Romania: Mass surveillance project disguised as eGovernment
The Romanian Intelligence Services (SRI) has recently been granted EU funds for the project “SII Analytics” to acquire software and hardware for “consolidating and assuring eGovernment interoperability between public information systems”. The project seems to aim at gathering all major state owned databases (e.g. citizens and company registry, health card data, fiscal data) in SRI’s playground. The data would be joined into one large system, through which other public institutions would potentially have unlimited and unwarranted access to the personal data collected.
The project also aims at aggregating data sets from all major public institutions, and at allowing advanced search in order to permit inquiring any type of information about any citizen or resident. Furthermore, the project description includes a chapter on behavioural analysis. Therefore, the system would be able to do complicated analysis, to correlate information cross-databases, and to combine it to other information.
Moreover, under the motivation of “preventing fraud”, the system will have facial recognition features. It will include a database of approximately 50-60 million images (probably passport or identity card photos) to which SRI already claims to have unlimited access. As the technical specifications of the project show, one of the declared purposes of the SII Analytics project is to acquire hardware and software for internet traffic interception from instant messaging apps or other similar electronic communications programmes. The official justification is that this is needed for the internal architecture of the system.
If implemented according to plan, the system will have the potential of spying on all Romanian citizens’ and residents’ private life. The project does not include limitations regarding access to the information, nor does it establish a mechanism to ensure an effective control of the system, and of the approximately 1000 people who will be authorised to access it. There is no requirement to notify the data subject (person whose personal data is collected or accessed), or to ask for consent. In short, there is no transparency and no guarantees to limit misuse.
In its decision Bara vs. CNAS & ANAF (201-14), the Court of Justice of the European Union (CJEU) declared it illegal to transfer personal data from one public institution to another without the citizen’s consent and prior notification. With this project, the Romanian National Health Insurance Fund (CNAS) could easily exchange personal data with National Tax Administration Agency (ANAF) though the SII Analytics project, ignoring CJEU’s previous decision.
EDRi member ApTI and three other Romanian human rights NGOs sent a letter on 8 August 2016 to both national and European officials urging the project and the public procurement process to be stopped. At the same time, the signatories signalled the need of introducing, as a necessary requirement for accessing European funds, the interdiction to use such funding for purposes that might violate or limit human rights. At the time of writing this article, there was still no answer from the Romanian authorities.
After the public outcry, SRI declared in a press conference that the massive databases are already in place since 2006. Therefore, with SII Analytics, SRI is not collecting new citizens’ data, the intention is “merely” to have more advanced search and query capabilities for an already existing database system.
SRI also recognises in their presentation of the SII Analytics project that indeed it is not an eGovernment project and it is only conducted for “intelligence purposes”. The EU Commission has therefore plenty of reasons to start an investigation for the misuse of public funds.
Romanian Secret Services uses European Funding for mass surveillance project disguised as eGovernment services:
Romanian Secret Services public statement confirms suspicions regarding mass surveillance:
European Court of Justice decision Bara vs. CNAS (C201-14):
No to surveillance! Public letter (only in Romanian):
Analysis of the technical specifications of the project performed by ApTI (only in Romanian):
OPSI portal – the Portal of the Intermediary Body for Promoting Information Society (only in Romanian):
Romanian Intelligence Services press conference presentation (only in Romanian):
SII Analytics project (only in Romanian):
SII Infrastructure project (only in Romanian):
(Contribution by Valentina Pavel, EDRi member ApTI, Romania)