(Beirut) – Lebanon’s general prosecutor should investigate reports of secret large-scale surveillance tied to a Lebanese intelligence agency, ten human rights and media organizations said today. Privacy and surveillance researchers on January 18, 2018, released a report alleging that a malware espionage campaign responsible for stealing hundreds of gigabytes worth of personal data was tied to a building owned by Lebanon’s General Security agency.

Researchers at Lookout and the Electronic Frontier Foundation, stated that an actor “believed to be administered out of a building belonging to the Lebanese General Security Directorate in Beirut” was responsible for stealing hundreds of gigabytes of private data. According to the report, the espionage campaign has been running since 2012 and was ongoing at the time of publication, affecting thousands of people in more than 20 countries, including activists, journalists, lawyers, and educational institutions.

“If these allegations are true, this intrusive surveillance makes a mockery of people’s right to privacy and jeopardizes free expression and opinion,” said Lama Fakih, deputy Middle East director at Human Rights Watch. “Lebanese authorities should immediately end any ongoing surveillance that violates the nation’s laws or human rights, and investigate the reports of egregious privacy violations.”

The report alleges that the espionage was primarily carried out through mobile devices that were compromised by fake messaging applications, allowing attackers to take photos, retrieve location information, and capture audio. The researchers said the mobile focus of the espionage campaign was one of the first they had seen on a global scale. The private data they said were captured includes SMS messages, call records, browsing histories and bookmarks, and audio recordings, and was available on the open internet because operators allowed public access to the data.

A 2015 report had identified General Security as one of two agencies in Lebanon using FinFisher, a sophisticated spyware system. In 2016, SMEX, a Beirut-based nongovernmental organization, published a report mapping the digital surveillance landscape in Lebanon.

In response to the report, Abbas Ibrahim, the director general of General Security, told Reuters: “General Security does not have these type of capabilities. We wish we had these capabilities.” On January 19, local media reported, Interior Minister Nohad Machnouk said that reports of Lebanon spying were exaggerated but not necessarily incorrect. On January 20, Ibrahim admitted in a media interview that General Security was conducting surveillance.

Lebanese law 140 of 1999 protects the confidentiality of communications from eavesdropping, monitoring, or disclosure, except in cases provided by law. However, it also authorizes the interior minister, who oversees General Security, and the defense minister, to order the interception of specific communications based on a written decision approved by the prime minister, for the purpose of combatting terrorism, crimes against state security, and organized crime.

International human rights law prohibits any arbitrary or unlawful interference with privacy, including private communications. And any government interference with privacy must be necessary to achieve a legitimate aim and must be carried out in accordance with both international and domestic law. Any law allowing secret surveillance must be “sufficiently clear in its terms to give citizens an adequate indication as to the circumstances” in which the monitoring may take place. Human rights law also provides that governments in most circumstances must notify people whose private information has been the object of surveillance. If an individual’s fair trial, privacy, or other rights are violated, the government must provide an effective remedy.

“Allegations that stolen data was left on the open web are particularly concerning, and would put people’s privacy at further risk,” Fakih said. “There is no justification for arbitrary large-scale surveillance, but leaving people’s private information exposed on the internet would be beyond the pale.”

Signatory Organizations:

Access Now

Alef – Act for Human Rights

Alkarama Foundation

Electronic Frontier Foundation

Helem

Human Rights Watch

Lebanese Center for Human Rights (CLDH)

Media Association for Peace (MAP)

SKeyes Center for Media and Cultural Freedom

SMEX