Arab Treaty on Combating Cybercrime

The Arab Treaty on Combating Cybercrime [الاتفاقية العربية لمكافحة جرائم تقنية المعلومات] was ratified by Oman earlier this month. This treaty is an Arab League international agreement that was adopted in December 2010 and entered into force in February 2014. It appears that the ratified members of this treaty at the moment are Jordan, UAE, Sudan, Iraq, Palestine, Qatar, Kuwait and Oman.

The main objectives of the treaty are to create an obligation on its members to implement in their national legislation provisions that criminalise a set of online offenses as well as put procedural rules in place to facilitate the prosecution of cybercrimes and the collection of digital evidence. The treaty also has a section for facilitating the cooperation between its members in dealing with transnational cybercrimes. Continue reading Arab Treaty on Combating Cybercrime

Online Privacy – A Fundamental Right For Oman

Privacy on the Internet is more important to us than ever now that all of our photographs, phone numbers and the location of our every single move are all recorded and shared by many web services.
Privacy is not considered as a fundamental right in Oman for which each individual has an entitlement to, unlike the freedom of expression, the freedom to practice religion, and many of the other freedoms provided for in the Basic Statute of the State.

There are a few instances where a limited right of privacy is protected by the Omani law such as the guarantee to maintain the confidentiality of communications, the protection of the sanctity of family life from violation by technological means such as camera equipped mobile phones, and the protection against misuse of personal data by institutions regulated by the electronic transactions law.
These limited instances of the protection of privacy are not a substitute for the protection of privacy as a wider concept, which can be violated through electronic and traditional means and without necessarily disclosing that information to the public.

Private information is now extremely valuable to companies as their knowledge of our habits and personal details can help them target potential consumers. Many companies now try to collect as much personal information about us as they can, and this puts us at a risk when they collect this information without our knowledge or when they do not handle this information with care while dealing with extremely sensitive information about us such as our health and medical conditions, family life, and business transactions.

Attempting to draw a clear scope for the right of privacy is not as easy as it sounds due to the fact that this right needs to be balanced against the security interests of the state in acquiring information in order to avert crimes. These interests are legitimate, but they are not always applied reasonably. For example, the telecommunication law in Oman prohibits the use of any encryption method without acquiring the prior permission of the minister for that use. This provision is unrealistic and has no practical value because we use encryption on the Internet to do many simple daily tasks such as checking our online banking account, paying our bills, and even sending messages using Gmail.

There are some legislative issues in the area of privacy in Oman, but there is little that local legislation here can do to mitigate the risks of the violation of privacy on the Internet due to the fact that the majority of web businesses do not have any presence in Oman and therefore will not be bound by the laws of this country.

We as individuals must take precaution when giving out our information on the Internet. We need to familiarise ourselves with the privacy aspects of the services that we use and must be aware of how much information we are sharing because it is impossible to retract information we share publicly once it gets on the Internet.

Spam Soon To Be Banned in Oman

The Telecommunication Regulatory Authority has finally decided to address the issue of spam in Oman and is now in the process of drafting new regulations that will make it illegal for anyone to send unsolicited advertisements by any electronic method in Oman without acquiring prior consent from the person to whom the advertisement is sent.

Spam has been slowly growing into a problem in Oman due to the realisation of many companies of the ease at which advertisements can be pushed to a large number of people at extremely low costs. Many companies see this as an opportunity to promote their products, but from the point of view of consumers, this constitutes a breach of their privacy and can affect the way they use e-mail and SMS. These messages can be extremely repetitive, irrelevant, sent at inappropriate times, impossible to block, and make it very difficult for users to reach messages that they need to read, when their inbox is filled with unsolicited spam advertisements.

The current law in Oman does not provide individuals the right to stop others from sending them unsolicited advertisements. The telecommunications law only prohibits offensive, untrue or harmful messages, and not genuine advertisements that were sent without consent. The Basic Law of the State is the closest document we have in Oman to a constitution. It guarantees many rights for individuals such as the right for the freedom of expression and right for religious freedom, but it does not guarantee privacy as a right for individuals in Oman.

A report by Symantec last year, claiming that Oman had the highest percentage of spam messages in the whole world coming into the country, led the TRA to make statements soon after that it will work on combating spam. TRA is now working on new regulations for combating spam that will make it illegal for any person in Oman to send advertisements by any electronic method to anyone without acquiring the explicit prior consent of that person, and anyone who violates these new regulations may be fined up to RO1,000.

TRA will consider a message to be spam message for which the sender will be penalised, even if only one message was sent to one person, as long as that message was an unsolicited advertisement. The only exception to this rule is when an existing relationship can be established between the sender and recipient, such as the relationship between a hospital and patient. Even in such circumstances, individuals will have the right to have such messages stopped and an offence would be committed if a message is sent after an individual has indicated his wish to not receive any more of these messages.

Even though it will be impossible to stop all spam messages coming into the country, it is a great development for Oman to have in place local regulations that ban the transmission of spam in the country and one which would help ensure that local companies do not participate in this unacceptable practice. It will also surely provide us consumers with great comfort knowing that we can use our e-mail accounts more efficiently and that we can finally stop these ridiculous SMS about the latest gym discounts.

The public consultation period for new spam regulations had just finished last week. It is unknown how long it would take TRA to issue these regulations, but when they do come, these regulations would surely fill a serious gap in the telecom regulatory framework in Oman.

Public Consultation on Anti-Spam Regulations

The TRA has finally decided to take action about the spread of spam in Oman and is seeking public consultation about their upcoming anti-spam regulations [PDF].

The new proposed regulations will require businesses to have the explicit consent of any person to whom they send a commercial message using any medium. The regulations will provide an exception for institutions that have an existing relationship with a person and will enable individuals to have the right to stop receiving such messages.

The TRA is proposing a system where an offense would be established even if only one message has been sent without consent, will provide individuals with the right to complain to the TRA, and will provide the TRA with the right to impose sanctions that include imposing a financial penalty not less than RO 1000.

The regulations will also provide guidelines as to the content of the message, its size, and will require the header to include words such as “Commercial” or “ad”.

These regulations are still in the public consultation stage and there is no guarantee that they will be officially passed.

You can read the PDF document issued for public consultation at this link. The last date for submitting your opinion on these documents is the 25th of July.

VPN For Security?

The legal status of VPN in Oman still remains a grey area. The telecommunications law prohibits the use of any method of encryption without acquiring an explicit permission from the government beforehand, but this law has no practical implication because encryption is a fundamental aspect of the Internet. Without it we cannot log into our e-mail accounts, pay our bills online or check our online banking services.

A Virtual Private Network (VPN) is a method by which a computer can securely connect using a public connection to a private network located elsewhere. Once a connection is established to the VPN, the administrator of the public connection cannot have any control over what content is delivered through the VPN to the remote computer and cannot monitor or intercept any of that traffic.

VPNs are regularly used by companies to connect their branches to their head office, thus ensuring that their communications remain secure. VPNs are also used by consumers all around the world to ensure that their connections are secure when using untrusted public connections such as those available in cafes, hotels and other public venues.

The authorities in Oman do not like VPNs because using a VPN circumvents all the censorship and regulations imposed over the Internet. If you connect to a VPN using a local ISP such as Omantel or Nawras, you can view any website, even if that website is blocked by the local ISP which you are using to connect to the VPN. Using VPNs also allows users in Oman to connect to blocked services such as Skype.

In 2010, the TRA sought public consultation over draft regulations that would have made VPN totally illegal for private use and would have required establishments to acquire a license from TRA to use VPN for commercial use. These draft regulations never materialised and the feedback the TRA received about them was never published.

While it is understandable that TRA would not be happy to have the public circumvent all the restrictions that it imposes on the Internet by using a VPN, it would be unreasonable for TRA to ban the use of VPN for private use. This is because using VPN in certain situations is fundamental towards ensuring that the user is protected from Web criminals and identity thieves.

It is extremely common for people to log into public networks in cafes and hotels, and using a VPN in these circumstances can be the only guarantee that your connection would not be compromised by the administrators of these networks or by anybody else who manages to take control over that network. Taking such precautions in certain countries where there is a high risk of Internet scams is a serious necessity, and it is not logical to stop consumers from taking such precautionary measures.

Instead of making more futile attempts at censoring the Internet, TRA should accept that this is an impossible task to accomplish. The position of the law in regard to encryption as it stands is pointless. TRA should focus on improving the Internet and providing us with rights that guarantee that our privacy will be protected instead of creating more barriers to connecting with the rest of the world.

Location-Based Social Networks

More than a few people seem to be intimidated by the rise of location-based social networks and consider it as the clearest example of how social networks have gone a step too far in a way that violates the privacy of individuals and subjects their safety to risk. I am not one of these people and I think that these new location-based services could add a great value to our online social life.

A lot of social networks are adding location aspects to their services: Twitter has allowed the capability to geo-tag each tweet so that you can link the tweet to the physical location from which the update was made, Facebook has also recently introduced a “Places” feature that allows its users to ‘Check-in’ at known venus to inform their friends of their whereabouts. Foursquare and Gowalla are some of the few services that focus exclusively on providing location-based services to allow users to share their location with their friends.

The idea behind these services is to provide users with an easy method for sharing their location with their friends so that they can easily get together when they know where their friends are physically located at any time and get notified when they enter a location at which one of their friends have already been.

Opponents of location-based services think that the risks of sharing their location is a risky action that should not be done and it could lead to putting their property in danger as burglars can use the service to know that they are not at home.

I personally think that these risks are exaggerated and unrealistic. Location-based services available at the moment do not provide real-time information about the movement of its users- it merely provides a manual method for its users to ‘check-in’ at a location when they want to share that piece of info with their friends and makes it easy to post notes to other friends in relation to actual physical locations. The mere idea of telling your friends about your location is not new at all as users of Twitter regularly update their followers about their location by tweeting that they are at a specific place and the same goes for Facebook. It should be noted that location-based services are also identical to other social networks as they provide their users with various privacy settings that allow them to have their location updates as private or public.

I do not think that the safety risk argument against location-based services is a serious argument because the fact that you are not at your home does not necessarily mean that nobody else is there. Tweeting that you are not at home would also not on its own inform a burglar about the location of your house except if you posted its location as a public venue which you should not do by any chance.

Location-based services do provide a new way to socialise and interact with your friends and can be great fun to use, but even though I am a regular user of Foursquare, I still do not make updates about every single location I go to. The emails you write, the blog posts you make, and updates published on Facebook could cause you harm and embarrassment if you do not use common sense when using their services, location-based services are not different than any of these.

Response to the VPN Regulation Public Consultation

I just sent an email with my response to the TRA’s public consultation paper on the upcoming ban of VPN in Oman. I’m basically suggesting that they make a more precise definition for VPN and introduce an exemption for students to use VPN if they have to.

You can read my response here [PDF].

The deadline for responding to the public consultation paper is September 20th, if you have something to say to the TRA this is your chance to do it.

Private Use of VPN to be Prohibited in Oman

The Telecom Regulation Authority (TRA) has recently published a draft regulation on the use of Virtual Private Networks (VPN) (Arabic text) in Oman. The TRA is seeking public opinion on the matter before passing this regulation as law. The short summary of this regulation is that the use of VPN by individuals will be illegal, a fine of RO 500 will be charged for personal use and RO 1000 for commercial use.

The use VPN specifically wasn’t regulated before, but it could be argued that it’s use has always been illegal as a form of unlicensed encrypted communication. This new regulation makes it clearly an offense to use VPN at home, and allows it only to private and public institution who have to apply for TRA’s approval before using VPN, the TRA also retains to right to object to any grant this approval without provide reasons for this objection.

It it easy to understand why the TRA is prohibiting the use of VPNs as their primary use in this country is to bypass ISP censorship and the prohibition of the use of VOIP. A few also use VPN service to fake their IP location in order to use services offered in a region only (e.g. Hulu).

However, there are companies and institutions that rely on VPN services to conduct their business as security measures and communications with their international partners require the security of VPN network, for this specific purpose the use of VPN by companies will be allowed upon registration with the TRA.

I think there is a small case to argue that the use of VPN is necessary for individuals who study on long-distance programs as some universities offer access to their subscription based educational resources (e.g. Lexis Nexus and Westlaw) and blackboard through university VPN. When I was doing my masters at Southampton university I couldn’t access the university’s VPN when I was in Oman.

According to Article 1 of the regulation VPN is defined as follows: “a private information network  for private use made through the use of connections with a public communications network.”

It should be noted that this definition of VPN is wide and could catch uses which have nothing to do with bypassing the regulation, for example, you cannot establish a VPN to connect to your computer wirelessly through your mobile phone in order to share files between your computer and your phone. It might also cover networks created for multiplayer gaming.

Though a big worry for users of VPN, there isn’t much that can be done about this regulation as it seems to be in accordance with the telecom law and the general censorship policy in the country.

If you have any suggestions to make to the TRA on how this regulation should be amended you can send them an email at fpconsulting@tra.gov.om by the 20th of September 2010.

Living in Public

Long ago people used to live in small villages where every member of the village used to know everything about everybody else even when they were not close – each had a role to play in such a small community and the availability of information was vital to the survival of the village. As society grew bigger and more complex, it became impossible to learn about what everyone else was doing and as our societal roles became more encapsulated there was no need for us to have that knowledge anyway. Consequently, we developed this sense of individuality and privacy which now makes us feel fundamentally entitled to be left alone.

Fast-forward into a world dominated by social networks and services that allow you to stream every aspect of your life (with geotagging if you really wanted to). Suddenly everybody knows everything about everyone else just like the old days of the village. Many of us belong to new communities and tribes, not ones based on race or ethnic groups, but ones which are based on the shared interests and thoughts of its members regardless of age, sex, or nationality. We are no longer limited by our physical location or the group of people around us, we can be connected to the rest of the world if we are willing to engage with it.

It is not true that social networks and popular methods of electronic communication are leading to the demise of the human touch in our lives, but on the contrary, it is helping enhance the way many of us communicate face-to-face with each other as we can easily understand each other through the information we share through these networks.

Not every one of us is an artist or a novelist, so these random, mundane, and intimate status updates we make could be our method to express ourselves. It might not be the most elegant or sophisticated, but it is our only way to fulfil our need for expressing what we think. It is true that we might also do it to seek validation of what the actions we take on a daily basis, or to feel connected to someone, or anyone when we are alone – but none of that changes to the fact that it speaks to many of our basic human needs.

Privacy is not dead, but the sphere of what we consider “public” life is expanding to unprecedented levels both in amount and reach. We have to be careful not to out those who are not ready to participate in this new community and we must be careful not to breach our professional obligations to keep information confidential, but we also must realise that we are potential public figures as we become spokespersons for our countries, employers, and families on this new reality where everyone lives in public.

Facebook Privacy Concerns

Facebook officially launched its new controversial privacy settings which will have a significant instant impact on the extent to which private information is shared on it. Facebook claims that these new changes will help make it easier for users to decide what to share and with whom, but the reality is that the amount of information that can be set to private has been reduced and the default privacy settings are now configured to have most content shared with the everyone on Facebook and beyond.

The original success of Facebook over other social networks such as MySpace is believed to be attributed to the high levels of privacy it allowed its users to have. Previously, users had the option to share some of their personal data, such as their profile picture, with certain groups of users, such as friends only, however, profile picture, gender, current city, networks, the pages the user is a fan of, and some other personal information, are all now treated as publicly available information which cannot be hidden from anyone if the user chooses to put them on Facebook.
Another major change in the new privacy scheme is that default settings for writing new status updates and sharing pictures and other content, are set to be shared with everyone instead of friends only. This means that when you make a new status update this update will be visible to everyone whether or not you have them as friends, and as a lot of content on Facebook can be indexed by search engines such as Google, this means that even people not on Facebook may find your status updates if they make a relevant search. While privacy settings for such a feature could be configured to a more private option, the majority of users do not check their settings and very few people would realize that their old default settings were changed to the new default settings for sharing everything with everyone without them taking any action!

The new changes in privacy settings do have some new options that could allow users to have better privacy. For example, users now have the option to have per-status update privacy restrictions so that you post an item that you share only with your close friends or only with your work colleagues without affecting the rest of your updates.

It is widely believed that the new changes in Facebook privacy settings were made to push people to share more information with everyone, while this might not be in the interest of the majority of the users, Facebook hopes that this would enable it to compete with services such as Twitter – which by default makes users share their micro status updates openly. However, the purpose of Facebook is totally different from that of Twitter and Facebook’s attempt to expand into Twitter might be faced with a backlash.

If you are on Facebook and you regularly share private pictures of your family and friends, you might want to make sure you check the new privacy settings of Facebook and set your content to be viewable only by the groups of people you desire. If you would not like everyone to know that you are a fan of a certain page, you have no option but to unsubscribe from that page. The same goes for your profile picture, and other information classified as publicly available information, which you will have to remove completely from Facebook if you do not want everyone to see it.

The nature of Facebook is changing and this might be a reflection of the increased willingness of people to share more things online, but I doubt that the majority of people appreciate the impact this information could have on their social and professional life. It is still very unwise to share private information without any restrictions as it would be very hard, if not impossible, to get them off the internet afterwards.