necessary to ensure making contracts defining the authority and jobs of website administrators, such contracts should include a clear distinction of different jobs, in addition to clarifying the areas of overlapping job roles, or the ability of third parties to carry on the same tasks.