Albanians' data made public, Experts: National security has declined, the "patronageists" scandal was not investigated

Author: Denis Tahiri

Over the past three days, personal data has spread virally, calling into question the security of the institutions responsible for guaranteeing it. The scandal started with the publication of the January 2021 list, which harmed about 637,138 citizens: their unique identification code, first name, last name, place of work, salary, the number of jobs they are registered in, whether part-time or full-time, and the NIPT of the company where they work were published. On the second day, the scandal was repeated with the publication of another list, for April salaries, where the Excel list contained 60 more names than the first list. Amid accusations and political recriminations, the third day brought another blow for more than 530 thousand citizens: in addition to their surnames and ID numbers, their license plates and the cars they own were published.

Institutions that avoid responsibility

The National Information Service Agency, the Social Security Institute and the General Directorate of Taxes are under the prosecutor's watch for abuse of office, but each of them avoids responsibility. Employees of these institutions are being questioned hour after hour by judicial police officers, although each of them, according to sources, points to their own duties and responsibilities and deflects blame. The scandal has erupted while another file remains open, that of the "patronageists", in which nearly 1 million citizens found their names in a detailed list where, next to the name and the identity card number, a supervising person also recorded the observed citizen's political affiliation. At that time, under suspicions that there could be corruption in the elections, the Special Prosecutor's Office against Corruption and Organized Crime declared that it had immediately started investigations. But apart from questioning media representatives, SPAK avoided the political party figures whom every journalist named as the source of the data published in the list of "patronageists". For SPAK, the Commissioner's administrative investigation was sufficient.

The decision declaring lack of competence, which "SINJALIZO" has made available, shows that on September 30 the "patronageists" case, signed by prosecutor Enkeleda Millonai, was forwarded to an ordinary prosecution office. The conclusion from the investigations is that the data was misused by internal employees.

"What so far relies on the administered evidence has to do with the fact that there is a suspicion that employees who have access to the state database may have misused the attributes provided to them by the regulatory legal framework, acting in excess of the authorization to access a computer system or a part of it, by violating the security measures. For this reason, it is estimated that it is necessary to proceed with the change of the legal qualification of the criminal offense, from the one for which this criminal proceeding was registered, specifically from Article 328 of the Penal Code", is written in the decision to remove the file from the local prosecutors.

Everyone found the institutions responsible, but there was no reaction

In parallel with SPAK's investigation, the Commissioner for the Right to Information and Protection of Personal Data "investigated" administratively, but without being able to establish where the data could have come from. A decision released on August 19, 2021 sets out which parties were involved in this investigation and the measures taken against them, which included not only recommendations but also fines. However, the violation of the law found by the KPDI still remained without an identified culprit.

To this day, even though many experts described the publication of the data in the list of "patronageists" as a breach of national security, no one has been held responsible before justice. A few hours after the database was made public, with the list of payments, the institutions where people work, the positions they hold and the personal identification numbers of 637 thousand Albanians, the Commissioner for the Right to Information and Protection of Personal Data officially declared that he had started an administrative investigation.

"The Commissioner's Office has started the work to secure this database and to identify possible violations, in order to exercise the legal obligation and perform the necessary actions for an administrative investigation mainly (on its own initiative) on this matter", it is stated in the official announcement of the Commissioner.

But the commissioner publicly insisted on the show "Open" that these events happen all over the world, and even added: "You have probably heard of Cambridge Analytica, which is one of the biggest world scandals that has happened with the misuse and illegal processing of personal data of American and European citizens". Despite the example brought by the official, the guests reminded him that the Cambridge Analytica case concerns the breach of a private contract (the Facebook scandal) and not the release of data from state databases.

On the other hand, just a few hours later, the prime minister was live apologizing to the Albanian citizens for the release of their data, and explaining to the journalists that there would be no resignation. Another database was published, which included not only the salaries for the month of April, but also phone numbers, father's name, and all the other data that the first database also contained.

And while even this scandal is turning into a meme campaign, with the majority of citizens not understanding the real danger they are exposed to, the task remains with the Tirana prosecution office, which has started the investigations. ACQJ sources indicate that finding the people who made it possible to withdraw this information is almost impossible due to the lack of capacities in the field of cyber security. The big question already being raised by experts in the field is whether the suspects hold other personal data that they have not published.

What do we risk?

The published list includes key positions, starting from the Ministry of Defense, the Ministry of the Interior, SHISH, the Army and many institutions of particular importance, so that the security of the country has practically been compromised. Experts in the field tell ACQJ that national security has been compromised.

Assoc. Prof. Ervin Karamuço, professor at the Faculty of Law, says that we are dealing with a serious violation, since the published personal data include those of private citizens and not only of public persons, whose personal data are often public because of the declaration of wealth; but even then, unauthorized publication is a violation.

"The problem does not lie only in the fact that the data has been published, but the one who has access to this data can manipulate this data", says the professor, who brings a concrete example where citizens have refused to provide their data to the state. "This is the reason that in Great Britain citizens refused to give their biometric signs, because they said that in special cases, a hack and our traces can be placed in certain places, we can bear certain responsibilities and so on", he adds.

Even the former head of the State Information Service, Fatos Klosi, qualifies the publication of these data as a breach of national security, while regarding the risk of identifying SHISH officials, he says that they are vulnerable people anyway. "Those in conflict with crime are, with terrorism, it is not good for them. In small towns, they are identified over time, the people who enter and exit the SHIK offices every morning are known. Whoever is interested finds out, they are not anonymous, anonymous are the collaborators, etc.", he says, adding that it is important that "the informants have not been identified, even in SHIK only those people who have connections, the director of SHIK knows them, he only knows them with pseudonyms".

Fabian Zhilla, security expert and lecturer at the "Canadian Institute of Technology", says that the problems related to these data are on several levels.

"There are two problems related to these data. These data contain bank data, working hours, workplace. Bank data can be used not only for buying and selling, but also to steal the income they have in the bank, but also to apply tomorrow for loans and other things", he says, adding that for specific subjects, this problem can go as far as violating national security.

"The other part that is more problematic is the blackmail that can be done through bank data. It can also be used for blackmail as it also matters who the subject is being blackmailed against. If we talk about officials at levels related to national security, this opens up other problems that go beyond the personal level, but that affect national security", he concludes.

Experts point the finger at AKSHI, the prosecution investigates Taxes

No more than a few hours after the scandal was published, the prosecutor's office of Tirana started investigations. Sources from the Tirana prosecutor's office said that the Tax Directorate is currently at the center of the investigation, as the published data are directly related to this institution; if it turns out that they came from the tax servers, those servers will be seized and subjected to an expert examination to verify who withdrew the data. But the prosecution refutes the suspicions that the first person who entered the system and retrieved the Excel data from there is a Tax employee, whose name was made public. "It is certain that this shared information has internal collaborators and the system has not been hacked", says an expert in the investigation of cybercrimes at the State Police for ACQJ, anonymously.

But for Gentian Progni, an IT expert, the institution from which these data originate is AKSHI. "The main problem is that everything is collected in AKSHI. This means that the IT of a Ministry is certified in ANA to start work and at the same time all data is collected in ANA. The first institution that has fallen is AKSHI and I don't know what all the leaders of AKSHI are waiting for to resign, since this data is collected only in AKSHI", he says, adding that these are data that have come out from the inside. Asked if these data could have come from Taxes, he says that it is impossible.

"No one can know that Gentian Progni works in this institution with this ID and this NIPT. These are data collected in AKSHI. There is no chance that this data can come from Taxation. Even Taxes, AKSHI has its own servers. So, if they have left the Tax server, we assume that a query has been generated in the database that mass data has been generated, and if a mass generation is made, an alert goes to the National Tax Agency. It is impossible for AKSHI not to know when such data is collected. The only place where these data can be published are AKSHI and e-ALBANIA", he concludes.

On the other hand, another security expert says that this data should have been fragmented, and that it is scary that in such a database the access given to a single employee is so broad that they can pull large amounts of data.

Experts: All state databases in unknown hands

After the personal data of thousands of citizens was published for the second time, IT experts say that what needs to be done urgently is to change the algorithm that generates personal ID numbers, because there is already a great possibility that this algorithm can be broken.

"The algorithm that generates the ID data is an algorithm that is highly secure. Generating that algorithm from the data that came out is compromised since anyone with a decent computer system can decipher how that calculation is done. So it is enough for 3% of the data to be correct in 1 million inhabitants and the algorithm is found and no more than 1% of the data comes out because they stole almost 1/3 of the data from us", says Gentian Progni, adding that: "Cyber protection and cyber security in Albania is 0. E-Albania is back like Facebook without passwords, write your name and the data will appear. My understanding is that the entire state database is in someone's hands. The database has been compromised, from the evidence of the penalty, the taps, the properties, everything".

Law professor Karamuço describes Albania's cyber security as a national emergency. "I talked to the cybercrime specialists in the Ministry of Defense and the Ministry of the Interior and they told me, we want the private salary and this was proposed to the government only for the reason that there is a national emergency, data theft, data attack, it is a national emergency and this story had to break so that we would understand how fragile this system was", he concludes.

Meanwhile, according to Gentian Progni, it is very difficult to bring the situation under control, as the costs are very high. "To put that thing on the rails is very difficult because the costs are colossal. The contract with the ALEAT company must be terminated and new contracts must be concluded for the restoration of the generation code in a different way, all AKSHI servers must be destroyed and set up from scratch, e-Albania must be set up completely from scratch, a foreign company must be brought in to do system penetration testing, there is a lot of work and high cost", he concludes.

And while the personal data of Albanians is already in the hands of every citizen, the biggest misfortune is that nothing has been done to stop the further distribution of these data and their misuse.