Monday, April 25, 2011

Oman Cybercrime Law

The Law for Combating Cybercrime (the Law) issued by Sultani Decree 12/2011 last month seeks to address a wide array of illegal activities involving a computer device, computer system or network. A cybercrime can be two-pronged: (i) a crime that targets a computer device or network; or (ii) a crime that is facilitated by a computer device or network.

The Law does not attempt to offer a ‘capture-all’ definition of ‘cybercrime’ but merely states that each crime listed in the Law would constitute a cybercrime. The designated authority for combating cybercrimes is the Information Technology Authority established a few years ago.

The Law defines each form of cybercrime and prescribes a penalty ranging from a fine to imprisonment of between one month and fifteen years. The cybercrimes described below are defined in the Law.

Crimes targeting computer networks or devices

Hacking: Described as the intentional and unauthorised access of a website, computer system, or computer network. Varying levels of punishment are prescribed depending on the severity of the crime. For example, the following instances of hacking attract heightened penalties:

  • introduction of a virus, data interference or an intrusion that results in modification, damage, destruction or reconfiguration of data or an information system
  • hacking of a computer system or database of a governmental agency, bank or financial institution for theft of classified information
  • unauthorised access, alteration or destruction of electronic medical data
  • unauthorised modification or destruction of a website
  • illegal interception or transmission of data or information
  • denial of service (DoS) attack attempting to make a computer resource unavailable to its intended user or deactivating access to a service provider

Malicious Software or Malware: The production, sale, purchase, import, distribution or display of software or a computer resource (widely termed ‘Malware’) designed to access a computer system for committing a cybercrime is a punishable offence under the Law.

Crimes facilitated by computer networks or devices

Phishing: The Law appears to have treated rather lightly this important tactic, in which persons masquerading as a trustworthy source in cyberspace obtain vital information from internet users. It is typically carried out using bogus emails or instant messaging, and most of these emails can be tracked to sources outside the country. Some of these bogus emails manage to elude the spam filters that service providers install on individual email accounts. Recently, Oman’s premier telecom service provider, Omantel, issued an alert to internet users to be watchful of suspicious emails, particularly those seeking personal or sensitive information such as username, password, credit card or account details. An attacker could use the information captured with this bait to access and use the victim’s account for fraudulent purposes or for spamming. Consequently, many affected authentic sources now deem it necessary to add a line to their emails and messages stating that they will never seek ‘password’ or ‘billing information’ from their customers via email.

Internet Fraud and Forgery: A fraud or forgery committed via a computer device or network is classified as a cybercrime. This includes modifying electronic data or information with the intention of committing forgery, which attracts the highest punishment under this Law of fifteen years of imprisonment when committed against the government.

The Law defines an electronic fraud as intentional and unauthorised introduction, modification or cancellation of data or information or deactivation of a computer system or network with the intention of committing fraud or causing damage to an end-user or for an illegal gain.

Identity Theft: The forgery or unauthorised use of a credit card or debit card, the use of a computer resource for gaining illegal access to information in a financial card, and unlawful gains made through any of these means are all classified as cybercrimes.

The Law also characterises the following ‘real-world’ crimes as cybercrimes when committed via cyberspace:
  • money laundering
  • unlawful dealing in drugs and psychotropic substances
  • gambling
  • copyright infringement
  • theft of art and cultural artifacts
  • illegal arms dealing
  • human trafficking
  • illegal trading of human body parts
  • dealing in pornographic materials
  • cyber-stalking
  • cyber bullying
  • breach of privacy
  • obscene or offensive content
  • cyber-terrorism

The Law also addresses ‘white-collar’ corporate crimes facilitated by computer devices or networks. While it is difficult for lawmakers to anticipate and address every conceivable crime, this Law constitutes a much-needed beginning to stave off superficial attempts to extrapolate existing criminal laws to apply to an increasingly complex cyber-world. This Law also exemplifies the need for individual states to enact computer and internet crime laws to facilitate an overarching international treaty for combating multi-jurisdictional cybercrimes.