By Dhouha Ben Youssef, translated by Vanessa Szakal.

The new counterterrorism law (N°26 of 6 August 2015) was adopted by the Assembly of the Representatives of the People (ARP) on 25 July with 174 votes for and a mere 10 abstentions. This new Act replaces the Law of 2003 with added provisions pertaining to information and communication technologies (ICT).

Hacking should not be a crime
Although Article 13, paragraph 7 of the new law designates it a terrorism-related crime, hacking should not be considered among «damages inflicted upon telecommunication networks and computer systems» for which punishment ranges from 10 to 20 years in prison plus a fine of 50,000 to 100,000 dinars. At the very least, the Justice system should differentiate between hacking which serves to alert those concerned about failures in their computer security systems (White Hat Hacker) and that which is cause for damage, information theft, and illegal entry into systems to pirate accounts (Black Hat Hacker). It is worth recalling here that Articles 199 bis and 199 ter of the present penal code as well as Article 4 (preparatory work) of the former counterterrorism law of 2003 (modified by law N°65/2009) were used by the Ben Ali regime to stifle voices of opposition at the time.

Our focus should instead be to optimize the technical capacity of cybersecurity through the work of the same individuals which the law treats as criminals: hackers. The call for the expertise of these experts must come as much from the public sector (government) as the private sector, since these cyber-skills will help to better protect our cyberspace.

Interception, surveillance and protection of personal information
In an era of hyper-connectivity, the battle against cyber-terrorism and other computer crimes seems to be a priority for most countries including Tunisia. In the new counterterrorism law, this priority is apparent in articles throughout the text where the practices of interception and surveillance are presented as security and crime evidence mechanisms.

The notion of national security, however, is vaguely defined in legal texts and therefore open to a wide range of interpretations and opinions. While some believe that technology is the best means for reinforcing national security and are willing to accept the use of interception and surveillance at the expense of personal privacy, others appreciate the imperative of protecting the right to privacy (Article 24 of the constitution) and are not prepared to sacrifice this right on the altar of a promised security.

The Tunisian government has taken its stance on the subject, as is indicated in chapter 5 of the new counter-terrorism law which lays out the legal framework for interception and surveillance practices. Article 54 specifies the type of information that can be gathered by the Technical Telecommunications Agency (ATT), telecommunications operators, and internet service providers. On paper, this is nothing new given that a number of already existing texts, including the telecommunications code and decree concerning the activities of internet service providers modified in 2014 (Articles 11 and 14) stipulate that actors throughout the sector are subject to the gathering of information and its transmission to pertinent authorities in the context of security investigations.

Similarly, Article 47 of the Law of 2004 concerning the protection of personal information permits the provision of personal data to police services and public authorities upon request. Articles 55 and 56 of the counterterrorism law describe methods of storage and analysis of information collected in investigations. If such data does not represent overwhelming evidence concerning the case in question, it will be treated according to existing law concerning data protection.

Big Brother is Watching You
Article 61 pertains to surveillance, including wire-tapping and video surveillance, for which the duration cannot exceed two months and is renewable one time via the prosecutor’s request for extension. The information collected is subject to the same provisions that apply to data obtained via interception. Article 54 of the law concerning the protection of personal information permits authorities to carry out «mass» surveillance without the obligation to seek authorization from the National Authority for Protection of Personal Data (INPDP) since the use of such surveillance is regarded as exceptional. Citizens are not able to exercise the right to access to these files since they are, by virtue of this law, non-publishable.

The allowance of such practices has been condemned by a collective of associations who denounced «the powers of surveillance and monitoring, at once vast and vaguely defined, which the law affords security forcesARP deputy Samia Abbou expressed during discussion of the law in parliament:

⬆︎ Translation «S. Abbou: At home, the center of private life, audiovisual and especially visual surveillance is unacceptable.»

As the door is held open to former surveillance practices, the law for data protection remains broadly ineffective, subject to new legal and technical challenges and yet cited throughout other legal texts such as the decree which governs the Technical Telecommunications Agency. If this law might have represented the only safeguard against potential abuses which threaten the private life of Tunisians, it cannot fulfill this function so long as the public sector, represented by the very authorities in charge of interception and surveillance, is free to operate without going through the INPDP or obtaining authorization beyond that of the prosecutor in order to obtain the information sought. Furthermore, the authorities in question are themselves protected from any form of monitoring or sanctions.

It is, of course, the citizen who will pay the price for this power granted the public sector. To the end of public security, national defense, and criminal prosecutions in the fight against terrorism, authorities will handle personal information without any real limitation, and without there being a real guarantee or protection for Tunisian citizens. The implementation of the Digital Identification System (IUC) will make their work and access to personal information even easier.

Another point worth noting is that Article 62 can be interpreted to treat as criminals whistleblowers who expose information concerning investigations into terrorism-related crimes. Individuals in this category could face a 10-year prison sentence. The government’s recent retraction of the draft law concerning access to information prompts questions about its willingness to break with practices of the past, even though Article 32 of the new constitution protects citizens’ right of access to information against all possible abuses by authorities who, in the context of the current law, appear to have been afforded free rein in this domain.

There is also cause for concern in the last paragraph of Article 51 which holds that the court of first instance in Tunis, via special judges appointed to the Judicial Office for the Fight Against Terrorism, has the power to decide upon «the withdrawal or censorship of one part or the whole of a sequence from an audio, video, or other digital publication or information which constitute terrorist crimes or are used to commit crimes.» One wonders to what censorship the passage refers given that this type of content is not even hosted in within Tunisia, as is the case with large social media sites such as Facebook, Youtube, and Twitter. Paragraph 2 under Article 34 of the law further penalizes the host of any website for entities identified as terrorist organizations: their punishment is 10 to 20 years imprisonment plus a fine of 50,000 to 100,000 dinars. In this case, authorities have no other choice than to address these foreign enterprises.

International cooperation and private sector partnership
Section six of the law in question mandates the creation of a special commission dedicated to the fight against terrorism which is to be composed of government representatives, not to include the National Authority for the Protection of Personal Data (INPDP). The commission nonetheless reserves the right to consult experts and civil society representatives in order to carry out its different missions, notably that of international coordination including treaties, conventions, and other agreements (Article 69).

The scandal around Snowden’s revelations represents a skewed vision of international cooperation in the domain of information and communication technologies. The coordination of intelligence services in countries affiliated with Five Eyes was used by the National Security Agency (NSA) for surveillance of its allies and others. The same is true for countries which signed and have used the treaty in order to keep watch—illegally—over their citizens. Again, this surveillance has not been effective as multiple terrorist attacks have proven. On the contrary, this alliance has permitted the United States and the United Kingdom to violate the national sovereignty of other countries.

Tunisia’s international efforts should begin with the ratification of two important conventions of the Council of Europe, the Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data and the “Budapest” Convention on Cybercrime. As for public-private sector partnerships, it will be necessary to build alliances with the giants of the latter. We should also keep in mind that for a number of countries, recruitment occurs primarily via Internet and social media networks, even if, in a study on the geo-localization of Islamic State supporters on Twitter (March 2015) Tunisia ranked last (of eleven countries) in this category.

In the face of virtual terrorist propaganda, Google, Facebook, Twitter, and their equivalents have consistently adapted their policies of use and adjusted their relations with intelligence agencies and governments. In the fight against cyber-terrorism, government requests for information submitted to these companies are studied before the latter share personal data from pages or accounts. Notably, this process and the results yielded are published in a Transparency Report. Transparency, as we observe in Tunisia’s case, is precisely what the government fears. Although the Minister of the Interior and the individual who presides over ICT have announced that they are already collaborating with those in charge of social media platforms, there have been no solid steps to formalize this coordination. The proof is that Tunisia does not appear in a single Transparency Report since 2011 even though press releases issued by the Ministry of the Interior refer to the arrest of presumed terrorists on the basis of investigations exploring the profiles of suspects and their posts (on Twitter and Facebook) which glorify terrorism.

Article 31 of this law criminalizes the glorification of terrorism by any act, person, group, organization on the territory or abroad and through any means including information and communication technologies. Any person who glorifies terrorist crimes on social media networks potentially faces 1 to 5 years in prison and a fine of 5,000 to 10,000 dinars. This article can also be considered as a threat to and restriction of freedom of expression which is among the most important (if not the single most important) of gains following the departure of the former regime.

On the surface, the counterterrorism law of 25 July 2015 appears to introduce innovative measures to address crimes associated with new technologies. A number of these provisions, however, contain flaws including vague definitions, the privilege of immunity granted to investigators, threats to fundamental rights to privacy and access to information, and the exclusion of the National Authority for the Protection of Personal Information from the special commission in the fight against terrorism.

In its obligation to provide security for its citizens, the Tunisian government—like the French government through its intelligence law, seems to have elected to impose a restriction on the citizenry’s constitutional rights and at the same time to restore an opaque framework conducive to the elusive functioning of the infamous Ammar404 (nickname for the surveillance and censorship machine of the Ben Ali era). Our best defense? To update the Law of 2004 concerning the protection of personal information and to engage in combatting the real causes of terrorism by reforming the security apparatus, including cybersecurity.