Data security concerns abound over the country’s digital governance reform
One year ago, the Ukrainian government released the revolutionary mobile application Diia (Ukrainian for “action”), a cornerstone of President Volodymyr Zelensky’s campaign promise of making public services convenient and easily accessible via the internet.
The Diia mobile app — and its accompanying online e-services portal — allows citizens to digitize their national ID and biometric passport, personal tax number, student ID, and more, and the digital documents wield the same legal power as the original paper ones. Within a year, Ukraine became the fourth European country to have a digital driver’s license and the first country in the world to have a digital passport.
However, a massive data leak last year has raised concerns about the level of protection around users’ personal information. In May 2020, activists discovered about 900 GB of citizens’ personal data being traded by an anonymous chatbot on the popular messaging platform Telegram. The dataset included passport numbers, personal tax numbers, residence information, driver’s licenses, social media passwords, and even bank details of millions of Ukrainians.
Some public officials accused Diia of leaking data from government registries, while security experts recalled that the Ministry of Digital Transformation had yet to release any security documentation for the app. While journalists and researchers were able to confirm that part of the datasets had come from Ukrainian government registries, no evidence implicating Diia directly has been found.
On the anniversary of its launch, the Diia app boasts over 6 million users. At the same time, IT specialists and digital rights defenders continue to call on the government to consider all of the risks that e-government and digital identification technology carry, as these may potentially undermine the public’s trust.
Digitizing the nation
While the idea of digitizing public services is not new to Ukraine, Zelensky’s is the first administration that has made e-governance a top priority or established a separate ministry entirely dedicated to it — the Ministry of Digital Transformation, headed by Mykhailo Fedorov.
Originally presented in the spring of 2019, the ambitious “State in a Smartphone” program envisioned moving all public services online and providing the majority of the citizens with a means of digital identification. It was later expanded to include goals such as increasing people’s digital literacy, expanding internet infrastructure, and creating favorable conditions for the development of the information technology (IT) industry.
If implemented successfully, the program could help combat corruption by minimizing the interference and arbitrary decisions of public officials, while significantly reducing state bureaucracy.
In addition, Minister Fedorov has proudly noted that not a single hryvnya from the state budget had been spent on the development of the Diia app — its development team comprised 35 volunteers from the well-known software engineering company EPAM Systems. They later transferred the completed product and relevant technical know-how to the state.
How secure are citizens’ data in Ukraine?
Initially, the ministry announced that Diia used BankID technology from several leading Ukrainian banks for user authorization, and that it utilized a secure cloud server for the transfer of encrypted data.
Still, few disclosures were made about the security of citizens’ personal data on the app, and security specialists cautiously noted that not enough was known about Diia’s security testing.
No independent security audit seemed to have been performed, for example — hardly acceptable for technology to which millions of citizens would be entrusting their personal information. In fact, the app’s first public bug bounty program was not launched until December 2020.
The leaks have made clear that the standard of data security at the state level in Ukraine remains inadequate — including a weak legal data protection regime, poor enforcement, and the lack of appropriate protection measures within state institutions themselves. Synchronization of data from various government registries into one portal or app is therefore likely to result in additional vulnerabilities to external attacks.
Moreover, in December 2019, the government granted the Ministry of Internal Affairs the power to verify and aggregate citizens’ data from multiple state registries, providing the law enforcement body with access to data from at least five government registries, including those that handle civil, tax, social security, healthcare and voter information. Alarmingly, the data sharing was to be carried out as a part of an “experimental” process that lacked comprehensive legal safeguards ensuring citizens’ right to privacy.
According to an analysis by digital rights advocates from Digital Security Lab, as of August 2020, the interior ministry had not yet developed a methodology for such verification, but this has not prevented it from gaining access to the vast trove of citizens’ personal data.
Vita Volodovska, a lawyer with Digital Security Lab, concluded:
Whereas in the case of digital display of documents in smartphones, ‘experimental’ access to information is carried out with the consent of users, albeit without full compliance with the principle of legal certainty, the transfer of personal data from state registries to the interior ministry in another experiment, with neither the consent of citizens nor any independent control, contradicts the requirements of current legislation and the Constitution of Ukraine.
The app’s future will likely depend on the state’s ability to ensure that citizens’ data are digitized in accordance with the highest standards of privacy, security, and human rights.