Cybersecurity represents an increasingly important priority for states’ strategies and policies all over the world, whether they concern their internal, or foreign affairs and the direction of their international relations. On the other hand, cybersecurity is becoming a major concern for many private entities of all kinds and sizes. These entities are increasingly oriented toward adopting clear strategies and policies for cybersecurity and tackling cyberthreats.
Additionally, individuals are more aware of the dangers of cyberthreats, and the extent of the serious damages they may inflict. Individuals are also more aware of how the strategies and policies enacted by governments and private sector entities under the title of cybersecurity may raise the potential violation of their rights and freedoms, especially the rights to privacy and free expression.
Egypt is no exception in this concern. However, the context of dealing with the field of cybersecurity in Egypt has its conditions and characteristics. The increasing interest of the Egyptian state in this field was contemporaneous with the 2011 Egyptian Revolution and the political instability in its aftermath. While the intersection of cybersecurity anywhere in the world with the ability of citizens to enjoy their digital rights is always an area full of contradictions and conflicts of interest, such contradictions are generally more severe in the Egyptian case.
This paper seeks to explore the different characteristics of the intersection of cybersecurity and digital rights in Egypt. It starts with an explanation of how cybersecurity intersects with digital rights and introduces the right to cybersecurity. The paper proceeds to discuss the main features of cybersecurity in Egypt through the cyberthreats faced by it, as well as the legislative and institutional frameworks for dealing with these threats, and the political exploitation of cybersecurity in Egypt.
The paper also sheds light on the impact of strategies, policies, and measures applied in Egypt within the context of cybersecurity on the practice of Egyptian citizens using the Internet for their rights to privacy and freedom of expression.
The Intersection of Cybersecurity and Digital Rights
The area of interest for this paper is the intersection of cybersecurity and digital rights within the Egyptian context in particular. This intersection can be observed on two main levels: first, the right to cybersecurity in general, and second, the impact of the different policies, practices, and procedures applied in the name of cybersecurity on individuals’ ability to practice their digital rights.
While the right to cybersecurity is not one of the rights recognized formally either internationally, regionally, or domestically, the term may work as a wide umbrella that covers recognized rights such as the right to privacy, the right to free speech, the right to free access to information and other rights within the context of cybersecurity.
This paper uses the term ‘right to cybersecurity’ as a tool for determining the responsibility of different parties in the ability of individuals to practice these rights under the conditions created by cyberthreats on one hand, and the strategies, policies, and measures set and applied by these parties to tackle these threats on the other hand.
The right to protection against cyberthreats
Individuals deal generally with two kinds of information systems based on their ownership and the ability to control them. These are information systems that individuals have no control over them, and information systems whose security is their owners’ responsibility.
In the first kind, individuals deal with information systems that are owned by others, thus they have no control over them beyond the abilities the owner entities provide and are limited exclusively to their use.
The obvious example is social media platforms like Facebook, which billions of people deal with daily. No Facebook user has any control of its management policies, including cybersecurity policies.
The entity owning the information system allows its users some control over protecting their accounts and data through some settings and options. On the other hand, individuals use information systems that they own, so theoretically they have full control of them. Such systems are represented by computers and similar devices like smartphones for instance, and the software working on them.
The concept of the right to cybersecurity differs between these two kinds. In the first case, the meaning is that individuals have the right to expect that the entity that controls the information system will take all necessary measures to protect it from unauthorized access by third parties. The controlling entity is responsible for guaranteeing the confidentiality, privacy, integrity, and access to individuals’ personal data stored on the information system. The user also has the right to have full control of their data stored on the information system by the provision of the controlling entity of user interfaces that allow the user to modify the setting of their data privacy, confidentiality, and access permissions.
On the other hand, in the second case, while securing system information is to a great extent a responsibility of its owner who theoretically controls it, the manufacturers and sellers are responsible for devices, equipment, and software constituting information systems owned by individuals. Individuals have the right to have guarantees that such devices, equipment, and software are provided with means of protection and free of faults that may allow unauthorized access of third parties. Individuals also have the right that companies manufacturing, developing, and supplying devices, equipment, and software provide them with means for full control of their security. This includes providing suitable hardware and software user interfaces, along with adequate, clear, and intelligible documentation of how to use these interfaces for adjusting the settings for securing the information system.
The right to not have individuals’ rights violated due to cybersecurity policies
The great expansion of the cybersecurity field, especially its extension to states’ interests and their national security as well as individuals’ interests and their rights and freedoms, has led to a potential conflict of interests among different parties. This conflict shows in the context of setting and implementing legislation, strategies, policies, and procedures concerning cybersecurity.
Among the phenomena arising due to cybersecurity expansion is the lack of a unified and accepted definition of its concepts, including the concept of a cyberthreat or danger. The understanding of the state’s institutions and apparatuses of such concepts differs in many cases from experts’ and researchers’ definitions. In particular, state institutions and apparatuses understand cyberthreat or danger as anything that may harm or explicitly or implicitly threaten the state’s interests or its national security and emanates from cyberspace and the different activities practiced by its users.
This wide definition contradicts the prevalent understanding among most experts, who limit the concept of cyberthreat or danger to the activities directed at information systems. Such activities may seek unauthorized access to systems to access data or information that is confidential or protected by the right to privacy, control access to data depriving its owner of it, manipulating data by modifying, damaging, completely obliterating, publishing, or exploiting it in any manner, causing damages to the information system itself, or using it to damage any systems connected to, or controlled by it, including management and maintenance systems of infrastructure, or industrial, military, or security facilities.
The wide definition of the concept of cyberthreat or danger adopted by most security agencies leads to considering many of the activities practiced by ordinary Internet users as potential sources of such threats. This includes publishing information or opinions that these agencies consider their publishing damaging to national security in one way or another.
This definition also differs to some extent between the states with authoritarian regimes and democratic ones. The first may consider the revealing of information about governmental corruption or repressive practices and human rights violations, as well as publishing opinions opposing them or calling for their removal as national security threats. While democratic states may define a narrower range of users’ practices as national security threats such as publishing false information, or opinions supporting what they deem to be destructive ideologies, including those adopted by terrorist groups.
In all cases, state agencies related to cybersecurity seek to get the right to surveil content published and exchanged on the Internet with the pretext of the need for early discovery of cyberthreats (as per their definition). These agencies also seek to get the right to access the private and personal data of ordinary Internet users, whether they were individuals or private entities, with the pretext of monitoring and tracking sources of threats or discovering cyber crime perpetrators (once again as per their definitions of such crimes).
Some states issue legislation that allows their security agencies wide prerogatives or incriminates a wide range of activities. This allows security agencies to put the practitioners of such activities under legal persecution, monitoring and surveilling them in several ways. On the other hand, security agencies in other countries seek to obtain such prerogatives either by deceit or by circumventing laws.
In either case, Internet users are exposed to violations of their rights to privacy as well as to freedom of expression due to publishing certain information or opinions. In addition to the violation of the right to access information due to the practices of blocking access to content that the agencies of one state or another deem damaging to its interests or national security.
General Characteristics of Cybersecurity in Egypt
Like other countries in the world, the Egyptian state institutions have felt the importance of cybersecurity. This stems from hands-on experience that has demonstrated the serious damage and losses that such threats and cybercrimes can cause, including harm to the state’s interests and national security, as well as the operations and resources of public and private institutions, and the interests, security, and rights of individuals.
On the other side, the state’s approaches toward cybersecurity have been characterized by a number of features that reflect the political, economic, and social conditions prevalent in the aftermath of the 2011 revolution. It can be said that the interest of the Egyptian state in cybersecurity has double-folded after the revolution.
Multiple reasons draw interest, but foremost is the belief that the online activities of the former regime’s opposition played a large and determining part in inciting the revolution. For this reason, in addition to the authoritarian nature of the ruling regime in Egypt, the main approach governing strategies, policies, and practices of the Egyptian government in the context of cybersecurity is concerned with achieving control over the flow of information through different information systems, facilitating access and infiltration of security agencies into them and to their users through them.
The interest in cybersecurity in Egypt expands to cover fields other than what may be called political security. This is reflected by several phenomena, including the annual Cybersecurity and Data Integration Systems Conference and Expo (CDIS), whose latest version was held on May 16-18, 2023. As per press releases of experts in information security and digital transformation, the conference in this version has attracted more than 1000 participants from the governmental sector, specialized companies, and scientific and academic institutions. Some international tech companies like Microsoft, IBM, Symantic, and Cisico have also taken part in the conference.
Cyberthreats and dangers
According to statements from the National Telecommunication Regulatory Authority (NTRA) vice president, which he made on the margin of the fourth CDIS conference, the statistics rank Egypt among the 20 countries most vulnerable to cyber attacks. The frequency of cyberattacks experienced by Egypt has increased by 49% in the first quarter of 2023.
In the same context, press sources have quoted Amin Hasbiny, the head of a global research analysis team in the Middle East, Turkey, and Africa, that is part of Kaspersky, who said his company intercepted and prevented around 13 million cyber attacks in Egypt in the first quarter of the same year.
In a survey conducted by Kaspersky, 31% of the participants from Egypt said they have incurred financial losses due to threats related to cybersecurity while using banking or smartphone wallets through the Internet. The loss of 88% of those users was less than 1000 USD each, while they were more for 12% of them.
According to Kaspersky, of the 1.8 million cyberthreats that the company was able to block in the Middle East, 342,163 of them were in Egypt. These threats aimed to steal banking information such as credit card numbers or secret identification data needed to access online bank accounts. Most of these attacks relied on social engineering to lure their victims.
In the jurisprudential philosophy of the Egyptian legislator, both privacy and data protection are seen as separate albite highly related concepts. This is reflected in existing legislation as well as in the body of legislation issued by the Egyptian state in the last decade and focused particularly on cyberspace.
Some legislation issued in the last decades has provisions protecting the right to privacy and sanctity of private life in criminal and civil Egyptian laws. This was before the issuance of the Personal Data Protection Law. A provision of explicit punishments for violating the right to privacy was added to the Egyptian Penal Code in 1996 (Penal Code, articles 309 bis and 309 bis A).
Before issuing the first Egyptian legislation concerned with cyberspace, its security, and the activities practiced through it, which is the Anti-Cyber and Information Technology Crimes Law, some legislation had provisions related to the Internet like the Telecommunications Regulation Law, and the Anti-Terrorism Law.
In 2018, the Anti-Cyber and Information Technology Crimes Law was issued, known in the media as the Cybercrime Law. The Egyptian state’s objectives of issuing the law were combating crimes related to information networks and technologies, and protecting government and private data and information, among other objectives. In 2020 the Personal Data Protection Law was issued, which is concerned with protecting electronically processed personal data.
The High Council for Cybersecurity (formally, High Council for Telecommunication and Information Technology Infrastructure Security), was established on December 16th, 2014, by a Prime Minister Decree (2259/2014), at the time, Eng. Ibrahim Mehleb. The purpose of establishing the Council, as per its website, is “protecting the informational infrastructure of the state and reinforcing cybersecurity, setting national strategies, policies, regulatory frameworks, and standards for cybersecurity, reinforcing cyber awareness, reinforcing cooperation with the private sector and other related state institutions, and regional and international cooperation for unifying visions and exchanging information in combating cyberthreats.”
The Council is under the supervision of the Cabinet and is formed under the presidency of the Minister of Communications and Information Technology. It includes in its membership, as per its establishing Decree, representatives of the ministries of defense, foreign relations, interior, petroleum and mineral resources, electricity and renewable energy, health and housing, water resources and irrigation, supply and internal trade, communications and information technology, general intelligence agency, and the Egyptian Central Bank. The Council also includes in its membership 3 experts from academia and the private sector. A decision to appoint them shall be issued by the Minister of Communications and Information Technology based on the Council’s nomination of them.
In 2016, the Prime Minister at the time issued decree 1630/2016 that determined the competencies of the Council in more detail (13 different competencies). The decree has also established an executive bureau and a technical secretariat for the Council.
The decree has determined the formation of the executive bureau of the Council to be headed by one of its members and the membership of the representatives of the ministries of defense, foreign relations, interior, communications, and information technology, and the general intelligence agency. Concerning the technical secretariat, the decree stipulated that it is headed by the executive director of the Egyptian Computer Emergency Readiness Team (EG CERT), and the membership of the representatives of the ministries of defense, interior, communications and information technology, and general intelligence agency.
Additionally, the decree stipulated that an expert is assigned to the Council secretariat defining its competencies, It also stated that the Council should be convened periodically at least once every three months, while the meetings of both the executive bureau and the technical secretariat are held monthly.
In 2017, the Prime Minister issued a new decree concerning the High Council for Cybersecurity, which is decree 994/2017. The decree obliged “all government bodies on all levels as well as public sector companies to implement the decisions and recommendation of the High Council for Cybersecurity.” The decision also stipulates that every employee or worker who violates the Council’s decisions will be held disciplinary accountable.
Political Exploitation of Cybersecurity in Egypt
A paper titled Manipulating Uncertainty: Cybersecurity Politics in Egypt argues that cybersecurity provides the Egyptian government with a means for what the paper calls manipulating uncertainty to promote its interests. What is meant by uncertainty is the state where ruling political regimes are in a position of control in the political field, but this control is still threatened all the time so that neither the authorities nor their opposition is fully certain that the status quo will continue to hold.
As per the paper, the Egyptian government uses cybersecurity policies, practices, and technologies to make its opposition more predictable while preserving or increasing the freedom of movement allowed to it. This is because cyberthreats have two characteristics; First, they can’t be denied, and second, it is difficult to define them exclusively and decisively as they are always changing quickly as technology evolves. This flexibility of the cybersecurity field means that its policies and technologies are ideal for political strategies that seek to exploit the state of uncertainty.
The political exploitation of cybersecurity directed toward repression of opposition in general as well as the oppression of minorities can be observed in all Egyptian state’s relevant practices. This shows in legislation issued under the umbrella of protecting cybersecurity and data which constrains rights and freedoms on the Internet and only serves the regime’s need for persecuting its opposition and others under the pretext of violating the law.
Cybersecurity Practices and Digital Rights in Egypt
The practices related to cybersecurity undertaken by various parties, most notably state institutions and security agencies, produce direct and indirect effects on the ability of citizens who use the Internet and other means of communication to exercise their rights and enjoy their freedoms.
While these effects touch on a wide range of rights and freedoms, this paper focuses in the following two sections on dealing with the right to privacy and the right to freedom of expression. In each section, the paper examines the impact of legislative practices and the practices of institutions and executive bodies in the context of cybersecurity on each of these rights.
Right to privacy
The legislative practices of the Egyptian state through laws concerned with cyberspace have a great impact on the practice of individuals of their right to privacy. Many local and international human rights organizations have condemned several provisions of the Cybercrime Law. These provisions represent a direct and explicit violation of the right to privacy while opening the door for practicing these violations under the protection of the law.
Article 2 of the law obliges service providers to keep and store information systems or any means of information technology records for 180 consecutive days. The data determined to be kept and stored include “data enabling the identification of services users, the content of the information system, communication exchanges, and terminal devices.”
This is in direct violation of the service users’ privacy. Storing and keeping personal communications data of users is itself a form of surveillance and unauthorized recording of these communications, which is prohibited by the Egyptian Constitution. Keeping such data, including that may identify their owners, for such a long period exposes it to potential unauthorized access, which is a grave threat to its owners’ right to privacy. This doesn’t only violate the right to privacy of the service users but that of their correspondents as well.
Right to free expression
The article provides the competent investigation bodies (which are not necessarily judicial) the right to order the block of a website or several websites as long as it can be technically doable, and they have evidence that the website is broadcasting from within the country or abroad any statements, figures, images, advertisements, or similar content that constitute a crime of the one set by the same law.
The phenomenon of blocking websites is one of the most vicious forms of violation of the right to freedom of expression and the right to free access to information.
It is worth noting that most of the cases of websites blocking in Egypt are perpetrated extra-judicially, even after the issue of the Cybercrime Law that legalizes the practice. The number of blocked websites in Egypt at the time of preparing this paper was 606 websites, in addition to 32 alternative links.
Moreover, Article 25 of the Cybercrime Law, punishes by incarceration for no less than 6 months, and a fine of no less than 50,000 EGPs and no more than 100,000 EGPs, or either of the two, whoever violates the principles and values of the Egyptian family. Such a loose statement that lacks any explicit boundaries represents in itself a direct violation of the right to freedom of expression.
The text of Article 25 allows persecution and threatens with freedom depriving penalty whoever publishes an opinion about or discusses social issues in general, as it is impossible to determine what any other person may consider an assault on the values of the Egyptian family, and it can’t be determined what a court of law may be convinced with such allegations.
In practical practices, many internet users, especially social media users, have already been persecuted using cybersecurity-related laws. This persecution comes as a result of publishing opinions or content that these laws allow punishing those who publish them through its loose formulation, like the crime of intentionally disturbing others using means of communication, the crime of dissemination of false news, and other acts criminalized by legislation issued originally for combating cyber crimes, protecting personal data, or protecting cybersecurity in general.
There is no doubt that cybersecurity is highly important for states and their people in the digital era in which we currently live. However, the cybersecurity field is one of the most likely to produce strategies, policies and practices that may negatively impact the ability of citizens to practice their digital rights, especially the right to privacy and the right to freedom of expression.
Balancing the provision of adequate guarantees for protecting the state, institutions, and individuals from the threats and dangers emanating from cyberspace on one hand and the protection of digital rights of everybody from any violations resulting from seeking to provide such guarantees will continue to be an arena for debate, conflicts as well as serious work to achieve it.