Lebanon's Internal Security Forces (ISF) demanded the content of SMS text messages as well as Internet usernames and passwords of Lebanese citizens, saying it would help generate leads in the investigation of a fatal car bombing in which its intelligence chief, General Wissam al-Hassan, was killed.
(EFF/IFEX) – 7 December 2012 – A controversy arose in Lebanon this past week over revelations that the country’s Internal Security Forces (ISF) demanded the content of all SMS text messages sent between September 13 and November 10 of this year, as well as usernames and passwords for services like Blackberry Messenger and Facebook. The requests were submitted to the Ministry of Telecommunications.
Lebanon’s Telecommunications Minister, Nicola Sehnaoui, took to Twitter December 3 to rally his followers against the privacy-invasive data request. “RT, SHARE, EMAIL, BLOG,” Sehnaoui urged. “Use ANY means you find fit to say ‘As a Lebanese Citizen I refuse to give up on my Internet Privacy’ #ProtectPrivacy.” Retweeted more than 300 times, his post seemed to capture the attention of those not yet aware that the ISF’s Information Branch had issued this outrageous blanket demand for digital communications data.
The debate is politically charged, and there are many factors at play. But at the end of the day, this ISF request represents an egregious privacy violation of millions of Lebanese citizens.
“To catch a killer, you don’t put everybody under accusation until you find the killer,” says Mohamad Najem, cofounder of an organization that provides social media consulting to Lebanese non-profits for political empowerment. “It is not acceptable for the ISF to dig into who was talking to whom on mobile applications.”
Al-Akhbar, a daily Arabic paper, quoted Sehnaoui’s description of the data request. “They want user data: the usernames and passwords of Lebanese who use the Internet in Lebanon, in addition to information about service providers and entry points to the Internet,” the minister said. “Surely, we cannot agree to making such information available and violate the privacy of Internet users.”
As-Safir, another Lebanese newspaper, reported that the matter had been referred to Lebanon’s Council of Ministers.
While the news about the data request broke this week, the request was made earlier this year. The ISF justified its overbroad request by saying it would help generate leads in the investigation of a fatal car bombing that occurred in Beirut on 19 October. In that attack, the intelligence chief of the ISF and a senior official linked to Lebanon’s anti-Syrian regime camp, General Wissam al-Hassan, was killed.
Rather than request user data only for persons suspected to be linked to the attack, the ISF apparently attempted to collect the information of every single mobile subscriber and Internet user in Lebanon. This constitutes an outrageous violation of privacy, and the hundreds of tweets reflecting the #ProtectPrivacy hashtag demonstrate that Lebanese citizens and supporters around the world are taking a stand against it.
“I don’t think the council of ministers will approve the request,” Najem speculated, “but I’m worried that they will get to a middle ground and hand over the SMS data. If they give them the SMS, it will reveal for 3.7 million mobile users in Lebanon who texted whom, when, and the contents of the messages.”
The ISF’s response to the criticism has been to trot out the oft-repeated false dichotomy between individual privacy and security. According to an As-Safir newspaper article highlighted on the independent news site Lebanon Now, “A high-ranking security source … [who] requested to remain anonymous, told As-Safir that the state has to choose [whether] security in general or preserving [people’s] privacies are priorities.”
Meanwhile, questions about exactly what the ISF asked for – and, for that matter, whether the security agency could even obtain the information it sought simply by asking a Lebanese government agency – seem far from settled.
In an article published on 5 December by The Daily Star of Lebanon, an unnamed senior security official confirmed that the ISF had requested the content of all text messages sent in a two-month time frame overlapping the attack – but denied that the ISF had asked for any Internet-based information at all.
At the same time, the independent news site Elnashra published a set of documents earlier this week that it described as “leaked official documents that specify the request that was provided to the Ministry of Information.” The above link takes you to Elnashra’s news site, where Arabic documents are displayed with relevant English words inserted. The first few lines of the Elnashra article are translated into English below:
“This leaked request asks the Ministry of Information to turn over the contents of all ‘DATA Sessions,’ meaning the Data sessions of all 3G and 2G data subscribers in Lebanon. These include log files. The log files detail access to Internet websites and IP addresses. Aside from the log files, the requests ask for usernames, phone numbers, addresses, names, passwords, and so on. The request asks for personal information including the applications that are used on the mobile phones of subscribers. The request asks for all data of this nature within the time-frame of 13/9/2012 until 10/11/2012.”
And Sehnaoui has stated that the government doesn’t even have all the information the ISF is after. “There is some data which can be collected by the ministry, but the rest must be gathered directly from the companies involved,” he told Al-Akhbar.
EFF is concerned about the privacy implications of this overreaching request, and stands with Lebanese citizens who are standing up for their right to privacy on the Internet.