Lebanon: Unknown sources sending mysterious surveys to people affected by the war

During the recent Israeli war on Lebanon, displaced individuals were sent mysterious surveys. Many of these questionnaires had no discernable sender or origin. Most alarmingly, the Lebanese authorities have yet to address this phenomenon, apart from a brief directive issued by the Council of Ministers.

The Council’s directive requested “all public administrations, public institutions, municipalities, and unions of municipalities to refrain from proceeding with any project involving electronic platforms in collaboration with foreign and non-governmental organizations before conducting technical inquiries about these platforms, their personnel, and their objectives.”

However, to date, no legal action has been taken against this threat to displaced persons’ data privacy or to identify those responsible for this exploitative data collection operation.

Lebanese residents also received Israeli warning calls and messages on their mobile phones during the war, urging them to evacuate marked locations immediately. Lebanese authorities were unable to stop these communications, identify their sources, or issue security guidelines for citizens to protect themselves.

The lack of response has raised concerns about the absence of a security plan to protect digital sovereignty. It is particularly distressing given the context of a brutal war where cyberattacks played a significant role.

In 2019, the Lebanese government approved the National Cybersecurity Strategy, but it has not been updated meaningfully. The Lebanese state employs very modest digital technologies, meaning that its cyber-security systems are lax. State-launched digital projects and platforms, most developed in partnership with the private sector, are therefore not well secured. This includes the COVID-19 pandemic public health platform, the “Nafaa Platform” for vehicle registration, and the General Security platform for booking appointments to issue passports.

Unknown Source Links Spread Even After the War

The questionnaires sent to displaced people were distributed by but were not limited to WhatsApp. The surveys were also distributed by manual requests in areas where the displaced were concentrated, particularly in Tripoli and other regions of North Lebanon.

In an interview with SMEX, a journalist (who preferred to remain anonymous) stated that an online form was circulated to register displaced individuals in Tripoli during the war. The municipality set up a call center and gave out a phone number for displaced persons to call to register their personal information and receive aid. He also said, “I learned from the call center that the collected data is fully shared with associations that request it. As for electronic forms, displaced individuals are forced to agree to a clause allowing the sharing of their information with donor organizations.”

Once the war ended and the displaced returned home, other random forms began circulating among people. An unknown entity claimed that affected individuals would receive aid by filling out the requested forms, soliciting detailed information about home repairs and the extent of damage to their properties. The origin and purpose of these surveys remain uncertain.

The Disaster and Crisis Management Chamber of Beirut’s Governorate announced the launch of an electronic form. Its purpose is to register displaced persons and returnees residing within the governorate’s jurisdiction. This procedure aims to update data after the ceasefire and other developments. SMEX tried to contact the media office of the Ministry of Interior and the Director General of Local Administrations and Councils (Mrs. Faten Abu Hassan), but did not receive any response.

Moreover, a source from the government’s Emergency Crisis Committee told SMEX that “according to the emergency plan, the responsibility for collecting personal information of displaced persons falls on the governorates, the Ministry of Social Affairs, and the unions of municipalities. This should be carried out in coordination with the Ministry of Education, as it oversees the management of shelter centers in collaboration with the Red Cross.”

When asked about the possibility of data breaches, the source responded: “The data of displaced persons has not been breached, and no personal information collected by the state has been shared. Data-sharing was limited to numbers, distribution, and the names of centers, and this was done with UN institutions and international and local organizations as part of the government’s humanitarian response plan to provide support to displaced persons. This was conducted with full adherence to protecting personal information in compliance with laws and international standards.”

Regarding the directive issued by the Council of Ministers, the source explained that it was “based on lessons learned from the Beirut Port explosion on August 4, 2020, aimed at preventing any entity from collecting data for its own benefit and ensuring strict protection and regulated use of information.”

The Emergency Committee operates through the Disaster Management Chambers in the governorates. The committee relies on two main methods for conducting the surveys in collaboration with the governorates and municipalities. The first method involves direct registration, which is coordinated with shelter center managers under the supervision of the Ministry of Education, the Ministry of Social Affairs, and the Red Cross. The second method is self-registration via an electronic link provided by the Disaster Management Chambers of the respective governorates in collaboration with the Red Cross, who help facilitate the process and ensure that services reach all beneficiaries.

The source also emphasized that the Disaster Management Chambers are exclusively responsible for conducting the surveys and securing the data collected. This includes the Disaster Management Chamber at the Grand Serail and the Disaster Management Chambers of the respective governorates. The source stressed that this operation is conducted within a “tight framework that ensures the confidentiality and protection of data, free from any external interference.”

The Council of Ministers’ directive was issued to protect the personal information of displaced persons. However, it did not clarify the mechanisms for addressing the mysterious forms of unknown origin. According to the same source, the directive’s aim is to combat the spread of unknown-source links. This responsibility falls directly within the Emergency Committee’s jurisdiction to ensure the organization and protection of data collection processes.

Our source confirmed that the committee follows a specific procedure to guarantee data protection. “The Disaster Management Chamber at the Grand Serail is the entity directly responsible for managing the data stored on a central server located at the Council of Ministers. A data protection protocol and strict measures are in place to prevent unauthorized access.”

In case of a data breach concerning the displaced, the source explained that “it is possible to resort to appropriate legal measures under Law No. 81/2018, the Electronic Transactions and Personal Data Law.”

Insufficient Personal Data LawThe “Electronic Transactions and Personal Data Law” was passed by the Lebanese Parliament in September 2018, but it is incomplete and inadequate. SMEX has previously analyzed the law and highlighted its gaps and shortcomings.

For example, the requirements for data collection outlined in Article 87 of the law are vague and ambiguous. They permit data collection without specifying a clear purpose for the process or requiring that it be relevant to the stated goal. The article does stipulate that data collection should not exceed the declared objectives and must be conducted honestly for lawful, defined, and explicit purposes. However, it fails to define what these objectives are.

It appears that the Lebanese state has not learned any lessons from the crises and challenges that have shaken the country in recent years, at least not since the most recent economic crisis and the outbreak of the COVID-19 pandemic. This failure extends even to legislative efforts to protect people’s data.

Now, more than a month after the ceasefire was announced in Lebanon, what is the fate of all the data that has been collected? And does the government intend to acknowledge the magnitude of the damage? Will the government address it before it’s too late—if it isn’t already?

The “Digital Safety Helpdesk” presents a series of tips to help you avoid falling victim to phishing links:

  • Phishing links often appear strange or disguised to look like legitimate links that don’t raise suspicion. For example, instead of http://google[.]com, a phishing link might be http://googl[.]com (missing the letter “e”). Avoid such links!
  • If you receive an email containing a link, you can check where it will take you by hovering your mouse over the link. This will reveal the IP address or web address in a small yellow or white box at the bottom or top of your screen (depending on your browser). This technique can help you identify phishing links.
  • Phishing emails often try to evoke fear or excitement in the recipient, such as: “If you don’t click this link, your email will be deactivated,” or “You won’t get these free gifts.” If these messages are unexpected, they are likely phishing attempts.
  • Complex domain names with multiple dashes, numbers, and dots are often fake links and may be part of a phishing campaign. For instance, a link like http://freeticket-xn--8973.smexclub[.]win is likely a phishing link.

Don’t forget that you can always reach out to the Digital Safety Helpdesk at SMEX if you have been exposed to, or suspect that you are a victim of, any form of digital violence through:

Signal/WhatsApp: +961 81 633 133Email: helpdesk@smex.org

Main image by AFP.
The post Lebanon: Unknown sources sending mysterious surveys to people affected by the war appeared first on SMEX.