Ignoring repeated warnings, Argentina biometrics database leaks personal data

Just a few weeks ago, thousands of Argentinians had their privacy rights violated when the country’s electoral registration roll, which had been made available online, experienced a major leak of personal data following the presidential election.

Despite some early warnings on the weaknesses of the system, the government did nothing to fix the situation, allowing serious technical flaws in an online system to persist and refusing to respond to the crisis, further jeopardising public trust in the system.

The global trend of setting up biometric national identification databases (e.g. India, Pakistan) has been portrayed as an effective tool to citizen information management, securing an individual’s legal identity and as means of facilitating access to socio-economic services and civic rights. However, these databases are often not accompanied by appropriate legal frameworks to protect the right to privacy and the personal data of individuals and often lack sufficient security mechanisms to protect and secure data. Unfortunately this legal vacuum on biometric national identification databases is neither new nor specific to Argentina. For example, in India the Unique Identity Scheme biometrics database (Aadhaar) aimed at collecting the biometric data of 1.3 billion people has been initiated and continues to be developed in a legal void.

The dangers of such ubiquitous use of biometric technologies were dramatically illustrated recently in Argentina, when it was revealed that it was possible to download all National Identity Document photos from the online biometric electoral registration roll

Argentina’s biometric systems

Argentina is historically known for being one of the first countries in the world to adopt biometrics technologies as a form of recognition of individuals’ legal identity. Since Argentinian police officer Juan Vucetich, a police officer, established the first system of fingerprint identification and initiated the first use of fingerprint evidence in police investigations in the late 1800s, biometrics technology has greatly evolved. It is now used for a range of purposes: from conducting population registration in countries where birth registration has not previously been systematic, to conducting elections, or as a means of facilitating access and delivery of certain services such as food, health care and other basic social needs.

In 2011, the Argentinian government established by Executive Decree the Integrated System of Biometric Identification - Sibios (Sistema Integrado de Identificación Biométrica). Sibios integrated the existing ID card database, Argentine National Registry of Persons (RENAPER) and includes an individual’s digital image and fingerprint, civil status, and place of residence.

Aimed at facilitating the identification of citizens and enabling cross-reference of data to support crime investigation and as a tool for preventive security functions, it is accessible by the National Directorate of Immigration, the Airport Security Police, and the National Gendarmerie, and is even available to Provincial enforcement entities.

Given the country’s enthusiasm for these types of databases, their biometrics system was expanded to include electoral registration (Padrón electoral) during the 2013 presidential election, incorporating photographs from the RENAPER without asking for individuals’ permission or at the least informing them.

The purpose of the electoral registry was so that voters, who were in possession of a new ID card (obtained after 2011) and thus whose data was saved in Sibios (around 30 per cent of total of number of voters) could check where they were registered to vote.

First warning

Segu-Info, which publishes information on the safety of free and open information, discovered the weakness in the online electoral registration roll during the first round of presidential elections on 11 August 2013. They informed the Computer Emergency Response Team of the Argentine Public Administration (ArCERT), of the ability to download the photos through a system vulnerability. ArCERT had passed on the report to the National Electoral Commission (Cámara Nacional Electoral) but nothing was done about it.

Once this information was public, civil rights group Asociación por los Derechos Civiles (ADC) took a case to the Contentious Administrative Proceedings Tribunal requesting the removal of photos from the database on the basis that:

the photographs’ publication was unconstitutional and in violation of the right to privacy as it was not necessary for the electoral process to function; and
publication online increased the risk that they would be downloaded by third parties.

What’s worse, despite these serious concerns the photographs were not taken down, the technical flaw was not addressed and until now there has been no response to the claim. And just as ADC had warned, the situation took a turn for the worse.

Code is broken

In late October 2013, a 16 year-old boy discovered how to break into the online database of the electoral registration roll, which gives access to the photos of the voters whose data was saved. The boy circulated the information in the form a blog, publishing this information to denounce the government’s failure to take the necessary steps to protect citizens’ data. Read the translated blog here.

On 3 November 2013, an anonymous developer published the site Jsfiddle.net, which by using the working code enabled the images to be retrieved from the electoral registry.

On 4 November 2013, Ramiro Álvarez Ugarte, Director of access to information and privacy at ADC, revealed on his Twitter account the code had been broken and a website existed to access to the database and download the photos. The extent of the leak is unclear and it seems the government itself is unable to evaluate how many photos were downloaded and by whom. Mr Álvarez Ugarte himself was able to download around 5,900 pictures overnight.

Thankfully, ADC revealed the data’s accessibility relatively quickly and the government took some measures to prevent a simple Java script from downloading all the available pictures.

Even if ADC succeeds in its claim, the privacy of thousands of individuals have already been compromised. The leak shows clearly that the system as it is currently set up is not safe from future leaks. Whilst the electoral registry website is no longer accessible, the existence of the database and the biometric data it contains must continue to be challenged.