A woman in Beirut was driving while trying to ignore a man who was pestering her from his car. A few minutes later, she received a phone call from him. Before she hung up, the man informed her that he knows her home address. Where did he get this information from? Her license plate number.
How did this happen? In 2014 in Lebanon, anyone could get access to your name, home address, phone number, and other personal data, such as your blood type, just by punching your car’s license plate number into a mobile app.
It’s a scary story — but it’s not atypical when it comes to many countries across the Middle East and North Africa (MENA). As Access Now’s latest report reveals, the lack of strong data protection laws in MENA countries is leaving people vulnerable to abuse and exploitation of their most personal information. It is hurting individuals and communities who are already the target of attacks, discrimination, and oppression, including women, people living under occupation, refugees, and LGBTQ+ people. While COVID-19 continues to spread, governments are using the pandemic as an excuse to disregard privacy, while private companies continue to violate people’s private data for profit — all with near-impunity. In some cases, these privacy invasions are putting lives in danger.
Data protection in MENA
Our report, Exposed and exploited: Data protection in the Middle East and North Africa, provides an overview of the laws in four MENA countries: Jordan, Lebanon, Palestine, and Tunisia. We offer case studies for each country to show how the lack of adequate data protection is harming people, sharing the results of our independent investigations and research with local partners and organizations, including Arab Advancement for Social Media (7amleh), Social Media Exchange (SMEX), and Jordan Open Source Association (JOSA). We also shed light on the latest developments emerging throughout the COVID-19 pandemic by examining the use of COVID-19 contact-tracing apps and comparing their privacy and data protections in the four MENA countries, mapped to our recommendations for these apps. Finally, we offer a set of policy recommendations for governments, private actors, and international organizations.
Jordan: Collection of refugees’ biometric data by international organizations
In 2016, the World Food Program and the United Nations High Commissioner for Refugees introduced an iris scan payment technology to Zaatari and Azraq refugee camps, where refugees were required to share their biometric data in exchange for access to food and cash. The technology relies on UNHCR’s database which collects iris scans of refugees upon registration. The closed source technology is privately-owned and implemented, and little is known about how it works, how secure it is, and to what extent it guarantees privacy and protection for the refugees’ biometric and sensitive personal information.
Lebanon: Mishandling voters’ personal data ahead of elections
Ambiguous language in legal frameworks requires the Ministry of Foreign Affairs and Expatriates to “publish and circulate” the lists of names of voters residing outside of Lebanon “by all possible means” in order to ensure that expatriates’ identity matches the information in personal status records.* The personal information of thousands of Lebanese citizens — such as religion, gender, and contact details — has been exposed, and placed directly in the hands of third parties who can do with it what they will.
Palestine: Al Munasiq app and abusive collection of Palestinians’ information by Israeli defense forces
In 2019, Israeli authorities launched an app offering Palestinians living in occupied territories digital access to services, mostly related to stay and entry permits for Israel. Users are required to consent to the collection and use of their data — including access to the phone’s camera — “for any purpose, including for security purposes.”* The terms of service state the use and storage of users’ data is at the discretion of the Israeli authorities. Palestinian residents and workers in Israel were forced to download and use the app during the COVID-19 pandemic.
Tunisia: Robots and drones used to patrol the streets of Tunisia during COVID-19 lockdown
Since March 2020, the Tunisian Ministry of Interior has used robots and thermal imaging cameras to monitor citizens’ compliance with COVID-19 social distancing measures. The number of surveillance robots deployed on the streets is unknown, and the manufacturer, Enova Robotics, told the BBC it was a confidential matter. One robot, however, was spotted patrolling and interrogating citizens in the streets in Tunisia’s capital city, Tunis.*
These case studies represent just the tip of the iceberg of privacy violations in MENA, which not only threaten people’s rights but also put democratic processes and national cybersecurity in jeopardy. When our personal data are not sufficiently protected under the law, everyone suffers. Our hope is that by bringing these stories to light, we can support people fighting for their right to privacy and gain control over their personal data across MENA.
Finally, Access Now invites our readers, journalists, civil society organizations, private companies, and policy-makers for collaboration to further advance data protection in the region. We developed our policy guidance in this report based on the work we do globally on data protection, including on the European Union General Data Protection Regulation (GDPR). Access Now stands ready to assist stakeholders in implementing that guidance.
*Interview with SMEX, 2020.