The United Arab Emirates (UAE) has announced a ban on Virtual Private Networks (VPNs). A royal edict directly from the President of the UAE has announced that for the crime of using a VPN or proxy server, one could face temporary imprisonment and a fine of up to two million dirhams (£412,240).
Federal Law No. 9/2012, altered by the royal edict, states that, “Whoever uses a fraudulent computer network protocol address (IP address) by using a false address or a third-party address by any other means for the purpose of committing a crime or preventing its discovery, shall be punished by temporary imprisonment and a fine of no less than Dh500,000 and not exceeding Dh2,000,000, or either of these two penalties.”
The UAE is a federation of seven different emirates, each governed by a monarch, one of whom is selected as president. The current president/king of the UAE is Khalifa Bin Zayed Al Nahyan, whose regime has put a heavy emphasis on cyber-security as a growth sector for the UAE.
Policies enacted under his presidency have truly accelerated the UAE's path to becoming the cyber-hub of the Middle East, including introducing smart city projects in Abu Dhabi, the nation's political capital, and making advances in securing the country's national infrastructure.
So it might seem strange that a country so set on making a mark on the cyber-security landscape would deny people one of the basic tools of privacy.
Privacy International technologist Christopher Weatherhead told SCMagazineUK.com, “Tools such as VPNs are paramount to protecting people's privacy online. With governments and companies engaging in practices designed to track and surveil online activities, VPNs offer one of the few methods of mitigating some of the risk that this poses.”
One can see why one might need to hide from the watchful eye of the government in a country like the UAE. Freedom of speech is far from absolute and criticism of the government and the ruling families of the country is prohibited. If expressed on the internet, certain kinds of dissenting speech count as cyber-crime and are punishable by imprisonment.
This does go towards completing the picture of authority the UAE government already has over the internet, Steve Armstrong, managing director of Logically Secure, told SC. “One thing the authorities do have in their pocket is the traceability they have of visitors and citizens in country – even buying a mobile in the UAE requires either a national identity document or a visitor's passport. So with such visibility and national monitoring of raw internet, the removal of the VPN hole in their visibility is a logical step.”
Aside from the implicit privacy one might be denied by a ban on VPNs, there are more practical considerations for a country that is supposedly trying to wean its economy off its reliance on oil.
“Businesses are often the primary users of VPN technologies, as it allows remote working of staff, and secure communications between sites,” Weatherhead told SC. “With these safety features removed, it can lead to poor data handling policies by companies, as they have no straightforward method of handling their customer data between sites securely, further infringing on the individual's right to privacy.”
“Apart from it being a bizarre piece of legislation, it seems counterproductive, in that technically it's designed to improve security”, Graham Mann, managing director of Encode Group UK, told SC. “If it's interpreted in the way it reads, it's going to affect secure connectivity to our clients, particularly our managed security services clients.”
Dimitris Lambrou is managing director for Encode in the Middle East. He too is surprised by this spanner-in-the-works move by the UAE government: “We want to believe that this is only applicable to the general public using VPN connections for circumventing internet access policies set by the government and more specifically commercial VoIP applications.”
Lambrou added, “If the UAE government apply the same across without exceptions then cyber-security companies, especially, will have a major impact on their daily operations.”
SC tried to contact a number of cyber-security companies currently operating within the UAE, but they all declined to comment.
Armstrong added to SC that how this change in legislation will affect companies is not yet clear: “It depends upon the implementation of the block: a block of previously non-interceptable traffic may have more of an impact. If they are only blocking VPN ports (1194, 60000, 5001 etc) then both cyber-security companies and attackers will quickly find ways around the block by utilising non-standard ports or TLS/HTTPS tunnels.”
Reports suggest that the ban on VPN and proxy servers is a move to hand power to the UAE's top two telecommunications companies, Etisalat and Du. Both have banned VoIP, the proxy service that allows users to make free phone calls using services like WhatsApp, further tightening the companies' hold on the country's telecoms market.