Possible Voters’ Registry Breach Raises Privacy Issues in Macedonia

By EDRi · February 24, 2016

The return to democracy in Macedonia has been marred by the need to solve political and human rights issues. The right to privacy has been at the centre of the political crisis, and state institutions undergoing reform struggle to meet the standards set by the Law on Personal Data Protection.


From February to May 2015, the main opposition party, the Social Democratic Union of Macedonia (SDSM), published excerpts of leaked wiretapped conversations recorded illegally by the Security Services under the direct command of the prime minister’s cousin. These wiretaps indicated mass illegal surveillance and corruption at the highest level of government. In May, a group of experts led by former European Union (EU) Commission Home Affairs Director Reinhard Priebe undertook an inquiry confirming the allegations, and their findings were used by the European Commission (EC) to shape the reform priorities needed to reverse the state capture in Macedonia.

In June and July, the four biggest Macedonian parties forged an agreement in a village called Przhino outlining the steps out of the crisis. The EU and USA serve as mediators and guarantors of the Przhino Agreement, which stipulated measures such as ending the opposition boycott of Parliament, reforming institutions such as the State Electoral Commission (SEC), and forming a new state body, the Special Public Prosecutor, to investigate the crimes that were previously not addressed by the judiciary.

The last stage of this agreement includes “free and democratic” elections, initially scheduled for 24 April. However, since much of the implementation was sabotaged and delayed, the opposition, domestic civil society organizations, and the guarantors issued opinions that conditions for such elections are not met.
One of the keys to such issues is the capacity of the State Election Commission (SEC), both in terms of human resources and legal competences. The SEC was formed with a delay of 5 months, in November instead of June 2015, and by 21 February 2016 it had not been able to “clean” the Voters’ Registry by removing dead and “phantom” voters, who were a major factor in previous elections. The incumbent ruling party Internal Macedonian Revolutionary Organization – Democratic Party for Macedonian National Unity (VMRO-DPMNE), on the other hand, insists on speedy elections.

As the Macedonian government has been refusing to conduct a population census, clear-cut data on the population of the country does not exist. Thus, the cleaning of the Voters’ Registry first involves a comparison of datasets from various state institutions, in order to determine the scope of the anomalies. A lack of interoperability between state institutions makes this task difficult, especially considering that the SEC announced that not enough candidates applied for the IT positions.
In the past, citizens had the opportunity to check whether they were listed in the Voters’ Registry by entering their Unique Master Citizen Numbers in a web application. However, on 10 February 2016, the software developer Kalina Zografska pointed out a critical flaw in the application through a blog post, alerting the public that citizens’ data are available for harvesting to anyone who can write a simple script. According to Zografska, it is relatively easy to scrape the whole Voters’ Registry for citizens’ personal data including names, birthdays and locations.

The SEC closed access to the web application on the same day, at first claiming it was “due to internet connection problems.” As a result of a follow-up inquiry one week later by the Independent News Agency, the SEC admitted that the application is closed “due to security issues,” without providing details.
The quick reaction to public scrutiny indicates the new SEC’s awareness of their obligations as data controller under the Personal Data Protection Law. The role of international community monitoring has been crucial in preventing the abuse of state power. The next several months will be crucial for reversing the backsliding of democracy in Macedonia, a candidate for EU membership, which has been noted in the EC annual reports. The whole process will benefit from increased scrutiny by international institutions and civil society.

(Contribution by Filip Stojanovski, Metamorphosis, Foundation for Internet and Society)