State of Privacy Jordan

Jordan

Table of contents

Introduction

Acknowledgement

The State of Privacy in Jordan is the result of an ongoing collaboration by Privacy International and 7iber.

Key privacy facts

1. Constitutional privacy protections: Article 18 of the Jordanian constitution contains an explicit mention of privacy.

2. Data protection laws: There is currently no data protection law in Jordan.

3. Data protection authority: Jordan has not data protection authority.

4. Recent issues: The World Food Programme has started introducing iris scans for purchasing goods in refugee camps.

5. ID systems: Jordan has an ID system with a smartcard, with a chip containing an iris scan and fingerprints.

Right to Privacy

The constitution

The Constitution of Jordan contains a specific provision concerning privacy. Article 18 states:

"All postal and telegraphic correspondence, telephonic communications, and the other communications means shall be regarded as secret and shall not be subject to censorship, viewing, suspension or confiscation except by a judicial order in accordance with the provisions of the law."

Regional and international conventions

Jordan is a signatory to a number of international instruments with privacy implications. These include:

Communication Surveillance

Introduction

Surveillance laws

Several laws provide for the monitoring citizens' activities in Jordan.

1. The Telecommnications Law

The Telecommunication Law allows the monitoring of communication pursuant to a judicial or an administrative request. Article 29 of the law states: "that the licensee should commit to provide the necessary facilities to the competent authorities for the implementation of court and administrative orders that have to do with tracking communications specified in these orders."

2. The Anti-Terrorism Law

The Anti-Terrorism Law, on the other hand, authorizes the general prosecutor to subject a person to surveillance based on "reliable" information that links him or her to "terrorist activities" without any clear language prescribing what "reliable" or "activity" means.

Article 4 of the law states: "If the Prosecutor General received reliable information indicating that a person or group of persons is connected to any terrorist activity, the Prosecutor General can impose surveillance over the residence of the suspect, his movements, and his means of communication."

The most recent amendment to Article 6 of "Instructions/Guidance for regulating the work of internet cafes and centers, and the basis of their licensing and amendments (2016)" requires internet cafe owners "to take all procedures and arrangements" to make sure that internet users are not engaging in terrorism-related or any illegal activities while browsing the internet. While internet cafes are relatively less popular than before, this article would allow for internet cafe owners to surveil the activities of internet users, not specifying the exact "procedures and arrangements" that the cafe owner must follow or the exact activities he or she should prevent users from pursuing.

The guidance further stipulates that the cafe owner is required to check the identity of all users and to keep their browsing history for six months. The cafes are routinely visited by a committee of representatives from General Intelligence Department, Public Security Directorate, Communications Ministry and others. This committee has the right to check these records and make recommendations to the specialized governor.

Recently, people are being tried under the anti terrorism law for "supporting terrorist groups online". Charges of many reported cases were based on person's Whatsapp conversations, or saved content on their mobile phones or personal computers. Examples include:

  1. In October 2017, a person was tried for "supporting terrorists group online" after sending a joke on Whatsapp to an unidentified number of which was reported to the intelligence. The joke insinuates "a call for men to a get a peace of mind through getting rid of their wives and asking them to join ISIS". The man was held under investigation for three months and then released after getting a non guilty sentence. (Oct 2017)
  2. In January 2018, a 17 years old was released after being held under investigation for seven months with a charge of "supporting terrorist groups online" for sharing and "liking" content on Facebook

The Code of Criminal Procedure (CCP)

Article 82 of the Code of Criminal Procedure (CCP) gives the Public Prosecutor the right "to search all places where there is a possibility to show truth". The law requires the presence of the defendant during any raid or confiscation of material (articles 33, 34,36). However, article 85 explains the conditions for searching non-defendant houses, which gives the Prosecutor General the right to search such places as well. Regardless of the defendant status of the targeted person, article 88 allows the Prosecutor General to "confiscate at the postal offices all correspondence, letters, newspapers, prints, packages, and at the telegram offices all telegram messages. It also allows the monitoring of phone calls whenever it is useful in showing the truth".

Surveillance actors

Since the early 2010's, the state's role in surveilling its citizens has become more apparent as more charges derived from surveillance are being pressed against activists. The trials would take place at the State Security Court, whose activity has increased greatly after Jordan's involvement with the US-led coalition fighting the Islamic State militant group. Many of those brought before the court have been charged with "supporting terrorist groups using the web."

Their alleged crimes vary from sharing materials produced by the Islamic State group on social media websites to writing comments or exchanging messages that are deemed to harm Jordan's relations with its allies.

While it is not clear whether the posts in these cases were "private" or "public," one of the posters was convicted for sharing material over the chat application WhatsApp for a message that that read "[Egyptian President] Sisi is more criminal than [Syrian President] Bashar".

Although it does not grant the right to surveil citizens per se, Article 12 of the Jordanian Information Systems Crimes law accords the Judiciary Police the right to "enter the crime scene that the evidence leads to" after acquiring permission from the specialized Public Prosecutor or the specialized Court. This article gives the Judiciary Police the power to access the accused's information systems and devices and the right to confiscate them and retain the information they hold.

Surveillance capabilities

A leak of emails from the Italian surveillance malware vendor Hacking Team has shown that the Jordanian government is interested in developing its surveillance capabilities. Emails dating back to mid-2011 show direct, regular correspondence between Jordanian officials in the General Intelligence Department and Hacking Team's key managers.

It is unclear whether Jordan benefitted only from the Skype monitoring solutions it requested or if other services were also provided by Hacking Team (HT). In an email to a Jordanian officer, HT explained that their product, "Remote Control System, is designed to attack, infect and monitor target PCs and Smart-phones in a stealth way. Supported PC platforms are: Windows XP/Vista/7 (32 & 64 bit) and MacOS. The Smartphones' platforms are Windows Mobile, iPhone, Symbian and Blackberry. Once a target is infected RCS allows accessing a variety of information, including: Skype traffic (VoIP, chat), MSN traffic (VoIP, chat), Keystrokes (all Unicode languages), files, screenshots, microphone eavesdropped data, camera snapshots, etc. Invisibility features include full resistance to all the major and most common endpoint protection systems."

The beneficiaries of Hacking Team's services were Jordan's General Intelligence Department, the police and the army.

Surveillance oversight, checks and balances

Surveillance case law

We are not aware of any specific examples of surveillance case law in Jordan. Please send any tips or information to: research@privacyinternational.org

Examples of surveillance

In November 2016, the Anti-cybercrimes Unit of the Public Police Department announced the launch of its new project "Online Patrols" with the aim of "protecting citizens' rights and freedoms by monitoring social media for material that violates citizens' rights or illegal content like incitement to racial or religious sectarianism in accordance to cyber crimes law

Data Protection

Data protection laws

Laws concerning the data of citizens and customers in Jordan include :

  • the draft Data Protection Bill — Currently there is no data protection law in Jordan. The Ministry of Communications submitted a draft bill for data protection in 2014. A committee was formed for the purpose of discussing the law that included the Ministry of the Interior, Ministry of Labour and Ministry of Communications, in addition to the Telecommunications Regulatory Commission, the Central Bank and Information and Communications Association of Jordan (INTAJ). Civil society group 7iber — in cooperation with other agencies — has studied the proposed law and has provided recommendations based on international practices and data protection laws in other countries.
  • the Credit Information Law — Articles 8 and 18 concern customer privacy. In article 8, the law stipulates that the customer's written approval has to be sought prior to any disclosure of information about his or her credit situation. However, the same article stipulates that a company is allowed to disclose information about the customer if the party that requested information is "a bank or an insurance company or any other party approved by the governor." Article 18 also allows for the exchange of information between licenced companies with the approval of the governor, for a charge or without.
  • the Freedom of Information (FOI) law — In article 13, subclause و or f, it is stated that information about correspondence between governmental entities and other parties shall not be disclosed regardless of the means of communication. Setting aside correspondence between governmental entities, there is no mention about whether correspondence between citizens can be disclosed or not. But in the cyber crimes law, Article 5 demonstrates that surveillance or monitoring communications sent using information systems or the internet is punishable by up to 1,000 Jordanian dinar (over 1,000 British pounds).

The Penal Code

While the penal code penalizes the dissemination the content of private messages by up to three months in prison, the telecommunication law's penalty for unauthorised surveillance ranges between a month and a year in prison, or a 100 to 300 dinar fine. These penalties are only imposed on people whose job is to transfer calls; public persons in security institutions are exempted.

Article 384 of the Penal Code states: "Responding to the complaint of the victim, one is penalized for not more than three months in jail for breaching the private lives of others by eavesdropping, peaking, or any other medium including recording audio. The penalty is multiplied in case of repetition."

Article 356 of Penal Code states: "Anybody who spreads the content of a private call within the capacities of his position in the telephony service will be penalized for six months or charged with 20 JOD."

Accountability mechanisms

Jordan's freedom of information (FOI) law was passed in 2007. Article 3 of the law stipulates that an "Information Assembly" is to be established to oversee the provision of information. The assembly comprises officials from the Army, Ministry of Interior, Ministry of Justice, Human Rights Commission, and others.

The person requesting information must provide his or her name, address and "other information required by the assembly" (Article 9). A response is expected within 30 days, and in Subclause D, it is pointed out that not responding to the request is considered a rejection if it is within the specified period. The same subclause states that there have to be valid reasons for a refusal, but it does not explicitly require the agency to offer a justification for its rejection.

There are several exceptions to disclosure that are outlined in Article 13 of the law. These include but are not limited to; classified information about the country's foreign relations, state secrets, correspondence between governmental entities and foreign countries and organisations. Information about pending investigations and proposals to officials, as well as information that could violate intellectual property rights or expose banking/medical records is also exempted. Also, the law does not identify what "classified" information entails. Previously unclassified information can also be made classified in response to an information request.

Consumer protection rules

The Consumer Protection Law includes an article outlining the duties of the Consumer Protection Society, including protecting consumers, providing assistance during complaints and establishing a database related to consumer protection to help the Society to carry out research and publish it (Article 15). It is unclear whether the sort of data that the Society can gather involves consumer's data (and if so, how personal the data will be) or whether it will be limited to data concerning the products and suppliers.

Data breaches: case law

We are not aware of any specific examples of case law related to data breaches in Jordan. Please send any tips or information to: research@privacyinternational.org

Examples of data breaches

We are not aware of any specific examples of data breaches in Jordan. Please send any tips or information to: research@privacyinternational.org

Identification Schemes

ID cards and databases

According to ID4D, Jordan's Civil Registration system has been operating since 1954. Identification cards have been issued since 1955 but the National ID number comprising 10 digits was issued only after the merger of the Passports Directorate with the Civil Status Directorate. When IDs are issued for the children of Jordanian women, their national ID numbers (as well as their mother's) and the number of their ID cards are published on the Civil Status and Passport Directorate website.

In 2016, the Department of Civil Status (Ministry of Interior) and the Ministry of Information and Telecommunication Technology introduced a new smart national ID card. The new card does not include the "religion" of the holder. In addition to the information of the old card, the new cards will include a chip (144 KB) to store biometric data like an iris scan and fingerprints. In later stages, the card will include information about such issues as health insurance, pension, and voting activities.

There is still no information available on the centralization of the database and the entities that are allowed access to such information other than the Civil Status department as such integration would "depend on the readiness of the different governmental entities", according to officials speaking to civil society organisation 7iber. The Law of Civil Status does not include provisions to regulate the privacy of information and penalize illegal access to the database. Article 49 of the law penalizes "anyone who intentionally counterfeits, changes, scratches, ruins, deletes a civil status record, or the family records, or the national ID". The penalty is one month to a year in prison for a regular citizen, or one to three years in prison with hard labor if the offender was an employee of the Civil Status department.

At the end of 2017, the Department of Personal Status (Ministry of Interior) announced March 2018 as the final date for citizens to exchange their old national ID with the new smart one. The Department announced that, as of the end of 2017, only three million (out of 4.5 million) citizens has converted to the new ID, and after that date no official or private entities will acknowledge any other forms of identification.

The government hopes to increase the use of these cards, and is looking to include driving licence information and health insurance data in the card.

Voter registration

In the 2013 parliamentary elections in Jordan, voter cards were delivered by electronically-linked centres, but no biometric data was collected. One must have an identity card to obtain a voter card.

SIM card registration

SIM card retailers will require a Jordanian ID card, or a passport for foreigners, to activate a new prepaid SIM card. SIM card registration prevents phone users from having anonymous phone conversations; the practice has been criticized by the UN Special Rapporteur on Freedom of Expression.

The Telecommunication Regulatory Commision announced in January 2018 that it will develop new regulations that will require new owners of SIM cards to submit their fingerprints to authenticate their lines.

Policies and Sectoral Initiatives

Cybersecurity policy

The Ministry of Information and Technology has published the National Information Assurance and Cyber Security Strategy (NIACSS). This document, approved by the cabinet in September 2012, explains the vision and prospective programs that will be developed and customized by the regulatory and advisory governmental entity, the National Information Assurance and Security Agency (NIACSA). The document mentions repeatedly the need for cooperation with international partners and the private sector but it does not specify who those partners would be.

In February 2016, the Strategic Planning Department of the Jordanian Armed Forces in collaboration with NATO held a conference to review the NIACSS. The conference was attended by security agencies, banks, telecommunication companies and NATO experts.

Cybercrime

An Information Systems Crimes Law was passed in 2012. The criminal activities outlined in this law include illegal access to websites, allowing minors to access pornographic material, promoting terrorism and prostitution and human trafficking, as well as accessing information not intended for the public.

Like many laws in Jordan, the law does not provide many details regarding what exactly is considered an offence. Article 3, for instance, does not clarify what "entry without permission" means when it states that "entry to websites without permission or while violating permission" would lead to punishment. It appears as if the electronic crime scene is treated as a physical one. After gaining permission from a court, it is possible for the judicial police to retain the right to control or restrict access to the information systems, the devices and the data used to commit the crime (Article 12). Additionally, Article 11 does not define what "public safety" or "national security" are, which leaves the possibility open that arrests will be carried out for trivial matters, especially when coupled with the previously mentioned Anti-Terrorism Law of 2006 which vaguely defines the offenses that merit prosecution. For instance, two subclauses of Article 3 in the the Anti-Terrorism Law are often cited when accusing Jordanian journalists and citizens of terrorist activities. The subclauses are e / هـ (which mentions the use of the internet and other media outlets to spread terrorism) and b/ ب (which labels "disturbing Jordan's relations with foreign states" as terrorism).

As mentioned above, the anti-terrorism law's vagueness has facilitated the arrest of people who were exercising their right to freely express their opinions. One example among many is that of Tariq Abu Al-Ragheb, who was accused under this law because of his posts on Facebook criticizing Arab countries. These were interpreted as a threat to Jordan's friendly relations with the countries in question.

The Jordanian government has proposed a cybercrime bill amendment draft, which as of January 2018 is waiting to be discussed by the Parliament. The proposed amendments are mainly the following:

  1. Penalizes anyone that publishes or republishes "Hate Speech" with 1-3 years in prison and a fine between 1000 - 5000 JOD(1500 - 7500 USD). The amendment defines "Hate Speech" as any "statement or "act that would incite discord, religious, sectarian, ethnic or regional strife or discrimination between individuals or groups".
  2. Intensifies penalties for the following crimes: "unauthorized access to a website", "unauthorized access to data", "fraud" and "hacking" with a prison sentence of a minimum three months and a maximum of one year (from a minimum of a week to three months),, or a fine of a minimum 500 to 1000 JOD (700 - 1400 USD)
  3. Penalizes violating people's privacy from three months to three years in prison
  4. Penalizes creation and the publication of any "pornography content"
  5. Adds "search" to the powers of judicial police that already include "retain the right to control or restrict access to the information systems, the devices and the data used to commit the crime (Article 12)."

Encryption

There does not appear to be a formal encyption policy in Jordan, yet the intention to devise one has been outlined in two documents.

The first dating to 2008 concerns the internal procedures to be followed by all government entities and their staff, and the other is the National Information Assurance and Cyber Security Strategy (NIACSS). The latter document, which dates to 2012, defines a "National Encryption Center" that was supposed to be established. As of September 2016, this centre has yet to be established or publicly revealed. The centre's duties reportedly include managing, controlling, planning, monitoring, and enforcing the national strategic encryption policies and, later on, producing indigenous national algorithms and keys. In the two documents, encryption is discussed as a necessary procedure to protect information that is sensitive or classified, rather than as a tool for citizens to secure their data.

Licensing of industry

We are not aware of any specific examples of privacy issues in industry licensing in Jordan. Please send any tips or information to: research@privacyinternational.org

E-governance/digital agenda

The electronic government's URL is "jordan.gov.jo". It offers tens of online services that are arranged according to the service's relevant ministry. A full list of services is available online. Some of the services such as applying for residency using the Ministry of Interior's website require a user log-in to sign up. The aim of the government is to have 350 integrated e-government services operational by the end of 2019.

E-government agendas are concerning when data is collected beyond what is strictly necessary and when it is not adequately protected. It is also problematic when those who do not wish to use online platforms - or do not have access to the internet - are excluded from government services.

In 2018, Jordan launched E-Gov services, and many official procedures became completely paperless. These services allow citizens to inspect taxes, renue work licenses, and pay for traffic tickets. While payment gateways are secure, several security issues were identified in the creation and authentication of these accounts. The main issue is authentication. In many of the launched egov apps, citizens are only required to enter their National ID number and their national card number (the unique number of the physical ID card) in order to create an account. This means anyone with a copy of a national id can create an account on behalf. The government has put forward a bid to implement digital signatures, a project that aims to authenticate users through their mobile phones. The technical specification of this signature are not clear yet.

Health sector and e-health

In 2009, Jordan began implementing the Hakeem national e-health health records programme. This programme, implemented by the Jordanian non-profit organisation Electronic Health Solutions, creates a database of patients' medical histories, including the diseases they suffer from and all tests and procedures they have undergone. The system links patients to their national ID number and is also designed to help future research and statistical analysis.

Smart policing

We are not aware of any specific examples of smart policing in Jordan. Please send any tips or information to: research@privacyinternational.org

Transport

The traffic department, in collaboration with municipalities around Jordan, have been installing cameras on main roads with the aim of monitoring traffic and registering speed violations. In 2017, the number of installed cameras in Amman, the capital was reported to be 70, and another 80 in other governorates.

Smart cities

In 2015, the Greater Amman Municipality signed a 3-year institutional agreement with Microsoft Jordan "to provide modernity and advanced technology" and to turn Amman into a "smart city".

Migration

According to UNHCR figures, by the end of 2015 there were over 600,000 refugees in Jordan, mostly from Syria. Their biometric data, including fingerprints and iris scans, are taken at registration upon entering Jordan.

80% of refugees live in urban areas and 20% in camps. Jordan was the first country in the world to use iris scans to enable refugees to pick up cash payments in urban areas from iris-enabled ATM machines. Iris scanners are also used within camps with funds for shopping provided by the World Food Programme.

However, there are concerns about the system. While the refugees theoretically have the possibility to refuse to use the system, few seem to be aware that this is an option. There are also broader concerns that the data from refugees will be used for other purposes, for example, by European intelligence agencies. The Head of Field Operations in Jordan, while insisting that the UNHCR has strong measures in place, admits that "[t]he possibility of either manipulating identity or using it to target, particularly for harmful actions, will always be there in some shape or form."

Emergency response

We are not aware of any specific examples of privacy issues in emergency response in Jordan. Please send any tips or information to: research@privacyinternational.org

Humanitarian and development programmes

The World Food Programme started implementing the iris scan test in February 2016. This iris scan replaces vouchers and cards used to purchase food and other necessities in refugee camps. The WFP further explained that "[o]nce the shopper has their iris scanned, the system automatically communicates with UNHCR's registration database to confirm the identity of the refugee, before automatically continuing to the Jordan Ahli Bank through the Middle East Payment System financial gateway to determine the refugee's remaining balance. It then confirms the purchase and prints a receipt for the refugee." The WFP aims to expand this service to all Syrian refugees who live in camps, and possibly to those living outside of them.

Social media

In January 2017, Jordanian civil society group 7iber reported the government's intention to draft a new law to regulate social media use. Speaking to 7iber, a government spokesperson reportedly said that the law would make it possible to stop those using social media to spread "hate speech, sedition, incitement and to disturb public order."