The Framework That Never Named VPNs
Saudi Arabia has not passed a law that explicitly bans VPNs. This is not an oversight — it is a more durable enforcement strategy. By leaving virtual private network use in legal ambiguity, the Communications, Space and Technology Commission (CST, formerly CITC) and the Public Prosecution can prosecute users not for the act of encryption, but for whatever they accessed while encrypted.
The legal foundation is the Anti-Cyber Crime Law, promulgated by Royal Decree No. M/17 on March 26, 2007. Article 3 penalises unauthorised access to electronic sites with up to one year imprisonment and fines up to SAR 500,000. Article 6 escalates penalties to five years and SAR 3 million for content that "violates public order, religious values, or public morals." Article 7 reaches ten years and SAR 5 million for anything touching national security or terrorism. The law contains no mention of VPNs — which means the entire penalty structure applies through the content accessed, not the tool used to access it.
The human rights group Together for Justice, in a December 2023 report, warned that Saudi authorities have invoked this deliberate vagueness to characterise VPN use as potentially constituting "joining terrorist organisations and harming national security" — a framing that activates Article 7's harshest penalties. The group described the legislation as relying on "imprecise and broad terminology," treating that as a design feature, not a flaw.
What Is Actually Blocked
The CST maintains content filtering infrastructure across more than 90 classification categories. What Saudi users routinely encounter as unavailable includes pornography, gambling, VoIP services (historically protected by telecom operator lobbying), content deemed critical of the government or Islam, LGBT+ material, human rights reporting, and significant swathes of foreign media. Freedom House's Freedom on the Net 2024 report scored Saudi Arabia 25 out of 100 — firmly in the "Not Free" tier — documenting blocked outlets including Middle East Eye and Al-Araby al-Jadeed, alongside systematic filtering of opposition and civil society platforms.
The filtering is not passive. Saudi ISPs deploy deep packet inspection (DPI) to identify VPN protocol traffic — including OpenVPN, IKEv2, and L2TP signatures — and either block or throttle those connections. The websites of major VPN providers, including Tor, are themselves blocked. Under Article 38 of the Telecommunications Act, ISPs face fines up to $6.7 million for failing to enforce government content bans, creating a direct financial incentive for aggressive DPI deployment.
The Users in the Crossfire
Despite the enforcement apparatus, roughly 29% of Saudi internet users access the web via VPN at least monthly, according to GlobalWebIndex data cited in multiple legal analyses. Saudi Arabia has one of the highest VPN adoption rates globally, driven directly by the depth of its content restrictions.
The 99% internet penetration rate recorded in the CST's Saudi Internet Report 2024 — with mobile connectivity at 99.4% — means almost the entire population engages with a filtered network. A country where nearly everyone is online, and where roughly one in three online Saudis regularly uses circumvention tools, faces an obvious enforcement paradox: mass prosecution would be practically impossible and politically catastrophic, but tolerating VPN use wholesale undermines the information-control framework.
The existing approach resolves this paradox by making enforcement selective and unpredictable. Corporate users connecting to international business systems are generally tolerated. Individual users accessing political content, human rights material, or blocked media face the law's full weight. Freedom House documented users receiving multi-decade prison sentences for social media activity; no published statistics exist on VPN-specific prosecutions, which is itself a chilling effect mechanism.
The Vision 2030 Contradiction
The Saudi government's own ambitions sharpen the contradiction. Vision 2030 has positioned the Kingdom as a regional technology hub, with the digital economy contributing an estimated SAR 495 billion — approximately 15% of GDP — and ambitious growth targets. The ICT sector surpassed SAR 180 billion by 2024. The December 2022 Telecommunications and Information Technology Act (TITA) was explicitly designed to foster competition and private investment in connectivity.
Yet a digital economy that requires circumvention tools to access the global internet is not a structurally competitive one. Foreign knowledge workers, researchers, and multinational employees operating inside the Kingdom routinely use VPNs to do their jobs — and their liability under the current framework depends entirely on what their corporate systems happen to route through. That legal gray zone is not a stable foundation for a tech ecosystem.
What Proportionate Regulation Looks Like
To steelman the government's position: content controls serve some legitimate purposes. Child protection, counter-terrorism, and intellectual property enforcement are regulatory goals that many democratic jurisdictions also pursue, often through blocking orders or platform liability frameworks. Saudi Arabia is not uniquely wrong to filter certain categories of content.
But the mechanism matters. The Anti-Cyber Crime Law's broad language conflates accessing a blocked foreign newspaper with supporting a terrorist organisation. Article 7's ten-year maximum cannot coherently apply to a knowledge worker connecting to a company intranet — yet the current statutory text leaves exactly that interpretation available to prosecutors. That is not proportionate regulation; it is a blunt instrument whose breadth creates chilling effects far beyond any legitimate objective.
A proportionate framework would explicitly define which content categories trigger which penalty tier, carve out licensed and commercial VPN use, and require the CST to publish its blocking criteria so users know where the line is. Legal clarity is not a concession to censorship critics — it is a precondition for the commercial trust that a Vision 2030 tech economy requires. At 99% internet penetration, Saudi Arabia's network infrastructure is built. The remaining question is what kind of internet it chooses to run on top of it.