A Hacker Pays For Egypt's Ambiguous Relationship With Data

Dubbed 'the International,' a young Egyptian computer programmer had built a program to scrape user data from Facebook. But the same practice is routinely done by the government and large corporations.

Online in Cairo
Online in Cairo
Mohamed Hamama

CAIRO — Egypt's Ministry of Interior recently announced that its General Directorate of Information Technology had arrested the creator of a computer program "designed to steal confidential data from Facebook accounts (phone numbers and email addresses linked to the accounts)." The suspect now faces accusations of "selling stolen data to other parties for money and using it for marketing and advertising on social media websites."

The case has raised questions about data mining, privacy and the inconsistent application of Egypt's cybersecurity laws — whereby the state and large corporations are given leeway while smaller outfits find themselves targeted — and further highlights the complexities surrounding issues of personal online data and who is allowed to benefit from its collection and sale.

In its statement, the Interior Ministry identified the suspect only as "Ahmed M. M., born in 1992, a company director." He has, however, subsequently been recognized and officially identified by thousands of followers, who have expressed dismay at his fate. Ahmed Maher is more commonly known as "the International," a nickname given to him by customers of his digital marketing software organization. Maher regularly speaks at digital marketing conferences and makes appearances on Egyptian national TV. His peers are members of a Facebook group called "the Internationals," which appears to have been deleted after his arrest. The hashtag #be_an_international is often accompanied by the hashtag #in_solidarity_with_engineer_Ahmed_Maher.

Thousands of Maher's customers have since denounced his arrest in comments on the Interior Ministry's official statement. Many have claimed that the data Maher collected from Facebook through the digital marketing software that is a core facet of his business was publicly available, and that gathering such information is not a crime. In making these assertions, they seek both to defend Maher against accusations of theft and privacy violations but also, perhaps, to uphold in a broader sense the ability for non-state players or smaller corporations to access and make use of data with the same freedom as their larger counterparts.

One of the comments describes him as "a talent that needs to be supported and put to use rather than humiliated, arrested and defamed." Another commenter, a former parliamentary candidate, claims that he had purchased a CD from the police containing the names and telephone numbers of all registered voters in order to target them in his election campaign, arguing that, in this sense, Maher is just doing what the Interior Ministry already does.

Another comment encapsulates the opinion of many supporters: "Anyone who publicly inquires about a product or service from an online page assumes responsibility if they then hand out personal data, such as a mobile number or an email address. In doing this, they give implicit authorization for that data to be used without prior permission."

Yet Maher went further and also collected data that was shared within closed groups and not made fully public, raising questions about violations of privacy not dissimilar to the Cambridge Analytica scandal, which sparked an international uproar after the firm was exposed for harvesting millions of people's Facebook profiles (who did not opt-in to share their data) and using the information in controversial political campaigns.

The act of collecting and assessing data is not hacking.

Maher's arrest came a few months after the passage of a new cybercrime law, seen as part of a broader government campaign to control the internet and the use of digital communication spaces that helped spark the January 2011 revolution.

Hassan al-Azhary, a lawyer in the field of digital rights at the Association for Freedom of Thought and Expression, believes that Maher may have violated the provisions of the law that concern the protection of user data. In his opinion, however, the actual goal of such laws is not to protect user data, but rather to forbid people like Maher from doing things that both the state and large corporations want to continue to do themselves.

What did Maher do?

The digital marketing program Maher created — AMControls — costs LE15,000 ($840) for users to purchase, according to the statement by the Ministry of Interior.

Several tutorials are available on YouTube demonstrating various features of the program. The user logs in using their Facebook account. Through this account, the program collects a huge amount of personal data from the accounts that the user is connected with — including pages liked by the user's friends, groups they have joined, the profiles of other followers of these pages, and other members of those groups, names, mobile numbers, email addresses, the governorates in which these people live, their social profiles and their professions. The user is also able to perform wide searches using keywords so as to identify the accounts, pages or groups they are searching for. They can also transfer all of this data into organized and categorized text files or spreadsheets.

The ministry's statement describes the program as "hacking." However, Ahmad Gharbeia, a specialist in information technology and digital privacy, disputes this characterization, explaining that "the act of collecting and assessing data is not hacking."

Technically, the correct description of the program's function would be "scraping," a process whereby the program extracts all the data it can access via the user's Facebook account. Some of the data it collects is public and available to all users, while other data has been made available by the owner only to their friends and contacts, or a subset of them. When the program extracts the second type of data into its database, it does so without the consent of the owners.

This particular situation is further complicated by the fact that Maher made copies of all the data obtained through the program's user accounts, in order to sell it. The terms and conditions of AMControls stipulate that "all activities performed and all data obtained by the user fall under the sole ownership of the company which owns the program." Moreover, the company "collects any and all available data."

Customers typically use the data in a variety of ways, such as targeting potential customers with tailored advertising, or voter profiling in election campaigns. One of the program's users, who works in digital marketing, made a video demonstration in which he showed himself using the program to search for Toyota owners in a Saudi Arabian city, who were selling their cars for more than SAR100,000 ($26,660). According to him, the purpose of this search is to find "people of a certain financial bracket" to whom he "can sell something expensive."

It is also possible that this data may be used for other purposes. According to a programmer and specialist in the field of digital marketing, speaking to Mada Masr on condition of anonymity, Maher used to send spam messages to many of those whose data he obtained and would punish those who objected. "He personally sent these spam messages. And by spam, I mean a message every 15 minutes," says the programmer. "And if you got fed up and reproached him, I assure you that you'd have to change your number because of the amount of messages you'd get."

As such, Maher's behavior was problematic in many different respects. But the fact remains that he was aiming to compete in a market where the latitude given to large corporations to maximize profit is not granted to smaller businesses like his.

Did Maher go too far?

Facebook's terms of service clearly prohibit developers from conducting any data extraction and migration to any advertising network, data broker or similar service. Violation of these conditions may result in account suspension. Maher's users know this and are aware that Facebook tries to track down data scrapers all the time. For this reason, the program offers the ability to slow down the scraping process in an attempt to bypass Facebook's controls.

Unlike Maher's software, Facebook does not share with advertisers any data that would enable them to personally identify users, according to Facebook's privacy policies. It does, however, have the consent of their users to collect such data, the programmer points out.

Because of Maher's questionable data-extraction practices, lawyer Hassan al-Azhary believes that he may be in violation of certain articles of the cybercrime law. Article 21, for example, stipulates a penalty of no less than six months in prison and a LE100,000 ($5,580) fine for anyone who "unlawfully conducts electronic processing of private data" pertaining to a computer network. In addition, according to Article 25, whoever "sends a copious amount of emails to a specific person without his consent, or gives away data to a system or website to promote goods or services without his consent," stands to receive a punishment of no less than six months in prison and a LE50,000 ($2,800) fine. According to Azhary, the wording of these articles appears to justify Maher's conviction, especially because the law's executive regulations have not yet been issued and there are no relevant legal precedents on this issue.

The question is more complicated than it may first appear.

However, what Maher is being expressly forbidden from doing is, in fact, common practice by the state and large corporations. All major websites use their own tracking tools or acquire them from specialized companies. These tools combine all the data they can collect in an attempt to create a fingerprint for each user. The goal is to construct a unique profile for each user, which is achieved by collecting as much data as possible from browsers, devices, and accounts. This is why tracking tools collect everything — they sequence the numbers of computer or mobile parts, note the operating system, language used, geographical location, nearby cell towers, and vast amounts of other data. Facebook and Google are the most advanced in this arena, thanks to their large user base, yet the practice itself is widespread and extends far beyond the most prominent companies in the market. For example, anti-tracking add-ons show that the Youm7 news website loads thousands of tracking tools if you open a page on their website for several minutes. It does not alert its visitors to this practice in any way, nor does it obtain their consent.

The question of what actually constitutes consent to collect and use data is in itself more complicated than it may first appear. A recent study conducted by two university professors from the United States and Canada on how users respond to the terms and conditions that govern privacy policies and terms of service, entitled "The Biggest Lie on the Internet," included 543 students from a US university. The students were asked to join a fictitious social network with outlandish terms of service and privacy policies, as part of the experiment. For example, users agree under the terms of service to hand over their first-born child to the company that owns the social network, as payment for using the network. They also agree, under the privacy policy, to share their data with the company's employees and the US National Security Agency. The result was that 93% of students agreed to give away their first child to the company, and 97% to share their data with company employees and the National Security Agency. This is designed to illustrate that hardly anyone reads the terms of service or the privacy policies of a social network. The study asserts that these details are presented in a way that encourages users to ignore them.

Meanwhile, Egyptian authorities have taken steps to try and secure access to online user data. In 2016, the government blocked Facebook's free internet project after the company refused to disclose customer data, as reported by Reuters. It also entered into negotiations with ride-sharing companies Uber and Careem in 2017, hoping to gain access to customer data, including live location data for all journeys, according to the New York Times. Uber rejected the government's request and no cooperation agreement with Careem could be reached. However, the two companies were forced to hand over at least some of their data after the passing of a new law regulating their work, which gives the authorities the right to access their data at any time, without the need for a court order.

In a world where it is the modus operandi of large companies to try to collect and monopolize data, and in which state leaders have no compunction about trying to gain their share of this data, many parties are calling for a re-examination of data scraping. During a hearing on privacy and access to data before the Federal Trade Commission last August, the Electronic Frontier Foundation, a non-profit organization dedicated to digital rights, defended the collective right to extract data from the internet. According to the foundation, scraping is merely a form of web browsing, conducted in a machine-automated manner. "There is nothing that can be done with a web scraper that cannot be done by a human with a web browser," says the foundation.

In 2016, the government blocked Facebook's free internet project after the company refused to disclose customer data.

The foundation also argued that web scraping is practiced by everyone, including companies that prevent other parties from extracting their users' data. Facebook and Google, for example, have tracking codes in 25% of the top one million web sites, according to statistics the foundation disclosed during the hearing.

In such an environment, Azhary believes that the current legislation does not really aim to protect user data or privacy, but rather to assert government control over digital spaces.

Meanwhile, Gharbeia notes that Maher's activities did not violate privacy in a traditional sense, before the internet and the explosion of digital content changed the notion of what personal privacy entails. "The current definition of privacy violation takes into account the comprehensiveness and the great capacity with which systems are able to collect data from different sources, as stated in the preamble to the 13 principles of communication surveillance," Gharbeia says. Based on this new concept, the violation becomes serious "whether it was committed by Facebook or other parties that were able to exploit the data Facebook accumulated."

User agreement is a fundamental point, Gharbeia points out, but current efforts aim to determine the boundaries of the user agreement and the obligations Facebook and its peers need to provide in return for this agreement, as well as the mechanisms for transparency and accountability needed, all of which were stated in the Santa Clara Principles.

Maher's sheer ability to extract large amounts of data may have tempted him to use the data itself improperly. His case also shines a spotlight on the enormous potential for the misuse of data by social media giants like Facebook or the Egyptian state that collect people's personal information on a far larger scale. According to Azhary, legislation regulating data protection that applies equally to everyone is thus imperative. Until this happens, people like "the Internationals' will continue to be singled out while the state and large corporations are allowed to continue operating with impunity.

Translated by Mohamed Attalla

Keep up with the world. Break out of the bubble.
Sign up to our expressly international daily newsletter!

What It Means When The Jews Of Germany No Longer Feel Safe

A neo-Nazi has been buried in the former grave of a Jewish musicologist Max Friedlaender – not an oversight, but a deliberate provocation. This is just one more example of antisemitism on the rise in Germany, and society's inability to respond.

At a protest against antisemitism in Berlin

Eva Marie Kogel


BERLIN — If you want to check the state of your society, there's a simple test: as the U.S. High Commissioner for Germany, John Jay McCloy, said in 1949, the touchstone for a democracy is the well-being of Jews. This litmus test is still relevant today. And it seems Germany would not pass.

Incidents are piling up. Most recently, groups of neo-Nazis from across the country traveled to a church near Berlin for the funeral of a well-known far-right figure. He was buried in the former grave of Jewish musicologist Max Friedlaender, a gravesite chosen deliberately by the right-wing extremists.

The incident at the cemetery

They intentionally chose a Jewish grave as an act of provocation, trying to gain maximum publicity for this act of desecration. And the cemetery authorities at the graveyard in Stahnsdorf fell for it. The church issued an immediate apology, calling it a "terrible mistake" and saying they "must immediately see whether and what we can undo."

There are so many incidents that get little to no media attention.

It's unfathomable that this burial was allowed to take place at all, but now the cemetery authorities need to make a decision quickly about how to put things right. Otherwise, the grave may well become a pilgrimage site for Holocaust deniers and antisemites.

The incident has garnered attention in the international press and it will live long in the memory. Like the case of singer-songwriter Gil Ofarim, who recently claimed he was subjected to antisemitic abuse at a hotel in Leipzig. Details of the crime are still being investigated. But there are so many other incidents that get little to no media attention.

Photo of the grave of Jewish musicologist Max Friedlaender

The grave of Jewish musicologist Max Friedlaender

Jens Kalaene/dpa/ZUMA

Crimes against Jews are rising

Across all parts of society, antisemitism is on the rise. Until a few years ago, Jewish life was seen as an accepted part of German society. Since the attack on the synagogue in Halle in 2019, the picture has changed: it was a bitter reminder that right-wing terror against Jewish people has a long, unbroken history in Germany.

Stories have abounded about the coronavirus crisis being a Jewish conspiracy; meanwhile, Muslim antisemitism is becoming louder and more forceful. The anti-Israel boycott movement BDS rears its head in every debate on antisemitism, just as left-wing or post-colonial thinking are part of every discussion.

Jewish life needs to be allowed to step out of the shadows.

Since 2015, the number of antisemitic crimes recorded has risen by about a third, to 2,350. But victims only report around 20% of cases. Some choose not to because they've had bad experiences with the police, others because they're afraid of the perpetrators, and still others because they just want to put it behind them. Victims clearly hold out little hope of useful reaction from the state – so crimes go unreported.

And the reality of Jewish life in Germany is a dark one. Sociologists say that Jewish children are living out their "identity under siege." What impact does it have on them when they can only go to nursery under police protection? Or when they hear Holocaust jokes at school?

Germany needs to take its antisemitism seriously

This shows that the country of commemorative services and "stumbling blocks" placed in sidewalks as a memorial to victims of the Nazis has lost its moral compass. To make it point true north again, antisemitism needs to be documented from the perspective of those affected, making it visible to the non-Jewish population. And Jewish life needs to be allowed to step out of the shadows.

That is the first thing. The second is that we need to talk about specifically German forms of antisemitism. For example, the fact that in no other EU country are Jewish people so often confronted about the Israeli government's policies (according to a survey, 41% of German Jews have experienced this, while the EU average is 28%). Projecting the old antisemitism onto the state of Israel offers people a more comfortable target for their arguments.

Our society needs to have more conversations about antisemitism. The test of German democracy, as McCloy called it, starts with taking these concerns seriously and talking about them. We need to have these conversations because it affects all of us. It's about saving our democracy. Before it's too late.

Keep up with the world. Break out of the bubble.
Sign up to our expressly international daily newsletter!