Ahead of municipal elections, Lebanese voter data is at risk

Outdated laws and weak cybersecurity leave Lebanese voter data vulnerable to breaches, with no clear privacy policy in place.
Written bySMEX
Read this post in русский, বাংলা, Español, English
Posted 22 April 2025

Screenshot from YouTube video “‘Ballot box revolution’: Lebanon holds parliamentary elections” by Al Jazeera English. Fair use.

This article by Abed Kataya was published on SMEX on February 24, 2025. An edited version is republished on Global Voices as part of a content-sharing agreement.

With Lebanon set to hold its first municipal elections in nine years between 4 and 25 May, the country’s Directorate General of Civil Status (DGCS) initiated a campaign encouraging voters to confirm their personal information on online voter lists by March 1, 2025. 

Under Lebanese municipal and parliamentary electoral law, these lists must publicly display voters’ full names, parents’ names, registration numbers, gender, birth date, and sect to ensure accurate identification. Voters can check their records online using their national ID numbers.

Exposing voter lists and personal details online allows anyone to access and misuse this information, as seen in the recent war in Lebanon, whether with the Israeli pager attacks or threatening phone calls and other examples of digital warfare. It is also concerning that users can see all the voters in the same section by selecting the voter’s governorate, village, neighborhood, gender, sect, and civil registry number.

When you enter these details, the platform displays your information and other relatives with the same or similar civil records. This raises privacy concerns due to the potential for manipulation, which could expose relatives in specific regions, reveal personal data, and enable illegal activities. Personal information can be exploited for malicious purposes, including targeted attacks, harassment, and discrimination.

Data misuse during the last war and Lebanon’s history of data leaks since the digitization of personal records highlights the need to protect citizens’ data from breaches and manipulation. Recent incidents in Lebanon, including the leaks of voters’ data from embassies, data from schools, and recurrent leaks of car registration records, all underscore the country’s vulnerable cybersecurity landscape.

Moreover, government agencies have shown they do not sufficiently protect user data, and the legal framework is weak. The Electronic Transactions and Personal Data Law is insufficient and fails to offer adequate safeguards for personal data. 

Chapter Five of the e-Transactions legislation encompasses personal data protection. This legislation only mandates that data processors inform the Ministry of Economy before processing personal data and exempts public authorities from this requirement (Article 94). Additionally, the law ambiguously defines this “notification” and leaves it to the Ministry of Economy’s discretion. 

On the other hand, a cybersecurity strategy has existed since 2019 but has not been implemented and is outdated

The DGCS platform, which receives financial and technical support from the European Union and the United Nations Development Programme (UNDP), lacks a privacy policy and terms of service. This omission prevents users from understanding what data is collected about them, how and where it is stored, the safety and security measures implemented to protect this data, and the steps taken in case of a breach.

SMEX attempted to reach DGCS General Manager Elias Khoury, but received no response. 

International practices

While countries like the US and the UK allow the public listing of voter data, others, such as France and Germany, do not.

The Commission governs France’s Data Protection Act on Informatics and Liberty (CNIL), an independent regulatory agency that oversees personal data. The act “helps professionals achieve compliance and empowers individuals to manage their data and exercise their rights.” It ensures that any processing of personal data, including voter information, has a legitimate basis and grants individuals the right to access, correct, and object to using their data.

In Germany, the Federal Data Protection Act complements the GDPR by outlining strict guidelines for handling personal data. The act restricts access to voter information to authorized personnel only. 

If we use France as an example of online voter verification, French citizens can check their voter registration status online through the official government website Service-Public.fr. This service provides information about the registered municipality, polling station location, national voter number, and existing proxies. To use this online service, you must authenticate via FranceConnect or a Service-public.fr account, ensuring the security and privacy of personal data. FranceConnect, a digital identity platform, is employed for secure authentication across public services.

Service-Public.fr employs various data protection measures to safeguard user information. Personal data and documents are securely stored in confidential storage spaces accessible through user accounts. The platform follows the “data minimization” principle, collecting only essential information for specific purposes, such as account management and administrative procedures. Furthermore, access to personal data is restricted to authorized personnel and tracked to ensure accountability and security.

Reforms needed

Several experts and civil society organizations have called for legal reforms to strengthen voter privacy in Lebanon. They recommend amending the electoral law to limit the amount of personal data published on voter lists, suggesting that only essential identifying information be made publicly accessible.

There have also been proposals to replace Chapter Five of the Electronic Transactions and Personal Data Law with a standalone law dedicated to personal data protection. Advocates argue that a new, comprehensive legal framework should apply to both public and private sectors to ensure stronger safeguards for personal information.

Entities responsible for handling voter data are being urged to adopt enhanced data protection practices. Suggested measures include stronger technical safeguards, strict adherence to data security protocols, and improved transparency and accountability in managing personal information.

In addition, experts emphasize the importance of strengthening Lebanon’s broader cybersecurity infrastructure to prevent future breaches and ensure the secure handling of sensitive data by public institutions.

Categories

Countries
Regions
Topics
Creative Commons License
Written bySMEX

Support our work

Global Voices stands out as one of the earliest and strongest examples of how media committed to building community and defending human rights can positively influence how people experience events happening beyond their own communities and national borders.

Please consider making a donation to help us continue this work.

Donate now

Recent Lebanon Stories

More »

Start the conversation

Authors, please log in »

Guidelines

  • All comments are reviewed by a moderator. Do not submit your comment more than once or it may be identified as spam.
  • Please treat others with respect. Comments containing hate speech, obscenity, and personal attacks will not be approved.

This site is licensed as Creative Commons Attribution 3.0. Please read our attribution policy to learn about freely distributing our work Creative Commons License Some Rights Reserved