Mere hours after Lebanon’s Ministry of Labor launched its platform to provide job opportunities for Lebanese youth in Qatar last week, serious concerns over the privacy of applicants and job seekers were raised. The issue caused the ministry to suspend the “search for employees” feature to protect the applicants’ personal data.
The controversy surrounding this platform did not stop there, as it encouraged “qualified” people to emigrate, rather than fulfilling the ministry’s duty of providing jobs in Lebanon by bringing in investment. The ministry chose the easier, faster way.
The platform is a joint initiative between the Lebanese Ministry of Labor and its Qatari counterpart, where any Lebanese citizen, worker or graduate can register to travel to Qatar and work there. The applicants’ data is accessible to everyone on the browser under the “search for employees” feature, including their phone number, email, CV, and other personal information.
The ministry was quick to suspend the feature and rendered it only accessible to Qatari companies registered on the platform, who can now search for applicants under certain conditions. In the meantime, Lebanese citizens are still registering on the platform.
Red Flags
The first person to sound the alarm on the possibility of applicants receiving “fraudulent attacks” was information auditor Mohamoud Ghozayel.
Ghozayel sat down with Beirut Today to discuss the platform’s many faults, in addition to potential consequences resulting from such negligence.
“Despite the red flags raised by me and others who are concerned over the safety of the Lebanese, the data has not yet been seriously protected,” he said.
“All that has happened so far was putting the information behind a window that requires non-serious registration. With fake registration information, you can access that information again and get it the same way it appeared in the site’s first version.”
“To say the least, this shows the unprofessionalism of the site’s developers,” he added. “We are also talking about a platform that was created on the official website of the Ministry of Labor, not a separate website as is customary with other platforms, such as the COVAX platform, which is clearly and transparently managed by the Central Inspection, which always worked to protect and develop it.”
Ghozayel claims that despite the good intentions behind the Lebanese-Qatari agreement, scams aimed at the Lebanese who applied are bound to increase. People trying to leave the country were already faced with many struggles since the collapse of the economy.
Now, they are dangerously faced with having their personal information such as their phone number and, in worst cases, their home addresses, for everyone to see.
Good Intentions
Ghozayel’s point is echoed by Amer Tabsh, advisor for information and communication technologies.
“It is possible that there were good intentions from the minister, but not from those carrying out the task, especially since the minister’s goal was to ensure job opportunities for Lebanese people in Qatar” he said.
“He is not an expert on cybersecurity and has no idea on what happens in those cases, or there could be unprofessionalism from the team,” which Tabsh claims happens a lot when ministries focus on their teams rather than ask experts on the matter.
“The problem is not with the privacy involved in the platform, but rather in its existence, in who is hosting it and how to protect it,” he added.
“It is open for companies to enter and extract specific pieces of information, and it may lack traditional means of protection, and anyone who has the necessary tools can hack it and withdraw large amounts of information.”
He recalls that, “cyberattacks and hackings affect sites and pages more secure than the platform adopted by the Ministry of Labor, notably with what happened in some American airports on Tuesday and Wednesday.”
Ghozayel went further and said that the platform for jobs in Qatar is raising a threshold and creating pages to contain this amount of personal information “without any business regulations, and insufficient clarity on the rights of the site and the user.”
“The biggest proof is that there are pseudonyms in the databases, as well as many duplicate names, and there is no possibility to change or remove the data or any way to dispose of it,” Ghozayel added. “Also, if I was a company and wanted to search, there are no tools that enable me to search for the right person among hundreds, perhaps thousands of applications, despite them being organized by specialty.”
Ghozayel also recalled that the Internal Security Forces have been persistently warning people against the high rates of electronic attacks via e-mail or WhatsApp ever since people have moved to working from home due to the COVID-19 pandemic. That is notwithstanding the continuous cyberattacks through false SMS advertisements.
Platform Protection
Regarding the protection of the platforms, Tabsh said that the platforms must be subject to protection and security exams, of which the first tests must be passed for them to be online and usable. While the platform is working, experiments must be intensified to ensure they are ready for the task they were created for.
According to Tabsh, the protection should meet international standards and be monitored on a 24-hour basis.
“The breach and spreading of information lead to a great danger, notably with impersonation, for example for banking applications, as they take information that include the phone number, email, date of birth, father or mother’s name, or other private questions,” he added.
“When the hacker steals this information, he can fully impersonate the person and carry out criminal acts such as extortion, sending out emails, or opening fake accounts, hence why the information on those platforms must be encrypted. We must also limit the number of companies licensed to enter the platform.”
To protect online platforms, Ghozayel says it is necessary to have an electronically-capable and security-prone official body that also handles the testing of websites and protection of data.
“How can a ministry present the Lebanese people’s data for free on the Internet, while another ministry is preparing to solicit bid requests to purchase it?” he wondered. “Perhaps it would have been better, before opening this wide door to receive Lebanese CVs, to start filling out the internal pages of the Ministry of Labor, especially the section dealing with ‘Copyright’; it has apparently remained empty since the site was created in 2019.”
Bullying the Ministry
Tabsh reassured people on the safety of the data on the ministry’s website, claiming that the global cyberattacks and cybersecurity issues taking place are mostly targeting countries participating in the war between Russia and Ukraine, which will keep global hackers’ attention away from the Lebanese Ministry of Labor’s website.
“However, we could be vulnerable to local hacking or hacking from an Arab country for the sake of entertainment or bullying of the ministry’s website,” he added. Nonetheless, he claims theft of information still is not ruled out.
Tabsh called on the ministries to return to the Central Inspection for examination of websites and platforms. He also called on them to communicate with international companies to protect websites, putting the responsibility of data protection with the authorities in charge. So far, the government’s track record shows no safe or secure platform ever having been established.