State of Privacy Egypt

Table of contents

• Introduction
• Right to Privacy
• Communication Surveillance
• Data Protection
• Identification Schemes
• Policies and Sectoral Initiatives

Introduction

Acknowledgment

The State of Surveillance in Egypt is the result of an ongoing collaboration by Privacy International and its partners.

Key privacy facts

1. Constitutional privacy protection: The constitution contains an explicit protection of the right to privacy.

2. Data protection law: In August 2018, the Cabinet approved a draft Data Protection bill. The draft (as of November 2018) still awaits approval by an open session of Parliament.

3. Data protection agency:  Egypt does not currently have a data protection agency.

4. Recent scandals: In December 2017, at the Cairo International Exhibition for Communications and Information Technology, the head of Egypt Post, Mr. Essam El Sagheer, declared that his department was using “unconventional methods” to collect customer data, based on what seems to be an independent system for automating the reading of national ID cards, fingerprints and iris recognition, and linking them to the financial accounts of customers.

5. ID regime: First introduced in 1996, Egypt has a National ID Card system mandatory for all citizens aged 16 and older.

Right to Privacy

The constitution

Egypt adopted a new Constitution in a referendum in January 2014. The document guarantees the right to privacy.

Article 57 states that:

“Private life is inviolable, safeguarded and may not be infringed upon. Postal, telegraph, e-correspondence, telephone calls and any other means of communications are inviolable and their confidentiality is guaranteed and they may only be confiscated, examined or monitored by causal judicial order, for a limited period of time, and in cases specified by the law.

The state shall protect the rights of citizens to use all forms of public means of communication, which may not be arbitrarily disrupted, stopped or withheld from citizens, as regulated by the law”

Furthermore, Article 99 of the Constitution stipulates that:

“.. any assault on individual freedom or the inviolability of citizens’ private lives and any other public rights and liberties guaranteed by the Constitution shall be considered a crime.”

Regional and international conventions

By virtue of Article 93 of the Constitution, the state is committed to international agreements, covenants, and conventions that Egypt ratifies. It is signatory of a number of treaties with privacy implications, including: 

• The Universal Declaration of Human Rights;
• The International Covenant on Civil and Political Rights;
• The International Convention on the Protection of the Rights of All Migrant Workers and Members of Their Families;
• African Charter on Human and People's Rights;
• African Charter on the Rights and Welfare of the Child;
• The United Nations Convention Against Transnational Organized Crime;
• The Cairo Declaration on Human Rights in Islam.

Communication Surveillance

Surveillance laws

The interception of telecommunications in Egypt is permitted under the Telecommunication Regulation Law No 10 of 2003. The law grants the  National Telecommunication Regulatory Authority (NTRA) - a body chaired by the ICT minister and  composed of government representatives -  the authority to regulate ISPs and mobile network operators.

Article 64 of the law "mandates telecommunications operators to provide all technical equipment, systems, software and communications, which enable the armed forces and national security agencies to exercise their powers within the Law." The same article also bans the use of encryption.

The adoption, in August of 2018, of the Cybercrimes Law, provides authorities with further leeway to conduct comprehensive surveillance of communications. The law authorises the National Telecommunications Regulatory Authority to request ISPs to retain any “other data”, forcing broad collection of data even that not specifically provided for in the law.

Surveillance actors

i. Armed forces and national security entities

There are three main intelligence-gathering agencies in Egypt.

1) The General Intelligence Directorate (GID) is Egypt’s intelligence agency responsible for national security intelligence, both domestic and foreign, with a counter-terrorism focus. One of the oldest intelligence gathering agencies in the world, the Mukhabarat, as it is commonly known, works under the direct authority of the president.

2) The Egyptian Military Intelligence  (also known as el Mukhabarat el-harbeya) is under the authority of the Ministry of Defense.

3) Homeland Security (or Ketaʿ El Amn El Watani) is responsible for counterintelligence, internal and border security, counter-terrorism, and surveillance. The agency works under the authority of the Interior Ministry. It was established in 2013 to replace the now-defunct State Security Investigations Service (also known as SSIS or Mabahith Amn ad-Dawla), which had carried out various human rights violations during the government of President Hosni Mubarak.

Homeland Security has, however, quickly acquired much of the previous agency's infamous reputation in recent years. After General Abdel Fattah el-Sisi swept into power in a military-led coup in the summer of 2013, the agency spearheaded a campaign of violence leading to a bloody crackdown against alleged members of the now-banned Muslim Brotherhood.

ii. Investigating judges, public prosecutors and judicial officers

Article 58 of the Egyptian Criminal Code and Article 150 of the Criminal Procedure Code allow prosecutors and investigative judges, at their own discretion, to issue warrants authorizing judicial officers to intercept and record communications when investigating a possible crime.

The said warrants can cover a period of up to 30 days and can only be renewed once.

Furthermore, authorised members of the armed forces or security agencies may issue communications surveillance warrants, according to Article 95 of the Criminal Procedure Code.

The Telecommunications Act authorizes (Article 69) the National Telecommunications Regulatory Authority (NTRA) — the telecommunications industry regulator—, the Armed Forces and intelligence agencies to appoint judicial officers to conduct investigations that may involve the interception and recording of communications for the purpose of investigating a suspected crime.

iii. Other government agencies

The Administrative Oversight Authority (AOA), an anti-corruption government body, has interception capabilities, according to the Telecommunications Act.

Privacy International has also identified the existence of a little-known agency, the Technical Research Department (or TRD). The agency is thought to be responsible for running telecommunications monitoring centres on behalf of the Interior Ministry.

iv. Telecom operators

The Telecommunications Act details how telecommunications providers should cooperate with law enforcement agencies:

Article 64  states that each operator is expected to  “provide all technical potentials including equipment, systems, software and communication which enable the Armed Forces, and National Security Entities to exercise their powers within the law.”

Article 67 further states that authorities can “subject to their administration all Telecommunication Services and networks of any Operator or Service Provider [...] in cases concerning National Security.”

Article 2 of the 2018 Cybercrime law also forces telecommunications providers, specifically ISPs, to provide technical assistance to surveillance operations conducted by law enforcement agencies and to collect data, including personal identifiers, metadata and “other data” not specified by the law and store them for a default period of 180 days.

Surveillance capabilities

Internet monitoring

In 2014, as part of a transparency effort, Vodafone, the largest mobile provider in Egypt, published its first “Law Enforcement Disclosure Report”, a document identifying the surveillance laws and policies to which it is subjected in the 29 countries in which it operates.

In Egypt, the report suggested widespread government interference and unrestricted access to communications data over its networks by the armed forces and national security agencies, who enjoy broad latitude to intercept communications with or without an operator’s control or oversight. The report prompted speculation that other network operators in the country might be subjected to similar arbitrary surveillance.

In Mars 2016, Privacy International discovered that the Technical Research Department (TRD), an obscure Egyptian intelligence service, had purchased a sophisticated monitoring equipment from Nokia Siemens Network, a joint venture between Siemens AG and Nokia. The equipment apparently included wide-ranging interception capabilities, in addition to a monitoring system for fixed and mobile networks.


In April 2016, the Italian authorities decided to strip Hacking Team, a Milan-based electronic surveillance vendor, from its license to export outside of the European Union. Hacking Team’s dealings with repressive regimes, including the Egyptian TRD, came under media scrutiny following the hack of their internal systems in 2015 revealing that they had sold surveillance technology to some of the world’s most authoritarian states.


In early 2017, subsequent to a joint letter to the Italian export authorities by a coalition of rights groups including Privacy International, Italy revoked authorization from surveillance company Area SpA to sell equipment to Egypt’s Technical Research Department.

Intrusion malware

The Citizen Lab has been able to document the use of Finfisher and RCS intrusion malware products in Egypt.

Packet inspection

In 2010, under President Hosni Mubarak, Egypt bought mass surveillance equipment from Anglo-German company Gamma for an estimated €287,000. The contract was discovered after protesters stormed the Interior Ministry’s headquarters during the Arab Spring in 2011.

The contract was apparently not renewed during President Mohamed Mursi’s short rule (2011-2013).

Under President Mubarak's administration, Egypt also purchased packet inspection technologies from US technology company Narus.

Similarly, research by The Citizen Lab has identified that US technology company Blue Coat's packet inspection technologies were used on Etisalat networks.

After President el-Sisi was swept to power in a military coup in 2013, French company Nexa (formerly known as Amesys) reportedly installed a new monitoring system in Egypt named CEREBRO, an upgraded version of a system sold to former Libyan dictator Muammar Gaddafi known as Eagle.

Other surveillance capabilities

Other commonly used surveillance methods include surveillance cameras (CCTV), which are widely used in public place.

In March 2018, UK media reported that the British government has approved sales of £70m of surveillance equipment to countries including Saudi Arabia, Bahrain, and Egypt. The Independent news website reported that international delegations attended a government-sponsored annual surveillance week, which included a Security and Counter Terror Expo in London.

Companies showcasing their products included BAE, Gamma, Oxford Wave Research and Panoptech.

In July 2018, a report published by Paris-based human rights group FIDH revealed that at least 8 French companies, with the active support and lobbying of the French government, have supplied Egyptian security services and law enforcement agencies with sophisticated military and surveillance equipment helping “establish an Orwellian surveillance and control architecture that is being used to eradicate all forms of dissent and citizen action.”
The report estimates that French arms deliveries to Egypt (including the export of dual-use surveillance technology) increased from € 39.6 million in 2010 to € 1.3 billion in 2016.
The report identifies at least 5 French companies involved in selling surveillance technology to Egyptian security services. They include AMESYS/NEXA/AM Systems (individual surveillance), SUNERIS/ERCOM (mass interception), IDEMIA (personal data collection), Safran (crowd control and drones) and AIRBUS/THALES (surveillance satellite).

Surveillance oversight, checks and balances

Victims of illegal wiretapping or any other privacy violation can file a civil case for damages and seek to have illegally obtained evidence dismissed. However, as Vodafone's Law Enforcement Disclosure Report points out, the armed forces and security agencies are largely exempt from any control or oversight by the telecoms regulatory authority.


Furthermore, there is no judicial oversight over the NTRA’s own use of its investigative powers (as per Telecommunications Regulation Act No. 10 of 2003, Article 69 and Articles 2 and 4 of the 2018 Cybercrime Law).

 

Surveillance case law

Privacy International is not aware of any specific surveillance case law in Egypt. Please send any tips or information to: research@privacyinternational.org

Examples of surveillance

Surveillance in Egypt is traditionally linked to the Emergency Law that has been frequently applied and repeatedly extended since its first enactment in 1958. The continuous state of emergency was one of the major grievances for demonstrators giving rise to the Egyptian Revolution of January 2011 against the government of former president Hosni Mubarak.

While the state of emergency was eventually lifted in November 2013, it was re-enacted in North Sinai amid an increasingly violent Islamist insurgency in the region. It has been extended in the peninsula ever since.

The law allows the state to conduct unwarranted searches of persons, places and correspondence without being restricted by the provisions of the Criminal Procedure Code.

In early March 2011, following the downfall of the Mubarak regime, protesters fearing that incriminating documents might be destroyed raided several State Security Investigations Service (SSIS) buildings across Egypt.

Protesters were able to secure some of the agency’s internal documents showing the agency’s alleged involvement in rigging elections, widespread surveillance of citizens as well as evidence of torture practices and the use of secret detention centres. Most incriminating documents are feared to have already been destroyed.

The documents were shared widely on the internet, leading to popular outrage and forcing the interim government to dissolve the SSIS on March 15, 2011.

On July 3, 2013, President Mursi, the first democratically elected head of state in Egyptian history, was removed from office in a military coup led by General Abdel Fattah el-Sisi, who went on to win the May 2014 presidential election with more than 93% of the vote, becoming the sixth President of Egypt.


El-Sisi escalated his clampdown on civil society groups ever since.

In short succession, laws restricting basic rights were passed, including a controversial Anti Terror Act which bans anti-government protests, sidelines judicial supervision over the police, the military and intelligence services, legalizes emergency police powers and expands military court jurisdiction over civilians.

 

Throughout 2015 and 2016, human rights activists have reported having their emails and private communications leaked and published on public forums or printed out and left on their doorsteps as a way of intimidation.

 

A television programme in Egypt, entitled 'Black Box' also broadcasted phone calls of activists to document how they were supposedly engaged in treasonous activities. The programme was suspended during the summer of 2014 amid other controversies. 

Between November 2016 and early February 2017, a number of Egyptian human rights activists, journalists, bloggers and local rights organisations reported being the target of a seemingly coordinated campaign of phishing attacks. The University of Toronto’s research group the Citizen Lab which uncovered the attacks called the operation “Nile Phish.” The Citizen Lab documented over 92 such phishing attempts during that period. Sophisticated phishing messages were sent to targets attempting to lure them into revealing their account credentials.


Although the Citizen Lab says it is “not in a position to conclusively attribute Nile Phish to a particular sponsor,” the scale of the campaign and its persistence in the particular political context in Egypt has further compounded the already difficult situation faced by NGOs in the country.


Later in February 2017, the Citizen Lab said it received evidence that the Nile Phish operator has engaged in phishing of 2-factor authentication codes and announced a future follow up on its report.


In July 2017, Egyptian activist Ola Shohba said that many of her online accounts were reset and taken over after her SIM card registered with Vodafone had been deactivated and unlawfully issued to another person.

In December 2017, the Paris Prosecutor’s office opened a judicial investigation into the sale of surveillance equipment by French company Nexa Technologies (formerly known as Amesys) to the Egyptian government. The investigation follows a request by rights groups FIDH, LDH and the Cairo Institute for Human Rights Studies who hope it could lead to charges being brought for complicity to torture and enforced disappearances.


The request was prompted by revelations in the French press of a €10 million contract signed in 2014 between Nexa Technologies and al-Sisi regime for the sale of a mass electronic surveillance equipment. Code name of the transaction: "Toblerone".


Back in 2011, Nexa Technologies (then named Amesys) had sold a similar surveillance system named “Eagle” to the Libyan government under Muammar Gaddafi. Using Deep Packet Inspection, the system would have allowed the Libyan regime to track down, hunt down and torture opponents.

In the summer of 2018, the Egyptian Parliament passed a law on Shops and Restaurants (popularly referred to as the Camera Bill), introducing special provisions forcing the owners of cafes and shops to install indoor and outdoor surveillance cameras before they can obtain a license to operate their business.


“Surveillance cameras will be installed in 561 main streets across 38 neighborhoods, which will include 44,132 shops,” the governor of Cairo, Mr. Atef Abdel Hamid said in a statement to local media.


Critics of the law voiced their concerns. “ It is just another step towards a totalitarian state,” said one prominent Egyptian human rights defender.

Data Protection

Data protection laws

In August 2018, the Minister of Communications and Information Technology, Mr. Amr Talaat, announced that the Egyptian Cabinet had approved a draft Data Protection legislation.

During his statement to the media Mr. Talaat said that the law, if approved, would establish a Data Protection Agency (which he named the “Center for Protecting Personal Data”). The center would be hosted by the Information Technology Industry Development Authority, a branch of the Ministry of Communications and Information Technology.

The bill was referred to Parliament for final approval.

In the absence of specific legislation, however, a number of provisions outline confidentiality obligations relating to criminal investigations, employee information, markets data and banking secrecy.


Article 113 of the Egyptian Criminal Code no. 58/1937 imposes criminal penalties on the unauthorized collection of images or recordings of individuals in private places.


Article 309-bis of the same law provides for: “a penalty of detention for a period not exceeding one year [...] inflicted on whoever encroaches upon the inviolability of a citizen's private life, by committing one of the following acts in other than the cases legally authorized, or without the consent of the victim:

 

• “Eavesdropping, recording, or transmitting via any instrument whatever its kind, talks having taken place in a special place, or on the telephone.
• Shooting and taking or transmitting by one of the instruments, whatever its kind, a picture of a person in a private place.”

The Labour Law (enacted in 2003) makes it mandatory for employees to provide personal information to employers, including name, address, military and social status. Employers must then keep a file for each employee which includes their personal data. The information is kept in the employee’s file and reviewed periodically by the relevant government authority. Although Article 77 of the law stipulates that only authorised individuals can have access to personal employee data, little is known about the legal and technical protections in place to protect databases from abuse.


Article 97 of the Banking Law stipulates that all bank customer data shall remain confidential, including account numbers and related dealings. They may not be disclosed even in the event of severance of relationship between the customer and the bank.


However, in the case of a transaction deemed suspicious, the Anti-Money Laundering Law prohibits banks from disclosing to clients or beneficiaries any information suggesting that such transaction is under investigation.


Article 13 of the Egyptian Civil Status Law no. 143/1994 protects the confidentiality of data recorded on the civil status of citizens.
The Capital Markets Law protects against insider dealings by prohibiting the exploitation of any confidential information for personal gain or for the account of a third party, or the divulging of information to a third party, whether directly or indirectly.


There seems to be no laws restricting the transfer of data offshore.


The Mortgage Finance Law has clauses which provide for the confidentiality of the data of the clients of mortgage finance companies.


The Egyptian Telecommunications Law protects the privacy of telecommunications and imposes penalties in some cases on the unauthorized violation of such privacy.

 

Accountability mechanisms

i. Freedom of Information

Human rights groups in Egypt have long demanded greater transparency from the government. Those demands culminated after the 2011 revolution, when activists called for greater access to publicly held information to ensure that past abuses are not repeated.

Article 68 of the 2014 Constitution recognizes that state information, data, statistics, and official documents are the property of the people, and that every citizen has a right to access this information.

As early as January 2013, the government announced the drafting of a Freedom of Information Act and plans to establish a national council for information, inviting public input on the draft law.

In December 2016, the government announced the establishment of a new committee headed by the Prime Minister tasked with completing the draft law.

As of December 2017, a Draft Freedom of Information Act was still under discussion between the journalist union, media professionals and the National Council for Human Rights before its anticipated referral to the House of Representatives for final review.

ii. Consumer protection

The Egyptian Consumer Protection Act, enacted in 2006, does not provide for the specific protection of consumers’ personal data.

The law does not provide for a transparency mechanism that would define who processes the private data of consumers and the means by which they can exercise the rights of information, access, rectification, cancellation or opposition.

The Consumer Protection Agency does receive complaints from consumers through various means, including a dedicated Facebook page, an official website and a call centre hotline.

The telecoms regulator, NTRA, is entitled by virtue of the Telecommunications Regulation Act of 2003, to protect the rights of the customers of telecom operators. However, those rights remain vaguely worded and our research has not identified any specific examples in which the NTRA has intervened to protect the rights of consumers vis à vis their personal data.

And although the Consumer Protection Act does not have specific provisions which regulate electronic marketing, the Consumer Protection Agency has referred Orange and Vodafone to prosecution for misleading ads in June 2017.

iii. Legal remedies

Individual data subject may raise a civil liability claim before Egyptian courts in connection with any perceived violation of the individual's’ right to privacy. However, according to Egyptian law, the onus is on the victim to establish the unlawful act, the damage that occurred and the causal relationship between the unlawful act and the damage before the competent court.

Data breaches: case law

Privacy International is not aware of any case law related to data breaches in Egypt. Please send any tips or information to: research@privacyinternational.org

Examples of data breaches

Egyptian law does make mandatory the reporting of data security breaches or losses to the authorities or to data subjects.

Though not a data breach, Egypt has seen a number of important leaks of classified information. In February 2015, an Egyptian court has put ousted president Mohamed Mursi on trial on charges of endangering national security by leaking state secrets to Qatar, furthering a state crackdown on the outlawed Muslim Brotherhood. The public prosecutor accused Mursi and his aides of “leaking documents which exposed the location of and weapons held by the Egyptian armed forces” to Qatari intelligence.

 

Identification Schemes

ID cards and databases

i. National ID card

The National ID Card currently in use is machine-readable. First introduced in 1996, it was re-issued in 2000. It is mandatory for all citizens aged 16 and older, and is required in most daily transactions such as accessing medical care in hospitals, employment, education, banking, and for acquiring property.


In its current format the National ID card is not suited for recording biometric features. It does contains an ID number, a photo, the full name, gender, birthplace, birthdate, address, religion, marital status, parents’ names and signature of the cardholder.


In November 2014, during his official visit to Paris, president Abdel Fattah al-Sisi contracted Morpho, a French electronic security company (subsidiary of Safran) specialized in “identity management solutions” to produce national biometric ID cards (or eID cards).


As of December 2017, it is not known when the deployment of the electronic ID cards will be completed or what specific data will be collected on them.

ii. Egyptian Passport

In 2008, Egypt introduced its first machine-readable passport (MRP) in lieu of the previous passport which was handwritten and easily forged. In its current format the Egyptian Passport is not suited for recording biometric features.

The passport contains personal information digitally printed on an ID page. Personal information includes the passport number, the photo, full name, date and place of birth, nationality, sex, the National ID number, profession, marital status, military status and postal address of the passport holder. No signature is required.

A scannable barcode stores additional information that can be decoded by special software.

In December 2016, the Egyptian civil aviation authority (known as the Egyptian Holding Company for Airports and Air Navigation, EHCAAN) began applying a biometric ID system for employees in Hurghada and Sharm El-Sheikh airports.
The system was installed “to better monitor the activities of employees, and automate their entrance and exit of the airport,” according to Mr. Mohamed Saeed Mahrous, head of the EHCAAN, who also announced that the system was to be deployed at Cairo International airport.
The measure comes after an EgyptAir mechanic was suspected of planting a bomb on a Russian passenger plane which exploded shortly after take off from Sharm El-Sheikh in October 2015, killing all 224 people on board.

 

iii. Egypt Post

In December 2017, at the Cairo International Exhibition for Communications and Information Technology, the head of Egypt Post, Mr. Essam El Sagheer, declared that his department was using “unconventional methods” to collect customer data, based on what seems to be an independent system for automating the reading of national ID cards, fingerprints and iris recognition, and linking them to the financial accounts of customers.

It is not clear whether this system was sanctioned by the competent authorities. In the absence of a proper legislation or of a data protection authority, little is known about how the collected information is protected against use beyond its intended purpose.

 

Voter registration

Voting is compulsory in Egypt. Article 87 of the Constitution guarantees citizens’ right to vote, run in elections, and express their opinion in referenda. [Article 87 of the Constitution, on Citizen participation in public life]

The state reserves the right to “enter the name of every citizen in the voter registration database without request from the citizen himself, once the citizen meets voting requirements.” The state retains the right to “purge this database periodically in accordance with the law.”

 

In 2014, during the constitutional referendum, the government deployed a system of touchscreen tablets for electoral purposes provided by the company Morpho. In the absence of a data protection authority, little is known about the government’s data management and storage policy for electoral data.

 

SIM card registration

Egypt has a policy of compulsory SIM card registration. Starting in May 2010, NTRA embarked on a campaign that culminated in 2014 requiring that all SIM cards in the market are registered. As a result, operators were obliged, that year, to wipe clean their subscribers databases off unregistered SIM card holders.

Operators then required their clients base to provide them with personal data including ID card copies and numbers. SIM cards were suspended pending a verification process that required customers to call the operator to activate their suspended line.


Mobile operators are required to review the personal data they hold in order to correct, update and complete the data of their customers. This requirement means that operators have access to at least parts of the civic registry database of their clients. Bulk access to the database, however, is not permitted under Article 13 of the civic registry law 143/1994.


In February 2005, it was reported that the Ministry of the Interior ordered internet cafe managers to provide access to the personal data of internet users of interest to the Ministry. The Ministry reportedly threatened to close establishments if managers did not comply. In August 2008, this practice became a policy whereby the government demanded that internet cafe customers provide their names, email addresses and phone numbers before being given permission to use the Internet café facility.

Policies and Sectoral Initiatives

Cybersecurity policy

 

Eg-CERT, the Egyptian computer emergency response team, was established in April 2009 under the authority of NTRA, the telecoms regulator.

Eg-CERT is charged with providing computer and information security incident response and support to government and financial entities.

Eg-CERT is also tasked with providing an early warning system for cyber attacks against critical information infrastructure.

In 2015, Eg-CERT reported 464 incidents and attacks against critical information infrastructure, including a large number of malware infections, phishing attempts and SQL injections.

Cybercrime

In August 2018, a controversial Cybercrime Law was ratified by President el-Sisi. The law, condemned by international human rights organisations as an attempt to curtail online freedoms, grants authorities with virtually unrestricted powers over the internet in Egypt.
The law authorizes broad censorship of the internet and, in what appears to be a direct violation of Article 57 of the Egyptian Constitution, grants the armed forces, the Interior Ministry and the General Intelligence Directorate with larger discretionary powers allowing them to conduct comprehensive surveillance of communications.


Under the law (Article 2), ISPs are required to provide those agencies with the technical assistance and to keep and store data that allow the identification of users, including records of phone calls and text messages, logs of websites visited and applications used.


The law further authorises the NTRA to request ISPs to retain any “other data”, which may force companies to collect data not specifically provided for in the law.


Article 4 of the law authorises the exchange of personal data with foreign countries without insisting on any requirements for data protection which may expose Egyptians to possible violations of their right to privacy by third countries.


Human rights organizations have pointed to the vaguely worded language of the legislation which authorizes the conviction of any person under the pretense of defending “national security”, “family values” or for the protection of “public morals.”


In August 2018, another controversial legislation, the Media Regulation Law, was approved by the Egyptian Parliament. The law seriously curtails freedom of expression online considering any user with more than 5,000 followers —on social media or with a personal blog or website— as a media, subject to the same regulations and supervision imposed on registered journalists and established media organizations.


These newly approved laws are the culmination of a process of restrictive legislation (Law on Civil Society Organisations, Press and Media Law, Protest Law) started after the legislative elections of 2015 and is apparently designed to restrict the space available for civil society.

Encryption

The use of encryption is strongly regulated in Egypt by the 2003 Telecommunication Regulation Law, as seen in article 64. It states:

“Telecommunication Services Operators, Providers, their employees and Users of such services shall not use any Telecommunication Services encryption equipment except after obtaining a written consent from each of the NTRA, the Armed Forces and National Security Entities, and this shall not apply to encryption equipment of radio and television broadcasting.

With due consideration to inviolability of citizens private life as protected by law, each Operator and Provider shall, at his own expense, provide within the telecommunication networks licensed to him all technical potentials including equipment, systems, software and communication which enable the Armed Forces, and National Security Entities to exercise their powers within the law. The provision of the service shall synchronize in time with the availability of required technical potentials. Telecommunication Service Providers and Operators and their marketing agents shall have the right to collect accurate information and data concerning Users from individuals and various entities within the State.”

Licensing of industry

With the largest population in the Middle East, Egypt boasts one of the biggest telecom market in the region. Still, the country suffers from one of the slowest internet speeds worldwide ranking in the bottom five countries for broadband and 95th for mobile.

The body regulating the telecom sector in Egypt is the National Telecommunications Regulatory Authority (NTRA). It was established in 2003 in accordance with the provisions of the Telecommunications Regulation Act.

Several operators compete for the market:

Telecom Egypt (also known as TE, or El Masreyya le-l Ettesalat) is the historic operator. It controls the terrestrial fixed infrastructure shared in part with the Egyptian Electricity Transmission Company (EETC) and the national railroad company (ENR): TE owns and operates a 15,000 km long fiber-optic backbone extending to nearly all populated areas in the country in addition to the copper line network.


In the summer of 2016 TE entered the mobile market after being granted a 4G license. It participates in the internet retail market through a subsidiary, TE Data, which controls 75% of the ADSL Market and leases internet capacity to several internet service providers including the three major mobile operators, in addition to Raya, Link, and Internet Egypt, among others.

Three major operators compete for the mobile market. They include Vodafone, which holds the largest share of the market. It is owned by Vodafone Group which holds a 55% share in the company, with the rest held by the state-owned Telecom Egypt. Orange (previously, Mobinil), the second largest mobile operator, is owned by French company Orange S.A. Etisalat Misr, owned by Etisalat in the United Arab Emirates, also operates in Egypt.

All three mobile operators also have internet subsidiaries.

The high demand for more bandwidth led the government in 2011 to introduce a new strategy for broadband: the e-Misr National Broadband Plan.

Between August and October 2016 the NTRA started granting 4G licences to all the operators who were tasked with extending the long-delayed broadband services across the country’s territory and into the rural communities. The early commercial operations of 4G services were subsequently launched in early October 2017.

The NTRA has also announced plans to open the fixed-line voice and internet services markets to existing GSM operators.

E-governance/digital agenda

Privacy International is not aware of any privacy issues related to e-governance in Egypt. Please send any tips or information to: research@privacyinternational.org

Health sector and e-health

Privacy International is not aware of any privacy issues related to the health sector and e-health in Egypt. Please send any tips or information to: research@privacyinternational.org

Smart policing

Privacy International is not aware of any smart policing issues in Egypt. Please send any tips or information to: research@privacyinternational.org

Transport

In June 2017, the New York Times reported that a bill under review in the Egyptian Parliament would require ride-sharing services Careem and Uber to place their server computers inside Egypt and to provide the government access to their internal data concerning customer and driver movements, “a recipe, some worry, for intrusive and sweeping surveillance,” the newspaper commented.

The law has since been confirmed in Parliament and it may have serious consequences for the privacy and safety of millions of Egyptians who use the service (Uber has an estimated 4 million users in Egypt and over 150,000 drivers).


Article 9 of the law requires that all data collected by ride-hailing companies to be made readily available to authorities and that (Article 10) all information be stored on local Egyptian servers.

Smart cities

Privacy International is not aware of any smart city issues in Egypt. Please send any tips or information to: research@privacyinternational.org

Migration

Privacy International is not aware of any privacy issues related to migration in Egypt. Please send any tips or information to: research@privacyinternational.org

Emergency response

Privacy International is not aware of any privacy issues related to emergency response in Egypt. Please send any tips or information to: research@privacyinternational.org

Humanitarian and development programmes

Privacy International is not aware of any privacy issues related to humanitarian and development programmes in Egypt. Please send any tips or information to: research@privacyinternational.org

Social media

Upwards of 17 million Egyptians use Facebook on a regular basis, making up almost one-quarter of all users from the Middle East.

The social network played a central role in fueling the popular uprising that eventually led to the overthrow of the Mubarak regime in early 2011. It has ever since been at the epicenter of the government’s attempts to control the internet.

In 2014, the Ministry of Interior publicly announced that it had a plan to monitor social media use in Egypt. The Ministry claimed that its aims were to monitor security hazards by tracking new security issues that spread on the internet through social media, private conversations and messaging apps.

Alarmed by the move, activists denounced the plan as unconstitutional and an attempt to neutralize political mobilization through social media.

In January 2016, days ahead of the fifth anniversary of the popular uprising in Egypt, police reportedly raided thousands of apartments in downtown Cairo and asked people about their Facebook accounts.

Since the fall of 2014, hundreds of activists have been arrested, some disappeared in secret detention facilities and charged in relation to content they posted on social media sites, according to various rights organisations.

Starting on May 2017, the government launched an unprecedented crackdown against hundreds of critical news sites (more than 500 websites blocked by March 2018) and the disruption or outright blocking of encryption and circumvention tools.

To circumvent government surveillance and censorship, Egyptians started relying on end-to-end encrypted texting apps like Signal.

In December 2016, the government blocked access to Signal prompting Signal to introduce a circumvention feature called “domain fronting” to its Android app allowing users to conceal and encrypt their traffic inside of Google’s servers.

In late April 2017, voice over internet protocol (VoIP) services like Skype, Facebook Messenger, WhatsApp, Apple’s FaceTime and Viber were repeatedly disrupted, ostensibly for security reasons. The services have since been blocked intermittently despite the NTRA denying that the VoIP calls had been restricted.

As early as July 2016, authorities have reportedly infiltrated social media apps such as Grindr to entrap gay and transgender Egyptians, some of whom were subsequently arrested and charged with “debauchery” under a 1961 law that is used to prosecute men for homosexuality and women for prostitution.

In April 2017, parliamentarians considered radical new proposals to restrict Egyptians' access to social media.


The process culminated in August 2018 with the approval by the Parliament of the new Media Regulation Law. The new legislation considerably restricts freedom of expression, especially on social media where accounts with more than 5,000 followers are to be subject to the same regulations and supervision imposed on registered journalists and media organisations.


Accordingly, the Supreme Media Regulatory Council, the body tasked with enforcing the law, can now block accounts that violate the legislation or those that are deemed to be spreading “false news”.