How will the amendments to the law for law enforcement authorities affect citizens and businesses?
Siarhei Varankevich shared his expert opinion with Dev.by on the reasons why malware is a problem even in the hands of special intelligence agencies. The issue was prompted by amendments to the Law on Operative-Investigative Activity of the Republic of Belarus.
Nothing new about remote access to computers?
The amendments to the law “On Operative Investigative Activity” (OIA) were received with caution: some read them as granting operatives a right to remote access to citizens’ computers that had not existed before, while others linked the amendments to the political crisis and imagined malware being pushed onto the gadgets of protesting citizens.
Dev.by, together with a lawyer, compared the amendments with the current law and found nothing revolutionary in them in terms of remote access and means of covert recording. “It’s more like a clarification of what existed before,” the lawyer explained.
Former investigators believe there is no connection with politics here. “Most likely, it is a consolidation of the established practice,” the former investigative officer suggested.
Alexander Sushko, a former employee of the Investigative Committee and a cybersecurity expert, acknowledged that the wording needed to be clarified to rule out problems when the prosecutor’s office sanctions operational measures.
And he noted that special software for catching criminals is used all over the world.
– Criminals conceal their coordinates, so law enforcement agencies in many countries send them malware on phones and computers, which can be used to identify the real IP address of the person. The aim here is not to collect data, but to find the person. My opinion is that the amendments are not connected to the protests, it’s just coincidental. It is possible that the process was set in motion a long time ago. I don’t think that this would make someone in Belarus free: if the law enforcement officers wanted to take something, they would come and take it during a search or seizure. It is already known who is where. It may be difficult to find the administrators of the Telegram channels, though.
And here is how the amendments are interpreted in the House of Representatives: the emphasis there is on the sale of drugs via the internet.
But regarding access to databases, something important seems to be missing
In the meantime, the law contains innovations that may have implications for business, believes Siarhei Varankevich, a certified information privacy specialist (CIPP/E, CIPM, FIP) and a consultant on the GDPR.
The article in question is Article 15 – “Rights of the agencies involved in operational and investigative activities”.
The fifth and sixth paragraphs are amended:
“to create and (or) use databases (records), information systems, means of covert obtaining (recording) information and other means in accordance with this Law and other legislative acts;
to obtain information from databases (records) and information systems through remote access and (or) on tangible media from the organizations that own such databases (records) and information systems free of charge in the cases established by legislative acts and in the manner prescribed by legislation.”
What is new in the fifth paragraph is the right to create and use means of covert obtaining of information, which include software.
In the sixth paragraph, the clause “in accordance with agreements between law enforcement agencies and organisations which own such databases (records) and information systems” has been removed.
So, law enforcers can now create malware themselves and obtain information from the databases of any company, regardless of whether an agreement with that company exists.
Why malware is a problem even in the hands of intelligence agencies
Here’s what Siarhei Varankevich thinks about it:
– Operatives used to have the right to use means of covert information collection (“bugs”, wiretaps, software), but the right to create it was not stipulated. In my opinion, the addition of the fifth paragraph is a cosmetic amendment that is not that significant for ordinary citizens. Developing such tools requires budgets and expertise, which either commercial organisations or hackers have. Government agencies are usually extremely ineffective at creating such tools.
Many intelligence agencies have malware, including in democracies. The problem is that this software and the vulnerabilities found with it do not stay in the hands of law enforcement officers for long. Despite elaborate information protection measures, they leak out, are broken from the outside, are taken away by their own employees, and are eventually simply lost.
Three years ago there was a big scandal: a malware base was downloaded from internal, highly secure US intelligence systems. The NSA was building a pool of malware, in particular viruses that allowed them to gain control of smart TV cameras. At first, they used these viruses for their purposes, and then they lost them and hackers started using them. And the developers of the licensed software, which was exploited, did not immediately learn about these vulnerabilities.
The problem with all public (and private) systems is that it is only a matter of time before data is leaked. If any system turns up a massive amount of personal data or a valuable set of hacking tools, it will sooner or later end up in the wrong hands – no government agency in the world is immune to this. The rule of thumb that many governments have adopted from this is not to put everything in one pot, to leave the information distributed across the different information systems of different government agencies. Also, either not to develop, or to develop in limited amounts, the kind of vulnerabilities or tools that can cause great harm – and certainly not to accumulate them in one place.
What’s wrong with the database access amendment
While the fifth paragraph does not change anything fundamentally, the sixth paragraph – remote access to databases – is a problem.
It may affect every Belarusian, not even in terms of becoming a subject of Operative Investigative Activities, but in terms of damage to the economy of Belarus.
The clause “in accordance with the agreements” is missing. In other words, the law enforcement agencies may demand access to the databases of any organization and we do not need any “extra bureaucracy” in the form of agreements. This opens up Pandora’s box.
Around the world, it is primarily the databases of telecommunications companies that are of interest to law enforcement agencies. This is metadata about phone locations, calls, call duration, etc. Transport companies such as airlines, bus, and rail carriers are often monitored as well.
I do not know how exactly this is arranged in Belarus, such agreements may already exist. But now the circle of these organisations, which willingly or unwillingly give access to their databases, may expand to unexpected dimensions.
For example, apps designed not in accordance with privacy standards often ask for much more information than they need – sometimes asking for access to SMS, emails, Google Drive, and other cloud storage. For example, a carsharing app can inform the operator of your location even when you are not driving. Law enforcement can access this information.
If the circle of such companies is wide enough, it will create prerequisites for the creation of a black market of personal data in Belarus – like in Russia. Attackers will become more “successful” in social engineering: it is easier to gain a person’s trust when using information about their trips, purchases, phone calls.
Why should the market be ‘blackened’ by the transfer of data to law enforcement agencies?
Because it will be much easier to expand the range of companies whose databases are accessible. If a company has a weak negotiating position, it opens up access to its databases without being able to monitor either the amount of information that is uploaded or which of its users are of interest to law enforcement. Because of this, there is a growing temptation for officers to ‘convert’ information into money by abusing their official duties.
The extension of access to various databases does not help to fight crime but corrupts officials.
Russia is a prime example. In Navalny’s poisoning investigation, as you may recall, airline ticket details were obtained. And the “collection” was most likely not done through the airlines and their employees, because the group may have flown on different airlines. The information was leaked from one point. And at what point is all the information collected, which employees have access to all the databases? The possibility of quick and covert access to information about the lives of citizens raises the market price of such a service, and as a result, is a big incentive to violate official instructions.
In Ukraine, by the way, law enforcers have much less access to organisations’ databases by law. And while Ukrainian law enforcers have no fewer problems with corruption, the black market is less developed there. Ukrainian corrupt officials simply cannot offer the same amount of information as the Russian ones.
There is a general principle of European law that Operative-Investigative Activity must be carried out on a separate warrant or court order for a specific person. On the other hand, the practice of large-scale access to the databases of technology companies exists in the United States. And the States have just recently been affected by this: since law enforcement agencies had access to databases for mass monitoring (for example, the behavior of Facebook users, Twitter), the Court of Justice of the European Union (the highest court in the EU) has recognized as illegal the agreement in force between the EU and the USA, under which about 5000 American technology companies could process data of European users on their servers in the USA.
This is a huge blow to US and European businesses: as a result, it is difficult to transfer European data for processing to contractors and to use US cloud providers.
Why Amazon is not coming to us
There was some talk that Amazon (Amazon Web Services – AWS) was going to come to Belarus, the company supposedly wanted to locate a data center here, because Belarus has a wide connection channel to Russia. This would give more computing power, jobs, and taxes. But that’s not going to happen with these regulations.
If AWS came to Belarus, law enforcement agencies with such a law would have an opportunity to “connect” not only to Belarusian data but also to the personal information of residents of other countries. Maybe it would be a citizen of Belarus, or maybe Joseph Biden.
International companies will not take that kind of risk.
It is true that the previous wording of the law also made it difficult to enter the market and host servers here. Now the problem will only worsen. Belarusian companies used to have at least one answer to the questions of their European partners or the EU supervisory authorities: for example, “Personal data is under our protection because we have not signed any agreements with law enforcement agencies and will not do so”. Now even such an argument is no longer available to businesses.
Therefore, companies providing services to European businesses in the area of analytics, Big Data or machine learning (for which databases with personal data are needed), or developing their products for European consumers, would be better off registering a legal entity in another country and registering databases for it. And not only to register but also to physically host them outside the country.
Simply locating information on facilities abroad is not the answer. If you are a Belarusian company and place your database, for example, in Germany, you will still be legally obliged to provide access to it to the Belarusian authorities. But in such a case, you are in breach of the GDPR because you are not guaranteeing your European users the appropriate level of protection of their personal data.
So the Belarusian IT business will have problems in terms of GDPR?
Not all of them, but for those that work for the European market or provide outsourced services to European customers (and for those who give them access to their databases as part of their contracts), the risks are exacerbated.
But widespread access to databases may also have long-term consequences. If people start to realize that every action they take in a Belarusian app or online shop (even using a discount card at the checkout) is accessible, some of them will stop using services and purchases. As a consequence, fewer purchases, less chain revenue, fewer taxes, etc. Will you install an app that shows you the nearest pharmacies and cafes if you know that your geolocation could end up in the hands of law enforcers and then the black market?
It’s a matter of trust. Before GDPR was introduced, the Europeans calculated that every year €60 million is lost to the EU economy because of consumer distrust. A person wants to buy an item on a website and they are asked for their address and phone number, so they refuse to buy it. Strict rules were introduced, inter alia, to restore confidence in e-commerce. But we are going in the opposite direction – we may undermine not only the export of digital services but also the trust of our citizens in electronic services.