It’s not unusual for law enforcement agencies to monitor social network activity to gather intelligence and monitor threats. In Lebanon, however, authorities are reportedly trying to take things to a whole new level: by demanding access to all Lebanese citizens’ passwords for email and social media sites.
In October, Lebanon’s intelligence chief Wissam al-Hassan died in what appears to be an assassination. The Information Branch of the country’s Internal Security Forces has been aggressively hunting those responsible—a pursuit that included, it has emerged, making a sweeping surveillance request that the country’s judicial authority rejected. Telecom minister Nicolas Sehnaoui told the Daily Star that, in an astonishing move, the security agency had demanded access to “the content of text messages from some 3.7 million Lebanese citizens” during a two-month period between September and November. Sehnaoui was also quoted saying the security agency had requested “all Lebanese citizens’ passwords for email and social media sites.”
Unsurprisingly, the reports have sparked a great deal of controversy. Beirut-born Nadim Kobeissi, the creator of an encrypted chat service called Cryptocat, wrote a blog post calling the demand for passwords “unacceptable” and encouraging Lebanese citizens to download his software as a alternative to Facebook. Writing in Lebanese daily Al-Akhbar, journalist Hassan Chakrani described the request as a “dangerous precedent.” An anonymous security official has since tried to temper the outcry by denying the telecom minister’s statement about the request for the passwords (though he was happy to admit the demand for the text messages).
Given Lebanon’s history in this space, though, many in the country remain skeptical. Lebanon’s security agencies have previously been accused of abusing their authority to conduct wiretapping, fuelled by fears over how the tactic could be used illegally for political reasons. Since 2009 the issue has been simmering, after a high-level dispute over wiretapping as politicians grappled to address the tension between national security and privacy. The latest clash between the country’s judiciary and the Information Branch will reignite that debate. But even if the judiciary were to grant legal approval for the passwords and text messages, it’s not clear whether telecom companies in Lebanon would be capable of handing over the desired data. In the United States, for instance, cellphone companies only store text messages for a few days or weeks, if at all (which, incidentally, law enforcement agencies are looking to change).
The situation may be different in Lebanon, as the country’s two main mobile operators, Touch and Alfa, are state owned. However, even if the texts are sitting on a database somewhere, social network passwords would be held by the social network provider—so unless the security agency has installed sophisticated countrywide surveillance technology capable of spoofing encrypted https connections, the passwords would remain stored on servers belonging to, say, Facebook. And while it’s true Facebook has a dubious record on privacy, it’s hard to imagine even Mark Zuckerberg and co. handing over millions of passwords to a shady security agency in Lebanon.