Global Partners Digital (GPD), a UK-based social purpose company committed to protecting human rights in digital spaces, maps legislation that impacts the use of encryption technologies, highlighting the key articles that limit or restrict the use of these technologies. To help GPD expand its World map of encryption laws and policies to include countries in the Middle East and North Africa, SMEX used the CYRILLA database of global digital rights law to explore encryption laws in Algeria, Egypt, Iraq, Jordan, Lebanon, Morocco, Saudi Arabia, Syria, Tunisia, and the United Arab Emirates.
The GPD research guidance asks researchers to assess the overall environment for encryption regulation in a country, analyzing six indicators:
- the general encryption law,
- minimum or maximum encryption standards,
- licensing and registration requirements for encryption technologies,
- import and export controls,
- provider assistance provisions, and
- the power of the government to enforce decryption.
In most of the Arab League countries, relevant information about encryption legislation is not readily available in a single law, but spread across an array of laws, including telecommunications laws, anti-cybercrime laws, anti-terrorism laws, intellectual property laws, and, in some cases, stand-alone encryption laws. Moreover, depending on the country’s political system, these provisions do not always appear in independent statutes, but can also be found in amendments, regulations, and decrees.
Navigating CYRILLA By Keyword Filter
To find the relevant legislation, SMEX initially selected the “encryption law” keyword on the right toolbar to filter the stand-alone encryption laws and started the research with the two countries that had them: Morocco and Tunisia. SMEX also learned that many countries did not have a stand-alone encryption law. Instead, we expected, that the telecommunications laws, information crimes laws, and potentially other types of laws would have language that dealt with encryption technologies. Even in the countries that did have stand-alone laws, we suspected that other laws also contained provisions that affected encryption. Therefore, to ensure that our search was as comprehensive as possible, we expanded our search to include terms related to encryption and across a number of laws.
Using Full-Text Search
To find the encryption provisions in laws that do not exclusively deal with encryption, SMEX used the platform’s full-text search function to find laws that contained the words “encryption,” “cryptography,” “decryption,” and “التشفير,” the Arabic word for “encryption.” From this search, SMEX was able to identify many more telecommunications laws, information crimes laws, and electronic transactions laws with articles that related to encryption.
After taking these steps for countries with and without independent encryption laws, SMEX noticed that the report lacked information about the licensing, import, and export of encryption technologies. To remedy this problem, SMEX added the search terms “import,” “export, “licensing,” and “registration,” and their corresponding Arabic translations. This expanded search allowed SMEX to find articles that did not mention encryption directly, but still applied to the import and licensing of encryption technologies. For example, Article 44 of Egypt’s Telecommunications Law “prohibits the import, manufacture or assembly of any telecommunication equipment without a licence from the National Telecom Regulatory Authority.”
Through CYRILLA, SMEX was able to locate the articles that permitted or restricted encryption and provide copies of the relevant laws to GPD in Arabic, French, and English. Most of the laws required for this research were readily available in CYRILLA, with the exception of a few specific data protection regulations in Tunisia, which researchers had not found in previous research. After locating the regulations online, SMEX added them to the database.
Throughout the process, there were a couple of structural challenges. Most notably, some of the PDFs are snapshots and not text-searchable; therefore, the search function only found laws that contained the terms in their metadata, which prevented SMEX from searching the full text of some laws. For these laws, SMEX had to spend more time reading through the law. While technology exists to make English language PDFs text-searchable, the same technology does not exist for Arabic language PDFs. HURIDOCS, the developer of Uwazi, the platform on which CYRILLA is built, is working to solve this problem.
Keeping the laws in the database up-to-date remains a challenge as well. When SMEX identified a few of the missing data protection regulations in Tunisia, they also realized that the database did not have the most current amendments of a couple laws that these regulations referenced. Once SMEX came to this realization, they were able to find the most recent amendments online and add them to the database. Not only did finding the laws take additional time, but SMEX realized that some of their initial analysis needed to be revised.
As CYRILLA evolves, research projects and other practical use cases help us ensure that the information on the platform is up to date and encourage us to think more critically about the best way to present, sort, and contextualize the data. This project, in particular, pushed us to consider how CYRILLA should index and display keywords as we improve the current version. For example, some telecommunications laws contain importation and exportation requirements for all telecommunications-related equipment, which can include encryption technologies, but does that mean that this law should be categorized as an encryption law? Does the platform need a hierarchy for keywords? As a first step, the CYRILLA Collaborative will convene at the Berkman Klein Center at Harvard University this week to develop a draft digital rights law taxonomy that will improve the navigability and data structure of this database and perhaps others.
If you would like to be notified about future use cases, contribute to the draft taxonomy, or otherwise get involved, or if CYRILLA has been helpful to your work or research in any way, please let us know at firstname.lastname@example.org.