Information Privacy Status in Saudi Arabia

Privacy is one of the most fundamental rights that must be preserved for individuals because it is integral to their integrity, self-respect, and safety. However, it is also a vague concept with a number of controversial issues that need to be addressed from ethical, jurisdictional, and sociological perspectives. The perceptions of both organizations and individuals have undergone noticeable changes since the introduction of communication and processing technologies. Furthermore, with the dominance of the Internet and social networks in business and personal lives, information privacy appears to be a myth as massive volumes of personal information and data are stored in the Cloud and back end systems of organizations. Such systems have created serious legal, ethical, and technological challenges related to information collection, processing, and dissemination. This paper presents the findings of the first phase of a countrywide research project that aims to provide a comprehensive assessment of information privacy practices in the public, health, banking, and private sectors. The results presented in this paper are based on a survey and structured interviews with key stakeholders in multiple organizations in the Kingdom of Saudi Arabia to measure organizational compliance and personal perceptions of information privacy.


Introduction
Privacy is one of the most fundamental rights that must be preserved for individuals because it is integral to their integrity, self-respect, and safety. However, it is also a vague concept that is associated with controversial issues that need to be addressed from ethical, jurisdictional, and sociological perspectives. As technologies advance, new privacy challenges arise owing to the pervasive and ubiquitous availability of information.
Many countries have addressed privacy in their laws and have designed regulations for specific sectors (such as communication, health, and commerce) to preserve information privacy. Additionally, huge efforts have been made to model privacy in computing and to develop proper solutions to map privacy business requirements into user applications and systems.
In this paper, we will present the outcome of the first phase of a 2-year project (Alrodhan & Alsulaiman, 2014) (Alsulaiman & Alrodhan, 2012) that aims to assess and analyze information privacy practices in the Kingdom of Saudi Arabia. The study looks at privacy practices in terms of current regulations, technical controls, perception, and awareness at various sectors. To date, there has been very little research on this issue in Saudi Arabia. The only serious and relevant study to the best of our knowledge is that conducted by the Saudi MCIT (Ministry of Communications and Information Technology) to propose a Law Regulating Electronic Privacy and Data Protection in Saudi Arabia (e-Privacy Act) (MCIT, 2010). However, the study only covers legislation aspects and does not address how privacy is perceived nor how the current regulations are implemented in organizations.
We followed four strategies for the assessment; namely, an online survey, structured interviews, penetration testing, and social engineering. The results were insightful and will be presented later in the paper.
The remainder of the paper is organized as follows. Section 2 describes the assessment approach and methodology. Section 3 discusses our findings and recommendations. Section 4 presents concluding remarks and potential future work.

Overview of Privacy
There have been many attempts to define privacy and many philosophers, jurists, sociologists, and even computer scientists, have created definitions based on their context. However, most of those definitions have shortcomings (Solove, 2008). An excellent comprehensive definition of privacy is "the claim of individuals, groups or institutions to determine for themselves when, how and to what extent information about them is communicated" (Westin, 1967). In a computing context, privacy is an information security service that protects the attributes, preferences, and traits associated with individuals' identities against unauthorized distribution or use (Windley, 2005).
Figure 1 shows an expanded and slightly different representation of the classic three-phase information lifecycle diagram (input, process, and output). In the information collection phase, relevant private data could be collected from individuals (or data subjects) by an organization (also known as data controller) that then uses this data to make decisions. Typically, data is processed in-house or outsourced to the IT department (also known as the data processor), making personal data subject to various privacy invasion attacks.
Figure 1. Data protection and privacy taxonomy (adopted from (Solove, 2008))
The protection of private information (i.e., personal data) against unauthorized disclosure must be considered as a 'right' of individuals (i.e., data subjects). Information, be it medical, criminal, biological, ethnicity, or political, can negatively impact the data subject when unauthorized disclosure occurs by the data controller that holds the personal data. For example, disclosing medical records might impact on insurance coverage, employment, or one's social life. Table 1 presents a good categorization of possible privacy problems that could occur at each stage of the information lifecycle. Furthermore, there have been multinational efforts to establish privacy guidelines and frameworks such as the one created by the (OECD, 1980), the European Union's directive on data protection in 1995, and the APEC framework (ECSG, 2005).

Information Privacy in Saudi Arabia
Currently, there is no specific law in the Kingdom of Saudi Arabia that targets information privacy, with the exception of some provisions and articles scattered in various regulations, such as those in (Royal decree, 1992) (CITC, 2001) (MCIT, 2007) (CITC, 2007). For example, Article 40 of the Basic Law of Government states "The privacy of telegraphic and postal communications, and telephone and other means of communication shall be inviolate. There shall be no confiscation, delay, surveillance or eavesdropping, except in cases provided by the Law" (Royal decree, 1992). The Telecom Act (CITC, 2007) is more specific in protecting information exchanged through public networks. However, in 2010, the Saudi Ministry of Communications and Information Technology (MCIT) adopted an initiative and proposed an e-Privacy law to have a unified general law that addresses issues related to information privacy, similar to that practiced by other countries, and to support MCIT Plan goals (MCIT, 2010). The proposed law adopts many principles stated in the (The Madrid Resolution: International Standards on the Protection of Personal Data and Privacy, 2009) and the APEC Privacy Framework (ECSG, 2005) such as the right for a person to be notified before the collection of his/her personal information. The law was proposed to take precedence and preempt contrary laws and regulations unless they provide more protection for information privacy. Unfortunately, the Shura Council, under the belief that the existing cybercrime law (MCIT, 2007) is sufficient, has rejected the proposed law. In our opinion, the proposed law has many advantages as it provides consolidated and structured privacy principles that can be implemented in all governmental and business sectors.

Addressing Privacy in Computing
Privacy has been addressed in many contexts, from formal protection modeling of privacy to ensure anonymity to the design of applications and protocols that address specific threats (Sweeney, k-anonymity: A model for protecting privacy, 2002). For example, the TOR Project aims to protect privacy and guarantee anonymity by implementing an encrypted network overlay on the Internet using the Onion Routing Protocol (Dingledine, Mathewson, & Syverson, 2004). Another tool is the Private Web Search (Saint-Jean, Johnson, Boneh, & Feigen, 2007), a browser extension that aims to minimize private information that could be revealed by intercepting queries sent to search engines that may identify data subjects (e.g., SSN info and phone numbers). Other multidisciplinary projects such as PORTIA (Privacy, Obligations, and Rights in Technologies of Information Assessment (PORTIA)., 2013), (Sweeney, Shamos, & Madhava, Social Security Number Watch, 2013), Information Accountability (Weitzner, Abelson, Berners-Lee, & Fei, 2008), Ensuring Consent and Revocation (EnCore) (Mont, Sharma, Pearson, Saeed, & Filz, November 2011), and Hippocratic Database (Bolton, 2003) are very good examples where privacy has been addressed from technical, legal, and social perspectives.
In contrast, there are huge efforts in the field of computing to identify and discover security flaws and privacy issues in computer systems at every level, from design to implementation. Many tools have been developed to automate the process of detecting and exploiting vulnerabilities such as (Acuntix, 2013), (Nessus, 2014), (Nikto, 2014), (Nmap, 2013), and (Shodan HQ, n.d.). We have also used these tools to support our thesis and to demonstrate how easy it is to extract private data.

Assessment Methodology
This section shows the approach we followed for our privacy assessment: The following subsections highlight each method.

Review of Relevant Regulations in Saudi
We examined the majority of publicly available key legislation and regulations for each sector in the Kingdom and extracted every provision related to data collection and dissemination, with an emphasis on the five sectors mentioned earlier. Our interest in the regulation review is to identify if privacy is addressed and to classify what privacy problems they tackle as presented in Table 1. The analysis should not be treated as a legal assessment because that is beyond the scope of this research. Instead, we attempted to identify how such regulations can be mapped into information security management systems and controls (i.e., technical, physical, and/or administrative) as this is a very important step in terms of the future work of the project.

Field Survey
The objective of the survey was to evaluate information privacy perceptions and adherence in a sample of professional workers and decision makers representing government, education, health, banking, and business sectors (Note 1). The survey was distributed electronically, as well as hardcopies, and we received a relatively good number of responses: 101 in total including 34 responses from decision makers distributed in terms of demographics as shown in Table 2. The survey's questions measure the following metrics:
1) Existence and adherence of information privacy policies and practices at the organization level.
2) Awareness and perception of privacy issues related to clients, employees, and citizens.
For decision makers, there were additional questions to verify organizations' maturity in taking due care and due diligence measurements on information privacy and data protection.

Structured Interviews
We conducted personal interviews with a number of key stakeholders in major organizations representing Telco, health, banking, government, and educational sectors. The interviewed stakeholders were responsible for managing information technology and the information security department for their organization. The purpose of the interview was to cross-check the survey findings and to reveal more detailed information regarding information privacy practices, in addition to evaluating organizations' adherence against the applicable privacy requirements and principles mentioned in (MCIT, 2010) and (CITC, 2001) (e.g., the right of the data subject to access his/her information and data retention for personal data).

Penetration Testing and Social Engineering
The last approach we used in this study was to perform penetration testing after obtaining official consent from the organizations' authorities. The objective was to verify whether we could obtain what is usually considered private information (e.g., customers, citizens). Our approach was to select sample organizations that represent educational and telecommunications sectors. We then navigated through publicly available information on the website using basic technology tools (see Table 3), without interrupting the service, to identify potential vulnerabilities.

Regulations Review Findings
Table 4 summarizes our findings for the reviewed regulations; note that the table only shows regulations that have articles or clauses related to information security and privacy, which, of course, is a subset of what has been reviewed. The first two columns present the regulation title and relevant article(s). The third column presents the privacy issues or problems it addresses. For example, in the Anti-Cyber Crime Law, Article 3 criminalizes any person who commits one of the following cybercrimes: "1) Spying on, interception or reception of data transmitted through an information network or a computer without legitimate authorization. 2) Unlawful access to computers with the intention to threaten or blackmail any person to compel him to take or refrain from taking an action be it lawful or unlawful. 3) Unlawful access to a web site, or hacking a web site with the intention to change its design, destroy or modify it, or occupy its URL. 4) Invasion of privacy through the misuse of camera-equipped mobile phones and the like. 5) Defamation and infliction of damage upon others through the use of various information technology devices" (MCIT, 2007). From that article, we can determine that surveillance, intrusion, blackmailing, distortion, exposure, and disclosure privacy issues were addressed.
From the table above, the regulations in most of the examined sectors do have provisions on information privacy. However, the major concern in our context is that many of them are so broad and require supporting written compliance programs specifically directed at privacy and data security in the respective domains. Unfortunately, we were not able to identify any that are supported by the structured interviews and survey findings. This is important when designing and developing IT systems that need to comply and implement privacy requirements as stated in the relevant regulations. For example, part of our current project is to develop privacy profiles based on XACML (OASIS Open, 2010) for each sector, which maps applicable privacy policies into PEP. This is to ensure that all business applications and systems will adhere to the relevant privacy policy when accessing or exchanging personal information. Regrettably, with the level of abstraction we have owing to the lack of detailed compliance programs and procedures, the resulting XACML profiles will have fewer and more generic privacy rules.
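A simplified Python model of how one such sector rule set could be evaluated and enforced, added here as an illustration and not the project's XACML profiles; it models XACML-style rule targets, conditions, deny-overrides combining and a deny-biased PEP, but not XACML syntax or Indeterminate results. The rules, attribute names and the telecom profile are assumptions, constructed from points reported elsewhere in the paper (need-to-know access, restricted disclosure of location data, a 1-year retention period).

```python
from dataclasses import dataclass
from typing import Any, Callable, Dict, List, Tuple

PERMIT, DENY, NOT_APPLICABLE = "Permit", "Deny", "NotApplicable"
Request = Dict[str, Any]  # flat attribute bag: subject, resource, purpose


@dataclass(frozen=True)
class Rule:
    rule_id: str
    effect: str                           # PERMIT or DENY
    target: Callable[[Request], bool]     # which requests the rule is about
    condition: Callable[[Request], bool]  # when the effect applies

    def evaluate(self, req: Request) -> str:
        if self.target(req) and self.condition(req):
            return self.effect
        return NOT_APPLICABLE


def is_personal(req: Request) -> bool:
    return req.get("resource_type") in {"subscriber_record", "location"}


def is_location(req: Request) -> bool:
    return req.get("resource_type") == "location"


# Hypothetical telecom-sector profile (constructed for this example).
TELECOM_PROFILE: List[Rule] = [
    # Need-to-know: personal data is readable only inside the owning department.
    Rule("need-to-know", PERMIT, is_personal,
         lambda r: r.get("subject_department") == r.get("resource_department")),
    # Location data: only a disclosure officer answering a law-enforcement request.
    Rule("location-restricted", DENY, is_location,
         lambda r: not (r.get("subject_role") == "disclosure_officer"
                        and r.get("purpose") == "law_enforcement_request")),
    # Retention: personal records older than one year are no longer served.
    Rule("retention-expired", DENY, is_personal,
         lambda r: r.get("record_age_days", 0) > 365),
]


def decide(rules: List[Rule], req: Request) -> Tuple[str, List[str]]:
    """Policy decision with deny-overrides: any Deny beats every Permit."""
    results = [(rule.rule_id, rule.evaluate(req)) for rule in rules]
    for wanted in (DENY, PERMIT):
        fired = [rule_id for rule_id, decision in results if decision == wanted]
        if fired:
            return wanted, fired
    return NOT_APPLICABLE, []


def enforce(rules: List[Rule], req: Request, audit_log: List[dict]) -> bool:
    """Deny-biased enforcement point: only an explicit Permit gets through.

    Every decision is appended to audit_log so privacy-relevant access
    attempts can be reviewed later.
    """
    decision, fired = decide(rules, req)
    audit_log.append({"subject": req.get("subject_id"),
                      "resource_type": req.get("resource_type"),
                      "decision": decision, "rules": fired})
    return decision == PERMIT


if __name__ == "__main__":
    log: List[dict] = []
    # Constructed request: an engineer reading location data for troubleshooting.
    request = {"subject_id": "u2", "subject_role": "network_engineer",
               "subject_department": "network", "resource_department": "network",
               "resource_type": "location", "purpose": "troubleshooting",
               "record_age_days": 10}
    print(enforce(TELECOM_PROFILE, request, log), log[-1])
```

The engineer's request matches the need-to-know Permit and the location Deny at the same time; deny-overrides is what makes the narrower rule win, and a request no rule covers is refused because the enforcement point treats NotApplicable as a refusal.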
In addition to this finding, there are other observations and shortcomings; most of them are regulatory and are detailed in (MCIT, 2010).

Survey Analysis
The survey feedback revealed very insightful information with respect to privacy status in Saudi. In this section, we list the most important findings and leave the full details to Appendix A.
1. Roughly 60% of employees have been asked to follow some specific privacy procedure as shown in Table A.1.
2. Health and public sector employees appear to have received more privacy related procedures (75 and 70%, respectively) as presented in Table A.4. However, when it comes to the question of having a privacy policy adopted by the organization, 67% of the responding sample from the banking sector confirmed the existence of such policy. Forty-five percent of the educational sector respondents answered that they do not know if there is a privacy policy in their organization (see Table A.5).
3. In Table A.8, we can see that people with a higher level of education, regardless of seniority, tend not to trust their organization when it comes to client/customers privacy protection: PhD (26%) vs. high school (50%). This is consistent with their perceptions regarding their personal information held at the organizations they work for: 67% of those with a high school degree trust their personal data compared with 32% who hold a PhD degree (see Table A.12). Gender also had a slight influence in this aspect. Females tend to have greater trust with respect to their own personal information and that of their customers compared with males (Table A.11).
4. Table A.15 shows that when it comes to witnessing incidents of privacy violation, responses from people working in financial sectors are higher (42%) than those in the public sector (24%).
5. Regarding accessing unauthorized information without permission, 34% of the sample had knowledge of such acts regardless of their seniority; however, those in education and finance scored higher (43%) than the sample average (Table A.16, Table A.18, and Table A.19, respectively), and only 25% reported the incident. Surprisingly, none of the participants from the financial sector reported such incidents.
6. Thirty-one percent of participants confirmed that their organizations log privacy related issues in their operations.The financial sector seems to be more stringent in that regard (50%) with the education sector scoring the lowest value (19%) (Table A.20).
7. Eighty-four percent of participants believe that privacy protection is important regardless of their seniority as presented in Table A
11. Twenty-seven percent of the decision makers stated that their organizations have privacy officers (Table A.37).
12. With respect to organization seriousness, Table A.38 shows that 32% of the participants believe that their organizations take stakeholders data seriously, especially the financial sector (50%). Participants from the education sector believe their organizations are somewhat serious (50%).
13. Table A.39 shows that 26% of the decision makers answered that their organization audits privacy relevant operations and 42% among them do so once a year.
14. Forty-one percent of the decision makers answered that their organization has a data classification policy (Table A.41).
15. Table A.42 shows that 18% of the decision makers stated that their organizations encrypt their data, 56% use partial encryption and just 26% do none at all.
16. Thirty-eight percent of decision makers answered that their organizations use a need-to-know basis when allowing access to personal data (Table A.44).
17. Thirty-two percent of decision makers answered that their organizations are subject to international mandates related to data protection as shown in Table A.45.
18. Eighty-two percent believe, as presented in Table A.47, that they are morally obliged to preserve the data of their stakeholders, which indicates that privacy, as a principle, is still perceived as an important human value.

Structured Interview Feedback
The interview results showed clear gaps and differences in the knowledge, experience, determination, and seriousness in terms of protecting information privacy. However, the sole similarity amongst all the surveyed organizations is that most efforts towards protecting information privacy are somewhat "voluntary". Furthermore, the adopted procedures are selected based on the discretion of the organization rather than from direct mandates issued by regulation and compliance authorities.
To clarify this point, we wish to provide two examples representing two extremes as gleaned from the participants. The first is the information and privacy director of a major telecommunication and Internet service provider in Saudi (CIO, 2013). The second example is an interview conducted with the CIO of a Saudi university under the Ministry of Higher Education (Manager, 2012). The objective of the interview was to determine how decision makers from the selected samples of the organizations working in Saudi address privacy.
The first interview outcome can be summarized into the following points.
1. User data are segregated from all other data; it is not easy to transfer user data between departments from technical and procedural perspectives.
2. [...] protect company's information assets, which is a good initiative to reduce the amount of disclosed data.
3. As geographical information is logged by mobile operators for various technical reasons, this information is sensitive and creates privacy concerns in many countries. The company does have special procedures to reveal geographical info and only two people are authorized to disclose such information to law enforcement liaisons.
4. He is not sure if his company sells customer data to third parties, as this is a responsibility of another department.
5. The privacy protection measures taken by the company fall under their internal interest to follow best practices and were not mandated by regulators (e.g., the Commission of Information Technology and Communications) or as a response to any international mandate.
6. The organization has a 1-year data retention period for data as they are ISO27001 certified but the choice to do so was irrespective of any national regulation.
7. In the information security department, there is an ongoing effort to follow international trends in information privacy and they encouraged their team to obtain certification from the International Association of Privacy Professionals (IAPP).
In contrast, the second interview with the CIO of an educational organization shows the opposite in terms of privacy protection as summarized below.
1. Most users' data, mainly students, are not segregated nor encrypted.
2. There are no clear boundaries on what data can be accessed from each department and many times departments have access to classified data without legitimate reasons.
3. There is no information security department, and security controls are ad-hoc and based on the best efforts of IT members.

Penetration Results and Discussion
Penetration testing revealed shocking results, as we were able to demonstrate how easy it is to access and collect private data using very simple off-the-shelf tools as mentioned in Table 3.
We have summarized the findings into the following points.
1. We found many unprotected WiMAX/Wi-Fi CPE terminals. For example, in two of the tested telecommunication organizations, it was possible to log in to users' Internet devices with administrator privileges using a default username and password as shown in Figure 2. This provides the ability for an intruder to intercept and collect all public and private data with a basic update of the routing table of the network device.
2. We found some open webcam servers with default admin/admin passwords with no authentication.
3. Links to firewall configuration GUIs, with no SSL for authentication.
4. Multiple open anonymous FTP servers.

Concluding Remarks and Future Work
In this paper, we presented the current information privacy situation and its challenges in Saudi Arabia by reviewing existing regulations, conducting a countrywide survey, performing interviews with stakeholders, and conducting penetration testing to express our concerns.
We believe that additional efforts are required to close identified gaps in handling information privacy issues in Saudi. We propose that relevant governmental bodies need to create information privacy compliance programs and mandate their implementation in all related entities. Moreover, it is crucial to create a privacy officer function, especially in large organizations, typically within the information security department with the authority to implement privacy compliance programs. Country level awareness initiatives are also needed to create the appropriate perceptions of information privacy and its importance from human rights and consumer standpoints.
For future research, we will focus on the development of XACML profiles and templates, which will be developed based on the privacy rules identified in Table 4. In addition to business applications, these rules will be used by Policy Enforcement Points (or PEPs) such as file servers, mail servers, and firewalls.
We will also participate in the development of compliance frameworks that address privacy, especially in the telecommunications sector.
A.1 Survey Questionnaires for All Participants
A.1.1 Have you been asked to follow specific 'privacy-protection' procedures (and/or regulations) that should protect the privacy of your organization's clients/customers/users?

Figure 2. The screenshot represents how easy it is to gain root access to customer-premises equipment (CPE); in this figure the ADSL firewall was accessed

Table 1. Taxonomy of privacy problems adopted from (Solove, 2008) framework
Exclusion: Not allowing data subjects to know about what has been collected about them and provide them the ability to correct inaccurate information
Information dissemination
Breach of confidentiality: Breaking the trust between the data subject and data controller in keeping confidential data
Disclosure: Revealing truthful information which data subject's that

Privacy issues have captured the attention of many countries around the world. Many nations have addressed privacy at various levels, starting from the constitution that protects privacy as a basic human right and going further to set specific laws and technical requirements for information privacy. For example, the Brazilian constitution states, "the privacy, private life, honor and image of persons are inviolable" (The Constitution of Brazil, 2013). Canada has the Personal Information Protection and Electronic Documents Act 2000 (The Office of The Commissioner of Canada, 2000) and Japan the Personal Information Protection and Electronic Documents Law of 2003 (The Government of Japan, 2003). Both laws address how personal information shall be collected, processed, and disseminated by government agencies and private entities. The relevant U.K. laws include the following laws: (Data Protection Act, 1998

Table 2. Demographic attributes of the responses

Table 3. Tools used to conduct penetration testing

Table 4. List of privacy-related articles in reviewed laws and regulations

.23. However, just 50% of participants with high school education think that way (Table A.22) compared with 100 and 90% of respondents in the financial and health sectors, respectively (Table A.24).
8. Approximately 50% of participants were unaware of IT criminal laws in Saudi regardless of their education level (Table A.26). Decision makers scored slightly higher (60%) compared with the remainder of the sample (Table A.29).
9. Interestingly, 85% of participants are not satisfied with current status of privacy protection in Saudi, especially those who work in the financial sector as shown in Table A.33.
10. Twenty-six percent of the decision-maker group believes that their organization adheres to a global standard of privacy protection (Table A.35). However, 15% used technical mechanisms for privacy protection (Table A.36).

Table A.1. Results of survey question A.1.1 grouped by gender
Do you (or any of your colleagues) have access to private data that belongs to your organization's clients/customers/users and/or personnel without operational-justifiable reasons?
Are you aware of the IT Criminal Laws in the Kingdom of Saudi Arabia?
Table A.25. Results of question A.1.9 grouped by gender

Table 5. Results of question A.1.9 grouped by authority level
Are you satisfied with the current status of 'privacy-protection' in all sectors of the Kingdom of Saudi Arabia?
Table A.29. Results of question A.1.10 grouped by gender

Table A.31. Results of question A.1.10 grouped by years of experience

Table A.32. Results of question A.1.10 grouped by industry

Table A.33. Results of question A.1.10 grouped by authority level
Is your organization adhering to any global standard of 'privacy-protection'?
Table A.34. Results of question A.2.1 grouped by industry
Is there a 'privacy officer' (or any similar role) in your organization?
Table A.36. Results of question A.2.3 grouped by industry
How serious is your organization in protecting the privacy of its clients/customers/users and personnel?
Table A.37. Results of question A.2.4 grouped by industry
Fairly serious, Not serious, Very serious, Grand Total
A.2.5 Do you log and audit privacy-relevant operations?