By Reem Almasri, translated by Hani Barghouthi
The space in which government transactions are carried out is slowly shifting from paper in offices to websites and applications, and this shift is set to transform how Jordanian citizens interact with the government. The Ministry of Information and Communications Technology (MoICT) recently announced that ten government services will move entirely online as of January 1st, 2019. Citizens will then need only to create personal accounts on government websites to complete tasks such as accessing tax data, traffic citations, non-criminal record certificates, professional permits, and other government services.
A complete reliance on the internet for certain transactions, however, raises the question of what measures government departments have taken to secure the data, especially as ministries and their servers are about to receive a massive amount of new information.
The government has long been aware that cybersecurity and privacy would be critical to e-Government: MoICT named “information security” as one of the four main pillars of its e-Government Strategy for 2006-2009.
Nader Thunibat, Secretary General of the MoICT, said in an email to 7iber that information security is indeed one of the standards against which e-Government services are assessed, in addition to user experience and service quality. He said that each ministry has discretion over whether or not to launch its e-services. “Based on the results of tests each ministry performs, (the Ministry) decides whether to launch these services or not,” Thunibat said.
The e-Government project was launched in 2001, and many of its online services have proven convenient and useful to citizens. In this article, however, we comment on gaps in security, procedure, and technology in the design of these services that leave citizen data vulnerable to breaches. Our aim is not to denounce the program entirely, but to raise awareness of the security risks that 7iber’s investigation has uncovered. We have found that the private information of citizens using Jordan’s e-Government services may be left exposed not only to professional hackers, but even to amateurs with simple tools.
Websites without support for HTTPS
If you look at the URL of this webpage, you will notice it begins with the letters https, preceded by a green padlock symbol. The padlock means that the browser has checked the website’s certificate and that data travelling between the user’s device and the website’s servers is encrypted. It does not mean the website itself is trustworthy or free of other flaws, only that nobody sitting between you and the server can read or alter what you send. Inputting personal information (account name, password, national ID number, address, credit card number, etc) into a website that does not use https, and therefore shows no padlock, can be as dangerous as scribbling that information on a piece of paper and tossing it out in the street: anyone on the same Wi-Fi network, at the internet provider, or anywhere on the path to the server can read it.
In “https”, the “s” stands for secure. It refers to Transport Layer Security (TLS, the successor to SSL, the Secure Sockets Layer), which encrypts data in both directions between the user’s browser and the website’s server and lets the browser verify that it is talking to the genuine site rather than an impostor. Any website that receives personal information should today be served over HTTPS with a valid certificate; this is the baseline, not an extra.
E-Government websites require citizens to provide personal information and create accounts in order to access services, yet several fail to meet the most basic technical requirement for protecting that information: serving the whole site over HTTPS with a valid TLS certificate. Let’s imagine a business owner who wants to create an account to use the online services of the Companies Control Department. To ensure the confidentiality and legitimacy of the account holder, the department requires her to sign an official request and collect a username and password in person. However, because the website does not support https, these measures are rendered useless the moment she enters her credentials into the department’s website: they travel as plain text and can be read by anyone on the network between her and the server.
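To make the two halves of this concrete, the following is an added example written for this article, not code from any government site. The first function parses a constructed capture of a login form submitted over plain HTTP, exactly as a passive observer on the network would, and returns the credentials it contains; the hostname and field names are hypothetical. The second function is the pre-launch check a reviewer would run against a service’s responses: it reports whether HTTPS is merely available or actually enforced (a redirect from http:// plus a Strict-Transport-Security header with a long max-age).

```python
from urllib.parse import parse_qs

# Constructed capture of a login POST sent over plain HTTP, as seen by a
# passive observer (Wi-Fi hotspot, ISP, compromised router). Hostname and
# field names are hypothetical, not taken from any real e-Government site.
_BODY = b"username=company123&password=Secret%21&national_id=9901234567"
CAPTURED_REQUEST = (
    b"POST /login HTTP/1.1\r\n"
    + b"Host: eservices.example.gov.jo\r\n"
    + b"Content-Type: application/x-www-form-urlencoded\r\n"
    + b"Content-Length: " + str(len(_BODY)).encode("ascii") + b"\r\n"
    + b"\r\n"
    + _BODY
)


def credentials_on_the_wire(raw: bytes) -> dict:
    """Parse a plaintext HTTP request the way a sniffer would and return the
    submitted form fields. Over HTTPS the same bytes are encrypted and this
    function would see only ciphertext."""
    head, sep, rest = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("incomplete HTTP request: no end of headers")
    request_line, *header_lines = head.decode("iso-8859-1").split("\r\n")
    method, path, _version = request_line.split(" ", 2)
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    if "x-www-form-urlencoded" not in headers.get("content-type", ""):
        return {"method": method, "path": path, "fields": {}}
    body = rest[: int(headers.get("content-length", len(rest)))]
    # parse_qs undoes the percent-encoding, so "Secret%21" comes back as "Secret!"
    fields = {k: v[0] for k, v in parse_qs(body.decode("utf-8")).items()}
    return {"method": method, "path": path, "fields": fields}


ONE_YEAR = 365 * 24 * 3600


def https_policy_findings(scheme: str, status: int, headers: dict) -> list:
    """Review a service's response to a request made over `scheme` ("http" or
    "https") and list what is missing for HTTPS to be enforced rather than
    merely available. An empty list means this response passes the check."""
    hdrs = {k.lower(): v for k, v in headers.items()}
    findings = []
    if scheme == "http":
        if status not in (301, 302, 307, 308):
            findings.append("plain-HTTP request answered with content instead of a redirect")
        elif not hdrs.get("location", "").lower().startswith("https://"):
            findings.append("redirect does not point to an https:// URL")
    else:
        hsts = hdrs.get("strict-transport-security")
        if hsts is None:
            findings.append("no Strict-Transport-Security header: browsers will keep trying http:// first")
        else:
            max_age = 0
            for directive in hsts.split(";"):
                name, _, value = directive.strip().partition("=")
                if name.lower() == "max-age" and value.strip().isdigit():
                    max_age = int(value.strip())
            if max_age < ONE_YEAR:
                findings.append(f"HSTS max-age {max_age} is shorter than one year")
    return findings


if __name__ == "__main__":
    print(credentials_on_the_wire(CAPTURED_REQUEST))
    print(https_policy_findings("http", 200, {"Content-Type": "text/html"}))
```

Run against a real service, the second function would be fed the status and headers of one request to the http:// address and one to the https:// address; a site that passes both is one where a browser will never send the login form in the clear even if the user types the address without the scheme.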
The same applies to services offered by the Ministry of Industry and Trade (MIT); to the Unified Window Project, coordinated between the Department of Lands and Survey (DLS) and the Ministry of Finance (MIF), which aims to let citizens view details of taxes due or paid on their property; and to “Da3mak”, the website launched by the MIF to let households request detailed information about financial support after the government eliminated bread subsidies.
While many e-Government service websites do not adhere to this standard, it is important to note that several do, such as those of the Ministry of Interior, the Income & Sales Tax Department (ISTD), and the e-Government portal.
Some websites did not implement this standard until months after their services were made available to the public, including the Municipality of Greater Amman, the Ministry of Justice’s (MoJ) Non-Criminal Record Certificate website, and the ISTD. Sultan Kharabsheh, Head of the IT Department at the Municipality of Greater Amman, responded to 7iber’s question on the delay. “MoICT commented on the absence of an SSL certificate from the website when its online services were tested prior to launch, but despite that no service emerges at 100%,” Kharabsheh said. “Even security is routinely revised, and we try to fix any errors we notice.” Mohammad Lahham, Head of the IT Department at the MoJ, told 7iber that the https issue may have to do with launching the service as a trial. “Despite the fact that the SSL certificate was required, and one of the points MoICT raised when examining the service, the service had to be launched as a trial, which was done until the certificate was purchased,” Lahham said. The MoJ’s Non-Criminal Certificate website was initially launched in 2011, according to the Internet Archive’s copies of the site.
Passwords that are not secret
Just as we should ask whether car dealerships keep copies of the keys to the cars they sell us, we should ask how e-Government services protect and store the credentials to our personal accounts. Technical staff of e-Government services have access to vast amounts of private data of Jordanian citizens, and it is important to know how this information is stored and whether it is encrypted or hashed. Much as car salesmen should not keep keys to our cars after we buy them, e-Government technicians should not be able to read citizens’ passwords.
Despite the statement from the MoICT Secretary General’s office that information security is a prerequisite for launching an online product, many e-Government websites and services do not meet the simple requirement of storing passwords only as hashes. If a user forgets their password and requests it through MoICT’s “Bi Khidmatikum” (At Your Service) application, the MoJ application, or the Municipality’s website, the original password is sent to the registered email address or phone number. A service can only do this if it keeps the password in a form it can read back: either as plain text or reversibly encrypted with a key held on the same server. Since many people reuse passwords, each password readable from such a server may also open that citizen’s accounts elsewhere. This is one of the most dangerous and common malpractices in information security. Moreover, because these passwords are kept on a central server, millions of citizen accounts can be laid bare to a single successful intruder, or to anyone authorised to access the server.
However, according to Kharabsheh, the Municipality of Greater Amman is aware of this issue and is currently working on encrypting passwords. “I’ll tell you honestly why I am not concerned about a hacker or anyone penetrating it: it is an ordinary account, it doesn’t keep financial information, just queries and procedures,” Kharabsheh said. It should be noted here that access to a Municipality website account can include access to details of an account holder’s excise tax, traffic citations, and private real estate property.
The MoJ application, by contrast, generates a password made up of random digits that you use to access your account, without offering the option of changing it. If a user forgets the password, the server sends another random number to the user’s phone. According to Lahham, the passwords are not saved on the server as plain text. “The system sends them in an unencrypted form to the user so they can read them,” Lahham said. “This means that the encryption key exists on the same server, encrypting and decrypting passwords.”
Lahham said that he isn’t particularly worried about the potential for authorised personnel to violate the personal information of citizens. “This authorisation only exists for a very small number of trustworthy technicians whose work is also monitored,” Lahham told 7iber. However, in addition to expert hackers and those authorised to access account data, anyone who gets hold of your phone has easy access to your personal records: they simply tap “forgot password” in an e-Government app and receive a text with a new password.
Hashing passwords before storing them is one of the most basic standards for any website. A hash function converts the password typed into the password box into a fixed-length string of letters and digits, the “hash”, from which the password cannot be recovered; only the hash is stored, and a login attempt is checked by hashing what the user typed and comparing the result with the stored value. Not all hash functions are equal: the passwords exposed in Yahoo’s 2013 breach, which the company confirmed in 2017 had affected all 3 billion of its accounts, were protected only with the outdated MD5 algorithm, which let attackers crack large numbers of them. Proper password hashes are deliberately slow and salted (combined with a random value unique to each account) so that a stolen database cannot be attacked in bulk. This is why, when a user forgets the password to their bank’s website and tries to recover it, they are not sent the actual password but are asked to create a new one: neither the password nor any key that could reveal it is stored on the server, just the hash.
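The difference between a service that can e-mail you your old password and one that cannot, as an added example written for this article (not code from any of the systems discussed). `RecoverableStore` does what a site must be doing if it can send back the original password; `HashedStore` keeps only a salted PBKDF2-HMAC-SHA256 hash from Python’s standard library, verifies logins in constant time, and handles “forgot password” with a short-lived, single-use reset token instead of revealing anything. The account number and password below are constructed sample data.

```python
import hashlib
import hmac
import os
import secrets
import time


class RecoverableStore:
    """What a site that can send you your old password must be doing: keeping
    it in a form the server can read back (here: plain text). Reversible
    encryption with the key on the same server is equivalent for anyone who
    can read the server's disk, memory or database."""

    def __init__(self):
        self._passwords = {}

    def register(self, user, password):
        self._passwords[user] = password

    def login(self, user, password):
        return self._passwords.get(user) == password

    def forgot_password(self, user):
        # "Recovery" hands back the secret itself.
        return self._passwords[user]


class HashedStore:
    """Salted, iterated hash: the server can verify a password but never
    recover it, so a stolen database yields hashes, not passwords."""

    DEFAULT_ITERATIONS = 600_000   # OWASP's 2023 figure for PBKDF2-HMAC-SHA256
    _DUMMY_SALT = b"\0" * 16       # used so unknown users cost the same time
    RESET_TOKEN_LIFETIME = 15 * 60  # seconds

    def __init__(self, iterations=DEFAULT_ITERATIONS):
        self.iterations = iterations
        self._records = {}       # user -> (salt, hash)
        self._reset_tokens = {}  # token -> (user, expiry timestamp)

    def _hash(self, password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, self.iterations)

    def register(self, user, password):
        salt = os.urandom(16)    # fresh random salt per account
        self._records[user] = (salt, self._hash(password, salt))

    def login(self, user, password):
        rec = self._records.get(user)
        salt, stored = rec if rec is not None else (self._DUMMY_SALT, None)
        candidate = self._hash(password, salt)  # computed even for unknown users
        # compare_digest avoids leaking how many bytes matched via timing
        return stored is not None and hmac.compare_digest(candidate, stored)

    def forgot_password(self, user, now=None):
        """Nothing stored can be turned back into the password, so issue a
        random single-use token (to be sent out of band) instead."""
        if user not in self._records:
            return None
        token = secrets.token_urlsafe(32)
        self._reset_tokens[token] = (user, (now or time.time()) + self.RESET_TOKEN_LIFETIME)
        return token

    def reset_password(self, token, new_password, now=None):
        entry = self._reset_tokens.pop(token, None)  # pop: a token works once
        if entry is None:
            return False
        user, expiry = entry
        if (now or time.time()) > expiry:
            return False
        self.register(user, new_password)   # new salt, new hash
        return True


if __name__ == "__main__":
    # Constructed sample account, not a real citizen.
    weak, strong = RecoverableStore(), HashedStore()
    weak.register("9901234567", "S3cret!pass")
    strong.register("9901234567", "S3cret!pass")
    print("recoverable store gives back:", weak.forgot_password("9901234567"))
    print("hashed store gives back a token:", strong.forgot_password("9901234567"))
```

The iteration count is the knob that makes bulk cracking expensive; lowering it for tests is fine, lowering it in production is not. An application that instead generates random numeric passwords for users, as the MoJ app does, gains nothing from this if those numbers are stored in decryptable form; the hash is what makes the stored value useless to whoever reads it.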
Ease of identity theft
To explain how easy it would be to steal someone’s identity, consider what some government websites require before issuing documents or showing records:
- National number and date of birth to request a Non-Criminal Certificate on the MoJ website.
- National number only to view financial liabilities on the MIT website.
- National number and ID card number to register an account on the MoJ’s application.
A national ID number is all that you need to create an account on the e-Government portal. The portal then grants access to your Family Registration Book, passport services from the Civil Status and Passports Department (CSPD), building and property tax information from the Municipality, and legal cases from the MoJ.
While government websites require the national ID number to access these services, there is currently no process for confirming that the person entering it is its owner. The number is not a secret: family members who share ID photocopies, or employees holding photocopies of customers’ IDs, can create accounts on your behalf on the Hukomati Bi Khidmati (My Government at My Service) portal or the Municipality website and gain access to personal information such as household registration records, tax files and court cases. We can only imagine the number of people in possession of photocopies of our IDs at banks, telecom providers, hotels, car-rental companies, the CSPD, and so on.
A move last year by the Independent Election Commission (IEC) and the CSPD to publish millions of national ID numbers on their websites could be putting a large portion of Jordan’s citizens at risk of identity theft. In 2017, the IEC published the national ID numbers of millions of male constituents eligible to vote in municipal elections, supposedly so they could contest their polling locations. The published lists also included their four-part names and addresses as registered with the CSPD, even though the IEC could have made do with names alone. These numbers inexplicably remain public on the IEC’s website although their purpose has been served.
Additionally, in 2016 the CSPD published lists of the four-part names and national ID numbers of all children of Jordanian mothers and foreign fathers so they could receive their ID cards. The IEC stated on its Twitter account that “publishing citizen’s names and National Numbers was pursuant to operational instructions of the electoral process”. This statement points to either reduced care for, or complete neglect of, the security of citizens’ information on government internet platforms.
The problem is twofold: first, government institutions undermine their citizens’ privacy by publishing information that facilitates identity theft; and secondly, the same institutions skip identity verification when providing services. Kharabsheh thinks that the more they “trouble the citizen” when accessing their account, the less likely they will be to use it. He said that it is the responsibility of each government agency that collects data to secure the citizen’s information: “I carry out anything to do with security through the MoICT, not the Municipality,” Kharabsheh said.
The MoJ’s response to misuse of its application is, in effect, that the perpetrator is breaking the law. “The application requires information that is only available to the person in question, like their National Number and ID number,” Lahham said. When 7iber pointed out that photocopies of IDs exist in hundreds of places and institutions, such as insurance companies and the CSPD, Lahham responded: “What interest would they have in accessing your information? Also, the citizen in question would receive a text informing him that an account was initiated using his information. Then, he could file a complaint with the MoJ against the person who created an account with his name, and the MoJ will be able to track the perpetrator using tools available to them.”
“There’s prosperity in every delay”
This popular Arabic proverb may be helpful in some contexts, but it does not apply to implementing international security standards for publicly offered online services. Jordan’s e-Government platform could have greatly benefited from the guidance of other governments versed in these technologies. Instituting a uniform set of technical security standards and mandating that agencies implement them could greatly improve the cybersecurity of Jordan’s e-Government platform. The United States government, for example, publishes an HTTPS-Only Standard (https.cio.gov) with which all federal websites and web services must comply. India’s government launched a dedicated website outlining requirements for launching online services, including technical standards on encryption levels, documentation, and verification.
When asked about the availability of a guide to mandatory technical or operational standards for official agencies designing their online services, the office of the Secretary General of the MoICT shared with us the “National Information Assurance and Cyber Security Strategy” (NIACSS). NIACSS was launched in 2012 and sets out principles government agencies must follow, but it does not go into operational or technical detail.
MoICT did point out, however, that it has “the most up-to-date information-security devices and programmes (Firewall, WAF, IDS and IPS). The Ministry is also working on connecting all government institutions to the Secure Government Network (SGN).” While the Ministry may be implementing regulations and security tools at the infrastructure level to protect against sophisticated network attacks, this article concerns simpler standards that should have been followed to protect citizen data in transit, in storage, and during authentication.
If the proposed Data Protection Law that MoICT is still working on is ratified, government institutions will be held accountable for failing to uphold appropriate technical and operational measures to secure the data of the citizens they serve. Providing e-Government services in Jordan has been an expensive and lengthy process, but taking risks with security could be far more costly and damaging, and could jeopardise whatever trust citizens have in e-Government.
______________________________________________________________________________
- 1) An application for citizens to submit comments, complaints or appraisals of government services.
- 2) A central portal through which citizens can access all available e-Government services.