Why Oman’s new cybercrime law has little to do with cybercrime

Every time a new cybercrime law is introduced somewhere in the SWANA region, it is often explained using the same premise. Governments present these laws as necessary to fight hackers, protect national security, and curb online fraud. But upon a closer look at the law itself, and not the government’s statement around it, you notice that  these laws often reach far beyond hacking, fraud, or other technical offenses.
Over the years, these laws have been used to arrest journalists and activists over  tweets and social media posts. None of them were hacking anything. Oman’s new Law on Combating Information Technology Crimes, enacted in 2026, reads less like a law against cybercrime and more like a law against the internet itself.
Broad definitions expand the law’s reach
The language is where the trap is set. Cybercrime statutes rely on terms like “misuse of technology,” “harmful content,” “misleading information,” and “threats to public order” as if these were precise legal concepts. In practice, these laws are conceived in a way that is broad enough to cater to whatever a prosecutor decides to pursue.
Article 20 of the law is a good example of how this works. It criminalizes producing, storing, broadcasting, sending, or re-publishing anything that “undermines public order or public morality,” and anything constituting “rumors or misleading information, directly or indirectly.” The prison sentence ranges from one month to three years, with fines between 1,000 and 3,000 rials (the equivalent of around USD 2,600 and USD 7,802) and rises to three to ten years if the intent is deemed to be “inciting strife, hatred, racism, sectarianism, or division.”
None of the terms such as “public order, public morality, misleading information, strife” are defined anywhere in the law. Undefined terminology transfers the power of definition from the legislature to the prosecutor and the judge, who get to arbitrarily decide as a result what content crossed the line. 
A journalist sharing a video of a government failure can be framed as “undermining public order.” Similarly, a citizen commenting on an official’s conduct can be prosecuted for spreading “misleading information.” There is no reliable way of knowing in advance that you were breaking the law at all.
The region has already seen, case after case, what arbitrary interpretation does to people. It is not a hypothetical risk, rather, it is a documented practice, and that is how self-censorship is manufactured at scale.
Article 20 of the Omani Cybercrime law directly violates Articles 19 and 20 of the Universal Declaration of Human Rights, which guarantees freedom of opinion, expression, and peaceful assembly. It also opposes Article 9 of the International Covenant on Civil and Political Rights, since such a vaguely worded criminal provision, applied at prosecutorial discretion, opens the door to arbitrary arrest and detention.
Article 23 criminalizes “false or tendentious news, or inflammatory propaganda” intended to harm the reputation, prestige, or standing of the state or its institutions, or to undermine confidence in financial markets, or affect security, social, or health stability, directly or indirectly.
The word doing the heaviest lifting here is “tendentious” (مغرضة) because it has no legal definition. “False” is at least verifiable, but “tendentious” is a judgment about motive and it is a political characterization dressed up as a legal standard. Harm to the “reputation or prestige of the state” describes any act of critical journalism, like reporting on corruption or investigating institutional failure.
And in moments of crisis, the stakes escalate dramatically. Under Article 30, providing “false or misleading information” that damages state interests already carries up to three years, but if committed during states of emergency, wartime, disasters, or epidemics, the prison sentence increases to between 5 to 15 years and fines up to 100,000 rials ($260,000 USD). Article 25 applies the same escalation to publishing on Oman’s military movements or internal security.
Cybercrime and speech control
In many SWANA cybercrime laws, provisions on hacking and fraud sit in the same statute as rules about content that “offends religion,” “harms national unity,” or “disturbs public morals.”
Routing the prosecution of political speech through a cybercrime law, rather than a direct censorship law, gives the government a technical-sounding cover. The word “cybercrime” makes what is essentially a speech offense sound like a security matter, which means that criticizing a minister or reporting on a protest can land someone in court under a law branded publicly  as a tool to protect them against hackers.
The law builds an entire perimeter of what can be called “deference offenses” around these provisions. Article 32 imposes three to ten years for challenging “the rights and authority of the Sultan, or defaming him personally,” extending the same shield to the Sultan’s wife, crown prince, and children. The terms “rights and authority” are broad enough to capture political speech as such, not merely personal insult. 
Article 27 punishes content that “publicly undermines the required respect for the judiciary in a way that casts doubt on its integrity,” which turns accountability journalism about courts, reporting on a politically motivated prosecution, or documenting procedural irregularities, into a criminal act. 
 In the same vein, Article 24 criminalizes “contempt” (ازدراء) for the currency, flag, emblem, or national anthem. Contempt is a subjective standard that captures satire, protest imagery, and artistic work that is squarely protected under international freedom of expression standards.
The UN Human Rights Committee’s General Comment No. 34 is unambiguous on this. The protection of Article 19 of the ICCPR covers even expressions that may be regarded as “deeply offensive,” subject only to the strictly defined restrictions that the Covenant permits.
Article 26 extends the courtesy abroad. It criminalizes challenging or defaming foreign heads of state and accredited diplomats, or publishing content that “harms Oman’s foreign relations,” with six months to three years in prison. Omani citizens may not criticize their own ruler, their own courts, their own laws, and now, they cannot criticize anyone else’s either.
Article 44 closes this section with a blasphemy provision: five to ten years for content that affronts the Divine Being (God, الذات الإلهية), insults the Quran or distorts it, insults Islam or its rituals, or affronts any Prophets of any religion.
Enforcement that bypasses courts
Many of these laws concentrate enforcement power in executive agencies (interior ministries, security services, specialized cybercrime units) rather than independent courts. Account suspensions, arrests, content removal orders can all move quickly and with minimal judicial oversight.
Two things happen when enforcement bypasses the courts. First, you lose transparency. There is no public record of the reasoning, no written judgment to scrutinize or challenge. Second, you lose the ability to fight back. The due process that is supposed to separate law from arbitrary power gets quietly bypassed, and not many people notice until it is being used against someone they know.
Article 4 allows the Ministry of Transport, Communications, and Information to obtain electronic data from any entity, government or not, inside or outside Oman, on a Public Prosecution or court order, with a threshold of merely “sufficient reasons to believe” a cybercrime occurred. And because the content offences are defined by undefined terms, “sufficient reasons” can be assembled from almost any post.
These enforcement mechanisms oppose Article 14 of the ICCPR which guarantees the right to a fair and public hearing before a competent, independent, and impartial tribunal. Where blocking orders, account suspensions, or summonses escalate into deprivation of liberty without judicial oversight, they also violate Article 9’s prohibition of arbitrary arrest and detention.
Article 21 imposes three months to three years for using information technology to “incite or advocate for gatherings, strikes, sit-ins, or marches in circumstances other than those licensed.” Oman has a documented history of violating the right to peaceful assembly, despite having recently acceded to the ICCPR, whose Article 21 protects that right. When licensing is unavailable, “unlicensed” means “all,” and the article becomes a wholesale criminalization of online civic organizing. Calling for a sit-in through a WhatsApp group, or sharing a post announcing a demonstration, falls within its scope.
Article 31 goes further in the same direction: three to ten years for online advocacy aimed at obstructing or promoting disregard for “the Basic Law of the State, applicable laws, royal decrees, sultanic orders, judicial rulings, or orders issued by a body with judicial character.” Calling for the repeal of a law online is promoting disregard for it. Criticizing a royal decree is promoting disregard for it. 
This is the core work of human rights defenders and the entire practice of legal advocacy that this cybercrime law is trying to censor.
Governments that do not hold platforms accountable
Cybercrime laws in the region typically include provisions obligating social media platforms and internet providers to comply with government removal requests, with fines, liability, or being blocked as consequences for non-compliance.
Governments tend not to follow through against major platforms, and these platforms know it. What develops instead is a quiet, ongoing arrangement. Platforms comply with enough requests to stay accessible in the market while governments get the specific removals they care about most. The law exists more as leverage and is activated when the government wants something specific (a particular profile taken down or a particular account identified).
The result is that platforms are neither actually regulated nor held accountable. They operate comfortably within this ambiguity. Under Article 60 of the Omani law, courts can permanently or temporarily close any information system, website, or premises where an offense was committed or attempted, with duration set “in light of the circumstances of the crime.” Circumstances defined by undefined terms like “public order” and “state prestige.”
The “public order” excuse
Clauses invoking “public order” or “social stability” appear across SWANA cybercrime legislation as justifications that can be applied to almost anything. What makes them useful to authorities (and dangerous for everyone else) is the absence of a harm requirement. No one needs to demonstrate that actual damage occurred. A post does not need to have hurt anyone, it just needs to have made someone in power uncomfortable.
“Public order” sounds serious, like it carries weight. In practice it functions as a legal blank check or a justification that requires no evidence, no causal link between a post and any real-world damage, and no objective standard a court could apply. It just needs to be invoked.
A law that criminalizes privacy 
Some laws restrict anonymous accounts, others create mechanisms that make it easier for authorities to unmask users. These provisions are usually framed as anti-fraud measures, but their application is rarely limited to fraud.
Article 12 criminalizes possessing, importing, selling, or trading any device, software, password, or data “designed, developed, or modified” for committing an offense under the law, or for “concealing its digital traces or evidence,” with fines from 3,000 to 15,000 rials (around $7,800 to $39,000 USD) and six months to three years in prison. The concealment clause is where the danger is. The law does not require that a tool was actually used in a crime, but only requires that it is capable of concealing traces of one. A VPN, the Tor browser, an encrypted messaging application, which means the basic operational security toolkit of journalists, activists, and human rights defenders, can all be characterized as instruments of concealment.
These tools are not only used by human rights defenders. A VPN is what protects an ordinary person checking their bank account over open Wi-Fi, and encrypted messaging is simply how modern communication works (or should work).
Furthermore, Article 14 stipulates six months to one year for refusing to hand over “secret codes” to judicial officers. A password does not unlock only the allegedly criminal content, and compliance means surrendering the full contents of a phone or computer. For a journalist, that is the entire source network. For anyone else, a phone today holds banking applications, medical records, family photographs, work correspondence, and years of private conversations. For a dissident, a whistleblower, a survivor of gender-based violence, or an LGBTQ+ person, anonymity online is not a preference but a condition of safety.
An “exemption” that endangers the most vulnerable
One of the law’s most troubling features is tucked inside what looks like standard privacy protection. Article 5 criminalizes unauthorized access to devices, including modifying, deleting, publishing, or disclosing personal data, but removes all liability for a “guardian, trustee, or caretaker” who does any of this to protect the interests of a person under their care with “diminished legal capacity.”
The law does not define what diminished legal capacity is. Under Omani personal status law, that category extends to women where a male guardian’s authority is recognized. A husband, father, or brother who accesses a woman’s phone, deletes her communications, or publishes her private data could invoke this exemption by claiming a protective purpose.
The Arabic phrase for caretaker is also broad enough that an employer of a migrant domestic worker under the Kafala system could attempt to invoke it.
Meanwhile, Article 2 establishes extraterritorial jurisdiction over offenses committed outside Oman if they harm Omani interests or if the criminal result “occurs or was intended to occur” inside the country, theoretically placing Omanis in the diaspora, foreign journalists reporting on Oman, and international civil society organizations within the law’s reach.
For nearly 15 years, the 2011 Law on Combating Information Technology Crimes was used as legal cover to detain journalists and activists. In December 2025, Talib Al-Saedi was detained and prosecuted under Article 19 of that law for expressing personal views online about a local tragedy in the Al-Amarat district. He was sentenced to three months in prison, fined, and had his phone confiscated. Activist Awad Al-Sawafi was charged under the same framework with “incitement” and “misuse of social media” for tweets criticizing the concentration of power in government.
Civil society documented these cases and called for change. In July 2025, the Omani Centre for Human Rights and Democracy, in a joint submission with the Gulf Centre for Human Rights to Oman’s Universal Periodic Review, called on the state to bring the 2011 law into line with international standards.
The state’s answer was the 2026 law, which keeps every provision used against Al-Saedi and Al-Sawafi, adds the criminalization of encryption, felonizes calls for legal reform, shields the Sultan, the judiciary, and foreign leaders from criticism, and hands guardians a legal safe harbour to surveil the women in their care.
The timing makes it even harder to ignore. Oman acceded to the International Covenant on Civil and Political Rights, and within months, the country adopted a law that violates it systematically. 
Oman is also a signatory to the Arab Charter on Human Rights, whose Article 32 guarantees freedom of opinion and expression, and whose Article 21 prohibits arbitrary interference with privacy, both flatly contradicted by this law. 
Oman also ratified the Convention on the Elimination of All Forms of Discrimination against Women (CEDAW) in 1994, Article 7 of which protects women’s participation in public life and freedom of expression.
The obligations Oman has assumed under international law, and together with the commitments it has accepted through the universal periodic review process, provide a clear standard against which this legislation must be measured, and by that standard, the law falls very short.
The post Why Oman’s new cybercrime law has little to do with cybercrime appeared first on SMEX.