Accessibility Tools

Skip to main content

Blog

banner
Correspondence with the Libyan House of Representatives Regarding the Cybercrime Law

    Correspondence with the Libyan House of Representatives Regarding the Cybercrime Law

    |

    The Libya Technology Foundation has contacted the Libyan Parliament to present its comments and proposed amendments to the Cybercrime Law No. (5) of 2022, following a series of dialogue sessions with relevant stakeholders in the technical and legal community.

    The comments included the rewording of several articles to enhance technical and legal precision, such as the definitions of encryption, digital identity, and digital forensic evidence. The foundation also called for the modification of penalties in certain articles to focus on fines instead of imprisonment and to ensure the law aligns with the constitutional declaration and the rights to freedom of speech and expression.

    Additionally, the foundation proposed adding articles related to cyber extortion, cyberbullying, and online defamation, emphasizing the importance of involving technical and legal experts to ensure a comprehensive legal framework that effectively addresses cybercrimes.

    Here is the text of the letter:

    “To: The Honorable Members of the Libyan Parliament – House of Representatives

    Subject: Community Comments Regarding the Cybercrime Law

    Dear Sir/Madam,

    We appreciate your national efforts and the dedication of the teams that continue working tirelessly to maintain the legislative foundations in the Libyan state. We wish you success and always stand with you in support of your endeavors.

    It is important to note that the Libya Technology Foundation, established on August 25, 2020, with registration number 60-2020, has worked alongside many governmental institutions, companies, and local communities. Our teams have acted as a link between the state and society, striving to bridge gaps and enhance collaboration among various stakeholders in Libya.

    Regarding the Cybercrime Law, approved by the Libyan Parliament under Law No. 5 of 2022, which has sparked extensive debate and diverse views within the Libyan tech community, the foundation saw the necessity to initiate discussions with various organizations, bodies, and concerned parties.

    A series of dialogue meetings were organized to discuss the Cybercrime Law, aiming to collect different viewpoints from relevant stakeholders, in accordance with the constitutional declaration, applicable laws in Libya, and global best practices in such laws. During these meetings, various opinions were exchanged, reflecting the foundation’s commitment to supporting constructive dialogue and promoting transparency and cooperation on national and technical issues.

    Official amendments suggested:

    Article NumberAmendment
    1Point 5: Reword the definition of encryption. Point 7: Modify the definition of digital forensic evidence to: “Data that leaves a digital trace and can be prepared, transmitted, or stored digitally through computer systems, communication networks, or various types of digital storage devices, enabling the computer to perform a specific task.”
    1Point 8: Reword the definition of digital identity in a technical and scientific manner. Point 10: Modify the definition of “electronic payments.” Point 12: Modify the definition to “interception or surveillance.” Add a separate definition for “interception” as: “Preventing data from reaching its destination or partially or completely redirecting it.” Additional definitions: National Authority for Information Security and Safety, personal data, privacy.
    6Modify the article to distinguish between literary and scientific works, innovations, and republishing processes.
    7Modify the name of the National Authority for Information Security and Safety. Remove the clause “(except in cases of urgent security necessity)” and amend the article as: “The National Authority for Information Security and Safety may monitor what is published or displayed over the international information network or any other technical system and block anything that stirs racial or regional hatred or extremist religious or sectarian ideas that could destabilize community security or disrupt public peace. Monitoring of emails or conversations is only allowed by court order issued by the competent judge or in urgent cases, with justification for the urgency provided later and accepted by the judiciary.”
    9Modify the text to: “No individual or entity may produce, possess, provide, distribute, market, manufacture, import, or export encryption tools that have been previously prohibited in public publications of the National Authority for Information Security and Safety without obtaining a license or permission from the authority.”
    12Review the penalties in this article by a legal body to include a fine only, without imprisonment.
    13Modify the text: “Anyone who unlawfully intercepts an information system with the intent of obtaining digital data or linking it with other electronic systems will be punished by imprisonment for no less than six months and a fine between 1,000 and 5,000 dinars.”
    21Reword the article to align with the constitutional declaration, preserving the right to freedom of expression and opinion.
    24Review the penalties in this article by a legal body to include a fine only, without imprisonment.
    25Review the penalties in this article by a legal body to include a fine only, without imprisonment.
    26Review the penalties in this article by a legal body to include a fine only, without imprisonment.
    28Point 5: Change the term “electronic money” to “electronic payments.” Add the phrase “with knowledge of this” to all points of this article.
    30Combine this article with Article 21, concerning the mixing or alteration of sound or images, ensuring compatibility with the constitutional declaration and preserving rights to expression and freedom.
    34Modify the text: “Anyone who disrupts or obstructs electronic government work or public authority activities using any electronic means will be punished by imprisonment and a fine no less than 10,000 dinars and no more than 100,000 dinars.” The definition should focus on criminal intent and not affect the government’s or ministries’ definition of disrupting freedom of speech.
    36Modify the text: “Anyone who damages, hides, alters, erases, or tampers with digital evidence will be punished by imprisonment for no less than five years and a fine between 10,000 and 100,000 dinars.”
    37Modify the text: “Anyone who broadcasts or publishes misleading data or information that threatens public safety and security in the state or any other country through the international information network or any other electronic means will be punished by imprisonment for no less than five years and a fine between 10,000 and 100,000 dinars.” These data should be false and not supported by any professional or journalistic references. The right to express facts, reports, and data protected by law and the constitutional declaration should be respected.
    39Merge this article with Article 9.
    41Add this article to Article 28.
    42Review the penalties in this article by a legal body and refer to the Penal Code.
    46Review the penalties in this article by a legal body to include a fine only, without imprisonment.
    47Add the phrase “with intent to harm others.”
    48Review the article by judicial and enforcement authorities.
    50Detail the article by judicial and enforcement authorities.

    General Comments on the Law:

    • The law does not mention specific terms such as “technical, legal, criminal, procedural.”
    • There is no clear methodology in drafting the law, nor was there an explanatory memorandum included in the draft despite our attempts.
    • There is no provision for interpretation in case of disputes.
    • The discretionary power of the judge is not mentioned.
    • No mention of preventive measures.
    • No mention of the duration of the retention of computers and digital evidence.
    • No reference to technical expertise or reliance on cybercrime experts.

    We suggest adding the following articles:

    • Cyber extortion.
    • Cyberbullying.
    • Online defamation.
    • Hosting sites and their legal responsibility.
    • Protection of personal data.
    • Dealing with crimes related to artificial intelligence.
    • Regulation of digital currencies and related crimes.
    • Digital forgery.
    • Protection of witnesses and whistleblowers in cybercrimes.
    • International cooperation in cybercrimes.
    • Issuance of several executive regulations to organize the implementation of this law.

    Legal and Technical Errors in the Libyan Cybercrime Law:

    Based on our research, differing opinions, and extensive studies in analyzing this law, we have identified the following issues:

    1. Inaccurate Legal Drafting: Some definitions and terms used in Article 1 lack legal and technical precision, leading to difficulties in interpreting the provisions. For example:
      • The definition of “cybercrime” is not comprehensive of all types of electronic criminal activity.
      • The definition of “encryption” does not cover all its uses in line with international practices.
    2. Ambiguity and Redundancy in Some Articles:
      • Article (9) regarding the possession of encryption tools does not differentiate between legal usage and encryption for legitimate purposes (e.g., data protection).
      • Article (11) on “unauthorized access” lacks a clear definition of what constitutes hacking.
      • Article (34) about “disrupting government operations” is too broad and could lead to multiple interpretations, such as opinions, content, and legal activities published in digital space.
    3. Contradiction with Human Rights:
      • Monitoring of publications (Article 7) could violate privacy and freedom of expression rights, especially without clear standards.
    4. Lack of Balance Between Penalties
      • Many penalties seem disproportionate to the nature of the crimes, which could lead to unfair enforcement:
      • Imprisonment and heavy fines in Article (19) for producing or distributing pornography, while more severe crimes like human trafficking (Article 43) have similar or lesser penalties.
      • Article (38) on incitement to murder or suicide is vague and does not specify exceptions or how intent should be proven, requiring further clarification.

    5- Lack of Execution Guarantees

    • Article (7), which allows monitoring of what is published, needs clearer guarantees to protect individual rights, as relying on a “court order from a misdemeanant judge” may not be sufficient for monitoring private messages.
    • Article (52) related to judicial officers does not specify criteria for employee selection or the scope of their powers, which could lead to abuse of authority, especially in the cyber domain.

    6- Conflict with International and Domestic Laws

    • Article (3) discusses the applicability of the law for crimes that begin or are committed in Libya but does not take into account international cooperation or agreements signed or being negotiated at the international level.
    • Articles related to blocking websites and encryption (Articles 8 and 9) may conflict with international agreements related to internet freedom and data protection.

    7- Lack of Regulatory Framework

    • Absence of an article clearly defining the responsibilities of the National Authority for Information Security and Safety or licensing standards (as in Article 9).
    • No clear mechanism for enforcing penalties or monitoring implementation.

    8- Outdated or Inconsistent Technical Terminology

    • Some terms, such as “computer viruses,” need updating to include a broader range of malicious software (such as ransomware or malicious bots).
    • No mention of crimes related to artificial intelligence or blockchain technologies.

    9- Omission of Some Modern Cybercrimes

    • The law does not cover some common electronic activities like crimes related to:
      • Online extortion (Ransomware Attacks).
      • Targeted cyberattacks.
      • Forgery using artificial intelligence (Deepfakes).

    10- Issues with Seizure and Deportation (Articles 50 and 51)

    • Seizure and deportation in Articles (50 and 51) could be used arbitrarily without clear mechanisms for appeal or objection.

    11- Conflict with Existing Laws

    • Article (49) states that criminal laws and complementary laws apply but does not specify how the new law coordinates with other laws, potentially leading to legislative conflict.
    • Articles concerning intellectual property (24 and 25) could conflict with national or international laws protecting intellectual property rights.

    12- Lack of Clear Definition of the Responsible Entity

    • The law refers to the “National Authority for Information Security and Safety” without clearly defining its executive powers or its relationship with other entities like the Ministry of the Interior or the judiciary.
    • There is no clarification of the entity monitoring the enforcement of the law and ensuring that the powers granted are not misused.

    13- Insufficient Investigation and Oversight Procedures

    • Article (36) on destroying digital judicial evidence does not provide clear mechanisms for investigating this type of crime, which is technically complex and requires specialized expertise.
    • The law lacks provisions specifying how to protect digital evidence to ensure its integrity and safety during investigations.

    14- Restrictions on Legitimate Technology

    • Article (9) prohibits the possession of encryption tools without permission, which could negatively impact businesses and individuals who rely on encryption to protect their data. No exceptions are made for safe commercial or personal use.
    • Article (39) increases penalties excessively for encryption tools linked to the government and banks without establishing a regulatory framework for legitimate use.

    15- Vagueness in National Security-Related Articles

    • Article (37) on publishing data that threatens national security or public safety does not define what constitutes a “threat” in precise terms, which opens the door for broad interpretations that could be used to restrict freedom of expression.
    • Article (45) about assisting terrorist groups lacks a precise definition of actions considered “assistance,” such as publishing critical articles or political analyses, which should be clarified to avoid wrongful accusations or exemptions.

    16- Inconsistent or Impractical Penalties

    • Article (31) on gambling imposes heavy penalties of up to two years, while crimes like incitement to prostitution or the production of pornography in Article (19) have relatively lighter penalties, weakening the consistency of criminal policy.
    • Article (22) regarding “harassing others” does not clarify how intent or the nature of the act should be proven, leading to potential subjective interpretations.

    17- Insufficient Safeguards for Citizens

    • Articles (7 and 8) on content monitoring and website blocking grant authorities broad powers without clear mechanisms to ensure citizens’ rights are not violated.
    • The law does not specify avenues for complaints or appeals if a website is blocked or content is monitored unjustly.

    18- Lack of International Standards

    • The law does not align sufficiently with international standards on cybercrime laws, such as the Budapest Convention on Cybercrime, which is an international benchmark.
    • There is an absence of explicit references to international cooperation in combating cross-border crimes, despite Article (3) addressing it in part.

    19- Lack of Special Protection for Minors

    • Although there are articles related to the exploitation of minors (such as Article 23), the law does not provide comprehensive protection for minors online, such as awareness or regulation of access to harmful content.

    20- Inadequate Handling of Digital Economic Crimes

    • The law addresses economic crimes in a limited manner, such as Article (44) on money laundering, but does not cover:
      • Tax evasion using digital currencies.
      • Illegal trade on the dark web.
      • Crimes related to suspicious crowdfunding.

    21- Weakness in AI-Related Provisions

    • The law does not address crimes related to the use of artificial intelligence, such as deepfake forgery, which has become a significant threat to personal and institutional security.

    22- Lack of Provisions for Personal Data Protection

    • The law does not stipulate the protection of individuals’ personal data or the penalties for its misuse, which undermines trust in digital transactions.

    23- Omission of Cyberterrorism Crimes

    • Despite mentioning terrorist groups in Article (45), there are no provisions addressing attacks on critical infrastructure (Critical Infrastructure Attacks), which are major cybercrimes.

    24- Failure to Differentiate Between Regular Users and Professional Criminals

    • Some provisions criminalize actions that may be carried out by regular users without criminal intent (such as Article 14 on possessing decryption tools), potentially leading to unjust restrictions.

    25- Lack of Awareness and Prevention Programs

    • The law focuses on penalties without providing provisions that require relevant authorities to implement awareness programs about cybercrime and its prevention.

    Recommendations from the Libya Technology Foundation:

    As a community institution registered with the Civil Society Commission and working in the Libyan tech community to raise awareness of laws, regulations, and policies, we believe this law requires substantial amendments, revision, and reconsideration by specialists, expert houses, and relevant institutions, such as:

    • Ministry of the Interior – Criminal Investigation Department.
    • Ministry of Justice.
    • Office of the Public Prosecutor.
    • General Authority for Information.
    • General Authority for Communications and Information Technology.
    • National Authority for Information Security and Safety.
    • Expert houses and consulting institutions.
    • Civil society institutions.

    Recommendations for the Law:

    • Establish law enforcement bodies, including:
      • An electronic crimes office.
      • An electronic crimes prosecution office.
      • An electronic crimes court.
    • Update legal terminology to align with international standards.
    • Reconsider penalties to align with the nature of crimes.
    • Add legal safeguards to protect basic rights and freedoms.
    • Expand the scope of covered crimes to include emerging threats.
    • Strengthen the regulatory and executive framework to ensure justice and transparency.
    • Redraft ambiguous provisions: define terms accurately and clarify criminal intent.
    • Include digital rights protection provisions: such as adding personal data protection clauses.
    • Introduce new technologies: such as addressing crimes arising from artificial intelligence and digital extortion.
    • Create an independent oversight body: to ensure the fair and transparent application of the law.
    • Strengthen international cooperation: by joining international agreements to combat cybercrime.

    And then reintroduce it for approval – with the mentioned legal and technical amendments – to the Libyan Parliament for potential implementation by the government, ministries, and relevant bodies.

    Ameen Younis Saleh Chairman of the Board Libya Technology Foundation

    Leave a Reply

    Your email address will not be published. Required fields are marked *

    Archive