August 21, 2015
The second IGMENA Google Hangout of 2015 addressed the issue of privacy and personal data protection laws. The focus of the debate was the different ways to balance cyber security laws and policies with end-users’ online security. The debate was moderated by Mr. Hamza Ben Mehrez, The Policy Analyst Lead at IGMENA. There participants in this debate were:
- Mr. Omar Isbaitan, Head of the Information and Communication Technologies Department at the Palestine Standards Institution
- Ms. Yosr Jouini, Civil Society Activist, Blogger, and Software Engineering Student
- Ms. Hiba Abass, Regulatory Affairs Specialist at Zain Sudan
- Waleed Al Saqaf, Postdoctoral Researcher in Media and Communication at Stockholm University
To open this discussion, Hamza Ben Mehrez asked participants to reflect on the public perception of privacy and data protection.
Omar Isbaitan said that personal data protection is not a topic of focus in Palestine because there are many other complex issues that Palestinians are facing. He shared that a big concern regarding ICTs is Israeli control of communications gateways (including the Internet) and practices related to surveillance and monitoring by the Israeli government. According to Isbaitan, it is not possible to secure data and protect privacy in such circumstances.
Yosr Jouini said that in Tunisia, people generally have one of three perspectives regarding privacy and data protection. Some Tunisians think back to surveillance activity before the revolution and are therefore concerned about privacy. Others are focused on terrorism and recognize that privacy laws may change. A third group are unsure what to think. Civil society is constantly debating issues of privacy and data protection, especially following recent revelations about the use of surveillance software.
According to Hiba Abass, the laws in Sudan clearly protect privacy, but in practice privacy is not always protected and respected. There is general awareness that the government filters and monitors Internet activities, but people tend to be more concerned about their general protection and security than about Internet privacy and online data protection specifically.
Waleed Al Saqaf said that it is difficult to reflect on public perception without looking at the demographics of the people in question. According to Al Saqaf, there is a split between the general population of Internet users and people who produce sensitive political content online. As part of his dissertation, he surveyed 5000 people about whether they valued surveillance circumvention tools and online anonymizers. In Yemen, for example, there is a very small number of activists who are extremely conscious about data privacy and the threats against them. The general population is less focused on privacy. In a second survey with a more regional focus (Syria, Tunisia, and Egypt) Al Saqaf found that found that there was a spike in concern about online privacy during and after the Arab Spring. This study provided evidence that people in the Middle East are increasingly concerned about protecting their privacy.
Hamza Ben Mehrez asked the group whether the Snowden revelations about government surveillance practices changed people’s perception of privacy and data protection issues.
According to Hiba Abass, people used to see popular online platforms as cost-free tools to use for advocacy, but they now see that there are real costs to using these tools. After the Snowden leaks, people will start relying on other platforms and services for their communication, because they see that the US is not better than Sudan with respect to privacy and that, in fact, the two governments are in collaboration. Abass said that activists do not feel as secure as they did before. She shared that for the more general population of Internet users, the revelations about US government surveillance were not as much of a concern because people are accustomed to the Sudanese government conducting surveillance and monitoring people.
Omar Isbaitan said that there are surveillance cameras and checkpoints everywhere in Palestine that are used to monitor people’s activities. The revelations did not affect Palestinian society because people are already living under heavy surveillance and this monitoring is a prominent part of their lives.
Waleed Al Saqaf said that based on personal interactions with his contacts, he thinks that people feel vindicated. They had the sense that their online activity was being monitored and now they have evidence that surveillance has been taking place. According to Al Saqaf, it was disappointing that it was the US conducting surveillance, because the US government says that it supports democracy, freedom of expression, and due process, but it is violating the fundamental right to privacy by monitoring communications.
Al Saqaf continued that many people in the Arab world use popular cloud services because they are convenient. It is becoming clear, however, that if you want security you need to sacrifice convenience. The tools that are secure are less easy to use. This is a problem because many activists are not tech savvy enough to, for example, encrypt traffic end-to-end. The Snowden revelations may not actually change the way people use services, but it proves that people’s suspicions are founded and that these services are not safe.
According to Yosr Jouini, people are now discussing surveillance at the global level, but they are also talking about it at the local level in Tunisia. People want to know what kinds of surveillance activities are happening in their own country. Jouini pointed to contradictions in the current laws and said that it is important to move towards legal and systematic reform. According to Jouini, WikiLeaks also influenced the discussion, because documents from the American Embassy in Tunisia revealed information about surveillance that took place in the Ben Ali era.
Jouini emphasized that there are discussions underway between different stakeholders and that debate is always healthy. Sometimes these discussions influence the laws and lawmakers and sometimes not, but it is always healthy to have this discourse. According to Jouini, people have a short memory and they sometimes forget what happened in the previous era. Therefore, she feels that it’s important to have these debates and keep advocating around issues related to government surveillance.
Next, Ben Mehrez asked about the current state of policy related data protection and the related institutions.
Hiba Abass said that in Yemen the constitution and regulations say that privacy should be maintained, but implementation is the real issue. The problem is in verifying that practices follow the laws and ensuring that people can address violations in the courts. Under the constitution and the Electronic Transactions Law, government may only access user data with a court order. At the same time, Abass said, security authorities are intercepting data and there is no transparency about these activities.
Omar Isbaitan shared that there are 4.5 million people in Palestine, 1.4 million of whom use Internet and social media. Many are 18 to 25, and because they are young and immature, there are some problems with cybercrime in Palestine. The President formed Cybercrime and Electronic Crime unit with staff that handle issues such as hacking, spam, fraud and money transactions. The Cybercrime law treats online crimes as real crimes, so that a person can take an online crime to the courts. An e-signatures law will soon be introduced in Palestine, as well.
According to Waleed Al Saqaf, the Internet has taken the legal system in Yemen by storm and the government is having difficulty handling it. For example, the judiciary was unable to understand how an email is sent. This reality makes it difficult to handle cybercrimes in the courts. It is very hard to handle cybercrimes in the current legal context. This may explain why Yemen has not yet issued any cyber laws, unlike some of the Gulf States. Al Saqaf said that in one sense, Yemen is behind other countries, but this may be a positive thing because cyber laws have been misused to prosecute bloggers and dismantle dissent.
On the one hand, he continued, it is good to have laws that address cybercrimes and security. On the other hand, it can be difficult to know the consequences of putting such laws in the hands of governments that have a history of prosecuting people. Al Saqaf said that Yemen currently uses the regular penal code to prosecute bloggers and applies concepts that are not appropriate for the Internet. According to Al Saqaf, this is not only a challenge for the Arab world, but a global issue. It is a major challenge to sync laws so that you can successfully stop and prevent attacks and crimes on the global Internet. There needs to be a more comprehensive way to deal with cybercrime.
Yosr Jouini reflected on the fact that Tunisia is in transition. There are old laws and new laws in Tunisia. The constitution of Tunisia (passed in 2014) says that privacy of people should be protected, but the government still works with laws that were in effect under the Ben Ali regime. Jouini said that it is difficult to know the state of the law, even for members of civil society that actively work to understand the laws and institutions that apply to different issues and situations. According to Jouini, the government needs to be more active in introducing new laws and continuing legal reform.
Hamza Ben Mehrez asked the participants to reflect on the roles of telecoms, governments, and civil society in the privacy and data protection discussion.
Waleed Al Saqaf shared that the privacy issue has been growing in Yemen, especially in times of crisis. Al Saqaf used to do trainings with bloggers and journalists about privacy and security, but this is no longer possible because of the war. Without this type of support, more bloggers and journalists have been jailed. Looking more broadly at the question, Al Saqaf said that there is consensus in the activist community that it is critical to empower individuals to take action to protect their privacy and security. He said that the state also has an obligation to protect the rights of citizens, and it is important for them to follow through on those obligations. In addition, technology companies need to work to improve the security of tools, identify vulnerabilities and protect their users. All of these things need to contribute to solutions.
Omar Isbaitan said that technology is evolving and the number of users is growing rapidly, which creates new challenges for privacy and data security. New connected devices are collecting and revealing a lot of personal information about us. Telecommunications companies and service providers face the challenge of putting more security into their networks, supporting new technologies, and taking measures to protect their customers.
Hiba Abass shared that, in her opinion, the major issue is transparency about information that is collected. Business must protect users but also follow government regulations, including regarding surveillance. She said that activists and civil society are vulnerable, because they cannot be sure that they will be protected by the laws and they have limited access to tools and services outside of Sudan due to US sanctions. Finally, she is concerned that as a person in Sudan, it is unclear who is going to protect her rights and rectify problems if companies violate her privacy.
Yosr Jouini said that in Tunisia is important to address the conflicts between laws and increase engagement among stakeholders. She emphasized that the private sector needs to engage more with civil society on issues related to user privacy.
Hamza Ben Mehrez closed the discussion with asking participants how policies and laws could better protect end-users.
Waleed Al Saqaf said that no single government could address the problem alone. The Internet is global and so are related issues of privacy and security. Having only national level laws may not be enough, which is why the importance of global multistakeholder governance is growing. The Internet Governance Forum provides a new opening to deal with some of these issues using a multistakeholder approach. In Yemen, ISOC is creating multistakeholder dialogue at the national level.
Omar Isbaitan said that the Palestinian Basic Law of 2003 (amended in 2005) addresses issues of privacy, journalism, and publishing. Palestine does not have a legislative council since 2008 to issue laws on data protection, privacy, or security. There are some data protection laws, including a new law on e-transactions. Isbaitan said that in order to better protect data, people in Palestine can use SSL encryption. Big companies in Palestine also use their own methods of securing data.
According to Hiba Abass, the main issue is not policy but increasing awareness and including more stakeholders in the dialogue. People need to understand the impact of data protection issues and become more active digital citizens with respect to privacy and security. Without significant support from more people, it will not be possible to change the laws and the system.
Yosr Jouini said that the laws related to privacy and access to information in Tunisia need to be reviewed. Terrorism and cybercrime are real concerns but citizens must understand that there does not need to be a trade-off between security and privacy. She emphasized that citizens must push for transparency as a best practice for government institutions.