Lebanese, UK government deny claims of Lebanese user data sale to British firm

The Lebanese government and UK embassy in Beirut denied any misuse of Lebanese residents' data after a Lebanese newspaper raised concerns about user privacy on a Lebanese e-government platform.

The newspaper, Al-Akhbar, claimed that the head of Lebanon's central inspection bureau sold user data to a British company, Siren Associates, in exchange for $US3 million in foreign aid funds. The head of Lebanon's central inspection Bureau, Judge George Attieh, denied the claim.

The newspaper alleged that users' data on Lebanon's e-governance platform, IMPACT, was unsecured and that the process of its funding by the UK development office did not follow the usual procedure.

IMPACT is an e-governance program that provides a variety of functions in Lebanon, including allowing people to sign up for COVID vaccines and to receive social support from the Lebanese state.

The launching of the platform in 2020 was meant to facilitate services for residents, as well as promote transparency around the government and its activities.

Lebanon's government is notorious for corruption, misuse of public funds and a lack of transparency. There is generally a lack of trust between the country’s residents and the government.

"We fully stand by the really important work we did with the IMPACT platform, which has had a really positive impact in terms of improving accountability … and also milestones like the COVID vaccine rollout," Alice Moss, a spokesperson for the UK embassy in Beirut, told The New Arab.

Moss continued that the embassy "refuted" a lot of the claims in the article. She further clarified that no money had been given to the central inspection bureau directly, but rather was given to Siren Associates to implement the e-governance project.

Concerns about user privacy were first raised by the Beirut-based digital rights organisation SMEX, which said there is a lack of clarity about where user data is stored.

User data was initially stored on a German server, but according to Siren Associates, was transferred to Lebanese servers in October 2021 under the supervision of an auditing body.

According to Carole al-Sharabati, director of research at Siren Associates, "no scenario exists where [siren staff] would be able to export or use IMPACT data for any purpose beyond those agreed upon by the Government of Lebanon."

Al-Sharabati also told TNA that any time a Siren staff member accesses the IMPACT database, the activity is logged by the third-party auditing body and central inspection.

The IMPACT platform hosts sensitive data, which in certain cases includes pictures of users, vehicle registration and banking information.

SMEX also questioned why the central inspection bureau, a body meant to audit other agencies in the government, was implementing the IMPACT project.

"How can you be an inspection bureau and your role is to audit other employees, then suddenly you are hosting data? Who is going to audit you? This is where there is a conflict of interest in theory," Mohammed Najem, the executive director of SMEX, told TNA.

Siren Associates, which is supporting the central inspection bureau, is audited by a third-party firm, but it is unclear whether the Central Inspection Bureau itself is audited by any third parties.

Judge Attieh issued a statement on 10 January saying that the IMPACT program had been approved by the Council of Ministers of Social Affairs.

The judge also denied that central inspection sold any data, saying that he had a "proven record of integrity."

Lebanon's constitution indirectly recognises the right to privacy, but it does not have an independent data protection regulator. Digital rights activists have said that "the legal framework for data protection is weak" in the country and have recommended stronger privacy laws.