Association of Freedom of Thought and Expression

Internet without surveillance .. How can the Egyptian government end the policy of mass surveillance?

 

Prepared and written by Research Unit in the Association for Freedom of Thought & Expression

Executive summary

When the newly-elected parliament started its sessions in 2015, its Communications Committee paid due attention to passing laws to regulate the use of cyberspace. Subsequently, the Law on Combating Information Technology Crimes No. 175 of 2018 and the Personal Data Protection Law No. 151 of 2020 were passed. These laws have contributed to strengthening surveillance practices. Nevertheless, the monitoring of online activities, such as emails, surfing the internet, phone conversations, and social media, has been practiced for many years, even before the two laws were passed. This helps us understand the context in which these laws were passed. The Egyptian government adopts a policy of random mass surveillance, as evidenced by the fact that the security services arrested lots of internet users after monitoring their online activities. The Egyptian authorities can stop these practices by introducing legislative amendments and stopping the illegal practices of security services, including the purchase of spyware.

Introduction

Ten years after the 25 January revolution, during which internet services were cut off all over Egypt, according to Article 67 of the Telecommunication Regulation Law No. 10 of 2003, the government – especially the security services – is still imposing mass surveillance on the internet, thus breaching public and private privacies in the digital sphere. These practices have been practiced over the years, based on specific legal texts or completely outside the framework of law. This comes as the internet has been increasingly used as a last window for expressing opinions about public affairs. According to the summary report on communications and information technology indicators issued by the Ministry of Communications, the number of internet users in Egypt reached 62.3 million by the end of September 2020.

In this context, the paper discusses the Egyptian government’s policy in monitoring internet users, in light of laws that the security agencies use to control user data. When the Personal Data Protection Law No. 151 of 2020 was passed, debate surfaced again as to how to protect citizens’ digital privacy, especially as the law aims primarily to protect user data. The paper analyzes the Egyptian government’s practices and the extent of their relevance to a public policy that relies on the use of surveillance to protect security and enhance stability, and the implications of that policy on internet users in Egypt, in addition to its negative impact on investment.

This policy can be changed by stopping the monitoring of internet users and enhancing the rule of law, thus paving the way for more investments and enabling citizens to engage in public debates. In the meantime, the top priority should be given to the protection of user data and the provision of services to the public.

Background .. How has everyone become monitored?

The policy of mass surveillance depends on the purchase of spyware, in addition to passing laws that allow the security services to monitor and arrest users. In 2013, the Egyptian authorities purchased proxySG software from the American company Blue Coat Systems, which uses the “deep packet inspection” technology. This software enables telecom service providers to know a lot about user behaviours, such as geolocation and tracking. It monitors and filters internet content en masse[1]. In the same year, the Ministry of Interior announced Decision No. 22 of 2013/2014 on limited practice, under the name “Public Opinion Measurement System”, through which a tender was conducted to supply and operate software aimed at monitoring the cyberspace.

In response to this, several human rights organizations filed a lawsuit in 2014 before the Administrative Judiciary Court to revoke the Ministry of Interior’s decision regarding limited practice[2]. The lawsuit was rejected in 2017 for reasons related to the lack of link between the plaintiffs and the contested contract. Therefore, the court rejected the case in form, without addressing the importance of its content which is related to the privacy of citizens.[3]

In 2017, the United Arab Emirates purchased the Cerebro spyware and provided it to the Egyptian government. This software, which uses the deep packet inspection technology, enables the Egyptian authorities to comprehensively monitor communications, including voice calls, text messages, emails, instant messages, various social media platforms, and search engines.[4]

The Ministry of Interior’s affiliates, such as the General Administration of Information Technology[5], in coordination with the National Security Agency, monitor social media users. There have been increasing arrests for reasons related to sharing content, writing a comment, liking a post, or managing a page on social media. AFTE documented at least 300 of such arrests during the period from the second half of 2013 until the first quarter of 2021. Moreover, the Public Prosecution, which is part of the judiciary, has created a unit to monitor social media users.

Mass surveillance of social media makes users afraid of visiting certain websites or expressing their opinions, which creates a state of self-censorship over what users could write or like. This applies to users’ accounts on Facebook, Twitter, Instagram, and TikTok, after it was limited to private messages.

As a result of surveillance and the absence of legal guarantees to protect the right to privacy, users sometimes resort to technical tools that enable them to enjoy privacy and communicate securely over the internet. They, however, might be referred to prosecutions because of this, as the Telecommunication Regulation Law criminalizes the use of encryption tools either by service providers or by users.[6]

It should be noted that all electronic means, from emails to social media, use encryption protocols to transfer data[7], which means that the legislator is confused about concepts. However, this article can be understood in the context of the authorities’ endeavours to block websites that provide VPN services, as they blocked the “i2p” and “free internet” websites that provide anonymity to internet users.

The Egyptian authorities, moreover, have tried to block encrypted private chat applications, such as Signal. On 16 December 2016, the authorities tried to block Signal, and the application tweeted: “We’ve been investigating over the weekend, and have confirmed that Egypt is censoring access to Signal.”[8]

These practices are based on a general policy adopted by the Egyptian authorities to consider surveillance as a tool to protect national security, without being bound by respect for human rights and the rule of law. This policy affects Egypt’s international relations. For example, the German police in 2017[9] cancelled a training course for the Egyptian police on monitoring extremist websites for fear that the latter would use it to monitor Egyptians. It, moreover, affects international companies operating in Egypt, which may be exposed to pressure to share their users’ data with the Egyptian authorities.

From among several alternatives, ending the policy of mass surveillance is the best solution

The Egyptian government still prefers to use mass surveillance, technology, legislation, and security services in order to achieve its goal. The development of surveillance technologies has enhanced the government’s ability to collectively monitor communications and online activities. According to a digital security expert, highly-sophisticated artificial intelligence software is used to analyse patterns and language, which means that huge user data is collected and analysed to help determine users’ interests and political orientations based on the pages they use.[10]

Since these practices govern the laws that followed, the Law on Combating Information Technology Crimes allows the government to obtain user data from telecommunication companies and store it for six months. Therefore, the government uses the legislation to maintain mass surveillance[11], thus enhancing its capabilities to impose comprehensive monitoring measures[12]. This is backed by the state’s ownership of the telecommunication infrastructure and the central administration of this vital sector[13]. The transparency report of Vodafone Egypt in the United Kingdom, before it was sold to Saudi STC, stated that the company could not disclose any information related to its business in Egypt, otherwise its license would be revoked.[14]

Some lawmakers and experts may advocate a somewhat different policy that avoids user monitoring and focuses only on the protection of personal data, in order to provide an attractive investment climate. This trend has emerged when the Personal Data Protection Law was passed. The government announced that one of the key objectives of the law is to create a legislative climate that encourages investment in the giant data center industry[15], and to raise Egypt’s ranking in the human rights index[16], without taking any measures regarding the monitoring practices carried out by executive and security agencies.

It was expected that the law would regulate the process of using and sharing data, and protect users from violating their privacy by multiple parties. However, the law excluded national security agencies and entities subject to the Central Bank from the provisions of the law[17], which negates the law’s primary objective of protecting data privacy. In addition, the executive regulations of the law have not yet been issued, which raises concerns about the investment climate, especially as a number of international companies, such as Google and Microsoft, expressed concerns about the law at the time of its discussion[18]. This approach, moreover, does not show ways to deal with the purchase of spyware and the monitoring of internet users by government agencies.

We suggest that the Egyptian government adopt a policy based on an immediate halt to surveillance and a commitment to privacy protection. The government should stop using or purchasing spyware, and introduce legislative amendments, by launching an extensive discussion with telecom experts, companies, and civil society organizations, in order to determine the destination and goals of these laws. It should also provide stronger guarantees to protect the users’ right to privacy, to ensure that the control imposed on internet and telecommunication service providers is stopped, and that the security services comply with the law.

This policy would provide legal ways to deal with any threats to national security and rein in the security services that infringe on citizens’ privacy, thus enhancing political and social stability. On the other hand, the introduction of legislative amendments that prevent monitoring practices would encourage investors and major companies to work in Egypt. This policy would also allow the Egyptian government to boost its international relations by strengthening its commitment to the protection of privacy, thus giving more opportunities for cooperation and training with democratic countries.

Recommendations

AFTE believes that the Egyptian government can end the monitoring policy through several recommendations, which can be summarized as follows:

  • The Prime Minister should issue a decision to immediately stop the use of spyware by the government and security agencies, and prevent ministries from purchasing new software.
  • The Ministry of Interior should review security measures related to the monitoring of social media, including the referral of users to the Supreme State Security Prosecution.
  • The House of Representatives should abolish the Law on Combating Information Technology Crimes No. 175 of 2018, as the law allows security services to carry out mass surveillance. Penal and criminal laws should be used in crimes committed via the internet.
  • The Egyptian government should ask the House of Representatives to amend the fifth paragraph of Article 3 of the Personal Data Protection Law, so that all agencies will be subject to the rule of law, and that the exception of some agencies will be limited to specific cases as per judicial orders.
  • The Egyptian government should ask the House of Representatives to amend Article 20 of the Personal Data Protection Law, to exclude security agencies from forming a data protection center.
  • The Egyptian government should ask the House of Representatives to amend Articles 64 and 67 of the Telecommunication Regulation Law, to prevent security agencies from continuing mass surveillance and imposing control on telecom companies.

Conclusion

The importance of ending surveillance increases as the use of technology and the internet expands in all aspects of life. The Egyptian government can protect privacy and enhance the rule of law rather than getting involved in surveillance practices that violate human rights. The adoption of a new policy would enhance the protection of privacy and therefore enhance the chances of stability at the political and social levels. It would also help attract investments and major companies, thus serving the development plans announced by the Egyptian government for the coming ten years. Furthermore, it would enable citizens to participate in public debates. The government can propose legislative amendments that serve these goals.

References

[1] Access now, “Egypt: A Long History of Internet Surveillance,” October 2020, link: https://www.accessnow.org/%D9%85%D8%B5%D8%B1-%D8%AA%D8%A7%D8%B1%D9%8A%D8%AE-%D8%B7%D9%88%D9%8A%D9%84-%D9%85%D9%86-%D9%85%D8%B1%D8%A7%D9%82%D8%A8%D8%A9-%D8%A7%D9%84%D8%A5%D9%86%D8%AA%D8%B1%D9%86%D8%AA-%D9%88%D8%A7%D9%84%D8%A7/

[2] AFTE, Lawsuit filed before the Administrative Court against the Interior Ministry to stop social media surveillance, September 2014, link: https://afteegypt.org/en/uncategorized-en/2014/06/19/7953-afteegypt.html

[3] Judgment of the Administrative Court in Case No. 63055 of Judicial Year 68, 2017, link: https://www.madamasr.com/en/2017/02/28/news/u/administrative-court-rejects-lawsuit-against-interior-ministrys-social-media-surveillance-project/

[4] Access now, op. cit.

[5] Al-Watan, Admin of Facebook page that incites the killing of army and police personnel arrested in Minya, 2016, link: https://www.elwatannews.com/news/details/1533410

[6] Article 64 of the Telecommunication Regulation Law No. 64 of 2003: “Telecommunication services operators, providers, their employees and users of such services shall not use any telecommunication services encryption equipment except after obtaining a written consent from each of the National Telecommunication Regulatory Authority (NTRA), the Armed Forces and National Security Entities, and this shall not apply to encryption equipment of radio and television broadcasting. With due consideration to inviolability of citizens private life as protected by law, each operator and provider shall, at his own expense, provide within the telecommunication networks licensed to him all technical potentials including equipment, systems, software and communication which enable the Armed Forces, and National Security Entities to exercise their powers within the law. The provision of the service shall synchronize in time with the availability of required technical potentials. Telecommunication service providers and operators and their marketing agents shall have the right to collect accurate information and data concerning users from individuals and various entities within the State.”

[7] Amnesty International. “Encryption: a matter of human rights”. 2016. Available at: https://www.amnestyusa.org/reports/encryption-a-matter-of-human-rights/#:~:text=The%20briefing%2C%20Encryption%3A%20A%20Matter,to%20privacy%20and%20free%20speech

[8] Masar, “Internet surveillance in Egypt”, December 2020, link:

https://masaar.net/en/internet-censorship-events-in-egypt-timeline/

[9] HRDO Center for Digital Expression, “Telecommunication and Internet Surveillance Policy Brief”, 2020, link: https://hrdoegypt.org/?p=4485

[10] Telephone conversation with a digital security expert, April 2021

[11] AFTE, “Digital Freedoms.. Basic Concepts,” 2013, link: https://afteegypt.org/wp-content/uploads/2013/02/afte001-20-02-2013.pdf

[12] OHCHR Report, “The Right to Privacy in the Digital Age,” June 2014, link: https://www.ohchr.org/EN/HRBodies/HRC/RegularSessions/Session27/Documents/A-HRC- 27-37_en.doc

[13] OONI, AFTE. “The state of internet censorship in Egypt”. 2018. Available at: https://afteegypt.org/wp-content/uploads/Egypt-Internet-Censorship-AFTE-OONI-2018-07.AR_.pdf

[14] Mada Masr, “Telecommunications surveillance .. How will the State’s attempts to control cyberspace end?”, May 2015, link: https://www.madamasr.com/ar/2015/05/21/feature/%D8%B3%D9%8A%D8%A7%D8%B3%D8%A9/%D9%85%D8%B1%D8%A7%D9%82%D8%A8%D8%A9-%D8%A7%D9%84%D8%A7%D8%AA%D8%B5%D8%A7%D9%84%D8%A7%D8%AA-%D9%83%D9%8A%D9%81-%D8%B3%D8%AA%D9%86%D8%AA%D9%87%D9%8A-%D9%85%D8%AD%D8%A7%D9%88%D9%84%D8%A7%D8%AA-%D8%A7

[15] Explanatory note on the Personal Data Protection Law No. 151 of 2020

[16] Masar, “Personal Data Protection Law.. Enhancing the Right to Privacy, or Illusion to Improve the Legislative Environment”, 2020, link:  https://masaar.net/en/personal-data-protection-law-does-it-really-aim-at-bolstering-the-right-to-privacy/

[17] Article 3 of the Personal Data Protection Law No. 151 of 2020: “The provisions of the annexed law shall not apply to the following:

  1-Personal data of third parties which is held by natural persons and processed for personal use

  2-Personal data which is processed for the purpose of obtaining official statistical data, or in application of a legal provision

  3-Personal data which is processed exclusively for media purposes, provided that it is true and accurate, and not used for any other purpose, without prejudice to the laws governing the press and media

  4-Personal data relating to judicial records, investigations, and lawsuits

  5-Personal data which is held by the national security authorities, and whatever determined by them for other considerations. Upon the request of national security authorities, the Center shall notify the controller or the processor to modify, delete, hide, make available, or circulate personal data within a specified period, according to national security considerations. The controller or processor shall comply with the notification within the specified period therein

  6-Personal data which is held by the Central Bank of Egypt and entities subject to its control and supervision, with the exception of money transfer companies and currency exchange companies, provided that the rules set out by the Central Bank of Egypt in relation to handling personal data are observed.”

[18] Al-Araby al-Jadid, “Egypt: Google and Microsoft concerned about Personal Data Protection Law,” 2019, link: https://www.alaraby.co.uk/%D9%85%D8%B5%D8%B1-%D9%82%D8%A7%D9%86%D9%88%D9%86-%D8%AD%D9%85%D8%A7%D9%8A%D8%A9-%D8%A7%D9%84%D8%A8%D9%8A%D8%A7%D9%86%D8%A7%D8%AA-%D9%8A%D9%82%D9%84%D9%82-%22%D8%BA%D9%88%D8%BA%D9%84%22-%D9%88%22%D9%85%D8%A7%D9%8A%D9%83%D8%B1%D9%88%D8%B3%D9%88%D9%81%D8%AA%22

You might also like