Referring Telecom Data to Security Agencies Breaches the Lebanese Law

News Abed Kataya data traffic, E-Transactions and Personal Data Law, handing over data to authorities, law no. 140, Lebanon, metadata, Najib Mikati, Privacy, Right To Privacy, Right to privacy, security agencies October 26, 2021 October 26, 2021

On October 4, Lebanese Annahar Daily reported that the latest Lebanese Prime Minister formed a ministerial committee to “look into granting security agencies and armed forces full access to all telecommunication data.” Although this is not the first time that successive governments have established such a committee, it remains unclear why Cabinets (especially those presided by Najib Mikati) insist on doing so. What data can telecommunication companies gather and keep about their subscribers, and how can we reduce data collection?

The reason behind forming a committee consisting of the Ministers of Interior, Defense, Justice, Telecommunications, and Transport remains unknown. Such a decision can be dangerous considering that security agencies in Lebanon rarely adhere to the law or await judicial orders before collecting identification information. On the contrary, they often abuse their access to data, as in the case of the espionage campaign facilitated by mobile applications dubbed “Dark Caracal,” a global malware whose operations were traced back to the Lebanese General Security building in Beirut.

Political Rivalry Eclipses Residents’ Privacy

This is not the first time that a Lebanese Cabinet forms a committee to provide the security agencies with telecom data. Under Prime Minister Saad Al-Hariri, who resigned in light of the October 17 protests in 2019, the Cabinet established a ministerial committee entrusted with the same task.

Cabinet members often argued when discussing granting security forces access to telecommunication data, yet their disputes were always political. Their discord was never related to the privacy and security breaches involved in such decisions. During PM Najib Mikati’s previous Cabinets, clashes over telecommunications data and their handover to security agencies have been a recurring incident. Between 2012 and 2013, some Members of Parliament had called on PM Najib Mikati’s government to hand over all telecommunication data to security agencies.

According to media reports, in February 2013, Mikati declared that handing over telecommunication data falls within his jurisdiction. The Cabinet thus approved the implementation of Law No. 140/1999, which “aims to maintain the right to the privacy of correspondence carried out through any means of communication” (Article 9). According to media reports, Mikati only approved the interception of communications at a specific time and for a limited duration, and only if the request was submitted administratively. He had not intended to hand over all telecom data. After political polarization on this topic waned in 2014, the former Telecom Minister in PM Tammam Salam’s Cabinet, Boutros Harb, relayed all telecommunications data to security agencies.

The Government is Breaching the Data Disclosure Law 

Lebanon is yet to respect the right to privacy, whether in legal texts or in practice. According to SMEX’s Legal Unit, the following is a glimpse of the most prominent laws which tackle data, its preservation, and handover to the Judicial Police.

Law No. 140/1999 which “aims to maintain the right to the privacy of correspondence carried out through any means of communication” affirms in Article 1the right to secrecy of internal and external correspondences carried out by any means of wired and wireless communication.” In Article 2, it stresses that “the interception of correspondences must only take place by virtue of a judicial order” and “in cases of extreme necessity.

On another note, Law no. 81/2018 on “Electronic Transactions and Personal Data” addresses communications traffic rather than its content as in Law No. 140. As such, Law No. 81 is considered the reference in this case.

Article 86 of the same Law states: “No judicial or administrative order requiring an assessment of human behavior, can rely on the automatic processing of data only, to determine a person’s traits or evaluate some of their personality aspects.” Article 121 states that “seizing informational evidence shall be carried out as per Public Prosecutor’s Office decision or competent judicial authority,” and not by virtue of a Cabinet decree. It also forbids access or review of data that is not directly related to the criminal proceedings in question, stating that “Privacy should be respected in regard to the effect of information, particularly data and photos, which is not related to the criminal proceedings,” even though it does not clarify how to respect this privacy.

Article 97 of Law No. 81 allows other ministries to supervise the processing of personal data, for any data related to the “state’s internal and external security,” without providing a clear definition of the term, thus expanding the powers of ministries in this scope. It is important to note that the Ministry of Interior is known for its mismanagement of personal data, such as exposing the personal data of registered voters during the 2018 elections and leaking personal records from the vehicle registration center.

Article 94 states that data processing conducted by people of public right, each within their jurisdiction, “does not require any statement or license request to process personal data.

As for Metadata, the Lebanese Law calls on service providers to maintain it, as Article 72 of Law No. 81/2018 on E-transactions and Personal Data, calls on IT service providers to “maintain information related to data traffic for all people using their services, which will help identify them, as well as other technical data related to communications for three years starting from the date of service implementation.” The same Article also indicates that the Judicial Police may act on the above, as part of the investigations in a criminal proceeding, upon notifying “the competent judicial authority.”

Article 76 of the E-transactions Law also stipulates the cooperation of internet services providers and data hosts with “the competent judicial authorities identified in Law No. 140/1999 and within limits, in order to reveal the truth in every investigation it conducts or every pending lawsuit before the same.

Therefore, any Cabinet decision that requires service providers to share all data related to communications traffic or data is considered illegal. Why then, do successive Cabinets continue to disregard these laws, and instead breach them by choosing to hand over all data traffic to security agencies?

What Can Communication and Internet Companies Find out about their Users?

Telecommunications companies are also Internet Service Providers, and thus they require a specific IP to communicate with the Domain Name System (DNS). The DNS is considered to be a record and guide to websites, allowing Internet Service Providers to find out about every request leaving your device, referred to as “data traffic,” including all the details mentioned below, in addition to any identification information available on your device.

According to research conducted by SMEX in 2018, there are only three companies in Lebanon that have their privacy policy published, albeit lacking and only available in English.

Our technical team has summarized the information that telecommunications and internet companies can know about their users as follows: 

  • Mobile telecommunications companies can track the geographical movements of mobile devices through their central networks that require access to location and time to connect to different cell towers.
  • They can determine the telephone number, the email address associated with the device, the type of devices connected to the Internet, the International Mobile Equipment Identity (IMEI) number, and the “Internet Protocol” (IP) number of each device. 
  • They can identify the numbers with which users communicate via regular telecom network and Short Message Service (SMS) and read the content of their correspondences. 
  • They can determine the websites you browse, cell applications you use, websites you recurrently visit, the time spent on a specific website, the content of websites (provided they are not encrypted by a Hypertext Transfer Protocol Secure (HTTPS)), and the time and date of access. For instance, they can monitor how much time users spend on Facebook, at what hour, when they log out , and from which geographical location.e.
  • Telecommunication and internet companies can find out the duration, time, and date of internet use.
  • Telecom companies can track the movement of internet activities even if it was encrypted. For instance, the company can know which users utilize  Virtual Private Network (VPN) applications or other services. Through this data, digital configurations can be established to allow for a deeper understanding of users’ behaviors and digital interests.

Some Means of Protection

Data gathered by applications and internet services providers can be reduced by adopting several tactics. While they do not ensure maximum protection, the below recommendations can definitely offer an extra layer of privacy: 

  • Make sure that the sites you visit use the encryption Hypertext Transfer Protocol Secure (HTTPS). Although HTTPS Protocol is assumed to have become fully implemented on the web, a quick look at some official Government websites in Lebanon can reveal the magnitude of negligence in website security, even in minor details. 
  • Use Virtual Private Network (VPN) applications to encrypt data traffic so that Internet Service Providers cannot see them. In turn, using a VPN application does not mean you are fully secure, since Internet Service Providers can find out you are using a VPN (using these applications to overcome censorship is forbidden in some countries by law, but not in Lebanon). Some free VPN applications can take advantage of your data to sell it, so reliable VPN applications like Psiphon, TunnelBear, and Proton VPN should be used.
  • Use secure Internet browsers such as Firefox and make sure to constantly update them. Some people may need to use browsers that leave no trace on the internet like “Tor” which encrypts all communication channels with the Domain Name System (DNS) through unidentifiable secure IP.
  • Use search engines that don’t gather and store data such as DuckDuckGo
  • Reduce the quantity of information that applications gather about you.
  • Use encrypted messaging applications between both parties (such as Signal) that don’t gather metadata like WhatsApp, which reduces the information collected about your messages.

We urge the Lebanese State, its government, and its agencies to respect residents’ privacy, whereby the latter must be the rule, not an exception. We also call on the government to implement and adhere to the law, while prioritizing the right to privacy and digital human rights among Lebanon’s residents.  

    

This page is available in a different language العربية (Arabic) هذه الصفحة متوفرة بلغة مختلفة

Avatar photo

Abed Kataya

Digital Content Manager at SMEX. Digital safety trainer and freelance journalist. Interested in technology, economics and entrepreneurship. Follow him on Twitter @kataya_abd.