Is there a dark side of digitalisation?

Digitalisation, or digital transformation, is a stated priority of all countries in Central and Eastern Europe. But as they move sensitive data to the cloud, new threats emerge both to privacy and civil liberties. Are governments doing enough to protect their citizens?

Late June is a significant time for Serbian eighth graders as they undertake the graduation tests that, together with their GPA, will determine their high school placement. True to its stated commitments, the Ministry of Education had digitalised how pupils could check their results after taking the test.

Brute force

But, adding to the long list of worries around graduation this year was a fact discovered on the Serbian portion of the popular social website Reddit — the database at the Moja Srednja Skola portal (My High School) was vulnerable to a simple “brute force” attack. The website used eight-digit codes to identify the children — enter your code and get your data.

However, due to improper security measures, the white hat hackers of Reddit discovered it would be possible to create a script that would simply cycle every possible eight-digit combination thus revealing personal info of the children — their names, the school they attended, their grades, and their graduation test results.

Privacy advocates from the Belgrade-based privacy watchdog SHARE Foundation pointed out to local media that leaks like these could potentially cause discrimination later down the line if an employer would have access to the data.

To make matters worse, it’s not the first time that private info was (potentially) leaked through official government websites.

Clumsy digitalisation

As Danilo Krivokapić, director of SHARE Foundation, points out, there were at least two similar cases before.

In 2014, the personal information of more than five million Serbian citizens (including the unique citizen numbers) was publicly exposed, and downloaded multiple times due to a misconfiguration in the web servers of the (now defunct) Privatisation Agency. It was a big blow to the very notion of personal data protection in the country; the newly adopted procedures and laws had failed to stop a massive leak.

More recently, the username and password to access the government Covid-19 information portal was left exposed publicly on the website of a hospital.

“Clumsy Digitalisation is what we often see when governments try ‘techno-solutionism’ which is relying on technology to solve complex social problems which are sometimes deeply rooted. The ‘Digital State’ becomes portrayed as a sign of the government’s success instead of making citizens’ lives easier. In these circumstances, we have cases such as the ‘My High School’ website, which practically leaked personal data of one entire generation of students, who can be profiled at any point in the future,” says Bojan Perkov, a policy researcher at the SHARE Foundation.

In general, digitalisation is a good thing. Some countries in the emerging Europe region have gone farther than others, and it seems that in due time the days of waiting in long lines at various municipal and state institutions will be finally over.

Yet, SHARE Foundation’s Krivokapić points out that for all the good that digitalisation does, there are negative aspects as well.

“The very fact that you’re multiplying, centralising, and amassing data creates new risks, from both external and internal factors,” he tells Emerging Europe.

Bad actors

Such risks are many as any database that is connected to the internet could be attacked by bad actors such as hackers. Recently, the Ukrainian defence ministry said Russian hackers had attacked the website of the Ukrainian Naval Forces and published fake news about the international Sea Breeze 2021 military drills.

In June, top Polish government officials were hit by a far-reaching cyber-attack allegedly conducted by Russia. In early July, the email accounts of about a dozen members of parliament were hacked recently, which the Polish counter-intelligence called one of the biggest cyberattacks on the country in recent years.

Cybercriminals also use other tactics such as “phishing” where fake but convincing emails can lead people to disclosing their login info.

“There are a lot of reasons why cases like these happen, and raising awareness and educating people who are parts of the state system is one of the priorities so that cases like these don’t happen. However, it should be acknowledged that states are in an unenviable position when it comes to retaining quality experts. This is especially true for IT experts which can often earn several times more in the private sector with significantly lesser responsibilities,” Krivokapić points out.

Gytis Trilikauskis of the Lithuanian cryptocurrency anti-fraud start-up Lossless confirms that when it comes to cybersecurity, governments have to up their game.

“Governments in the CEE region are way behind the private sector, in some region countries, the public sectors’ understanding of the cybercrime threat is virtually non-existent, elsewhere the knowledge is sporadic and may be dependent on individual civil servants or administrative unit’s competence, rather than on policy or framework level. Probably proper attention will be paid only when national security will be directly threatened by cybercrime or other forms of online exploits,” he tells Emerging Europe.

In Poland, at least, this seems set to change. At a recent press conference, the Polish PM Mateusz Morawiecki announced a new anti-cybercrime bureau to respond to cyber-attacks.

Bad governments

Hackers and negligence are only one part of the problem of cybersecurity. What happens when governments themselves misuse data? Thousands of Huawei smart cameras in Belgrade are still shrouded in mystery. In Hungary, reports have surfaced that journalists and lawyers may have been targeted with the Pegasus spyware.

Across the region, biometric surveillance has taken root, and this is worrying privacy and digital rights advocates.

“Biometric surveillance creates the possibility for governments and companies to monitor, track and ultimately control people on a scale and at an intensity that we previously could never have imagined. Unfortunately, these dangerous practices are prevalent in most European countries,” says Ella Jakubowska, a policy advisor at the European Digital Rights (EDRi).

She adds that while in the EU there are laws meant to protect citizens — the General Data Protection Regulation and the Data Protection Law Enforcement Directive — they don’t go far enough to stop the deployment of biometric surveillance systems.

“In Poland, Slovenia and Czechia, for example, the EDRi network has exposed examples of police forces abusing people’s biometric data in collusion with private companies,” Jakubowska tells Emerging Europe.

Jakubowska further warns that countries in the region that are not EU members have even less protection.

“In non-EU countries without an equivalent data protection framework, there will be even less to prevent states and corporations from unjustifiably intruding into our faces and our lives. Our work has clearly shown that there is no such thing as benevolent biometric mass surveillance. These practices are designed to violate our privacy, our right to data protection, our dignity, and they are working exactly as intended,” she says.

Getting the basics right

Digitalisation is changing how things are done across the region and is set to keep doing so. As more and more data is online, and as more and more data is generated by various sources including mass surveillance, governments will have to navigate an increasingly complex landscape fraught with many dangers.

Where to start in the protection of all that data?

“Probably the most obvious yet good starting step is setting a standard on how to store passwords and manage access to account information — personal or business. It can help maintain the integrity of the network and leave user databases intact […] All one requires is a proper encoding system, secure storage space, and a hierarchy of whom can access different tiers of information,” concludes Trilikauskis.

Unlike many news and information platforms, Emerging Europe is free to read, and always will be. There is no paywall here. We are independent, not affiliated with nor representing any political party or business organisation. We want the very best for emerging Europe, nothing more, nothing less. Your support will help us continue to spread the word about this amazing region.

You can contribute here. Thank you.

emerging europe support independent journalism