Introduction

In the Middle East and North Africa (MENA), many journalists, bloggers and Internet activists are imprisoned, exiled or silenced for exercising their fundamental right to freedom of expression. The Gulf Centre for Human Rights (GCHR) has reported on numerous digital rights violations against human rights defenders, including several emblematic cases which document these violations ranging from jailing bloggers to monitoring critical journalists via intrusive technologies, to the systematic criminalisation of digital expression in the name of national security or public order.

While Yemen, Libya and Kuwait each illustrate in their own way the effects of inadequate or circumvented legal frameworks on cyberspace, other countries in the region such as Iran, Qatar, Jordan, Saudi Arabia, Bahrain, the United Arab Emirates or Iraq are distinguished by the adoption of more elaborate legislation on cybercrime, which, far from guaranteeing freedom of expression, often institutionalise its repression through vague legal provisions, extensible and incompatible with international standards.

Background

Looking at a series of cases in the MENA region, a recurring pattern has emerged: vaguely-worded and interpretable laws against cybercrime are being diverted from their original purpose of protection into highly-repressive instruments. This phenomenon is not limited to an isolated state, but reflects a structural trend allowed by an international legal vacuum. Indeed, since the Budapest Convention (of 2001) on cybercrime, the regulation of cyberspace has mainly focused on the technical aspects related to digital offences (such as fraud, illegal access to computer systems…), without a clear framework of the guarantees necessary for the protection of fundamental freedoms. This normative vacuum leaves the field open to authoritarian national legislations that, under the guise of morality, national security or preservation of religious values, criminalise digital expression. In this context, journalists find themselves at the mercy of vague legal frameworks that justify arbitrary prosecutions, often without effective judicial guarantees.

The objective of this report by GCHR is to understand how this instrumentalisation of laws against cybercrime in the MENA countries stifles critical voices currently, while proposing avenues for an appropriate international legal response. This analysis builds on GCHR’s 2021 report co-authored with the International Human Rights Law Clinic at the University of California, Berkeley, School of Law, Who Will Be Left to Defend Human Rights?, which documented 225 cases between 2018 and 2020 where governments across the MENA region (including Bahrain, Saudi Arabia, the UAE, Jordan, and others) used cybercrime and other vaguely worded laws, often enforced by specialised security units, to silence online expression. The report highlighted how such legislation has been systematically weaponised to detain, prosecute, and intimidate journalists, bloggers, and human rights defenders in violation of international human rights standards.

The framework of cyberspace in international law remains largely insufficient, fragmented and ineffective in the face of authoritarian excesses. No universal treaty specifically governs cyberspace, leaving room for a plethora of scattered norms from public international law (such as the United Nations Charter), international human rights law (notably Articles 17 and 19 of the International Covenant on Civil and Political Rights (ICCPR)) protecting privacy and freedom of expression. This last article specifies that this right includes the freedom to seek, receive and disseminate information without regard to borders.

In practice, this principle is often circumvented by national laws on cybercrime drafted in a vague or excessive manner, or due to the fact that international humanitarian law (in the case of cyber conflict), and regional conventions such as the Budapest Convention on Cybercrime (adopted by the Council of Europe), are not ratified by the Gulf countries, Iran or Yemen.

In the absence of a clear and binding lex specialis, each state remains sovereign in its regulation of cyberspace, allowing de facto the adoption of vague and repressive laws based on vague concepts such as the attack on morality, religion or national security. More recently, in December 2024, the UN General Assembly adopted the UN Convention Against Cybercrime, which will be open for signatories in October 2025. With Russia as its standard-bearer, supported by some South countries, this Convention – once it becomes part of international law – could reinforce the trend to repress freedom of expression by giving a simulacrum of legitimacy to repressive laws, under the guise of digital security.

This lack of a clear normative framework opens the way to massive surveillance and repression practices. This fragmentation generates a high degree of legal uncertainty and conflicts of laws, as digital content escapes the traditional borders. There is no dedicated international court to effectively challenge digital rights violations, and UN mechanisms remain dependent on ratification and cooperation of states.

At the third Summit for Democracy in March 2024, Finland, Germany, Ireland, Japan, Poland and Korea joined a US-led joint statement to work collectively to counter the proliferation and misuse of commercial spyware. The US banned commercial spyware use by federal agencies. Israel’s NSO Group and Candiru were added to the banned Entity List in 2021, and Canada’s Sandvine in 2024. In April 2024, the US State Department announced visa restrictions on 13 people involved in the development and sale of spyware who “have facilitated or derived financial benefit from the misuse of this technology, which has targeted journalists, academics, human rights defenders, dissidents and other perceived critics, and US Government personnel.” In January 2025, members of the UN Security Council met informally to discuss the threats that commercial spyware pose, including to diplomats, and various nations joined the United States and pledged to take action for victims. In 2023, the PEGA committee was formed at the EU Parliament to investigate spyware use.

Current initiatives, such as the UN expert groups or the Declaration on the Future of the Internet, remain purely declaratory and non-binding. As a result, cyberspace has become a breeding ground for mass surveillance, the criminalisation of dissent, and digital impunity, reinforcing the urgent need for a harmonised and binding international framework to protect fundamental freedoms online. 

Since the COVID-19 pandemic, many governments have increased their control capacity through health tracking technologies, sometimes repurposed for political purposes, as reported by GCHR in two reports published in April and December 2021. Although several Gulf constitutions recognise the protection of personal data, their application remains inconsistent. The current context thus reveals the worrying tangle between legal arbitrariness, technological opacity and political repression. This trend is part of a global phenomenon.

In Iran, the use of spyware against dissidents has been documented by the Pegasus Project, an international investigative initiative led by Forbidden Stories and Amnesty International. This project revealed that the Pegasus spyware, developed by the Israeli company NSO Group, was used to target journalists, human rights defenders, and political opponents across several countries, including Iran. The investigation uncovered a list of over 50,000 phone numbers selected for potential surveillance, highlighting the extensive reach of such cyber-espionage activities.

These technologies have been used to monitor journalists or to track critical voices, as in the tragic case of the assassination of the Saudi journalist Jamal Khashoggi. In February 2024, Access Now and Citizen Lab published an investigative report on the wholesale use of Pegasus spyware to spy on large swaths of Jordanian journalists and civil society organisations.

In response, this report aims to document the repressive uses of digital technologies and the legal loopholes that allow them.

From this context emerges a central question: how the absence of a binding international normative framework for the regulation of cyberspace allows the States in this region to instrumentalise cybercrime laws to arbitrarily restrict freedom of expression and violate journalists’ fundamental rights?

To read the full report, click to download: