New study: Jordanian ISPs violate customers’ privacy

Full study in English here.

Customer privacy is routinely violated by the most prominent Jordanian ISPs, reveals a study conducted by ImpACT International for Human Rights Policies (London) and Access Now. The research showed that ISP companies are collecting often intrusive user information, without prominently disclosing that fact or explaining how the data are used.

“Although the study was conducted based on our observation and assumption that customers usually pay a high price for subscription to internet services, the results were shocking and raise significant concern about the extent to which internet users’ privacy in Jordan is violated,” says Sami Zeno, IT specialist at ImpACT International.

This study focused on five of the largest ISPs in Jordan — Zain, Orange, Umniah, TE Data, and Damamax. In addition to visiting the companies’ websites and posing as callers to their customer-service hotlines, the researchers attempted to survey a sample of ISP staff and customers on awareness of company practices and the importance of personal data protection.

“ImpACT International and Access Now found that some ISPs clearly violate their customers’ privacy and that most customers have no idea this is occurring,” says Hussaini. 

The research showed that Zain, Orange, Damamax, and TE Data do not clearly divulge the personal information they collect from customers on their websites. Umniah is clear — if  customers notice the link at the bottom of its home page — but the company says nothing about how it will use the extensive information it collects: “Each time you visit one of our sites or use one of our apps we will automatically collect the following information: ‘technical information, including the type of mobile device you use…and information stored on your device, including contact information, friends lists, login information, photos, videos, or other digital content, check ins, any other information stored on your device.’”

“The study examined and answered important questions that need to be addressed, on whether internet users and customers of ISPs have an actual control of their data or not,” says Dima Samaro, MENA policy associate at Access Now. 

“The study has additionally established clear guidelines for the Jordanian government and telecoms companies, that will guarantee adequate protection of personal data”

Meanwhile, the survey of customers confirmed that they subscribe to these services without checking their privacy policies.  

Zain was the only ISP that clearly stated that it collects such personal information so it can market tailored promotions and offers to customers. Like all but one of the companies, Zain does not address customers’ right to compensation if their rights are violated. In contrast, Umniah comes right out and states that by subscribing, customers relieve the company of any legal responsibility for misuse of their data. Its policy states, “If you do not agree with this policy, or you are not satisfied with the site and/or services, or you have any claims whatsoever against the company in respect to the site and/or services, your sole and exclusive remedy under this policy is to discontinue using the site and/or services.”

ImpACT International for Human Rights Policies and Access Now conclude that none of the ISPs examined in this study fully respect and comply with human rights principles, and that Internet users in Jordan face a real threat to their privacy. However, this is not just a concern for Jordanian citizens. ISP companies doing business in the country process personal data for E.U. citizens visiting or working in Jordan as well. This means these companies should comply with the General Data Protection Regulation (GDPR), which came into force in May 2018 and was designed to give individuals’ control over their personal data.  

ImpACT International for Human Rights Policies and Access Now call on Jordanian ISP companies to modify their privacy policies to include clear explanations of personal information collected, and who uses it, where, and how. 

Furthermore, they demand, a public statement must be made about whether any personal customer information is shared with third parties and for what purposes. The legal liability of any third parties must be defined, along with customers’ rights to compensation in case of loss or theft.

Finally, ImpACT International and Access Now call on the Jordanian government to prioritize passage, implementation, and enforcement of its draft data-protection law.