This article was originally published on the website of APC member SMEX.
In Lebanon, the legal framework for privacy and data protection is in limbo, cybersecurity is minimal to non-existent, and citizens’ rights are neglected. SMEX has been following these issues closely, and now, we are expanding our work to serve as a watchdog over citizens’ digital data on Lebanon’s public and private institutions’ platforms.
Prior to the COVID-19 crisis, Lebanon was subject to government espionage campaigns, official attempts and projects to dive into citizens’ mobile data, in addition to other data collection projects from digital ID to device seizure.
Lebanon also has a weak legal framework for the protection of personal data. In 2018, the Lebanese parliament passed Law 81/2018 on Electronic Transactions and Personal Data. Upon implementation, this flawed law would concentrate power in the executive branch, the Ministry of Economy and Trade, which acts as the de facto data protection authority. Nevertheless, the Ministry didn’t have the capacity to assume the new responsibilities.
The pandemic has transformed the way users interact with each other and with the internet, and most importantly it opened the door for many semi-public initiatives, from health to education and the environment, among others. But the challenges and threats are still there, legally and in practice, putting people’s data at risk in Lebanon.
On September 1, 2020, Lebanon introduced “Ma3an – Together Against Corona,” a contact-tracing application intended to slow the spread of COVID-19. Few months later, the Central Inspection Board, an oversight body affiliated to the Presidency of the Council of Ministers, launched the Inter-Ministerial Platform for Assessment Coordination and Tracking (IMPACT), in partnership with a private company. IMPACT is used for three main purposes: register and track travelers coming to Lebanon; request permissions to leave home during lockdown; and register for the anti-COVID vaccination program.
As part of our vision and mission to enhance digital rights and privacy, we have been closely following most of the apps and websites launched by the government or private sector. We want to ensure the safety, privacy, and security of these tools while providing tech and policy tips to the stakeholder and informing the public about this work.
For instance, after publishing our analysis of the Ministry of Public Health’s (MoPH) Ma3an app, the Ministry was very responsive and applied some of the recommendations suggested by our security team. However, we are working on another analysis to publicly check the updates and recent glitches in the official contact-tracing app. Similarly, when the General Inspection first launched IMPACT, we urged them to publish a dedicated privacy policy for all their services in English and Arabic. IMPACT then published them consecutively.
Now, with the mitigation of COVID-19 measures and concerns raised about data collected during the pandemic-response period, including the safety of the servers, new challenges have emerged. We are ready to help with new apps and websites looking to fortify their privacy and security, and we will – in partnership with Friedrich Naumann Foundation (FNF) Lebanon and Syria – expand our work on serving as a watchdog over citizens’ digital data on Lebanon’s government platforms.