When the Lebanese Central Inspection launched the IMPACT platform, it resolved one issue but gave rise to another. While IMPACT did help in managing the COVID-19 pandemic, it needed to answer more questions about the data it collects and the role of the Central Inspection. Who oversees the Central Inspection’s processing of this data? And how can third parties access it?
SMEX has been closely monitoring the various technical, legal, and policy aspects of the platforms issued by the Lebanese government in response to the COVID-19 pandemic. We have publicly informed the relevant parties of our findings, including the Central Inspection, the Ministry of Health, the Ministry of Social Affairs, and others.
On several occasions, these parties considered our recommendations. For example, the Central Inspection published the privacy policy of the covid.pcm.gov.lb website, through which citizens and residents could submit mobility requests during the lockdown period in Lebanon.
Our analysis of the IMPACT vaccination registration platform revealed numerous concerns related to data security and storage location (previously in Germany), the storage location of backup copies, and the shared hosting of the websites in question.
Whenever the Lebanese Ministry of Health or the Central Inspection launched a new platform, we conducted a technical and policy analysis. We shared our findings with them, indicating that data security and privacy were not thoroughly considered in developing these platforms. For example, we found that the Ministry of Health’s GrabAJab platform suffered from serious vulnerabilities before it was eventually shut down.
The Central Inspection launched the IMPACT platform for vaccination and mobility requests during the pandemic, and later the DAEM platform to support vulnerable families. Thousands of households registered on these platforms and entered personal and highly sensitive information. DAEM required people to enter details about their financial, familial, and social situation, including vehicle license plate numbers, property deeds, clear photos of their faces, and even bank information.
Similar to the previous platforms, our analysis revealed that although the Central Inspection and the team working on the DAEM platform made security improvements, some of IMPACT’s services are still hosted by a German service provider (some websites are still on LeaseWeb). This raises alarms concerning the locality of users’ data. However, IMPACT does indicate that the Lebanese government owns the data.
In its response to SMEX, the Central Inspection stressed that its role in data collection and processing is purely “legal.” It stated that it determined the type of data that users are required to submit on the platform based on a decision issued by the Council of Ministers at the time. The response also stated that citizens may “object before the data processing officer at the Central Inspection or submit a complaint to the Central Inspection Board.”
However, the Central Inspection has yet to answer a few important questions. It must specify the official Lebanese party that holds the data and the official and unofficial third parties that have access to it (organizations, security agencies, donors, etc.). It must also provide the reason for granting them such privileged access. In addition, the Central Inspection must explain why a German service provider still hosts some of IMPACT’s services.
In light of the above, SMEX demands that the Lebanese government enact a comprehensive privacy law that endorses best practices for data protection and privacy, and makes them statutory requirements rather than relying on foreign laws.