Thanks to the launch of the 4G technology, in addition to the arrival of new MVNO operators such as Lycamobile, the Tunisian internet market has evolved remarkably. In fact, the mobile penetration rate approches 63,2% while the fixe rate is about 16,3%, according to the National Telecommunication Authority « INT » (french acronym) report for may 2016 [pdf]. However, no big change in the usage, as the 49% of the population who have access to the internet, continue to spend their online time on social media platforms, mainly Facebook with 5.7 million subscribers.
During these few months of January 2015 to end may 2016, Tunisia faced several terrorist attacks, a result of which the legal context has evolved into further draconian laws, principally on 25 July 2015, the Tunisian Parliament adopted, by 174 votes, the counterterrorism and money laundering law. This law introduces innovative measures to address crimes associated with ICTs, but it also gives a « carte blanche » to the return of surveillance practices and in some cases content censorship. This new Act, strengthens the existence of law enforcement agencies such as the Technical Telecommunications Agency « ATT ». Also it sets out the terms of video surveillance « CCTV », which is still not limited by the data protection law of 2004. In addition, this act punish, by harsher sentences, whistleblowers and hackers, without any difference in the nature of the committed « crime », even more, young people have been already arrested for hacking foreign-websites, are waiting to be judged under this new law.
- Damages inflicted upon telecommunication networks and computer systems [commonly « hacking »] punishment ranges from 10 to 20 years in prison plus a fine of 50,000 to 100,000 dinars.
- Chapter 5 of the new counter-terrorism law lays out the legal framework for interception and surveillance practices. Article 54 of the law permits surveillance without the obligation to seek authorisation.
- Article 34 penalises the host of any website for entities identified as terrorist organisations, punishment is up to 20 years imprisonment plus a fine of 50,000 to 100,000 dinars.
- Article 62 : whistleblowers who expose information concerning investigations into terrorism-related crimes are considered as criminals and could face a 10-year prison sentence.
A controversial law that led to a subsequent campaign « No to terrorism, yes to human rights » by a group of associations, and enabled and/or legalized, in 2015, the creation of new structures for stalking the so-called « pro-terrorist » content.
A special [cyber] surveillance unit called “brigade 5” was created at the Ministry of Interior. 30 engineers mandated to track cybercrime and practice cyber-surveillance. The Brigade 5 established by an internal order (not publishable) of the Minister of the Interior, is similar to that of the special service of the French National Guard. (see video report below).
An investigation published in the print version of “Akher Khabar” newspaper N-194 of 24 May 2016 (in its page 10), confirms that the ICTs related crimes apparatus, is also composed of two units in charge of interception. The first is under the supervision of the National Guard and is responsible for cyberterrorism, the other one is part of Special Services, and works on cybercrime. Also during december 2015, the former head of the coordination between the dictatorship cyber-police and the Tunisian Internet Agency “ATI”, Colonel N. Dhaoui was appointed Head of Technical Services at the Ministry of Interior, from within the same department in charge of surveillance.
It seems that, after the announcement of « Ammar 404 » (french acronym for censorship and surveillance agency) dismantling in 2011, it was rebuilt again. With a mission that to date appears to be a targeted -and not mass- surveillance, the apparatus is decentralised, operating legally, rather than the arbitrarily way as under Ben Ali regime, except in the case of cybercrime.
Cybercrime which have no specific legal framework, but some texts scattered among the Penal Code and Telecoms Code, as the bill is being drafted by a special commission at the Ministry of Communication Technologies and Digital Economy « MTCEN ». So they are working on a new « Tunisia’s Digital Code » that takes into consideration the digital rights and freedoms too.
Report on cybercrime and cyber-terrorism in Tunisia, details on Brigade N5
However, not everything is negative!
Reacting to our request, the MTCEN updated the decree of establishment of the Strategic Council of Digital Economy « CSEN » by allowing representatives of civil society and other communities two seats, thus created an inclusive governance model in the ICT sector, in charge of the National Strategic Plan “PNS”. Furthermore, during September 2015 meeting, the Council approved Tunisia’s decision to apply for membership of the Cybercrime treaty “Budapest Convention” to the Council of Europe.
Another action decided during the same meeting focused on the very complex and criticized project of the unique identifier of citizens (and companies) « IUD ». Indeed, the National Authority for Personal Data Protection « INPDP » has then inherited the role of supervisor of the IUD implementation. Unfortunately, the management of this project was given to the Ministry of Local Affairs (department-like of the Ministry of Interior) because it’s in charge of the next elections. In parallel, the Ministry of Interior has progressed in the projects related to the IUD as the biometric passports and biometric national ID of which amendment to the existent decree was drafted without any real consultation of INPDP.
Moreover, the INPDP, with a new president and members of its board of directors (MPs) in office, the new team applied for the accession of the country to the data protection « Convention 108 » of the Council of Europe, the latter officially invited Tunisia to amend its Data Protection Act of 2004, as well as the status of the Authority, so membership will be effective. However these reforms are hampered since the amendments draft has not yet been proposed to the debate either by cabinet or parliament. The INPDP has, in the meantime, started its communication and outreach campaign.
Another goal was reached after a long battle between, the government that had withdrawn its law draft, and the media, associations and even the Parliamentary Committee for Rights and Freedoms. On March 2016 the Access to Information Act (or freedom of information act) entered into force after publication in the official journal.
On the international level, the absence of Tunisia at the 2015 edition of the Freedom Online Coalition conference, was negatively noted. Nevertheless, the country remained leader in the MENA region for digital rights according to Freedom House « Freedom on the Net » 2015 report.
Among the other undertaken actions during this period, and in addition to approving the Africa Union’s convention on cyber security and protection of personal data « Malabo » and the different applications for CoE conventions’ membership, the security situation in Tunisia, has improved the international cooperation on combatting cyber terrorism. Indeed, after a first demand declined by Facebook, the MTCEN had sent the day after the terrorist « Bardo Attack », a request for information of 48 accounts / users, this is what reveals Facebook transparency report for the first half of 2015. International security cooperation also focused on the flow of information with neighbouring countries and material donations (Surveillance equipments for borders) and immaterial (training for special security forces), mainly from three countries France, UK and the United States.
Very few information available about the intelligence equipments « offered » to Tunisia, however, early July 2015, « Hacking Team » the Italian surveillance and decryption solutions provider, has been hacked and among his customers list was found the Tunisian Internet Agency « ATI ». Hacking Team offered a test / demo contract from the period of the revolution, during which emails and social media accounts of Tunisians have been hacked. Other recent leaks confirmed that Tunisia, the test lab for different surveillance providers, tried during the revolution – and certainly after – the advanced technology for communications interception « IMSI catcher » offered by a UK supplier.
Still, on this mixed record on digital rights, the citizens’ awareness about their basic rights, primarily the right to privacy and the obligation of the state to protect their personal data, are almost nonexistent . This finding is even stated on the website of the INPDP:
« No action of awareness or education, or any media presence has helped initiate a culture of personal data protection and privacy among Tunisian society ».
An authority that, with limited ressources, was able to publish two transparency reports, also conducted a poll whose results disclosed on 30 May 2016, were chocking but reflected the sad reality, that of a lack of interest by ignorance of the protection of personal data on the internet. 43% of the respondents voluntarily publish private information online, while 77% are careful about what they publish and 65% think that protecting such information would be, for example, to sort their friends list on Facebook!
Unfortunately this problem isn’t the only one related to the use of the internet and social networks, as we note a clear growth of online hate speech, defamation and harassment, uttered by some users against of others who often are from minority groups (religious minorities and LGBTQ communities) or against those who defend these minorities.
On the other hand, the government continues to communicate the need to concede fundamental rights (right to privacy and confidentiality of correspondence) and other freedoms (of expression and information) to get more security, under the counterterrorism battle.
This will be reinforced in the coming months and the influence – inspiration by – draconian actions to be taken after some tragedies related to terrorism.
To be continued…