How officials establish digital slavery for citizens

2024 Author: Seth Attwood | [email protected]. Last modified: 2023-12-16 15:55

Until recently, digital passes for getting around the city seemed to Russians to be a wild element of a cyberpunk dystopia. Today it is a reality, moreover: since yesterday in Moscow they have become obligatory for movement by public transport. How it happened, why many countries have created digital control systems for the movement of citizens and whether such surveillance will stop after the end of the pandemic - in a new material from researchers at the Center for Advanced Management Solutions.

General context

The general trend in countries' response to the coronavirus epidemic is to strengthen control over citizens. Based on the analysis of data from mobile operators, banks, law enforcement agencies, the state calculates the contacts of those infected, and also monitors citizens' compliance with self-isolation and quarantine. Many publications on this topic raise questions of privacy and the observance of citizens' rights, painting a bleak picture of a “surveillance society”.

We have collected several episodes of the introduction of special digital control measures by different states and tried to understand the risks that these measures carry due to the fact that access to information about the movement and personal life of citizens is provided to several bureaucratic departments at once.

Israel: Police, Special Services, Ministry of Health

What happened?

On March 19, the Israeli government introduced partial quarantine throughout the country. As part of the interim measures a few days earlier, on March 15 and 17, the authorities issued two emergency orders that expanded police powers to conduct searches and also allowed the Israeli Security Service (Shin Bet) to use digital surveillance to combat the coronavirus epidemic. …

Who exercises control and how?

All citizens of the country infected with the coronavirus, as well as those who have come into contact with them, are placed in mandatory two-week quarantine. As part of the emergency orders, the police, as an interim measure, will be able to determine the current geolocation of these people using data from cell towers without an additional court decision. In turn, the special services will be able to gain access not only to the current location of a person, but also to the history of his movements. In addition, the Israeli Ministry of Health has released its own smartphone application that continuously updates the location data of infected people received from law enforcement officers and warns the user if he is near them.

On the one hand, this allows not only to check how conscientiously a person complies with the quarantine regime, but also to identify an approximate circle of contacts with other people who could also become infected. But, on the other hand, in normal times, such "dense digital tracking" technologies are used only to catch criminals and terrorists.

Such extraordinary powers of the security forces will last until mid-June - after that, all received data must be destroyed. However, the Ministry of Health will be able to extend the storage period of the data collected in this way by two months for additional research.

South Korea: Police and Civil Self-Control

What happened?

In February 2020, the Republic of Korea became one of the fastest growing countries for the coronavirus epidemic.

The authorities were able to fairly quickly and effectively first level, and then reduce the rate of spread of the infection

This is partly due to the fact that Korea has a wealth of experience in fighting the epidemic: in 2015, the country was faced with an outbreak of Middle East Respiratory Syndrome (MERS), after which a whole system of epidemiological measures was developed. However, the decisive factor was the organization of mass mailing of notifications about each case of infection with detailed information about the infected person (age, gender, detailed description of his recent movements and contacts; in some cases, it was reported whether the person had a mask, etc.). Such mailing would not have been possible without a powerful and large-scale system of digital control over the movement and contacts of South Korean citizens.

Who exercises control and how?

Several services are now operating in the country that use personal data in order to provide information on the spread of coronavirus. For example, the Coroniata website publishes information on the total number of cases, as well as on the zones where the largest outbreaks of infection were recorded. The second resource, Coronamap, is a map that displays when and in what places all isolated cases of infection were recorded. The Korean government has also released an official smartphone app to track the quarantine compliance of infected people.

The Republic of Korea has a highly developed digital infrastructure, so tracking and verifying data is not a problem for the government. To improve the accuracy of the analysis, in addition to data from cell towers and GPS, data on transactions made with bank cards are used, city video surveillance systems and face recognition technologies are used.

Such forced "openness", on the one hand, shows its effectiveness in containing the epidemic, but, on the other hand, leads to negative social effects. In addition to the fact that those infected with the infection themselves feel a sense of constant surveillance, other - "random" - people also fall into the control zone.

Since each case of infection is displayed on a map, some Koreans, even not being infected, but corresponding to the tracked "points", are subject to public pressure.

Thus, proactive Korean citizens are joining police and officials in digital surveillance of each other.

Alternative: Poland vs European Commission

In the European Union, one of the first applications for monitoring citizens required to comply with a 14-day quarantine appeared in Poland. The authorities require the installation of the application by healthy citizens who have come into contact with infected or potentially infected people, as well as everyone who returns from abroad. Since the beginning of April, the installation of the application has become mandatory by law.

The Home Quarantine application (Kwarantanna domowa) randomly sends a notification several times a day with the requirement to upload your own photo (selfie) within 20 minutes. According to the website of the Polish government, the application checks the user's location (by GPS) and also uses facial recognition. If the request to upload a photo is not met, the police may come to the address. According to the regulation, the Ministry of Digitalization will store personal data of users for 6 years after deactivating the application (in accordance with the Civil Code), with the exception of photos that are deleted immediately after the account is deactivated.

In addition to Poland, their own applications have appeared or started to be developed in other European countries, for example in Austria (with the participation of the local Red Cross), France, Ireland and Germany.

Against this background, the European Commission proposed to make a pan-European application for tracking the spread of coronavirus in compliance with special recommendations for its development, based on the law on the protection of personal data in the EU

Among the listed principles of the future application, the efficiency of using data from a medical and technical point of view, their complete anonymity and use only for creating a model of the spread of the virus are indicated. To reduce the risk of personal data leakage, application developers will have to adhere to the principle of decentralization - information about the movements of an infected person will be sent only to the devices of persons who could potentially contact him. Separately, it was emphasized that the steps taken should be justified and temporary.

The deadline for submitting proposals for the implementation of these measures is April 15th. In addition, by May 31, the EU member states will have to inform the European Commission of the actions taken and make them available for peer review by the EU members and the European Commission. The European Commission will assess the progress made and will periodically publish reports starting in June with further recommendations, including the removal of measures that are no longer needed.

Russia: the Ministry of Telecom and Mass Communications, mobile operators and regions

What happened?

From the end of February to the beginning of March, after the introduction of measures to counter the spread of the coronavirus, the first cases of strengthening control over the population with the help of technical means appeared in Russia. According to Mediazona, police officers came to the quarantine violator with a photograph, probably taken by a camera, which was connected to a face recognition system. Mikhail Mishustin instructed the Ministry of Telecom and Mass Communications to create by March 27 a system for tracing contacts of patients with coronavirus infection based on the data of cellular operators. According to Vedomosti, on April 1, this system was already working. In parallel, the constituent entities of the Russian Federation began to develop their solutions. In Moscow, in early April, they launched a monitoring system for patients with coronavirus using the Social Monitoring application, and also prepared the introduction of passes with special codes (the decree on their introduction was signed on April 11). In the Nizhny Novgorod region, the first of the regions, control by QR codes was introduced, in Tatarstan - by SMS.

Who exercises control and how?

Digital control mainly covers citizens who are infected or are in official quarantine. To track their movements, the Ministry of Telecom and Mass Communications requests "data of numbers and dates of hospitalization or date of quarantine." This data is transmitted to cellular operators, which monitor compliance with the quarantine conditions. The violator of the conditions receives a message, and in case of repeated violation, the data is transferred to the police. According to Vedomosti, responsible officials in the constituent entities of Russia will enter data into the system. At the same time, Roskomnadzor believes that the use of numbers without specifying addresses and names of subscribers of cellular operators does not violate the law on personal data.

In addition to these measures, patients' geolocation is monitored in Moscow using the Social Monitoring application installed on smartphones specially issued to citizens. To confirm the information that the user is at home, next to the phone, the application periodically requires a photo to be taken

According to the head of the Moscow Department of Information Technology (DIT), the transfer of data about the user is regulated by an agreement that he signs when choosing the option of home treatment. They are stored on DIT servers and will be deleted after the end of quarantine. In addition, control is exercised over all cars of those who are obliged to sit in official quarantine (patients and their loved ones), as well as through the city video surveillance system.

On April 11, the mayor of Moscow signed a decree on the introduction of digital passes for travel in Moscow and the Moscow region by private and public transport. The passes began to be issued on April 13 and became mandatory on the 15th, they can be obtained on the website of the Mayor of Moscow, by SMS or by calling the information service. To issue a pass, you must provide personal data, including your passport, car number or public transport pass (Troika card), as well as the employer's name with TIN or travel route. The pass is not required to move around the city on foot, subject to the previously introduced restrictions.

Passes to control the movement of citizens have also been introduced in other Russian regions:

On March 30, the governor of the Astrakhan region, Igor Babushkin, signed an order on special passes for the period of quarantine. On April 13, an electronic platform for issuing passes was launched in the region. Applications are submitted on a special website, a pass with a QR code is sent to the applicant's e-mail. The governor also instructed to check the previously issued passes according to the lists provided by the organizations.

In the Saratov region on March 31, a pass system was introduced. Initially, it was determined that passes for working citizens will be issued in paper form with the need for certification in the administrations. On the very first day, this led to queues, as a result, the launch of the access system was delayed. The regional government added the option of obtaining passes electronically. The introduction of the passes was postponed twice more.

On March 31, Tatarstan approved the procedure for issuing permits for the movement of citizens. Permits are issued using an SMS service: first you need to register and receive a unique code, then submit a request for each movement. The decree defines the cases for which permission is not required. For working citizens, a certificate from the employer is provided. After the launch, changes were made to the service: on April 5, the list of data required for registration was limited, and on April 12, the interval between the issuance of permits was increased to combat abuse of the system.

In the Rostov region, the requirement for the issuance of certificates to employees of organizations continuing to operate during the epidemic was introduced on April 1 by Governor Vasily Golubev. On April 4, control over cars at the entrance to Rostov-on-Don was tightened, which led to many kilometers of traffic jams. On April 7, Rostovgazeta.ru reported that the regional authorities are considering the possibility of introducing a "smart pass".

In the Nizhny Novgorod region, the control mechanism was approved by the decree of the governor Gleb Nikitin on April 2. An application for a pass is made using the service "Card of a resident of the Nizhny Novgorod region" on a special website or through a mobile application for Apple devices, as well as by calling the help desk. After considering the application, the applicant receives a pass in the form of a QR code for a smartphone or an application number. For legal entities, there is a procedure for issuing confirmations that they can operate on non-working days due to the epidemic.

On April 12, against the background of the creation of various digital solutions for access control at the regional level, the Ministry of Telecom and Mass Communications of the Russian Federation launched the federal application "State Services Stopcoronavirus" (available for Apple and Android devices) in a test format. According to the ministry, the application can be adapted to the conditions of a specific region, except for Moscow, where a different solution is in force (see above). Without the relevant decisions of the regional authorities, the application of the Ministry of Telecom and Mass Communications is not obligatory. The first region where this solution will be used will be the Moscow Region - Governor Andrei Vorobyov announced this on the evening of April 12.

Will the state protect personal data?

Commentary by information security specialist Ivan Begtin

The European approach in trying to accommodate legal requirements for data protection is generally correct. The EU pays more attention and resources to these issues than in Russia. But we must understand that no one is protected from the problem of data leakage, primarily due to the human factor. There have already been precedents, for example, voter data leaks in Turkey, cases with private companies. Now, when systems are created on the run, I would not rule out such a possibility. With the data of "Gosuslug" this has not yet happened, but, perhaps, everything has its time.

The reasons may vary. Let's say the lack of security of a database that is remotely accessed. Hackers or security specialists can detect this and get all the information. There are special services Censys and Shodan that are used to search for such technical vulnerabilities.

Another option is when the data is misused with direct intent. That is, people who have access to databases use this to extract benefits.

It makes sense to monitor different services for "breaking through" people. In Russia, for example, there are about five such services that offer a service for checking people

That is, it is not necessary that the entire database will be merged, but persons who have remote access to it can "punch" people and sell this information. This can be done by civil servants, contractors who participated in the creation of these systems. That is, people who have access to them. In Russia, this is quite common: if you search the Internet for "punching" services, you can find a lot. Often this is data from the Ministry of Internal Affairs, the traffic police, the Federal Migration Service and other government organizations.

Fears that the state may maintain the infrastructure of control over citizens are not unfounded. In principle, everyone who collects data does not want to part with it. The same is with social networks: if you get there, then, most likely, information about you still remains there, even if you deleted your account. Public services have a very wide interest in collecting data about citizens and will take advantage of the current situation. At the same time, they, including under pressure from public organizations, publicly undertake to delete the data after the end of the pandemic. But all the same, the motivation for preserving this infrastructure is very high on the part of government agencies.

Why is this happening?

To ensure control over the spread of the epidemic, government agencies in different countries are acting in a similar way: they are expanding their tools to track the movements and contacts of citizens. Such additional measures go beyond what is considered acceptable in ordinary times, but these actions by governments have met with little resistance from citizens. This can be explained by the concept of policy securitization.

Securitization is a term originally coined by the Copenhagen School of Security Studies Barry Buzan, Ole Wever and Jaap de Wilde. In their 1998 book, they define securitization as "an action that takes politics outside the established rules of the game and presents the issue as something above politics." Securitization begins with an actor (eg, political leader, government) using terms related to security, threat, war, etc., within ordinary discourse, and the audience accepts that interpretation. The success of a securitization consists of three elements:

the use of "security grammar" when presenting a question - that is, at the language level, presenting it as an existential threat (in the case of a coronavirus epidemic, this is, for example, the use of militarized vocabulary and comparing the fight against the one row with the historical trials of the country);

the actor has significant authority so that the audience perceives his interpretation and “intrusion into discourse” (the country's leadership, medical professionals, WHO);

the connection of the current threat with something in the past that really posed such a threat (the experience of previous epidemics, including historical ones, for example, the plague in Europe, contributes to the perception of the current epidemic as such).

The global attention to the coronavirus problem also serves as an example of securitization: polls in Russia and other countries show an increase in fears about the epidemic.

Societies accept the interpretation of securitization actors, thereby legitimizing a departure from the usual rules to combat the threat, including introducing special digital controls that typically violate our privacy rights

From a crisis management perspective, securitization has clear benefits. The introduction of emergency measures can speed up decision making and implementation and reduce the risks posed by the threat. However, the securitization process is associated with negative consequences both for the public administration system and for the whole society.

First, the introduction of new emergency measures reduces the accountability of the authorities. During a crisis, the instruments of civilian control, including over new security measures, may be limited or simply not yet built. Lack of accountability increases the likelihood of both accidental error and deliberate abuse by rank-and-file officials. An example of this is the violations by American intelligence officers, which are known thanks to the leak organized by Edward Snowden. Using digital control tools that fell into their hands, a number of NSA employees used them to spy on their spouses or lovers. In addition, during the same period, the FBI abused access to NSA data concerning American citizens, in many cases without sufficient legal justification.

Secondly, the securitization of any issue is fraught with the risk that some of the measures introduced on an emergency basis will not be canceled immediately after the end of the crisis period and the normalization of the situation

An example of this is the Patriot Act, passed in the United States in October 2001 after the 9/11 attacks, which expanded the government's ability to spy on citizens. The terms of action of many provisions of the law were supposed to expire from the end of 2005, but in reality they were repeatedly extended - and the law with the amendments has survived to this day.