On 31 March, the National Assembly adopted in full, in the second reading, the package of drafts proposed by the Government, which envisages using telephone data to obtain information on the movement of people infected with coronavirus or placed in isolation. Iravaban.net talked to OSINT (open-source intelligence) expert and former cybercrime investigator Aleksan Tserunyan about the draft.
– Many equate this with wiretapping. Is this observation correct?
– The new regulation on the legal status of the state of emergency of the Republic of Armenia allows not only the receipt of information on the movement of people who have coronavirus or are isolated, but also, in general, in all cases when a state of emergency is declared on the basis of an epidemic, the receipt of certain information about subscribers from the operators, their location, etc. In other words, the scope of the law is wider and not limited to the coronavirus epidemic.
As for the main issue, I would like to point out that it is not right to assume that we will be classically wiretapped; moreover, Part 4 of Article 9.1 of the mentioned law directly prohibits recording telephone conversations and voice messages or fixing them in any other way. More specifically, there is no control over the content of communication.
– How and by what means does the government plan to receive information about the movement? What measures are available?
– After the relevant amendments and additions to the RA Government Decision 298-N of 16 March 2020, it is envisaged that all mobile operators operating in the Republic of Armenia should transfer to the “Electronic Management Infrastructure Investment Office” CJSC data center the data needed to find out the location of the subscriber.
The mentioned data are, in fact, the data on the station serving the specific subscriber. The operator of the connection always knows where his subscriber is and in which station's service area he is, otherwise it would not be possible to make and receive phone calls. For example, if the subscriber is in Republic Square, his mobile phone is serviced through the station of the given area, although there are cases when the subscriber is served by a station farther away. Logically, it is through the service areas of these stations that the person is determined, and in the sequence of stations, his movement. In my opinion, this method does not make it possible to find out the exact location of the person.
– In other words, the adopted law will not be effective.
– The regulations provided by law are, in fact, effective. The most important question is whether they can be effectively implemented in practice or not. After reading the changes envisaged by the law, one should ask how this or that action should be done technically. If knowing the location of the subscriber allows you to make the situation more manageable in practice, then the means are effective. At the same time, it should be borne in mind that many subscribers use phone numbers registered with other people’s data, another group of subscribers will turn off the phone, and yet another group will not take the phone with them, and these are problems. The effectiveness of the law and making the situation manageable directly depend on the team that should receive and process the data on the subscribers and their phone calls.
I would be happy if at some point an objective report confirming or refuting the effectiveness of the mechanism introduced were published, but in case of failure they are usually silent.
– What are the risks of this process? Can that information be made available to a third party?
– I will try to answer the question from the point of view of law and information security. If we assess the risks from the point of view of law, it should be borne in mind that the prescribed regulations may in fact limit such constitutional rights of a person as the right to privacy of individual and family life, freedom and privacy of communication, and protection of personal data. More practically, this means that the state gets the opportunity to find out the location of the subscriber, the phone calls between the phone numbers, their data and the identity of the subscribers. Naturally, a certain group of people will be involved with this data and will have the opportunity to get acquainted with its content, to know who called whom, when they called, and what the status of the phone call was. Simply put, the developer has the opportunity to know the scope of the person’s contacts, but I can’t say how much it will serve the real purpose.
If we try to assess the risks from the point of view of information security, it should be noted that Part 3 of Article 9.1 of the RA Law on the Legal Regime of the State of Emergency stipulates that the data can be transferred to third parties, but it pursues a specific goal: to prevent the spread of epidemics, etc. And for what other purposes can a third party use the information? I think at least for the sake of interest he can keep the data about the phone numbers and their subscribers. In addition, big data is always the target of various cyber attacks. The system may not be vulnerable, but the human factor is always taken into account by hackers and used effectively.
In my opinion, there is a risk that this data, in addition to third parties, may become known to fourth or fifth persons. No matter how much data is processed automatically, it is impossible to exclude the human factor in the process. It should be borne in mind that information leaks regularly occur even from such serious companies as Facebook and Google, which spend huge resources on information security.
Yevgenya Hambardzumyan