UAE Cracks Down on Fraudulent VPN
Federal Law Amended to Combat Cyber Crime
The new federal decree issued by the President of the UAE, Shaikh Khalifa Bin Zayed al Nahyan, states that a punishment of temporary imprisonment and a fine of not less than US$136,000 and not more than US$545,000 will be imposed on whomever uses a fraudulent VPN address by employing a false or third-party address or by any other means for committing a crime or preventing its discovery.
Security leaders say UAE has taken a logical approach, especially when enterprises and citizens are open to risk and vulnerabilities while browsing websites illegitimately.
VPNs are used by most organizations to enable their users to access corporate applications and networks in a secured manner. The services allow users anywhere in the world to connect to a private network via the internet. In parallel, VPN services are being used to access blocked services or websites, which can only be reached through a VPN or proxy; this is considered fraudulent use to commit a crime.
"Using VPN is increasing the risk for data due to unauthorized traffic monitoring or snooping through malicious networks," says Dubai-based Dhruv Soi, chairman, Open Web Application Security Project, Middle East and North Africa.
An IB Times report says the law was earlier restricted to prosecuting people using VPN as part of an internet crime. But the law has been changed to enable the UAE enforcement group to go after anyone using VPN to access blocked services, which is considered to be a fraudulent use of an IP address. For instance, VPNs are also often used in conjunction with the Tor anonymity network to access websites hidden on the Dark Web.
Although VPN traffic was considered a secure tunnel for organizations to allow users access to corporate applications and networks, Dr. Jassim Haji, CIO of Gulf Air, says, "The use of VPNs or proxying to run and access banned applications such as Skype, WhatsApp, Viber and others makes it difficult for regulators and law enforcing agencies to monitor and filter authentic traffic from malicious traffic and apply policies based on the country's regulations."
Security practitioners argue that while VPN services offer flexibility for users to protect online privacy by hiding user location, they also spell increased risk of cyberattacks.
"Cybercriminals use VPN-based traffic to circumvent different laws and regulations covering different geographies; also, local ISPs face immense challenges to market their legacy/traditional voice applications and communications," says Haji.
Soi agrees, "Unauthorized VPNs pose a high risk, as monitoring users' traffic, recording their calls, even recording net banking transactions are possible by hosting an illegal VPN and recording when the traffic leaves VPN devices towards the actual server."
He considers VPN a challenge while tracking cybersecurity incidents. Normally, residents make a call via VPN but don't disconnect the VPN after finishing, which leaves a vulnerability that provides easy access.
Qatar-based security expert Samir Pawaskar says, "The same offence has existed since 2012. But the amended law will increase potential fines ... The focus is to deter cybercriminals using VPN to hide their digital prints."
Impact on VPN Service Providers
Many argue this act will impact Voice over IP technology services, which offer voice calls over the internet for free, as well as affect telecom operators.
One media report says VPNs are widely used in the UAE to access websites and applications blocked by the UAE Telecommunications Regulatory Authority and to allow access to WhatsApp, Viber, Skype and other VoIP services.
In response, in a statement released to the media, TRA assures businesses and the public that it is fully committed to the safety and smooth flow of economic activities for UAE-based companies and institutions, highlighting that there are no regulations preventing organizations from using VPN technology to access their internal networks through the internet. However, business users are held accountable if it is misused.
TRA re-emphasized the actual violation mentioned in the law - "using a false IP address or a third-party address by any other means for the purpose of committing a crime or preventing its discovery" - so that the law is understood correctly: the punishment is exclusively linked to the mentioned fraudulent act and the intent to commit a crime or prevent its discovery.
Commenting on media reports about VPN, H.E. Hamad Obaid Al Mansoori, Director General of TRA, said: "UAE's proud of being one of the countries that encourages investment and openness to ICT-based economic activities. Any misuse of licensed and organized services in the UAE will lead to legal accountability. The laws target those misusing the services and not those activities consistent with UAE's laws."
Securing VPN Services
The new law has only empowered enforcement groups to take criminals to task.
Offering tips on security, Soi warns against using VPN services not hosted by one's own or an associated organization: "Do not trust anonymous VPNs, free VPNs, free proxies meant to trap and record public traffic and even claim to provide it as a paid service."
Gulf Air's Haji outlines security measures for corporate VPN users:
- The VPN gateway must use accredited and authenticated SSL certificates acquired from a trusted certificate authority provider;
- It should use a strong encryption algorithm approved by the regulator and authority;
- The Fully Qualified Domain Name of the VPN gateway must be registered under the corporate name;
- The regulator might mandate multifactor authentication as an additional security measure by the corporate to differentiate its traffic from free VPN traffic.
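The checklist above can be turned into an automated audit of what a VPN gateway presents during its TLS handshake. The following is an added example, not code from the article or from anyone quoted in it. It assumes the certificate arrives in the dictionary form returned by Python's `ssl.SSLSocket.getpeercert()`, uses the certificate's organization field as a stand-in for "registered under the corporate name", and uses placeholder policy values (`Example Corp`, `vpn.example.com`, the AEAD cipher markers).

```python
# Assumed policy values (placeholders, not taken from the article).
POLICY = {
    "org": "Example Corp",                # corporate name expected in the certificate
    "fqdn": "vpn.example.com",            # gateway FQDN users connect to
    "tls_versions": {"TLSv1.2", "TLSv1.3"},
    "aead_markers": ("GCM", "CHACHA20"),  # stand-in for a regulator-approved cipher list
}

def _flatten(name):
    """Turn getpeercert()-style RDN tuples into a plain dict."""
    return {key: value for rdn in name for key, value in rdn}

def _san_matches(fqdn, sans):
    """Exact match, or a wildcard covering exactly one left-most label."""
    parent = fqdn.lower().partition(".")[2]
    return any(s.lower() == fqdn.lower() or
               (s.startswith("*.") and s[2:].lower() == parent) for s in sans)

def audit_gateway(cert, tls_version, cipher_name, mfa_enabled, policy=POLICY):
    """Return findings; an empty list means every checklist item passed."""
    findings = []
    subject, issuer = _flatten(cert.get("subject", ())), _flatten(cert.get("issuer", ()))
    sans = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    # Offline heuristic only: chain validation itself belongs to the TLS handshake.
    if not issuer or issuer == subject:
        findings.append("certificate is self-signed, not issued by a CA")
    if not _san_matches(policy["fqdn"], sans):
        findings.append("gateway FQDN not covered by certificate SAN")
    if subject.get("organizationName") != policy["org"]:
        findings.append("certificate organization is not the corporate name")
    if tls_version not in policy["tls_versions"]:
        findings.append("protocol version not approved: %s" % tls_version)
    if not any(marker in cipher_name for marker in policy["aead_markers"]):
        findings.append("cipher suite not approved: %s" % cipher_name)
    if not mfa_enabled:
        findings.append("multifactor authentication is not enforced")
    return findings

# Constructed sample certificates (not real gateways).
GOOD_CERT = {
    "subject": ((("organizationName", "Example Corp"),), (("commonName", "vpn.example.com"),)),
    "issuer": ((("organizationName", "Example Trust CA"),), (("commonName", "Example Trust CA R1"),)),
    "subjectAltName": (("DNS", "vpn.example.com"),),
}
BAD_CERT = {
    "subject": ((("commonName", "free-vpn.example.net"),),),
    "issuer": ((("commonName", "free-vpn.example.net"),),),
    "subjectAltName": (("DNS", "free-vpn.example.net"),),
}
```

Calling `audit_gateway(GOOD_CERT, "TLSv1.3", "TLS_AES_256_GCM_SHA384", True)` returns no findings, while the constructed self-signed gateway with `"TLSv1"`, `"AES128-SHA"` and no MFA fails every item.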
"However, the challenge is managing grey traffic, stopping black traffic and keeping an up-to-date list of all the bad and good traffic," says Haji.
"While it is difficult to monitor and inspect the traffic - only possible if the keys are shared with the regulators and law enforcement authorities - such a law will combat serious cyber frauds," he says.