If the Arab Spring highlighted one phenomenon about digital upheaval, cyber-activism and democratization, it was this: the wave of uprisings that shook the Middle East starting in 2011 have fallen victim to the very same factor that initially served as their catalyst—technology.
One of the places where this has occurred is Lebanon, whose citizens today face serious technological threats to their freedoms, and where intrusions on citizens’ privacy are pervasive and often conducted without proper judicial oversight.
Tensions between citizens and the government intensified during the October Revolution protests—which began in 2019 and are ongoing—when protestors who were detained raised the issue of security agencies seizing protestors’ phones and demanding the passwords to unlock them. Although some perceive the protest movement to be anti-austerity, the protesters’ wide range of demands point to a revolutionary goal of redefining Lebanon's sectarian political system, which is plagued by patronage, partisanship, duplicity and poor governance, amongst other issues. Along with pressing for women’s rights, a stable economy, the provision of jobs and public services, demands have also touched upon online freedoms, such as: “I want to tweet without being arrested”.
Lebanese security agencies are also known for their use of invasive spyware. The Lookout and Electronic Frontier Foundation (EFF) published a report in 2018 which revealed the existence of “hundreds of gigabytes of exfiltrated data” that violated the very basic privacy rights of Lebanese citizens. Perhaps the most shocking of the report's allegations was the assertion that the global cyber espionage crusade called “Dark Caracal” that has targeted 21 countries since 2012, an advanced persistent threat-level (APT) level global campaign, was believed to be “administered out of a building belonging to the Lebanese General Security Directorate in Beirut. APT groups are organizations that spearhead “attacks on a country’s information assets of national security or strategic economic importance through either cyberespionage or cybersabotage” and also prey on megabusinesses. They generally avail themselves of various mechanisms to extract important data/intelligence on white-collar crimes, including the acquisition of ransom or cyber vandalism.
Given its consumerist and proxy nature, the spyware program that has spanned more than 20 states and external (non-state) catalysts has been deemed “government surveillance as a paid service.” It has been alleged that Dark Caracal, using simple hackware and age-old ‘phishing’ tricks, has been able to invade fully encrypted correspondence on social media applications, including Whatsapp.
Some argue that surveillance technology prevents crime and helps maintain law and order and low-intensity discipline, including in domains such as education. But some human rights activists claim that the surveillance program was used to target thousands of people, including activists and journalists.
A statement refuting the EFF report was issued by Lebanese General Security Directorate (GDGS) Director-General Abbas Ibrahim, who is known as “the eyes and ears of the Lebanese state.” Ibrahim said that “General Security does not have these type of capabilities. We wish we had these capabilities.”
Rights groups have also previously documented the directorate’s use of the spyware FinFisher. FinFisher possesses the capability to wiretap various social media applications —including Whatsapp, Viber and Skype—and access private details, including location, passwords, call log, text messages, files, photos, videos and calendar events.
What does Lebanese law say?
The legal aspects of surveillance regulation are a conundrum in itself and have been interpreted in various ways. The Telecommunication Interception Act of 27 December 1999, more commonly known as Law 140/1999, upholds the privacy of Lebanese citizens, barring in emergencies, such as criminal activity. Article 14 of the Lebanese Constitution ordains that “The citizen's place of residence is inviolable. No one may enter it except in the circumstances and manners prescribed by law.”
Even so, it is not to be taken for granted that a “citizen’s place of residence” is a separate entity from a citizen’s intangible presence and privacy on their electronic devices. These two domains are yet to be connected—or distinguished from each other—in the eyes of Lebanese law. For many people who find themselves attached to their phones in a country where the majority of the population uses the internet, the digital realm is, in fact, a home of sorts. Legal protection for privacy should be expanded to include one’s electronic devices and online communications, rather than just one’s “residence.”
According to Article 14, a “judicial or administrative order” has to be decreed to allow the surveillance of communications. This ruling is ineffective as a means of keeping the intelligence agencies accountable and in check, because they come directly under the authority of the Ministry of Interior, which also possesses the authority to sanction interception.
Article 9 of the Interception Act ordains that administrative approval can be given by the Minister of Interior or the Minister of Defence, after the Prime Minister ratifies the act and manner of the interception. This type of investigation, which cannot exceed a period of two months, can only be allowed in exceptional circumstances, such as to combat terrorism, organized crime or security threats to the state. The loophole, however, is that any of these crimes can easily be associated with activists or dissidents.
Meanwhile, activists and common citizens can try to protect their online privacy by downloading digital safety software such as Detekt and by reporting abnormalities to the authorities. Naturally, however, the latter is useless if the authorities themselves are involved in extrajudicial surveillance and breach of privacy.
Lebanon has historically maintained its reputation as a country that is more liberal than other Arab nations. In what seems to be a wave of efforts by state agencies grappling with, or denying, digital privacy, interference with online human rights is a concern.
To fundamentally secure digital rights, old laws will have to be amended or new laws created to limit intrusions on citizens’ privacy and to allow for strong independent oversight of surveillance practices Only then will the citizenry be assured of genuine digital privacy, freedom and security.