2021 was an important year for stories relating to human rights and technology. A series of revelations around a single company, NSO Group, stood out. Reports linked its Pegasus spyware to the murder of Jamal Khashoggi along with the infiltration of devices belonging to activists, journalists, and dissidents.
These revelations deserve the global attention they gained; however, they show an underlying willingness for states to use cybersecurity tools for repression and coercion. Where mass popular movements once used the digital space to organise in the region, most famously during the 2011 Arab Spring, states are working to take back and dominate this space.
Cybersecurity’s Two Sides
Translated into action, it means a 14-year old boy and 16-year old girl in Bahrain can be arrested and detained for simply celebrating on Twitter having a day off school.
One way states in the region currently push to dominate the digital space is through the vague concept of ‘cybersecurity’. Like many political terms, it has two meanings. First, it refers simply to the ability of an organisation or individual to protect their information in the digital space. But its second meaning is more political, defined solely by the state’s interest with no reference to human rights. Cybersecurity, in this definition, means whatever the state wants it to mean. Anyone familiar with the use of the term ‘national security’ will understand how ‘cyber security’ can be used to threaten individual liberty.
For instance, Article 6 of Saudi Arabia’s Cyber Crime Law makes illegal the ‘Production, preparation, transmission, or storage of material impinging on public order, religious values, public morals, and privacy, through the information network or computers’. This vague law sanctioned the arrest and detention of Saudi women’s rights activists Maya’a al-Zahrani, Alam al-Harbi, Shadan al-Anezi, Samar Badawi, Nouf Abdulaziz, and Loujain al-Hathloul for their online activism.
In Bahrain, the department in charge of combatting cybercrime is reported to have 16 employees constantly monitoring social media that helps prosecute over a thousand cybercrimes a year. Article 260 of the Bahrain Penal Code gives the state broad discretion to punish ‘international misuse of telecommunication mediums’ for anyone who criticises ministerial corruption once or maintains sustained human rights activity like Abduljalil al-Singace or Ebtisam al-Saegh.
The same is true for the UAE under Articles 24, 28, 29, and 30 of its 2012 New Cyber Crime Law, Oman under Article 19 of the 2011 Cybercrime Law, Article 8 of Qatar’s 2014 Cybercrime Prevention Law, and Articles 4 and 6 in Kuwait’s 2015 Cyber Crime Legislation.
While the restrictive nature of the laws is nothing new in the Gulf Cooperation Council (GCC) states, what is unique is their capricious use of them. Joyce Hakmeh, Senior Research Fellow at Chatham House, noted the “creative interpretation on the part of the GCC governments to include new behaviours that may not have been anticipated.” Translated into action, it means a 14-year old boy and 16-year old girl in Bahrain can be arrested and detained for simply celebrating on Twitter having a day off school. Needless to say this extends to countless more political activities.
The Billion Dollar Trade
Given the severity of GCC states’ cybercrime laws, one might expect the international community to withdraw support for them; instead, they have profited immensely.
Global trade in cybersecurity is highly lucrative, especially with the GCC states that spend large amounts of state revenues on military and security equipment. UK trade statistics show that trade in information security systems and equipment to the Gulf since 2011 is worth almost £6 billion. In the case of the UAE, this trade increased dramatically after the 2011 Arab Spring protests from a million- to a billion-pound trade.
One of the British companies dealing in cybersecurity in the Gulf is illustrative of the importance the industry holds in the region. A struggling maritime security company rebranded itself in 2012 as Protection Group International and diversified into cybersecurity. However, struggling to finance itself, the company sold a majority stake in 2014 to a subsidiary of MB Holding Company, a company owned by Omani billionaire Mohammed al-Barwani.
While government-backed companies continually make staggering profits, ultimately, it is the human rights defenders and dissidents in the Gulf that bear the greatest costs.
Since then, it worked in all six GCC countries developing their national cyber security centres and is only one of the many companies the British government actively supports in the region. In this single instance, a private company, supported by both UK and Omani governments, profits from a trade that helps centralise digital authoritarianism across the GCC.
But this is only one instance of a broader trend that governments like the UK are supporting. The unaccountable Gulf Strategy Fund lists as one of its main areas of priority cybersecurity, with plans to appoint a ‘Cyber Ambassador’ to the GCC to promote cooperation and trade in cybersecurity. In short, public money helps support private profit and foreign oppression. This is a commitment that Foreign Secretary Liz Truss doubled down on in her December 2021 meeting with Gulf Foreign Ministers.
While government-backed companies continually make staggering profits, ultimately, it is the human rights defenders and dissidents in the Gulf that bear the greatest costs.
Hacking Opponents, Silencing Dissent
To understand how a profit-motivated private sector and autocratic states work together, another company can lend an example.
Dark Matter is a private cybersecurity company in the UAE that bills itself as ‘providing secure, trusted, and integrated cyber protection services to government agencies and businesses alike’. However, in 2021, it was discovered that three American intelligence officers worked for Dark Matter as digital mercenaries. They helped the UAE government in their focus to hack ‘Emirati dissidents and journalists’. Their expertise went towards the development of a ‘zero-click’ hacking system that provided unauthorised access to tens of millions of smartphones.
But it isn’t only Emirati dissidents subject to UAE’s state hacking campaign. Loujain al-Hathloul, one of the previously mentioned Saudi activists, is now suing the three intelligence officers for their alleged involvement in hacking her phone which led to her arrest in the UAE and her rendition to, and torture in, Saudi Arabia.
This is just one case made public purely by chance in an environment where countless violations occur without knowledge or scrutiny. Freedom House’s Freedom on the Net Reports compile cases annually that reach public attention, and of the three GCC countries they report on—Saudi Arabia, UAE, Bahrain—they rank them at the bottom globally for violation of users rights and total freedom score.
Security for Whom Against What?
It is important to revisit the definition of cybersecurity. The question that naturally arises is security for whom? Clearly, it doesn’t apply to human rights defenders and dissidents; their devices are fair game for hacking and intrusion. Instead, the ‘security’ cybersecurity ensures is the security of the state against the people. Where criticism and activism are crimes against the state, cybersecurity will continue being a weapon of state coercion.
Similarly, in the Gulf, cybercrime is not when the government utilises technology, purchased by public money, to hack into the devices of the public. Instead, cybercrime is only defined by the caprice of the public prosecutor or cyber intelligence officer at any given time. Vague laws and powerful technology have empowered the most serious breaches of human rights, all of which have been given shade by the innocent term cybersecurity.