Encryption Law in Oman

January 27, 2019

According to the telecommunications law, using any form of encryption in communications is illegal in Oman without a licence from the Minister of Transport and Communications. This legal provision is impossible to enforce and sends the wrong message about the importance of encryption and security to members of the public.

Encryption is a fundamental aspect of the Internet. We expect the messages we exchange with our friends and family on social networks, the credit card details we upload to online stores, and any other meaningful data we share on the Internet to be communicated confidentially, without anyone being able to intercept them.

The law is currently written in extremely wide terms that simply state that the use of ‘any encryption in communications’ is prohibited. This can be anything from using a virtual private network (VPN) to sending a password-protected zip file in an email message.

An Internet user can at times voluntarily use encryption services for a variety of purposes. For example, an Internet user may use a VPN to access a geographically restricted website or may encrypt a confidential PDF document for work purposes.

However, most Internet users probably do not know that they are required to use encryption, whether or not they want to, on a daily basis. For example, it is not possible to use WhatsApp, Gmail, Facebook, or even YouTube without using encryption since these services rely on encryption technologies to protect the data and privacy of their users.

In fact, the websites of the Telecommunications Regulatory Authority (TRA) and the Information Technology Authority (ITA) both use SSL encryption to ensure that the communications between the servers on which their websites are hosted and the browsers from which these websites are viewed are secured.

It is fundamental for everyone to encrypt as much of their communications as they can, especially when using public Internet networks such as those found in cafés, hotels, and other public places, since using these networks without any encryption makes users easy targets for cyber criminals and identity thieves.

From a national security point of view, the government would like to intercept and monitor all communications it deems relevant when that becomes necessary, and allowing individuals to use any encryption technology they choose would make it impossible for the government to undertake investigations when an incident takes place.

This, however, should not be a justification to expose all Internet users to risk. The law should strike a balance between the need of the government to take precautions, and the rights of individuals to protect themselves, to have privacy, and to ensure that their communications remain confidential. The law as it stands is impossible to enforce, and this impossibility normalises breaking the law since users automatically break it every time they use WhatsApp, Gmail, or Facebook. The law also sends a message to members of the public that encryption is bad, when the law instead should encourage them to take precautionary measures to protect themselves.