The preliminary investigation, undertaken by the Internet search company, showed that MCS — after only a day of ownership — had misused digital certificates (SSL/TLS), which are in place to protect the privacy of communications.
This was not the first time that MCS Egypt, a subsidiary of the Emirati-based MCS Holdings, had come up in cases related to monitoring and online surveillance. Leaked documents that emerged after Cairo’s State Security headquarters were stormed by protesters in March 2011 showed MCS had been corresponding with the State Security Investigation Service (SSIS) to obtain the FinFisher system, surveillance software offered by Anglo-German company Gamma International. The security products distributor, which is partnered with Juniper Networks, McAfee and Honeywell among others, flatly denied any involvement at the time.
Google responded by overturning MCS’s certificate and asking the Chinese Internet Network Communication Center (CNNIC), an administrative agency under China’s Ministry of Information Industry, which had issued the certificates, to investigate.
The preliminary investigation indicated that the Egyptian company took advantage of the digital certificate to undertake an electronic assault known as a “man-in-the-middle attack,” which, according to Ramy Raoof, a technologist and digital security researcher, “allows a company access to data packets passed over the network between the senders and receivers, including the ability to access the content read by the users, their private correspondence, their personal data, as well as impersonating identities of websites and individuals and the acquisition of confidential data.”
The use of these digital certificates to run a man-in-the-middle proxy with full authority, according to Google’s statement, was a “serious breach of the CA [certificate authority] system.”
MCS eventually released an official comment on the incident, blaming one of its engineers for unintentionally causing the chain of events.
In keeping with the official comment, Amr Farouk, the managing director of MCS, completely denied the company’s involvement in any act of surveillance or monitoring in a phone interview. He stressed that the incident was nothing more than human error. He also blamed the CNNIC for granting MCS a full authority certificate in violation of the terms of their contract, something the company, he asserted, had been unaware of until the incident.
Ahmad Gharbeya, a digital privacy and IT expert, believes the company’s justification of the error is farfetched: “It is unlikely that specialists in this field would ask for a digital certificate that they would… set the system to use without being aware of the properties and authority of the certificate.”
Though the consequences of this latest incident have been limited, the leaked correspondence between MCS and the SSIS in 2011 indicates that MCS and other security firms are acting with a degree of governmental approval or sponsorship. The documents revealed that the company had submitted a proposal in December 2010 for the FinFisher system to the security agency, which appeared to be very enthusiastic about the proposal following a five-month free trial.
FinFisher is a “high-level security breach system that accomplishes many technical capabilities unavailable in similar systems,” read the correspondence. These capabilities could “penetrate e-mail inboxes, update spyware on the computers of targets, and achieve full control of the penetrated devices, penetrate personal Skype accounts,” in addition to allowing “full control of the penetrated computer and the capacity to copy all of its contents.”
TV host Yousry Foda aired a report on his programme “Last Words” in February 2013, demonstrating MCS’s involvement in the SSIS’s surveillance deals, to which the company responded by denying it is the same company whose name appears in the leaked documents, stating “there is a similarity between the letter abbreviation of the names of the two companies in the English language.”
The managing director insisted on this explanation when approached by Mada Masr.
These incidents all appear to be in keeping with the security apparatus’s agenda since 2003, when the government passed Law No. 10 on the regulation of telecommunications. The law represented the first attempt by the state to take on cyber space, a social space with which the state was previously unfamiliar.
The 2003 law, which outlines the regulation of communications, called for the establishment of a new apparatus: the National Telecommunications Regulatory Authority (NTRA), whose board notably consists of a representative from the president’s office, representatives from the Ministries of Defense and the Interior, as well as from the National Security Agency, a body within Egypt’s General Intelligence Services.
The apparatus became the only gateway for any means of communication inside or outside of Egypt.
The terms for the licenses granted by the NTRA remain classified to this day. In a transparency report published by Vodafone in the UK in 2014 about its activities and those of its subsidiaries, the British multinational indicated it could not disclose any information regarding its work in Egypt, for fear the government would suspend its license.
A lengthy study, published in April by the Association for Freedom of Thought and Expression (AFTE) and digital rights group Article 19 on the current 2003 Telecommunications Regulations Law, states that under the second and fourth articles of the law, the NTRA has authority to organize telecommunication services and to encourage investment in this sector while “protecting national security and the best interests of the state.”
Mohamed Taher, a digital freedoms researcher at AFTE, argues that the law does not refer at all to the protection of users’ personal data. Taher further objects that the articles of the law force all telecommunications service providers to enable full disclosure of their systems and the data of their clients to the Armed Forces and the Intelligence’s National Security Agency, without the need for a warrant.
The state’s first real test came years later amid popular calls for a nationwide strike on April 6, 2008. The government — as shown in another batch of SSIS leaks — responded by forming an “emergency unit,” made up of representatives of the Interior, Defense, Telecommunications and Information Ministries, as well as from General Intelligence Services and three mobile companies and Internet providers.
The unit is responsible for responding rapidly to what it calls “inciting elements” that aim to “spread chaos” by “preventing mobile communications and Internet communication from one or several cities or governorates, shutting down the bulk SMS feature” and “blocking access to predetermined websites,” in order to prevent what it called “threats to national security.”
According to Raoof’s research, the unit was active several days before January 25, 2011. On the evening of January 27, the NTRA cut off Internet connections and mobile phones in an incident described by various reports as “unprecedented in the history of the Internet.”
Commenting on the shutdown, AFTE and Article 19 highlighted a court ruling issued by the administrative court of the State Council in May 2011. In the judges’ discussion pertaining to the scope of national security as contained in the Telecommunications Act, the ruling indicates that the violation of the rights of citizens to freely communicate constitutes an attack on national security. Egypt’s peaceful protesters, the judges further argued, did not represent a threat to national security but to a regime that has lost its legitimacy in their eyes.
Until this time, the attention of the security services had been confined to individually specified surveillance, which targets specific individuals or specific destinations. After the revolution, however, a new approach began to be adopted: The state entered into the arena of collective non-directed surveillance. Citizen Lab, a research lab specializing in Internet technology and affiliated with Canada’s University of Toronto, revealed in January 2013 that the Egyptian government is using a system called ProxySG, which is produced by Blue Coat.
The system allows for monitoring and filtering Internet content in a collectively non-directional manner. In February 2014, Citizen Lab issued a detailed technical report dealing with the use of one of the developed programs in 21 countries over different periods of time. The system, called the Remote Control System (RCS), is used for remote penetration and control. The report cited the use of the program in Egypt in the last quarter of 2013.
In June 2014, after the end of the presidential elections and before the announcement of the official results, the private Al-Watan newspaper published documents relating to the bid requirements and specifications set by the Interior Ministry for the purchase and installation of monitoring software to take on the “era of news transmission without limits or restrictions, and the consolidation of democratic concepts” among other risks. In the bid requirements, the Ministry of Interior demanded capabilities relating to the collection of and organization of social media content and the possibility of linking it with other security systems in the ministry.
At the time, rights organizations and citizens filed a lawsuit before the administrative court against the Ministry of Interior to put an end to the monitoring of social networks. Human rights lawyer Ahmed Ezzat highlighted the highly intrusive and illegal nature of the monitoring project in an article he published with Mada Masr in late 2014:
“The Egyptian government is not only violating Egyptian laws concerning privacy, it is actually violating the Constitution itself.
Officers performing surveillance will no longer require a judicial warrant to monitor individuals and invade their privacy, and the surveillance will not be limited to a timeframe or a necessity.”
Then, in September 2014, BuzzFeed published a report revealing that See Egypt, an affiliate of US-based cyber-security firm Blue Coat, had won a contract with the Ministry of Interior that summer to monitor Internet communications in Egypt, including social network websites and various networking applications. After the publication of the report, See Egypt shut down its website for several hours and later re-published, replacing its homepage with a press statement in which it denied any relationship to the contract between Blue Coat and the Interior Ministry.
In October 2014, the Interior Ministry announced it had halted a project to measure public opinion pending the outcome of the lawsuit.
In January 2015, the European Union issued a decree calling for “an EU-wide ban on the export to Egypt of intrusion and surveillance technologies,” recognizing “a large-scale campaign of arbitrary detention, harassment, intimidation and censorship against government critics.”
2015 could be a very critical year for telecommunications in Egypt. A report published by privately owned Al-Borsa newspaper on May 10 stated that the Defense Ministry has demanded a 60 percent share in a new national entity, which would participate in rebuilding the infrastructure of the telecommunications sector, rejecting an initial draft proposal that allotted them half that share.
The new draft allocates only 20 percent to other ministries, while telecommunications companies would get a 20 percent stake — a reduction of 20 percent from the initial draft.
The Defense Ministry further stipulated that telecommunications companies would have no role in installing or extending cables into lands controlled by the military, but would be limited to renting the cables from the ministry.
Taher believes the amendments will increase the ambiguity of the law, which, if broken, would mean a prison sentence of no less than six months, with a possible fine of at least LE200,000.
He also points to problematic provisions in the first draft, which would punish owners of penetrated websites if they neglect to report an incident or take security measures that prevent the hacking of their sites, despite the fact that most hacking operations take place without the knowledge of the breached website’s owner.
The year 2015, then, is a decisive year for the future of Egyptian cyber space, an existential thorn in the state’s side. In its fight, the government, through the tight grip of its security and military apparatuses, is recalling a legacy of terminology and tools it has long utilized in the name of national security.
Ahmed Gharbeya and Ramy Raoof greatly contributed to and supported the completion of this report.