CAIRO — Egypt’s Ministry of Interior recently announced that its General Directorate of Information Technology had arrested the creator of a computer program “designed to steal confidential data from Facebook accounts (phone numbers and email addresses linked to the accounts).” The suspect now faces accusations of “selling stolen data to other parties for money and using it for marketing and advertising on social media websites.”
The case has raised questions about data mining, privacy and the inconsistent application of Egypt’s cybersecurity laws — whereby the state and large corporations are given leeway while smaller outfits find themselves targeted — and further highlights the complexities surrounding issues of personal online data and who is allowed to benefit from its collection and sale.
In its statement, the Interior Ministry identified the suspect only as “Ahmed M. M., born in 1992, a company director.” He has, however, subsequently been recognized and officially identified by thousands of followers, who have expressed dismay at his fate. Ahmed Maher is more commonly known as “the International,” a nickname given to him by customers of his digital marketing software organization. Maher regularly speaks at digital marketing conferences and makes appearances on Egyptian national TV. His peers are members of a Facebook group called “the Internationals,” which appears to have been deleted after his arrest. The hashtag #be_an_international is often accompanied by the hashtag #in_solidarity_with_engineer_Ahmed_Maher.
Thousands of Maher’s customers have since denounced his arrest in comments on the Interior Ministry’s official statement. Many have claimed that the data Maher collected from Facebook through the digital marketing software that is a core facet of his business was publicly available, and that gathering such information is not a crime. In making these assertions, they seek not only to defend Maher against accusations of theft and privacy violations but also, perhaps, to uphold in a broader sense the ability of non-state players or smaller corporations to access and make use of data with the same freedom as their larger counterparts.
One of the comments describes him as “a talent that needs to be supported and put to use rather than humiliated, arrested and defamed.” Another commenter, a former parliamentary candidate, claims that he had purchased a CD from the police containing the names and telephone numbers of all registered voters in order to target them in his election campaign, arguing that, in this sense, Maher is just doing what the Interior Ministry already does.
Another comment encapsulates the opinion of many supporters: “Anyone who publicly inquires about a product or service from an online page assumes responsibility if they then hand out personal data, such as a mobile number or an email address. In doing this, they give implicit authorization for that data to be used without prior permission.”
Yet Maher went further and also collected data that was shared within closed groups and not made fully public, raising questions about violations of privacy not dissimilar to the Cambridge Analytica scandal, which sparked an international uproar after the firm was exposed for harvesting the Facebook profiles of millions of people (who did not opt in to share their data) and using the information in controversial political campaigns.
Maher’s arrest came a few months after the passage of a new cybercrime law, seen as part of a broader government campaign to control the internet and the use of digital communication spaces that helped spark the January 2011 revolution.
Hassan al-Azhary, a lawyer in the field of digital rights at the Association for Freedom of Thought and Expression, believes that Maher may have violated the provisions of the law that concern the protection of user data. In his opinion, however, the actual goal of such laws is not to protect user data, but rather to forbid people like Maher from doing things that both the state and large corporations want to continue to do themselves.
What did Maher do?
The digital marketing program Maher created — AMControls — costs LE15,000 ($840) for users to purchase, according to the statement by the Ministry of Interior.
Several tutorials are available on YouTube demonstrating various features of the program. The user logs in using their Facebook account. Through this account, the program collects a huge amount of personal data from the accounts that the user is connected with — including pages liked by the user’s friends, groups they have joined, the profiles of other followers of these pages, and other members of those groups, names, mobile numbers, email addresses, the governorates in which these people live, their social profiles and their professions. The user is also able to perform wide searches using keywords so as to identify the accounts, pages or groups they are searching for. They can also transfer all of this data into organized and categorized text files or spreadsheets.
The ministry’s statement describes the program as “hacking.” However, Ahmad Gharbeia, a specialist in information technology and digital privacy, disputes this characterization, explaining that “the act of collecting and assessing data is not hacking.”
Technically, the correct description of the program’s function would be “scraping,” a process whereby the program extracts all the data it can access via the user’s Facebook account. Some of the data it collects is public and available to all users, while other data has been made available by the owner only to their friends and contacts, or a subset of them. When the program extracts the second type of data into its database, it does so without the consent of the owners.
This particular situation is further complicated by the fact that Maher made copies of all the data obtained through the program’s user accounts, in order to sell it. The terms and conditions of AMControls stipulate that “all activities performed and all data obtained by the user fall under the sole ownership of the company [which owns the program].” Moreover, the company “collects any and all available data.”
Customers typically use the data in a variety of ways, such as targeting potential customers with tailored advertising, or voter profiling in election campaigns. One of the program’s users, who works in digital marketing, made a video demonstration in which he showed himself using the program to search for Toyota owners in a Saudi Arabian city, who were selling their cars for more than SAR100,000 ($26,660). According to him, the purpose of this search is to find “people of a certain financial bracket” to whom he “can sell something expensive.”
It is also possible that this data may be used for other purposes. According to a programmer and specialist in the field of digital marketing, speaking to Mada Masr on condition of anonymity, Maher used to send spam messages to many of those whose data he obtained and would punish those who objected. “He personally sent these spam messages. And by spam, I mean a message every 15 minutes,” says the programmer. “And if you got fed up and reproached him, I assure you that you’d have to change your number because of the amount of messages you’d get.”
As such, Maher’s behavior was problematic in many different respects. But the fact remains that he was aiming to compete in a market where the latitude given to large corporations to maximize profit is not granted to smaller businesses like his.
Did Maher go too far?
Facebook’s terms of service clearly prohibit developers from conducting any data extraction and migration to any advertising network, data broker or similar service. Violation of these conditions may result in account suspension. Maher’s users know this and are aware that Facebook tries to track down data scrapers all the time. For this reason, the program offers the ability to slow down the scraping process in an attempt to bypass Facebook’s controls.
Unlike Maher’s software, Facebook does not share with advertisers any data that would enable them to personally identify users, according to Facebook’s privacy policies. It does, however, have the consent of its users to collect such data, the programmer points out.
Because of Maher’s questionable data-extraction practices, lawyer Hassan al-Azhary believes that he may be in violation of certain articles of the cybercrime law. Article 21, for example, stipulates a penalty of no less than six months in prison and a LE100,000 ($5,580) fine for anyone who “unlawfully conducts electronic processing of private data” pertaining to a computer network. In addition, according to Article 25, whoever “sends a copious amount of emails to a specific person without his consent, or gives away data to a system or website to promote goods or services without his consent,” stands to receive a punishment of no less than six months in prison and a LE50,000 ($2,800) fine. According to Azhary, the wording of these articles appears to justify Maher’s conviction, especially because the law’s executive regulations have not yet been issued and there are no relevant legal precedents on this issue.
The question is more complicated than it may first appear.
However, what Maher is being expressly forbidden from doing is, in fact, common practice by the state and large corporations. All major websites use their own tracking tools or acquire them from specialized companies. These tools combine all the data they can collect in an attempt to create a fingerprint for each user. The goal is to construct a unique profile for each user, which is achieved by collecting as much data as possible from browsers, devices, and accounts. This is why tracking tools collect everything — they sequence the numbers of computer or mobile parts, note the operating system, language used, geographical location, nearby cell towers, and vast amounts of other data. Facebook and Google are the most advanced in this arena, thanks to their large user base, yet the practice itself is widespread and extends far beyond the most prominent companies in the market. For example, anti-tracking add-ons show that the Youm7 news website loads thousands of tracking tools if you open a page on their website for several minutes. It does not alert its visitors to this practice in any way, nor does it obtain their consent.
Meanwhile, Egyptian authorities have taken steps to try and secure access to online user data. In 2016, the government blocked Facebook’s free internet project after the company refused to disclose customer data, as reported by Reuters. It also entered into negotiations with ride-sharing companies Uber and Careem in 2017, hoping to gain access to customer data, including live location data for all journeys, according to the New York Times. Uber rejected the government’s request and no cooperation agreement with Careem could be reached. However, the two companies were forced to hand over at least some of their data after the passing of a new law regulating their work, which gives the authorities the right to access their data at any time, without the need for a court order.
In a world where it is the modus operandi of large companies to try to collect and monopolize data, and in which state leaders have no compunction about trying to gain their share of this data, many parties are calling for a re-examination of data scraping. During a hearing on privacy and access to data before the Federal Trade Commission last August, the Electronic Frontier Foundation, a non-profit organization dedicated to digital rights, defended the collective right to extract data from the internet. According to the foundation, scraping is merely a form of web browsing, conducted in a machine-automated manner. “There is nothing that can be done with a web scraper that cannot be done by a human with a web browser,” says the foundation.
The foundation also argued that web scraping is practiced by everyone, including companies that prevent other parties from extracting their users’ data. Facebook and Google, for example, have tracking codes in 25% of the top one million web sites, according to statistics the foundation disclosed during the hearing.
In such an environment, Azhary believes that the current legislation does not really aim to protect user data or privacy, but rather to assert government control over digital spaces.
Meanwhile, Gharbeia notes that Maher’s activities did not violate privacy in a traditional sense, before the internet and the explosion of digital content changed the notion of what personal privacy entails. “The current definition of privacy violation takes into account the comprehensiveness and the great capacity with which systems are able to collect data from different sources, as stated in the preamble to the 13 principles of communication surveillance,” Gharbeia says. Based on this new concept, the violation becomes serious “whether it was committed by Facebook or other parties that were able to exploit the data Facebook accumulated.”
User agreement is a fundamental point, Gharbeia points out, but current efforts aim to determine the boundaries of the user agreement and the obligations Facebook and its peers need to provide in return for this agreement, as well as the mechanisms for transparency and accountability needed, all of which were stated in the Santa Clara Principles.
Maher’s sheer ability to extract large amounts of data may have tempted him to use the data itself improperly. His case also shines a spotlight on the enormous potential for the misuse of data by social media giants like Facebook or the Egyptian state that collect people’s personal information on a far larger scale. According to Azhary, legislation regulating data protection that applies equally to everyone is thus imperative. Until this happens, people like “the Internationals” will continue to be singled out while the state and large corporations are allowed to continue operating with impunity.