Wednesday, March 02, 2011

Latvia's 2011 census on the internet is off to...a clusterf**k

Latvia's attempt to conduct part of its 2011 census on the internet has gotten off to a start that can only be described as a total clusterfuck. The Latvian Central Statistical Bureau (CSB) opened an internet page where people could fill in a census questionnaire using one of three methods of authorization -- their passport number and personal code number, the PIN code and access code from a number of internet banks, or the official e-signature.
While the last two authorization methods are relatively safe, passport numbers and personal code numbers are often publicly available, widespread information. For example, the personal code of controversial Ventspils mayor Aivars Lembergs, on trial for money laundering and other economic crimes, was recently published in an official list of charitable donors. Travel agencies and employers also often have both personal code numbers and passport data.
The possibility to circumvent the authorization system was first pointed out by the Latvian language IT blog  The internet news portal then conducted an experiment, opening the census data filed by a third person, altering it, then putting it right again. This clearly proved that it was possible for anyone with the right data to change someone else's census questionnaire.
The Latvian State Data Inspectorate (Datu valsts inspekcija/DVI) then hastened to stop internet census data collection, calling the authorization method a violation of the law. However, around 100 000 persons had already used the internet to answer census questionnaires, most, though not all, using their passport and personal code data. The CSB announced on the evening TV news that it was freezing all these questionnaires to prevent anyone from making any changes.
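The design problem above is that a passport number and personal code are identifiers, not secrets, so presenting them proves nothing about who is at the keyboard; the bank and e-signature paths work because a third party has already verified the person. The following is an added illustration, not CSB code: a toy census store that refuses the identifier-only path, accepts identity only from a signed assertion of a verified method (the shared key and assertion format are assumptions), and locks each questionnaire once submitted so a later login cannot overwrite it, the freeze the CSB applied after the fact.

```python
import hmac, hashlib, json

# Constructed demo, not CSB code. Assumption: each trusted identity provider
# (internet bank, e-signature) shares a key with the census service and signs
# an assertion {"personal_code": ..., "method": ...} after verifying the user.
IDP_KEY = b"constructed-shared-secret"
VERIFIED_METHODS = {"bank", "esignature"}

def sign_assertion(personal_code, method, key=IDP_KEY):
    """Identity-provider side: sign a verified identity assertion."""
    body = json.dumps({"personal_code": personal_code, "method": method},
                      sort_keys=True).encode()
    return body, hmac.new(key, body, hashlib.sha256).hexdigest()

class CensusStore:
    def __init__(self):
        self.records = {}   # personal_code -> {"answers": ..., "frozen": bool}
        self.audit = []     # what a reviewer would want to see afterwards

    def open_by_identifiers(self, personal_code, passport_no):
        """The path the census used: passport number + personal code are
        widely known identifiers, so knowing them proves nothing. Refuse."""
        self.audit.append(("rejected_identifier_login", personal_code))
        return None

    def authenticate(self, method, assertion, sig, key=IDP_KEY):
        """Accept identity only from a correctly signed assertion of a
        verified method; reject unknown methods and tampered bodies."""
        if method not in VERIFIED_METHODS:
            return None
        expected = hmac.new(key, assertion, hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, sig):
            self.audit.append(("bad_assertion_signature", method))
            return None
        claims = json.loads(assertion)
        if claims.get("method") != method:
            return None
        return claims["personal_code"]

    def submit(self, principal, answers):
        """Write the questionnaire, then freeze it so a second login for the
        same person cannot silently replace what was filed."""
        rec = self.records.get(principal)
        if rec and rec["frozen"]:
            self.audit.append(("write_to_frozen_record_blocked", principal))
            return False
        self.records[principal] = {"answers": answers, "frozen": True}
        self.audit.append(("submitted", principal))
        return True
```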
Local data security experts are shocked by the way the CSB handled data security. Ilmars Poikans, a researcher at the University of Latvia's Institute for Mathematics and Computer Science, also known as the cyberactivist "Neo", who leaked state salary data from a poorly designed database last year, called the census fiasco "a breach of sound thinking rather than a data security breach".
Ilze Murane, a lecturer in computer science and a data security specialist, said the bungled internet census could destroy public trust in any kind of e-government services.
Baiba Kaskina, who heads the recently re-organized CERT.LV cyberincident reaction team, said the CSB had never consulted her staff about security issues, and there was no law that compelled them to do so. Although CERT.LV has a small staff, Kaskina said the agency would have advised the CSB on where to find descriptions of best practices and recommended data security auditors.
Somehow, almost a year after "Neo" started leaking government agency salary data because he was able to leaf through reams of "unauthorized" data simply by changing the last number of an authorized URL in the State Revenue Service electronic filing page, this doesn't surprise me. As Poikans/Neo said -- now there can be many more "Neos", and it is doubtful whether the police can catch them all. Poikans is still under criminal investigation for his activities last year.