State of Privacy Lebanon

A study of privacy and surveillance issues in Lebanon. The State of Privacy project was last updated on January 2019, unless otherwise provided on specific pages.

State of Privacy
Lebanon

Table of contents

Introduction

Acknowledgment

The State of Privacy in Lebanon is the result of an ongoing collaboration between Privacy International and SMEX

Key privacy facts

1. Constitutional privacy protection: The Lebanon constitution does not explicitly mention the right to privacy.

2. Data protection law: The Electronic Transactions and Personal Data law regulates the protection of personal data, yet the legal framework remains weak.

3. Data protection authority: Lebanon does not have a data protection authority.

4. Data breaches: in the runup to the 2018 elections, it was reported that Lebanese embassies had exposed the personal data of thousands of Lebanese citizens abroad, who had registered to vote.

5. Recent scandals: EFF recently reported that malware-infected messaging apps have been operating since 2012, possibly involving a nation-state actor.

6. ID regime: Biometric passports and residence permits are being issued without a clear legal framework being in place.

 

Right to Privacy

The constitution

The Constitution of Lebanon does not explicitly protect the right to privacy. Article 14 only protects the inviolability of the home, stating: "The citizen's place of residence is inviolable. No one may enter it except in the circumstances and manners prescribed by Law."

Articles 8 and 13 of the Constitution indirectly guarantee individual liberty and freedom of expression, respectively. Some legal experts have interpreted that these laws could protect the secrecy of all means of communications, both mail and telephone calls, but this protection is not explicit.

Regional and international conventions

Lebanon is a signatory of a number of treaties with privacy implications, including:

  • the Universal Declaration of Human Rights;
  • the International Covenant on Civil and Political Rights;
  • the International Convention on the Elimination of All Forms of Racial Discrimination (with the exception of Article 22);
  • the Convention against Torture and Other Cruel, Inhuman or Degrading Treatment or Punishment;
  • the Convention on the Rights of the Child;
  • the International Covenant on Economic, Social and Cultural Rights;
  • the International Convention for the Protection of All Persons from Enforced Disappearance;
  • the Convention on the Rights of Persons with Disabilities;
  • the United Nations Convention against Transnational Organized Crime;
  • the Cairo Declaration on Human Rights in Islam; and
  • the Arab Charter on Human Rights.

 

Communication Surveillance

Introduction

As of 2016, approximately 76 percent of Lebanese residents and citizens use the internet and there are 53.43 broadband subscriptions per 100 inhabitants. Following a decree from the Ministry of Telecommunication in July 2014, touch and Alfa, the two telecommunications companies in Lebanon, lowered broadband prices between 44 and 68 percent. Moreover, these companies also increased the capacity of broadband packages by almost 300 percent. After a one-day boycott of the two companies in 2017, Jamal Jarrah, the telecommunications minister, promised to lower the rates. In January 2018, users are able to purchase 500 MB for $10.

Surveillance laws

Telecommunication Interception Act

Several articles in a Lebanese law limit surveillance, but there is a gap between the law and its enforcement. In 1999 Lebanon was the first Arab country to introduce a legal framework for the interception of communications, with the Telecommunication Interception Act of 27 December 1999 (thereafter referenced as Law 140/1999), although the Cabinet did not adopt the law until 2009.

Law 140/1999 relates to the protection of secrecy of communications, stipulates that the right to secrecy of communications, both internal and external, wired or wireless (landlines and mobile of all types including mobile telephone, fax, electronic mails) is guaranteed and protected by law and cannot be subjected to any forms of tapping, surveillance, interception or violation except in cases of extreme urgency and upon obtaining a judicial or administrative order.

The judicial authorisation process, as outlined in Article 2 and Article 3 of the Law, states that interception may be authorised by court order in cases of emergency, provided the targeted individual is the suspect of a crime. The court order should specify the means of communication, subject matter of the procedure, the crime subject matter of the prosecution or the investigation, and the duration of interception, which may not exceed 2 months.

In accordance with Article 9, communications interception can also occur on the basis of the administrative authorisation of either the minister of interior or the minister of defence, after obtaining the approval of the Prime Minister in order to gather information aimed at combating terrorism, crimes against state security, and organized crime. To be lawful, such decisions must be approved in writing, duly justified and approved by the Prime Minister and should specify the means of communication, subject matter of the procedure, the subject matter of the prosecution or the investigation, and the duration of interception, which may not exceed two months.

Lebanese Code of Civil Procedures

Article 98 of the Lebanese Code of Civil Procedures regulates the regime regarding searches and seizures.

Data retention

An order by the Public Prosecutor's office in 2013 required all internet service providers (ISPs), and some internet cafes that offer internet access, to retain the data of their users' activity for a period of one year. The order instructed "all landline and wireless internet service providers for homes and companies and from all cafés and stores providing their clients with devices through which they can access the Internet" to "do whatever it takes to activate and save all Internet log files going through their servers and routers, and prepare a periodical backup copy to save these files from being lost, for at least one year." The order also outlines the type of user data that must retained including the username, user's IP address, the websites to which they connected, and the protocols used in the process, in addition to specifying the user's location.

 

Surveillance actors

The Security Agencies

There are several state institutions with power to conduct surveillance and access user data, including the General Directorate of General Security; the Directorate of the Internal Security Forces (ISF); and the Army Intelligence Directorate. The General Directorate of General Secrutiy is overseen by the Ministry of Interior.

The General Directorate of General Security was founded in 1921, and became a branch of the Ministry of Interior in 1959. The Directorate not only gathers intelligence and attempts to uphold national security, but also "[participates] in judicial investigations within the limits of threats against internal and/or external state security." Additionally, is also responsible for issuing passports and residence permits.

The General Directorate of Internal Security Forces (ISF) are the national police and security force of Lebanon. The Intelligence unit was founded in 1991 and under Law No. 17. It directly reports to the Ministry of Interior.

The Cybercrime and Intellectual Property Rights Bureau, established in 2006, officially operates under the umbrella of the ISF but its legality is contested, given that it was established under a memorandum of service rather than by Law or Decree. The Bureau has been accused of acting as a censorship authority, mainly targeting journalists, bloggers and online activists. Its powers raise concerns as to the lack of safeguards protecting privacy and regulating the powers of the Bureau. On 2 October 2016 the leadership of the bureau changed after, Major Suzanne Hajj Hobeiche, the former bureau chief who had regularly targeted bloggers and activists, was asked to step down. Major Albert Khoury, a former lieutenant colonel in the ISF, replaced her.

 

Surveillance capabilities

Spyware Software

In January 2018, EFF and Lookout reported that Dark Caracal, "a prolific actor with nation-state level advanced Advanced Persistent Threat (APT) capabilities" was being "administered" out of a General Directorate of General Security building in Beirut, and has been active since 2012. While it remains unknown if General Security is running Dark Caracal, EFF was able to conclude that it has extracted "hundreds of gigabytes of data" and targeted thousands of victims in 21 countries. EFF found that Dark Caracal has obtained data from both mobile and desktop devices, with a particularly advanced focus on Android mobile devices. Dark Caracal obtained access to these devices through more traditional hacking means (eg phishing, social media pages, physical access), and it developed a surveillanceware - which EFF dubbed Pallas - that has the capability to extract information including SMS messages, texts from private messaging apps, images, screenshots, audio recording, contacts, and WiFi access points and SSIDs. The operation also used malware, including kinds never before seen by EFF, that has targeted Windows, OS X and Linux systems. Dark Caracal also used the previously-known FinFisher: malware usually installed via email or a fake software update. In the past, researchers had only observed Finfisher attacks on Desktop devices, but EFF noted that it targeted mobile devices as well.

According to EFF, Dark Caracal's targets did not fit under one umbrella, but included "military targets, utilities, financial institutions, manufacturing companies, and defense contractors" as well as "military personnel, enterprises, medical professionals, activists, journalists, lawyers, and educational institutions."

Prior to the EFF report, a 2015 report from Citizen Lab at the University of Toronto revealed that both General Security and the ISF had used FinFisher.

The Bulk Collection of Telecommunications Data

Since March 2014, the Cabinet has given the ISF and other agencies unhindered access to telecommunications data for periods of between six months and one year. When the Cabinet first awarded the ISF access to this data, Judge Awny Ramadan, head of the Lebanese accountability agency, said that the blanket and arbitrary government requests for the communication data of the approximately 5 million Lebanese citizens violated Law 140/99 given that every single citizen cannot be a suspect of a crime. Also, the decision permitted full access for a period of six months, which is far beyond the two months permitted by the Law 140/99 under Article 9. In October 2017, the Cabinet again gave security agencies full, unrestricted access to the electronic communications data of all Lebanese citizens for four months, a shorter period than any other previously granted.

This form of authorization started in December 2012, when the Information Branch of the ISF sought the interception and retention of all SMS text messages sent in Lebanon from 13 September to 10 November 2012 as part of its investigation into the car bombing that had occurred on 19 October 2012 in Beirut, which killed Wissam Al Hassan, the head of ISF. A leaked document from the Ministry of Information showed that the types of data requested included 2G and 3G data subscribers in Lebanon, including log files, IP addresses, usernames, phone numbers, addresses, names, and passwords. Lebanon's Telecommunications Minister, Nicolas Sehnaoui, refused the request but it was reported that the government nevertheless obtained access to this data.

The United Nations International Independent Investigation Commission (UNIIIC), and the Special Tribunal for Lebanon (STL), set up to investigate the assassinations that have taken place in Lebanon, and in particular that of the late Prime Minister Rafiq Hariri in 2005, have also taken advantage of communications interception powers to permit the ISF unregulated access to private data of Lebanese citizens from an array of sources including university archives, medical records, and mobile phone records. As of January 2018, there is at least one case pending before the Special Tribunal for Lebanon where the expansive access to user data is being challenged.

General Directorate of General Security's Relationship with Hacking Team

In 2015, Wikileaks revealed that General Security had been exchanging emails with Hacking Team, a surveillance company, since 2012. In February 2015, General Security emailed Gamma Group, another offensive surveillance company, and Hacking Team, inquiring specifically about Hacking Team's Galileo Remote Control System, which infects mobile devices and intercepts their communications. The firm produced a demo for the software and General Security later signed a 450,000 euro contract for hacking team to hack 50 individuals.

Internet Filtering System

In January 2013, Citizen Lab published a research brief in which it reported that researchers had discovered three Blue Coat PacketShaper installations in various countries including Lebanon. PacketShaper is a technology that allows for the surveillance and monitoring of users' interactions on various applications such as Facebook, Twitter, Google Mail, and Skype. While such tools can be used for legitimate aims, such as controlling bandwidth costs, they can be used for filtering, censorship, and surveillance. Citizen Lab noted they had identified two installations of PacketShaper. One was found on "a netblock associated with IncoNet Data Management." An additional PacketShaper installation was identified by a Google search on a netblock associated with "Virtual ISP Lebanon" (VISP)." The discovery of the installations came as the government was drafting a regulation pertaining to the public morals of online content. Although this draft regulation was later abandoned, the researchers noted that this was a curious coincidence given that Lebanon did not have a history of internet filtering prior to the publication of the draft regulation.

Cameras in Beirut

In June 2016, 2,000 cameras were installed across 350 surveillance points as part of the Beirut Surveillance Project. The municipality approved the $33 million project in 2014 and the Beirut-based company Guardia Systems, a subsidiary of MG Holding, installed the cameras. Two control rooms with fifty operators monitor these cameras and two data centers are able to store up to 10,000 terabytes of video footage.

Surveillance oversight, checks and balances

The judiciary is tasked with overseeing surveillance practices under Article 16 of Law 140/99, but this rarely happens. Based on information Al-Akhbar, a Beirut-based media outlet, obtained from the retired President of the Court of Audits, it appears that the actual role of the judiciary in authorising or overseeing the administrative authorisation of interceptions is merely symbolic. In practice, the Prime Minister routinely circumvents the requirement for judicial authorisation by directly authorising intercepts himself.

As a safeguard against abuse, Article 16 stipulates that such administrative decisions must be verified by an independent judicial commission, which consists of the first president of the Court of Cassation, the president of the State Shura Council, and the president of the Court of Audits, or three judges from separate and independent judicial bodies.

Despite this safeguard, it seems this provision is not oftenrespected in practice. High-level judicial and parliamentary sources told al-Akhbar that "all security services, without exception, continue to illegally operate their own wiretapping divisions of unknown nature and scope…This means that there are no guarantees the security services are not eavesdropping on the Lebanese without any legal oversight." In addition, the media outlet quotes a senior judicial source saying, "the security services themselves do not trust each other. If they all operated through the surveillance centre run by the Ministry of Interior in accordance with the law, everyone will be able to see what other security services are up to. Because they sometimes compete, away from national interests, each agency has its own 'centre' away from the law."

Surveillance case law

Examples of surveillance

Foreign agents

There have been reports of attempts by the Israeli government to recruit people to work with them through social media, particularly Facebook, and to infiltrate the Lebanese telecommunication system. On 12 December 2017, General Security posted a warning on its Facebook page advising users to beware of fake pages like LIOR ANONYMOUS TEAM, which it had claimed were associated with Israeli Mossad and actively trying to recruit Lebanese citizens. Furthermore, in December 2011, February and July 2012, and September 2014, the Lebanese authorities announced that they had discovered Israeli spying equipment, which the Israelis subsequently destroyed.

In 2012, Kaspersky Lab, a Russian multinational computer security company, published a report showing they had discovered Flame, a nation-state created malware, in Iran and various other countries in the Middle East and the majority of the infected machines were in Lebanon. The research was unable to determine whether the bank component of the malware was used to spy on financial/banking transaction or steal money.

In May 2018, the Kaspersky Lab also reported a cyber espionage campaign, referred to as ZooPark, which targeted the Android mobile devices of users of various Middle Eastern countries, including Lebanon. Following the report, an independent hacker dumped some of the data, which indicated that 169 individuals were targeted. The Kaspersky Lab stated that the operation primarily targeted both Kurdistan Referendum supporters and employees of the UN Relief and Work Agency for Palestinians in the Near East (UNRWA). Zoopark has been active since at least June 2015 and continued to operate till as recently as May of 2018. The latest version of the malware has the capability to extract data such as SMS messages, browser data, GPS location, call log information, log in credentials, audio recordings, images, information about installed third party applications and two factor authentication messages. 

In August 2018, The Telegraph reported that the UAE contacted the Israeli NSO Group,  to tap into Prime Minister Saad Hariri’s telephone among a list of other targets. Although it is unclear whether the technology was able to hack his phones, the NSO Group, who repeatedly claimed its technology is only used to prevent crime, has been discovered to be actively partaking in illegal surveillance. NSO Group has also recently come under fire due to its Pegasus Spyware also alleged to be in operation in Lebanon.

 

Data Protection

Data protection laws

In September 2018, the Lebanese parliament passed The Electronic Transactions and Personal Data law explicitly regulating the protection of personal data, yet the legal framework remains weak. The law (E-Transactions Law), originally introduced in 2004, is the most comprehensive law regarding personal data. The five sections of Chapter 5 V (General Provisions Concerning the Protection of Personal Data, Collection and Processing of Personal Information, Actions Required to Implement Processing, Right of Access and Correction and Penal Provisions) of the law address personal data issues. The law is somewhat outdated as it does not reflect the reality of online data. The law fails to adequately protect Lebanese citizens’ and residents’ data by putting in place weak safeguards and only granting authority to the executive branch. 

The Articles in the E-Transaction law are riddled with vague and open-ended provisions. Article 87, which sets out the general right to data collection, presents no clearly defined rationale behind permitted data collection. Instead, Article 94 defines specific instances that do not meet the criteria of needing a license for data processing. The law also fails to define key issues such as consent, and regulation and enforcement for the conduct of data processing officers. 

There is little distribution of power as authority is almost exclusively held by the Minister of Economy and Trade, without any oversight given to judicial or legislative branches. Article 95 gives the Ministry the authority to make decisions concerning third party access to data and transfers to foreign states. The Ministry of Economy is also unprepared to process this data, according to a reputable source, as it has neither hired any additional personnel nor set up a website or other mechanism for citizens and parties to file requests for data processing. Although Article 97 of the law gives limited oversight to other ministries, such as the Ministry of Interior and Ministry of Defence, these provisions still leaves citizens and residents vulnerable to abuses of power. The two ministries are able to grant licenses to collect data regarding “external or internal security of the state,” which is undefined in the law, without informing the affected individual, meaning private companies with good ministerial connections could have easy access to data based on the authority of the Minister of Economy and Trade as well as the Ministry of Interior and Ministry of Defence.

Privacy is regulated by other various provisions including various articles in Law 140/99, Article 2 of the Banking Secrecy Law of 3 September 1956 (the Banking Secrecy Law), and the Penal Code under articles 579, 580, and 581 relating to the violation of secrets. The recent Right to Access Information Law“prevents public institutions from providing anyone with private and personal information about Lebanese citizens.” More specifically, Article 7 of the Code of Medical Ethics (Law no. 288 of 22 February 1994) protects the confidentiality of physician and patients relationships, and Articles 51 and 58 of the Consumer Protection Code (Law no. 659 of 4 February 2005) states that that suppliers must not disclose data without the consent of the consumer.

Law 431/2002, which regulates the telecommunications sector, does not address the protection of personal data at all.

Accountability mechanisms

On 19 January 2017, parliament ratified the Access to Information law, which, in theory, compels government agencies to "publish key documents such as an annual report, orders and decisions, and office expenditures" and allows both individuals and organizations to request and obtain access to government information. The law also proposed the creation of an Anti-Corruption Commission (ACC), but this still does not exist. This is a major issue because the law states that the ACC would rule on the requests that the government must fulfill and as long as the ACC does not exist, there is no independent body that is regulating these requests. When SMEX requested information about Inmobiles, the company contracted to register IMEI numbers, in August of 2017, the government did not respond.

 

Data breaches: case law

Our research has not yet identified any private related issues relating to examples of data breaches in Lebanon. Please send any tips or information to: [email protected]

Examples of data breaches

Hack of OGERO, Banks and Security Services 

In July, it was revealed that hacker Khalil Sehnaoui, who is a member of a powerful political family in Lebanon, and another hacker had hacked OGERO, banks, and multiple branches of the security services. They were able to obtain banking data, criminal records, and entry and exit logs at the Beirut airport.  From OGERO, the hackers had the ability to “intercept fixed line calls” and were able to extract passwords for banks and credit cards as well.  Sehnaoui claimed that although they had the ability to manipulate billing data in OGERO, they never took advantage of this feature. Moreover, they not only had the ability to collect this data, but in some cases he was able to manipulate it. While the hackers targeted institutions, they also targeted individuals, including a director of a security agency. Newspaper Al-Akhbar has dubbed this hack “the largest electronic privacy scandal in the history of Lebanon.” 

Online voter registration

In May 2018, Lebanese citizens residing outside of Lebanon will be able to vote abroad for the first time. On 20 November, voter registration closed with over 90,000 Lebanese registering to vote. Immediately after the closure of this registration period, Shada Wehbe, a social media trainer and blogger, noticed that the site for voter registration, Lebanese Diaspora Vote (LDV), was using cookies to track visitors without asking for their consent or providing any disclosure about what this data may be used for. Double-click, a company owned by Google, and Facebook's Pixels owned the cookies attached to the LDV website. Both of these tools track users browsing habits.

Additionally, In April 2018 it had been reported that Lebanese embassies had exposed the personal data of Lebanese citizens abroad, leaving data easily accessible to third parties. The Embassy in the UAE emailed Lebanese expats a spreadsheet containing personal details of more than 5,000 Lebanese citizens who has registered to vote in the upcoming election. Similarly, the Lebanese embassy in the Hague also sent a mass email containing a spreadsheet with personal data. Furthermore, the email addresses of each recipient were visible as the embassies did not use the bcc field. The spreadsheets included each voter’s full name, mother’s name, father’s name, sex, date of birth, religion, marital status, and address. Lebanese law does not protect citizens’ data, but instead Article 32 and Article 115 of Law No. 44 actively require the dissemination of private voter information. Article 32 states that the preliminary voter list should circulated locally. Likewise, Article 115 requires list of voters abroad to be published and circulated by all available means to confirm the authenticity of the voters registered, without any regard to maintaining privacy of the voters. 

American University of Beirut

In 2014, a hacker leaked information about the mismanagement of the American University of Beirut (AUB). The leaked information included data from American University Hospital (AUH), and the hacker confirmed to a reporter that they were able to access medical files from AUH, not just files about mismanagement. AUB itself had acknowledged that "the technical environment … is not secure." Moreover, a third party, FTI consulting, also noted that the information systems adequately protect patients' private information.

Personal Cell Phone Numbers

Alfa and touch, the two state-owned mobile phone operators in Lebanon, sell users' data to businesses and advertising agencies. Whether users in Lebanon buy a prepaid or postpaid line, these two companies exploit their data. Neither company provides a service to opt-out from these messages, though users can block specific numbers. SMEX found that businesses pay $11,000 to send 500,000 SMS messages and $430 to send 360,000 emails on average. These messages are not always sent en masse, as touch identifies target groups based on usage behavior, enabling businesses to send targeted advertisements.

License Plates

Information linked to license plates numbers are leaked from the vehicle registration center on an annual basis. Some of this information includes names, addresses, phone number, dates of birth and license plates numbers. The data is leaked on CD-ROMs without any form of encryption. 

In an investigative report produced by Al-Jadeed TV, “The Customs  Rally: The Tax Evasions Race” exposed the ease in which these CD-ROMs can be purchased. Despite the privacy and security repercussions, the government has not taken any action to prevent these continuous leaks

Min Msakar, an application designed using the purchasable data reported by Al-Jadeed, aims to help mitigate congestion in Beirut by granting individuals access to phone numbers registered to licence plates. The intent of the application is to allow users to contact the owners of parked cars blocking traffic. This is not the first app of its kind, with previous attempts such as Cars 961, also exploiting the same data.  Although these apps seem to be eventually removed, new versions pop up and the data released remains available to the public.  This is a serious privacy violation as a database of phone numbers is now available. With over 100,000 downloads, this allows strangers to contact random individuals, which could lead to harassment.

Government applications

In June 2018, Eye Police, a new mobile application was launched. Created by the Ministry of Information and developed by CyberWaves, a local software company, the applications allows users to report issues or incidents which will then allegedly be published on the state-owned National News Agency.  Cyberwaves is a private company with little publicly available information and no disclosure about the measures it takes to protect user data. The list of permissions required gives Eye Police great access into users private information, with no clear safeguards in place. For example, it grants access to record audio and also allows for both Cyberwaves and the Ministry of Information to track devices. 

WhatsApp

Lebanese WhatsApp users have been hacked and had their information stolen, according to a June 2018 statement from the Lebanese Internal Security Forces (ISF). The unknown hackers gained access to the accounts by using the SMS activation codes. Once they gain access to the account, they prevent the owner from accessing their WhatsApp data and send abusive messages to the owner’s contacts. They, then demand payment in order to relinquish control of the account. Although WhatsApp has enabled a two-step verification process, this has not been advertised by the application and leaves users vulnerable. 

 

Identification Schemes

ID cards and databases

Biometric passports and residence permits

In 2013, the Directorate of General Security announced that it would start using biometrics passports as a result of a request by the United Nations agency International Civil Aviation Organization (ICAO). ICAO had notified the Directorate on 31 December 2012 and set a deadline of 24 November 2015 for all of its members to adopt biometric technologies. In August 2015, the government began issuing biometric passports. The Directorate stated that it waited until 2015 because various Lebanese embassies had received noticed that their host countries were only going to accept machine-readable passports going forward.

Inkript, a Lebanon-based subsidiary of Resource Group Holding (RGH), which submitted a joint offer with Gemalto, a digital security company with its headquarters in the Netherlands, won the tender to supply Lebanon with security-print biometric passports. Inkript manages the programming and software development in-house, and Gemalto is in charge of manufacturing the passports and matching the programme's interface with the coding machines.

In 2017, the government began issuing biometric residence permits as well. These permits are similar to the passports, but they are for residents, not citizens.

SMEX asked the Directorate of General Security about the methods and systems it uses to protect the personal data from the biometric passports and residence permits, the parties that have access to this data, and the types of coordination between Lebanon and the countries of foreign nationals who live in Lebanon, and the data-sharing relationship between the Directorate and the UNHCR. In response to these questions, the Directorate replied the biometric passports and residence permits are a "technological and organizational development consistent with the Directorate's policy of constantly developing its work." The letter also stated that coordination with the UNHCR follows protocols outlined in a memorandum of understanding from 2003 and that "all eligible foreign nationals, including Syrians" are using the biometric passports.

In the absence of a clear legal framework regulating the adoption of biometrics as a form of identification, few safeguards exist to limit and control their use. Currently, the data can potentially be used as a tool for surveillance.

An additional concern is the use of private companies, Gemalto and InKript, which raises questions as to the ownership of this data, the responsibility, and accountability of the government to protect the data from abuse, theft, and loss. Given that Lebanon does not have a comprehensive data protection law, it is essential for the government to take necessary steps to ensure the protection of its citizens' personal data when engaging with third parties. Gemalto claimed that their office network had been the target of attacks in 2010 and 2011, "probably" by the NSA, the U.S. intelligence agency, and GCHQ, the British intelligence agency; altough in this case it was claimed by Gemalto that they only got access to the encryption keys of 2G SIM cards. It is important to note how such companies have now become the target of intelligence agencies.

Voter registration

In September 2017, the Cabinet approved biometric election cards for the May 2018 election, but due to time and resource constraints, these was not introduced in time for those elections. Nonetheless, they remain on the agenda for future elections. 

SIM card registration

In December 2017, it was reported that the Cabinet planned to introduce biometric SIM card registration, which would force Lebanese citizens and residents to provide a thumbprint to purchase a SIM card. Al-Jadeed TV reported that the government is introducing this measure because 20% of the phones in the country do not actually belong to their listed owners. Al-Jadeed also reported that the government cited security reasons

Similarly, the Lebanese government reintroduced a proposal for IMEI registration, mandating that everyone who purchased a phone to have their identity attached to the IMEI number of the device. In April 2017, Jamal Jarrah, the current telecommunications minister, reintroduced the proposal and awarded the contract to Inmobiles, a subsidiary of Resource Holding Group. IMEI registration was briefly implemented in Lebanon, when Nicolas Sehnaoui, a former telecommunications minister introduced it in 2013 in an effort to prevent theft and fraud. However, Boutros Harb, the subsequent telecommunications minister, ended this policy, stating that it was ineffective and costly. 

As of September 3rd 2018, a directive has come into effect which makes citizens responsible for ensuring that their IMEI registration complies with Global System of Mobile communications.  Smartphones purchased outside of Lebanon can work normally for a period of 90 day, after which additional fees will be levied onto users’ monthly bill. 

 

Policies and Sectoral Initiatives

Cybersecurity policy

Our research has not yet shown any specific examples of privacy issues related to cybersecurity policy in Lebanon. Please send any tips or information to: [email protected]

Cybercrime

Our research has not yet shown any specific examples of privacy issues related to cybercrime in Lebanon. Please send any tips or information to: [email protected]

Encryption

Our research has not yet shown any specific examples of privacy issues related to encryption in Lebanon. Please send any tips or information to: [email protected]

Licensing of industry

Our research has not yet shown any specific examples of privacy issues related to the licensing of industry in Lebanon. Please send any tips or information to: [email protected]

E-governance/digital agenda

Our research has not yet shown any specific examples of privacy issues related to e-governance and the digital agenda in Lebanon. Please send any tips or information to: [email protected]

Health sector and e-health

Our research has not yet shown any specific examples of privacy issues related to the health sector in Lebanon. Please send any tips or information to: [email protected]

Smart policing

Our research has not yet shown any specific examples of privacy issues related to smart policing in Lebanon. Please send any tips or information to: [email protected]

Transport

The Uber App in Lebanon lacks a key privacy feature which keeps phone numbers of the driver and passenger anonymous. Phone numbers are not masked in the in-app calling feature as it is in other countries. Uber did not directly answer our request for comment, but a representative from the company posited that it could be because Twilio, the cloud communications company, does not operate in Lebanon or because of local Lebanese laws. Uber has not employed a different company to protect Lebanese users. The lack of an in-app calling feature has led to harassment by drivers if a passenger is thought to have filed a complaint.

Careem, a Middle East based competitor of Uber, discovered that data was compromised in January but only informed users of the breach in April. Hackers were able to access personal data of 14.5 million customers including name, phone number, email address and trip data; however it appears credit card details and passwords remained secure. The compromised data allow hackers to track where users go on a regular basis, a useful tool security forces could hope to access.

 

Smart cities

In September 2017 OGERO, the telecommunications service provider, and Data Consult, a privately owned technology company announced that Beit Misk was the first "smart city" in Lebanon. Beit Misk itself is a small, manufactured city, intended to replicate a traditional Lebanese village, but as a smart city it now has the capability to measure "water levels, energy consumption and environmental conditions." The decision making process did not involve civil society actors, though Marc Nader, COO of Data Consult, stated that Data Consult was not using this data for any other purpose at a launch event for the Lebanon IGF.

 

Migration

Our research has not yet shown any specific examples of privacy issues related to migration in Lebanon. Please send any tips or information to: [email protected]

Emergency response

In August 2014, the government cut off access to mobile internet services in Arsal, a town in the northeast of Lebanon, after fighters from ISIS and al-Nusra entered the town. The shutdown lasted three years and mobile internet service was not made available until September 2017.

Humanitarian and development programmes

Our research has not yet shown any specific examples of privacy issues related to humanitarian and development programmes in Lebanon. Please send any tips or information to: [email protected]

Social media

In 2015, SMEX reported that the state blocked eight gambling websites, 23 websites for offering escort services, five pornographic websites, 11 Israeli websites, two websites for breaching copyright and one LGBT website.

They have also been unconfirmed reports of extralegal methods used to identify anonymous online users, but most victims do not report these incidents and often choose to keep these incidents secret, according to a report from Open Society. Due to the nature of these incidents, the Open Society report does not go into further detail.

Related learning resources
More about our partner