Tunisian privacy advocates are concerned about a new cyber crime investigative body: the Technical Telecommunications Agency (better known by its acronyms ATT or A2T).
The agency was created by the Tunisian government under decree 2013-4506 issued on 6 November. It is tasked with “providing technical support to judicial investigations into information and communication crimes” (article 2 of decree ).
As soon as the creation of ATT was made public, netizens expressed their concern of a comeback of the despicable Ammar 404 (nickname attributed to internet censorship and surveillance under the Ben Ali regime). Others described the newly established agency as “Tunisia’s NSA”.
“Fears about a Tunisian NSA are justified”, Douha Ben Youssef an internet freedom activist said.
“The ICT Ministry is justifying the existence of A2T the way Ben Ali justified the need for a control of information flow under the pretext of counterterrorism”, she adds.
Ben Youssef is also concerned about the lack of transparency and civil-society participation in drafting decree 4506.
“There was not a single multi-stakeholder debate about the decree while it was a draft”, she says.
While acknowledging the need to “monitor criminals and terrorists’ activities in this digital age”, Raed Chammem, a member of the Pirate Party shares Ben Youssef’s fears.
“The fact that this agency was dropped as it is with no external supervision, in a country with a history full of abuses in this field, is very suspicious”, Chammem said.
The decree is “too vague. It mentions cyber-crimes without providing a clear definition about the nature of these crimes or specifying them”, he added.
Tunisia does not have laws addressing cybercrime or clearly determining “ICT crimes” mentioned in the decree. This legal void could be problematic considering the country’s vague ICT legislation and repressive laws.
Article 2 of decree 4506 states that ATT is tasked with the “reception and processing of investigation orders… stemming from the judicial authority, in accordance with the legislation in effect”.
Without specifying “the legislation in effect”, users could be investigated and put under surveillance by the ATT under criminal defamation and insult laws.
“Judges do not assess the seriousness of putting certain types of internet content under surveillance”, Moez Chakchouk CEO of the Tunisian Internet Agency (ATI) told Index.
Despite the absence of a legal text requiring the agency to practice surveillance, ATI has been tasked with policing the Internet and assisting the judiciary to investigate cases of cyber crime amidst a legal and and institutional vacuum. Though, the establishment of ATT is set to bring an end to such tasks.
Chakchouk says that many of the surveillance court orders received by ATI after the revolution have nothing to do with cases of counter terrorism or national security but are rather related to defamation.
“A crime in the cyberspace is not defined within the meaning of the Tunisian law. A simple facebook post or a tweet could be considered as a serious crime by these people [judiciary]”, he said.
In 2012, the Ministry of Information and Communications Technology (ICT) consulted ATI about a new surveillance agency. The ATI had suggested the creation of an independent and permanent committee tasked with responding to court requests and made up of judges and civil-society actors, ATI chief declared to Index.
ATI’s suggestions “had been completely ignored”, he said.
Under the current decree, ATT is far from being an independent entity.
The agency’s director-general and department directors are “named by decree on the proposal of the ministry of information and communications technology”, (articles 4 and 12).
While an oversight committee established by the decree “to ensure the proper functioning of the national systems for controlling telecommunications traffic in the framework of the protection of personal data and civil liberties”, is dominated by government representatives appointed from the ministries of ICTs, Human Rights and Transitional Justice, Interior, National Defense, and Justice.
Tunisia’s interim authorities have failed to introduce real reforms in order to cut ties with the surveillance abuses of the past. Before taking the step to establish a surveillance entity the priority should have been repealing the dictatorship era laws and legally consolidating personal data protection.
Last year, the National Authority for the Protection of Personal Data (INPDP), Tunisia’s Data Protection Authority, was working on a draft of amendments to the 2004 privacy law.
The proposed amendments’ aims were to consolidate the authority’s independence from government interference and make state authorities’ collection and processing of personal data without the consent of the authority not possible. But, to this date the amendments have not been voted on at the National Constituent Assembly (NCA).
“The government does not see these amendments as an urgent priority”, Mokhtar Yahyaoui head of INPDP told Index.
“Without reforms, the authority is incapable of conducting its role the way it should”, he added.