syria surveillance|

Syria’s new “cybercrime” law adds salt to injury

Syria’s dictator, Bashar Al-Assad, ratified a new draconian cybercrime law (Law 20/2022) on April 18, replacing an older one from 2012 (Law 17/2012). In a country dubbed  “one of the most dangerous places to use the internet in the world,” Syria’s cybercrime law will clamp down further on digital spaces and add a legal cover to the regime’s mounting human rights violations, online and offline.

Why is Syria updating this law now?

As described in its preamble, the new law aims to curb the “misuse of technology,” and combat “cybercrime” as use of new technologies advances. As such, the law redefines “cybercrime” to include acts of slander, defamation, and online harassment as well as “crimes against decency or modesty, and crimes against the Constitution and undermining prestige” — in other words, the Syrian regime will weaponize these elastic and vague definitions to prosecute any expression it frowns upon.

Furthermore, the law introduces harsher penalties for “cybercrimes” that target public officials or employees, entrenching  impunity for corrupt and abusive officials and public employees.

Harsh punishments for vague “crimes”

Online civic space in Syria is already heavily controlled by the Syrian government that regularly violates Syrians’ rights to privacy, freedom of expression and opinion, and access to information, as well as the personal safety of millions of people. The newly minted Syrian cybercrime law introduces overly broad and vaguely worded provisions that further undermine these rights.

Article 24, for instance, criminalizes “electronic slander” online, including such content privately shared on messaging apps. The punishment increases if the act of slander was shared publicly. The punishment doubles if slanderous content is directed at public employees.

Article 26 also criminalizes actions or content that violate “decency and modesty online” with a fine of one to two million Syrian Pounds (SYP) for those who doctor or alter photos, videos, conversations, or audio recordings of individuals, or circulate or use these photos to blackmail or threaten individuals.  While this can be seen as an attempt to deter online harassment, doxxing, or cyber-bullying, bad actors have weaponized similar clauses in the past to target and jail young women.

Most dangerously, the law criminalizes “crimes against the Constitution” — which includes publishing content “with the intent of provoking actions aiming or calling for changing the Constitution by illegal means, or excluding part of the Syrian land from the sovereignty of the state, or provoking armed rebellion against the existing authorities under the Constitution or preventing them from exercising their functions derived from the constitution, or overthrowing or changing the system of government in the state.” According to Article 27, anyone who establishes or manages a website or publishes such content online can be sentenced from seven to 15 years in prison and a fine from 10 to 15 million SYP.

Other articles listing ambiguous crimes that threaten the right to freedom of expression and opinion include Article 28, which prohibits the publication of false news that “undermine the prestige of the state or national unity,” and Article 29, which penalizes anyone who creates or manages a website or publishes digital content that undermines the financial position of the state.

No privacy under dictatorship

The Syrian regime is notorious for surveilling citizens, at home and abroad. The new cybercrime law holds private companies hostage to their surveillance requests. Internet Service Providers (ISPs), telecommunications companies, and web hosting services must now retain users’ data and hand them over to the authorities whenever requested.

Article 5, for example, obligates applications service providers to save a copy of online content exchanged through the application as well as data that identifies the person who posted or shared the content. They must also publicly list “in a prominent place” on their websites the website or app owner as well as manager or the administrator including their email address, home address, and contact information.

Companies that fail to save a copy of online content, hosted data, or any data that helps identify persons responsible for posting content on the internet will be punished by a prison sentence from one to six months and fined between two and four million SYP.

This is extremely dangerous, especially in a context where there is no rule of law or due process. Since the March 2011 demonstrations demanding democratic reform in Syria, tens of thousands of civilians, protesters, journalists, activists, and human rights defenders have gone missing — detained or forcibly disappeared, tortured, or killed for peacefully exercising their rights.

Fighting cybercrime or an open license to violate human rights?

Syria’s new cybercrime legislation is a prime example of how states weaponize fighting cybercrime to criminalize speech, crack down on peaceful dissent, and violate people’s human rights and fundamental freedoms. It, therefore, should be rescinded.

As the United Nations is currently in the process of deliberating a global convention on cybercrime, member states must take note. Combating the use of the internet and information systems for criminal purposes must not come at the expense of people’s ability to freely exercise their rights, online and offline.