Monthly Archives: July 2016

Database with non-anonymized judicial decisions available online

[Image: Riigi Teataja anonymization failure]

Estonia maintains a punishments register that lists misdemeanours and crimes for all people, for the benefit of potential employers, for instance. Then there is a judicial decisions database where expired crimes can often still be detected. In these two, names and other data of victims and witnesses are almost never found, the occasional typo excluded. It turns out there is a third database with judicial decisions prior to 2006. It has glaring personal data protection problems, as it holds details of entire criminal acts as well as names of criminals, victims, witnesses and experts. At times, names of close relatives are included, and home addresses at the time.

Estonian Data Protection Inspectorate PR adviser Maire Iro agrees and says the people responsible for the State Gazette (Riigi Teataja) database have repeatedly been notified of the problem. Justice ministry press representative Maria-Elisa Tuulik said the data was uploaded pursuant to old legislation, and that people had the right, and still do, to apply to the relevant courts for removal of their data in such instances. Ms Tuulik admits people might have difficulty doing that and have insufficient knowledge. She cites the excessive amount of manual labour required to sort out the data. They may thus take it all offline, as public interest is waning anyway with the passing of time.

For some of the decisions State Gazette has tried to anonymize personal data, but using ineffective technical means (see picture above).

Links:
http://news.postimees.ee/3762007/the-national-victims-register
https://www.riigiteataja.ee/kohtuteave/kohtulahendite_otsing/kriminaalasjad.html
https://www.riigiteataja.ee/docs//public/dokument_279468.pdf

Privacy concerns over fingerprint collecting from e-residents

Biometric data of all individuals who have applied for or own Estonian identity cards, irrespective of whether they are national identity documents or digital identity documents meant exclusively for e-identification, are stored in a digital database, archived and retained for 50 years (in the case of e-residency, this is done to avoid conferring duplicate identities to one person).

From the perspective of e-residents, this is immaterial — the digital identity documents issued do not serve as travel documents, as has been established above. Nevertheless, due to the fact that under the Estonian Identity Documents Act the term “digital identity card” denotes both the e-IDs of nationals as well as e-residents’ e-ID cards, the requirement of biometric identifiers also applies to both.

Drawing on the aforementioned, the authors of the given chapter claim that the failure to differentiate between the two types of documents leads to unnecessary collection of biometric data that is in contradiction with the Data Protection Directive Article 6 principles of purpose and proportionality.

Biometrics as security technology cannot be “thrown in” for good measure, as Estonia seems to have done, without proper analysis of risks for the protection of fundamental rights and freedoms, not considering whether the purpose to be achieved could not be achieved by less intrusive means.

The practice is indeed questionable, since when an EU citizen applies for Estonian residency, the objective of “avoiding conferring duplicate identities to one person” is achieved by less intrusive means, without fingerprints being collected.

Links:
http://link.springer.com/chapter/10.1007%2F978-3-319-26896-5_4

Kapo ex-employee convicted for allowing access to state secrets

A former employee of the Internal Security Service (ISS) was given a prison sentence for enabling illegal access to state secrets, spokespeople for ISS said. The man had taken home confidential documents.

The verdict against Aleksandr Gontšarov, 54, entered into force on Wednesday. Gontšarov, who had retired five years ago, was detained on Jan. 6 and taken into custody two days later. He admitted his guilt during the pre-trial investigation.

The first-tier Harju County Court found him guilty of enabling illegal access to state secrets and sentenced him to two years and four months, six months of which were to be served immediately and the rest not required if he did not commit a new offense within a probation period of two years and six months. Gontšarov didn’t appeal.

Gontšarov had worked in different positions in the security police between 1994 and 2011. In September 2011 he took home various documents and data storage media that were in his hands in connection with his job. He kept them in the apartments he owned in Tallinn, thereby allowing the materials to be unlawfully accessed by persons not cleared for access to state secrets.

The wording suggests that Gontšarov did not deliberately leak state secrets to third persons. The question then is who the persons were that got access: random relatives of Gontšarov or Russian intelligence officers?

The KAPO annual review 2016 mentions the case:

According to the court judgement, before leaving employment in September 2011, he took documents and data media containing state secrets, which he had in his possession for work-related purposes, out of the Internal Security Service’s secure area. He kept them outside of the secure area, in the apartments he owns in Tallinn, thus enabling unauthorised people without a need to know to have illegal access to state secrets.

It also provides a picture of boxes full of Estonian state secrets lying about the household of Alexander Goncharov:

Links:
http://news.err.ee/v/news/0df30636-2772-459e-9f1f-2d7147d5efe2/ex-iss-member-convicted-for-allowing-access-to-state-secrets
https://kapo.ee/sites/default/files/public/content_page/Annual%20Review%202016.pdf