Egypt Is Building a Biometric Identity Spine While Exempting Its Spy Agencies From Its Own Data Law

A new hack-for-hire phishing report on two exiled critics lands as Egypt centralizes digital ID — and shields national-security bodies from data-protection rules.

[Infographic, People of Internet Research · Egypt: "Egypt's identity build-out vs. its surveillance carv…" Panels: 76% financial inclusion rate; 37 banks on biometric ID; 2 exiled critics targeted; 4 agencies exempt from data law.]

Key Takeaways

On April 8, 2026 (updated April 22), Access Now's Digital Security Helpline, working with the mobile-security firm Lookout and the regional digital-rights group SMEX, published a forensic investigation into a spear-phishing campaign that impersonated Apple and Google to target two exiled Egyptian critics: journalist and human-rights defender Mostafa Al-A'sar and former MP Ahmed Eltantawy. Attackers approached the targets through sockpuppet personas on LinkedIn and iMessage posing as "Apple Support," built fake login pages to harvest credentials between October 2023 and January 2024, and stood up infrastructure capable of delivering Android spyware able to "access and extract victims' files, personal contacts, text messages, and geolocation," and to switch on device microphones and cameras. Lookout assessed the operator as a hack-for-hire group with ties to Asia, likely linked to the BITTER APT. The researchers were careful: there was "not enough information... to confidently conclude which government(s)" was behind it. But the target set points circumstantially toward Egyptian state interest.

Not an aberration

The circumstantial read is reasonable because Egypt has a documented record. In September 2023, Citizen Lab confirmed that Eltantawy's iPhone had been targeted with Cytrox's Predator spyware via network injection from a device sitting inside Vodafone Egypt's network, after he announced he would challenge President Abdel Fattah al-Sisi in the 2024 election. That operation burned a full iOS zero-day exploit chain (CVE-2023-41991, 41992, 41993), and Citizen Lab attributed it to Egyptian authorities with high confidence. The Committee to Protect Journalists, reacting to the 2026 report, warned that "spying on journalists is often the first step in a broader pattern of intimidation, threats, and attacks." The newer phishing campaign is cruder and outsourced, but the targets are the same profile: a presidential challenger and a journalist, both now in exile.

The infrastructure under construction

Here is where the editorial tension sits, and it deserves an honest framing of both sides. Egypt is in the middle of an ambitious and, on its face, genuinely beneficial digital-identity build-out. In October 2025 the Central Bank of Egypt unveiled "Haweya," a biometric digital-ID platform combining face and fingerprint data with digital signatures, linked at launch to 37 banks for remote account opening, document verification, and SIM-card registration. Financial inclusion had reached 76% by June 2025, with roughly 53 million adults holding accounts — well above the MENA regional average. For a country where the unbanked skew poor and rural, a working eKYC layer is a real public good, and the strongest case for it should be conceded plainly: it lowers the cost of services, curbs benefit fraud, and brings millions into the formal economy.

But identity systems are dual-use by design. The same architecture that lets a citizen open a bank account from a phone also creates a single, biometrically-anchored spine that binds a legal identity to a SIM, a bank account, and a lengthening list of government services. Egypt has been integrating its databases for a decade — the Unified National Registry built for the Takaful and Karama cash-transfer programs already links food-subsidy, pension, education, and social-protection records. Integration is the point; it is also the risk. A spine built for inclusion is a spine available for tracking.

A law that exempts the watchers

The safeguard meant to make this safe is Law No. 151 of 2020, the Personal Data Protection Law, whose long-delayed executive regulations were finally issued by Prime Ministerial Decree No. 816 in November 2025, standing up a Personal Data Protection Center under the communications ministry. On paper this is the proportionate-regulation story we generally favor: consent rules, breach notification within 72 hours, and cross-border transfer controls.

The problem is Article 3. The law excludes from its scope personal data held by "national security authorities" — defined to include the Presidency, the Ministry of Defence, the Ministry of Interior, and the General Intelligence Service. As Access Now put it, these are bodies that "have perpetrated documented human rights abuse for decades," and they "should not be exempt from the obligation to protect users' personal data." A data-protection regime that carves out the exact agencies most likely to run a Predator deployment or commission a hack-for-hire operation protects citizens from supermarkets and banks — not from the state that may be phishing them.

The proportionate path

None of this is an argument against digital ID, against Egypt's fintech ambitions, or against legitimate cybercrime enforcement; all can be done well. It is an argument that the order of operations matters. A government simultaneously (a) building a centralized biometric identity spine, (b) buying or commissioning offensive intrusion capabilities, and (c) exempting its security services from the only law constraining data abuse has assembled the components of a surveillance apparatus faster than the components of accountability.

The fix is not to slow the technology — it is to make the rules bite where it counts. Egypt should narrow Article 3 from a blanket institutional exemption to specific, judicially-reviewable national-security uses; subject identity-linkage and inter-agency data-sharing to strict purpose limitation under an independent regulator with real enforcement power; and publish transparency reporting on lawful-access requests. Spyware against exiled critics and a credential-phishing operation dressed up as Apple Support are not national security; they are the suppression of speech. The open-internet case for Egypt's digital transformation is genuine — but it holds only if the same state that wants citizens to trust a biometric ID can be trusted not to weaponize it.

Sources & Citations

  1. Access Now — Espionage for repression (forensic investigation)
  2. Citizen Lab — Predator in the Wires (Eltantawy)
  3. CPJ — Egyptian, Lebanese journalists targeted in cyber attacks
  4. Biometric Update — Egypt rolls out digital ID platform (Haweya)
  5. Access Now — Egypt's data protection law: protection or control?