In September 2021, the Ministry of Social Affairs and IMPACT, the Central Inspection’s e-governance platform, launched DAEM, a program that aims to financially support struggling families in Lebanon. Following its launch, SMEX conducted a surface technical security and privacy analysis on the platform and found crucial vulnerabilities.
The platform asks for a great deal of identifying personal information; some of it is justified, some is not. IMPACT therefore needs to explain publicly why there is no clarity on who is responsible for the data collected, where it will be stored, and how it will be protected and accessed.
In terms of hosting, our analysis shows that the DAEM webpage is served from a Lebanese IP hosted by Ogero Telecom. This is a good step toward keeping data within Lebanese territory; however, it is not the full picture.
Updated Technical Security, yet…
Like IMPACT’s other services, such as the Covid-19 vaccine pre-registration website and the curfew permission website, DAEM is built on the same set of infrastructure components and dependencies used by the developing company.
SMEX’s Tech Unit conducted a surface analysis of daem.impact.gov.lb to check whether any of the previous recommendations had been taken into consideration. IMPACT implemented our recommendations regarding the security isolation measure and patched the load balancer to a newer version. Previously, a reverse proxy was used to isolate the internal data-processing server’s IP from public access, so that server was reachable only through the Nginx reverse proxy.
When it comes to hosting, IMPACT provided SMEX’s Tech Unit with the backend infrastructure document, stating that they have migrated to a Lebanese server from the German SaaS. However, the Unit’s findings do not confirm this statement, though they are not conclusive either. IMPACT’s mail server is still on the German hosting provider, which indicates that the service there is still active. SMEX’s Tech Unit has serious doubts about the actual server IPs: whether they are on Lebanese servers or still on the German SaaS Leaseweb, with only the Nginx reverse proxy placed on a Lebanese IP to mask the real location.
After thorough analysis, SMEX found that the reverse proxy receiving web requests is located in Lebanon, via a Lebanese IP registered to Ogero Telecom, and this applies to all the services provided through the IMPACT platform. Finally, SMEX notes that it has no technical means of checking what lies behind a reverse proxy.
Despite these many security updates, SMEX still demands transparency from IMPACT about the location of the data and how the infrastructure behind the reverse proxy is managed.
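To make concrete why a surface analysis stops at the proxy, here is an added illustration (not IMPACT’s configuration) of a front-end Nginx reverse proxy of the kind described above; the hostname, certificate paths and backend address are placeholders. The client only ever connects to the address the proxy listens on, while the upstream it forwards to may sit on any network.

```nginx
# Added illustration, not IMPACT's configuration. The public IP that DNS
# returns and that the TLS session terminates on belongs to this proxy only.

upstream hidden_backend {
    # Placeholder: the real data-processing host is whatever the operator
    # puts here, e.g. a private address or a host in another country.
    server BACKEND_HOST_PLACEHOLDER:443;
}

server {
    listen 443 ssl;
    server_name daem.example.lb;   # placeholder, not the real hostname

    ssl_certificate     /etc/nginx/tls/fullchain.pem;   # placeholder paths
    ssl_certificate_key /etc/nginx/tls/privkey.pem;

    location / {
        proxy_pass https://hidden_backend;

        # These headers travel *to* the backend only; nothing about the
        # upstream's address is echoed back to the browser.
        proxy_set_header Host              $host;
        proxy_set_header X-Real-IP         $remote_addr;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;

        # Nginx already drops the upstream's Server and Date headers by
        # default; hide other framework banners that could hint at the
        # backend stack as well.
        proxy_hide_header X-Powered-By;
    }
}
```

Everything an external observer can measure (the A record, the IP’s registrant, the TLS endpoint, the response headers) describes this proxy; the `upstream` target is visible only from inside the proxy’s own network.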
A Legal Muddle…
According to the Legislative Decree No. 115/59, “Establishment of the Central Inspection,” dated 12/12/1958, with amendments made on 05/03/1963, the role of the Central Inspection includes conducting various types of inspection to oversee public administrations and institutions and municipalities, seeking to improve administrative processes, offering advice to administrative authorities voluntarily or upon request, coordinating joint operations between different public administrations and carrying out research, investigations and work assigned to it by authorities.
Its role, as explained on the IMPACT platform, is to “operate the Public Administrations General Inspections module on the platform and provide access on this module to inspectors who need to audit public administrations. It also audits other sectoral activities that are within its mandate using IMPACT dashboards.” On the same FAQ page, IMPACT explains that data governance for the different services provided by the platform is also the responsibility of the General Inspection, which “ensures that the GDPR principles and equity, security, privacy, transparency, and accountability principles are properly enforced on the platform.” The page also states that the “ultimate owner of the data is the Government of Lebanon.”
In the midst of all this legal ambiguity, the following questions arise:
- Based on Article 104 of the E-Transactions and Personal Data Law 81/2018, does the work that IMPACT undertakes in its different services fall under the Central Inspection’s mandate?
- Why does the Daem platform ask for such detailed personal information, such as car plate numbers and proof of ownership and clear face photos, as well as the lifting of banking secrecy?
- Does the Central Inspection have the right to collect and process such data?
- Where is this data stored?
- The “Government of Lebanon” is identified as the “ultimate data owner” on IMPACT’s FAQ page and the webpage’s Privacy Policy, but which institution or entity within the government will be held accountable for any data abuse or use?
- What is the accountability mechanism on IMPACT’s platforms?
We are ready to help new apps and websites looking to fortify their privacy and security, and, in partnership with the Friedrich Naumann Foundation (FNF) in Lebanon and Syria, we will expand our work as a watchdog over citizens’ digital data on Lebanon’s government platforms.