The Legality of Accessing Blocked Websites and Using Web Proxy Servers

The regulatory process of blocking websites and accounts is relatively novel, procedurally and legislatively. This novelty of the procedures makes the interpretations of legislative texts related to some practices uncertain, such as blocking websites. Since the enactment of the Anti-Cyber and Information Technology Crimes Law, increasing questions have been raised regarding the legality of accessing blocked websites and using web proxy servers. Inaccuracy and ambiguity of some technical terms used in the law, in addition to the absence of the legal interpretations related to its executive regulation, contributed to raising more questions.

A number of internet users in Egypt have approached Masaar with a number of questions regarding blocking and encryption. These questions were mostly about some of the restrictions imposed on accessing some websites, the incrimination of having a software with intent to commit a crime, and the possibility of having a web proxy server being a crime. Therefore, this article addresses the difference between the crime of illegal access on one hand, and using web proxy servers on the other. The article also touches upon the service provider’s responsibility for the blocking, and the legality of having and using web proxy servers like VPN.

The Difference Between Illegal Access and Bypassing Blocked Websites

The legislator has designated a special chapter in the penalties set out in the Anti-Cyber and Information Technology Crimes Law No. 175/2018. The chapter addresses crimes related to violating the security of networks, systems, and technologies of information. It also demonstrates different forms of crimes that might constitute a trespass on websites and online accounts, be it personal or state-run. The chapter hasn’t included an explicit provision criminalizing or prohibiting accessing blocked websites. However, the chapter included a special text entitled, “the crime of illegal access,” as article 14 states:

individuals who gain access to or hack a website, private account, or prohibited information system, and stay wrongfully, whether intentionally or unintentionally, may be penalized with imprisonment of no less than a year and/or a fine of EGP50,000–100,000.

If the hacking leads to the damage, erasure, altering, copying, or redistribution of data or information on that website, private account, or information system, the term of imprisonment would be for no less than two years and/or a fine of EGP 100,000–200,000”

The wording of article 14 refers to providing legal protection to different forms of websites and accounts, from violation-related crimes such as hacking crimes and web design infringements. The text here differentiates between two outcomes. The first is fulfilled when an individual unintentionally gets access to an account or a website they are not authorized to access. However, the crime is only true if the individual stays on the account or the website. The legislator, however, wasn’t specific about the duration, through which the user stays on an account or a website they don’t own or are actually responsible for running. It’s implied that the act of staying is an ongoing process until discovered, or in the absence of any evidence proving the immediate withdrawal after unintentionally accessing the account or the website. For this picture to be fulfilled, harm to information as an outcome of accessing is essential not to have happened.

As for the second outcome: the severe picture of illegal access crime. It’s fulfilled when information is harmed as a result of intentional access to these websites or accounts. An example of that is damage, erasure, altering, copying, or redistribution of data or information on that website or account.

A detailed reading of the article makes clear that it is, in no form, associated with accessing blocked websites. Nevertheless, the way the article is drafted may lead to some misunderstanding, as the legislator used such a phrase as, “a website, private account, or prohibited information system.” Using a term associated with prohibition of access doesn’t have to do with blocked websites, as the article addresses accessing an information system, a website, or an account requiring a permission to access (password, passkey… etc), so that authorized individuals would be able to make changes like erasing, altering, causing damage to the system, or acquiring and redistributing data or information. Moreover, the legislator didn’t use the term blocked. He used the term prohibited instead, as the term blocked is stated clearly in article 7 that used the term “blocking websites” in reference to preventing the audience from accessing a certain website or account, and the legislator didn’t use the term “prohibiting websites.”

Restricting access to websites that are to be blocked is the service provider’s responsibility, not the user’s.

Egyptian legislation addresses the regulatory process of website-blocking, and establishes the legal liability related to guaranteeing the implementation of the blocking order. And even though the service provider is mostly held responsible, the law sometimes put the liability on the owners of some websites and accounts ـــas different reasons and forms of blocking are regulated in the law, along with the role service providers and website/account managers play in implementing the blocking process, the procedural mechanisms in relation, and the penalties to be imposed in case the blocking order has not been implemented.

Account and website blocking is done two ways; the first is the one stated in the Anti-Cyber and Information Technology Crimes Law and refers to the blocking as a preliminary measure, if there are evidences that a website broadcast, inside or outside the State, is displaying words, numbers, images, films, any publicity materials or other, that would be an offence of those stipulated in the present law, jeopardize the national security or economy, the concerned investigation body may order to block the website(s). In such cases, it’s obligatory that the National Telecom Regulatory Authority is informed so that the service provider would be notified of the blocking order1 ــــــ whether it’s issued by the investigation body or the inquiry and law enforcement bodies (police).

It’s evident from the texts of the Anti-Cyber and Information Technology Crimes Law that the service provider is solely and directly responsible for implementing the blocking order, and that each service provider refrains from implementing the judgement issued by the competent criminal court, which is blocking a website, link or content referred to in the first paragraph of article 7 hereof shall be punishable of imprisonment for no less than one year and a fine of no less than five hundred thousand Egyptian Pounds and no more than one million Egyptian Pounds, or by one of these two penalties2.

The second way of blocking is regulated by the Press and Media Regulation and the Supreme Council for Media Regulation Law No 180/2018. The blocking, in this case, takes the form of administrative punishments on the account or the website in general or personal websites and accounts with 5000 or more followers, if they publish or broadcast false news or anything promoting or inciting a violation of the law, violence or hatred; discriminating between citizens; advocating racism or intolerance; including defamation or slander of individuals; or containing insults to religions or religious beliefs3.

Press and Media Regulation Law, and its executive regulations, did not specify the controls related to obligating service providers to implement the council’s decisions related to blocking websites or accounts. However, the obligation is implied, as the decisions of the Supreme Council for Media Regulation are effective, and by which all government agencies must abideـــ the National Telecom Regulatory Authority included.

The licensing regulation issued by the Supreme Council for Media Regulation has also added a text obligating foreign media outlets and their websites, or foreign websites, to immediately implement the decisions of the Supreme Council upon notification, and to provide a mechanism for blocking harmful content or that incites violence, hatred, contempt of religions; promotes pornography; or violates intellectual property rightsــــ within twenty-four hours of the blocking notification4. This means that, sometimes, media outlets themselves become responsible for implementing the Council’s decisions of blocking.

Accordingly, there’s no direct responsibility on the user for accessing the blocked content or website. Not to mention that, up to the moment, there have been no judicial implementations addressing interpretations that end up criminalising the bypassing of the blocking.

Having and Using a VPN to Access Blocked Websites

Having and using certain softwares, including the ones that help users bypass the blocking, is not criminalised. However, the Anti-Cyber and Information Technology Crimes Law criminalises the ownership and the usage of some softwares, with certain conditions and controls, as stated in article 22 of the law:

Anyone who possesses, acquires, procures, sells, makes available, manufactures, produces, imports, exports or trades, by any way whatsoever, any devices, equipment or tools, or designed, developed or transformed software, or passcodes, ciphers, symbols or any similar data, without obtaining the permission of AUTHORITY or holding a credential in fact or in law, and it is proved that such act was aimed at using any of the foregoing for committing or enabling the commission of any crime provided for in this Law, or for concealing the traces or evidence thereof, or that such use, enablement or concealment took place, shall be punishable by imprisonment for no less than two years and a fine of no less than three hundred thousand Egyptian Pounds and no more than five hundred thousand Egyptian Pounds, or by one of these two penalties.”

The way in which article 22 of the Anti-Cyber and Information Technology Crimes Law is drafted might have contributed into thinking that the law might be criminalising the ownership of web proxy servers, along with other softwares. However, the stated restrictions on owning these softwares are governed by two complementary conditions that must be jointly met for the crime to take place. Firstly, to own without obtaining the permission of AUTHORITY or holding a credential in fact or in law. Secondly, to be proved that such act was aimed at committing any of the crimes provided for in this law, or for concealing the traces or evidence thereof.

It’s evident from the controls on using some softwares without permission, among of which are some VPN services, that the criminalisation of using such softwares is associated with having a special purpose represented in the ownership being for the aim of committing any of the crimes provided for in the Anti-Cyber and Information Technology Crimes Law. That purpose to be proved is the investigation body’s responsibility. Given that accessing blocked websites is not a crime/violation, as there’s no text criminalising users for bypassing the blocking ـــ as previously stated ـــ, it’s difficult to say that having web proxy servers for accessing blocked websites is illegal.

————————–

1 Article 7 of the Anti-Cyber and Information Technology Crimes Law No 175/2018 regulates the procedures and orders issued in relation to site-blocking requests, stating that “If there are evidences that a website broadcast, inside or outside the State, is displaying words, numbers, images, films, any publicity materials or other, that would be an offence of those stipulated in the present Law, jeopardize the national security or economy, the concerned investigation body may order to block the website(s), subject matter of broadcasting, where applicable from the technical point of view. The investigation body shall submit the blocking order to the competent court, held at council chamber within twenty-four hours along with a memorandum of its opinion. The court shall issue its decision on the substantiated order, either by admitting or dismissing such substantiated order, in no more than seventy-two hours as of the date of submitting the substantiated order to the court. In case of summary matters due to a current risk or imminent harm, the inquiry and law enforcement bodies may notify the AUTHORITY which shall immediately notify the Service Provider of the temporary blocking of the website, content, websites, or links set out in the First Paragraph of this Article and in accordance with its provisions. Upon its receipt, the Service Provider shall implement the content of the notice. The inquiry and law enforcement body that gave the notice shall file a report establishing the procedures made in accordance with the provisions of previous Paragraph. Such report shall be submitted to the investigation bodies within forty-eight hours as from the date of notice given to AUTHORITY. Regarding this report, the procedures set out in the Second Paragraph of this Article shall be applied. In this case, the competent court shall issue its decision, either by admitting or dismissing the procedures of blocking. If the report set out in the previous Paragraph is not timely submitted, the blocking shall be deemed null and void. During the consideration of the action or based upon the request of the investigation body, AUTHORITY or relevant parties, the trial court shall issue an order terminating or amending the scope of the blocking decision. In all circumstances, nullification of the block decision shall take place by issuing a criminal lawsuit dismissal order or a final judgement of acquittal.”

2 Article 30 of the Anti-Cyber and Information Technology Crimes Law No. 175/2018 establishes the scope of criminal liabilities of service providers to block websites, stating that, “Each Service Provider refrains from implementing the judgement issued by the competent criminal court, which is blocking a website, link or content referred to in the first paragraph of Article (7) hereof shall be punishable by imprisonment for no less than one year and a fine of no less than five hundred thousand Egyptian Pounds and no more than one million Egyptian Pounds, or by one of these two penalties. If refraining from implementing such judgement results in the death of one or more person or damaging national security, such Service Provider shall be punishable by rigorous imprisonment and a fine of no less than three million Egyptian Pounds and no more than twenty million Egyptian Pounds. Further, the court revokes the license of practicing the activity.”

3 Article 19 of the Organisation of Press and Media Law permits the Supreme Council of Media to block websites and accounts, stating that, “a website is blocked if it publishes or broadcasts false news or promotes or incites a violation of the law, violence or hatred, discriminates between citizens, advocates racism or intolerance, includes defamation or slander of individuals or contains insults to religions or religious beliefs. In exception to the provision of the first article herein; every personal website, personal online blog, or personal online account with 5000 or more followers abides by the provisions of the article herein. Without prejudice to the legal liability resulting from violating the provisions of the article herein, the Supreme Council must take appropriate action in response to the violation, and for that purpose, it may suspend or block the site, blog, or account.”

4 Article 22 of the licensing regulation, issued by Resolution No. 26/2020, regarding the issuance of the licensing regulation of the Supreme Council of Media, establishes the conditions related to granting foreign media outlets and websites a license. The article stipulates, in its seventh item, that, “7- Providing a mechanism for blocking harmful content that incites violence, hatred and contempt for religions; promotes pornography; and violates intellectual property rightsــــ within twenty-four hours of the blocking notification.”