Matt Nash

Providers tracking customers’ Internet use

June order from Public Prosecutor demands Internet providers keep one-year record of users’ online activity

They’re watching.

Internet service providers (ISPs) and some locations that offer Internet access in Lebanon are now keeping detailed records of users’ activity and storing those records for one year, according to an order from the Public Prosecutor’s office and sources familiar with the order and its implementation.


The order, issued on June 7, 2013, instructs “all landline and wireless internet service providers for homes and companies and from all cafés and stores providing their clients with devices through which they can access the Internet” to “do whatever it takes to activate and save all Internet log files going through their servers and routers, and prepare a periodical backup copy to save these files from being lost, for at least one year.”


It further stipulates that “these data should include, at least and for each individual use, the username, user’s IP address, the websites to which s/he connected, and the protocols used in the process, in addition to specifying the user’s location.”


Both Antoine Hayek, an advisor to Caretaker Telecommunications Minister Nicholas Sehnaoui, and the CEO of an ISP, who requested anonymity to discuss security-related matters, told NOW that providers are only keeping traffic logs and not the content of users’ online activity.


“They can see that you’ve requested access to a site at 4 p.m. on the 21st of November and were on the site for 20 minutes, for example,” Hayek said, adding that information about a user’s interaction with the site “is unknown.”


The ISP CEO told NOW that, when it comes to emails, his company is only keeping record of who emails whom, not the content of the messages.


Hayek said that social networking sites like Twitter and Facebook – as well as email providers like Gmail – use secured encryption, preventing easy access to users’ passwords. The ISP CEO also said that passwords are not being swept up in the data collection.


While the order clearly stipulates that “all cafés and stores providing clients with devices through which they can access the Internet” must comply by keeping records, it seems few are complying.


A telecommunications engineer told NOW that one of his company’s clients, a hotel in Beirut, is currently purchasing equipment to comply with the order. Two other hotels and a separate telecommunications engineer denied that equipment in private enterprises is being installed on a wide scale as of today.


That said, one of the engineers and the CEO explained to NOW that requiring private establishments that offer Internet access to keep traffic logs makes sense if the goal of the order is to pinpoint individual users should the need arise.


When an ISP provides Internet to a café – which in turn offers customers WiFi access – it cannot “see” the actions of each individual user the way it can when it provides Internet to an individual person’s home, the sources said.


For example, if a person went to a café and began a cyber attack against a Lebanese bank, the ISP would be able to determine that the attack was being launched from the café, but could not find out which person at the café was involved. Requiring the café to keep logs means the individual user can be identified, the sources said.


All sources interviewed for this article said the reason for storing traffic logs was related to security – i.e., having records that could be used to help fight crime. Hayek, the ministerial advisor, noted that Law 140 protects Internet users’ privacy and forbids companies from selling or making commercial use of the data they store. The law, however, gives security forces the right to access such data if needed in criminal investigations.


The CEO NOW interviewed welcomed the order because it standardized record collection, which was previously being done in a haphazard way.


“Previously, [records] were stored for nothing or six months,” the source said. “Now we store it for a year.”


To access these records, security agencies must first get the Public Prosecutor’s office to issue an order detailing what information is needed from which ISP, ministerial advisor Hayek told NOW.


The CEO added that most requests his company deals with come from the Cyber Crimes Unit within the Internal Security Forces and deal with one person allegedly defaming another. The Cyber Crimes Unit and other ISPs did not respond to interview requests for this article.

Internet service providers and locales offering customers Internet access are legally required to keep one-year records of users’ online activity. (AFP Photo/Jay Directo)