© CABAR - Central Asian Bureau for Analytical Reporting

Biometric data collection: what risks might Kazakhstanis face?

The insufficient protection of biometric data in Kazakhstan poses threats to citizens’ personal security. There is also the possibility that the authorities could use such data to increase control over society, said Dana Buralkieva, an independent researcher and expert on digital human rights and freedoms and a participant in the CABAR.asia School of Analytics.


Screenshot from Khabar 24’s youtube.com channel account

In Kazakhstan, the concept of “biometric data” until 2016 was mentioned only in the Law of the Republic of Kazakhstan “On Personal Data and Their Protection”, which regulates the procedure of collection and processing. It also stipulated liability for violations related to its loss.

Following this, the Law of the Republic of Kazakhstan “On Dactyloscopic and Genomic Registration” was adopted, which introduced the concept of biometric data in more detail, as well as partially clarified the mechanism of data collection and processing.

Human biometric data is a sensitive type of personal data that needs a high level of protection. But at the moment, the government of Kazakhstan cannot guarantee a hundred per cent security of citizens’ data. Until the law becomes fully effective, the risks of leaks of biometric data need to be minimised.

In the experience of the government of Kazakhstan, there have already been leaks of personal data. That is why experts point out an increased level of risk for the new type of data collection.

One of the biggest leaks was the loss of voters’ data by the Central Election Commission, which occurred in 2019. At that time, the data of eleven million Kazakhstanis who had reached voting age, about 60% of the total population of that year, was online. It was possible to find their names, IIN (Individual Identification Number), passport number and exact residence address, exposing them not only to exploitation by malefactors for the purpose of fraud but also to threats to their physical safety.

For example, in July 2019, the Ministry of Internal Affairs of the Republic of Kazakhstan launched an investigation into the unlawful dissemination of confidential digital data resources (Article 211 of the Criminal Code of the Republic of Kazakhstan). However, no one was punished for the crime. The justification was that the data had not been used and no one was harmed, although the very fact of leakage already suggests criminal or administrative liability.

The Ministry of Internal Affairs of the Republic of Kazakhstan dropped the case in December of the same year, due to the lack of a criminal offence, and many Kazakhstanis never heard about the incident.

A similar situation occurred in Sweden in 2015, when data on car owners were lost. Due to a lack of protection during the transfers, the names, photos and residential addresses of millions of citizens became available online. The problem affected not only the private sector but also the police and the army. As a result, the Minister of Internal Affairs and the Minister of Infrastructure resigned, and the head of the transport agency was not only dismissed but also fined approximately eight and a half thousand US dollars.

Although the details of these cases differ, the essence is the same: the leakage of citizens’ data is a violation of human rights, which in international practice is prosecuted and punished. The difference is that in Europe there is a common regulation on the protection of personal data of residents of all countries belonging to the European Union: the GDPR (General Data Protection Regulation).

It gives EU residents the tools to have full control over their data and imposes penalties on both business entities and public authorities.

Situations like this are happening all over the world. In 2019, the UK experienced a massive data breach involving passwords, photos, facial recognition information and fingerprints of over a million users of Suprema, a company that develops the Biostar 2 biometric lock security software.

The system is used by thousands of organisations around the world, including police, banks and defence organisations in the UK. The leak was discovered by vpnMentor researchers, who found that the database was unprotected, meaning that nearly all the data was not encrypted. In total, they accessed around twenty-eight million accounts. If the data had fallen into the hands of attackers, they could have edited these records, changed fingerprints and been able to log into institutions. In addition to UK citizens, organisations in the US, Indonesia, India, Sri Lanka and Finland — all Suprema customers — also faced this risk.

The Kazakhstan government needs to take such cases into account and learn how to take preventative measures to ensure that citizens do not face the problem of losing their data. In Suprema’s case, researchers detected the problem first, so the data was not taken advantage of by attackers. Otherwise, users would not only have lost their data forever but their security could have been compromised.

For legislation and technical security to meet standards, the government needs to work with leading experts and advocates who are willing to propose an anti-crisis strategy. The problem, however, is that communication with them has not taken place since the draft law was considered. As a consequence, when we study the text of the law, we see that many questions remain in each of the processes: collection, storage and processing. Just as experts cannot fully understand the system due to the lack of precise definitions and regulations, ordinary citizens do not understand what exactly the state is trying to implement and how, and most importantly, for what purposes.

This is primarily due to the fact that, after the law was passed, the competent authorities failed to educate the population, leaving people to deal with the news on their own. It appeared on the agenda, then was forgotten. This led to public anxiety about the uncertainty associated with the theory of digital slavery. This continued until human rights activists took on the responsibility of explaining to everyone what this innovation means and, most importantly, what risks the people of Kazakhstan may face.

So the Erkindik Kanaty (Wings of Freedom) #BiometricsKZ project was launched, within the framework of which an information campaign and research on the practices and consequences that can be encountered after the entry into force of the law are being conducted. The lack of communication with the population is a great omission by the government, as one of the obligations of the citizens of Kazakhstan is to undergo a mandatory dactyloscopy registration procedure.

In other words, citizens will have no choice, and penalties will apply in case of their refusal. And according to information currently known, citizens will not be able to obtain new documents (ID card or passport) and will have to pay a fine until they provide their biological data.

What if biometric data is used by the government against the citizens?

However, there is a possibility that the authorities in Kazakhstan, following the example of neighbouring countries, will use biometric data for their own purposes.

After President Kassym-Jomart Tokayev visited the Chinese company Hikvision, the idea of introducing recognition systems in Kazakhstan was raised. Such a system not only identifies individuals by facial traits and behavioural characteristics but also provides all the data stored in the databases of China’s intelligence services. In 2018, 176 million cameras operated on China’s 1.4 billion residents. This allows for surveillance of those who oppose the authorities.

There have also been cases in Russia where facial recognition cameras have been used to prosecute citizens. In 2019, for example, an activist was detained for picketing alone and identified through the processing of her biometric data.

And at recent anti-mobilisation protests in the Moscow metro, police began actively detaining protesters using facial data processing technology. The protesters who were recognised have been charged with administrative offences post facto. Activists who did not even take part in the rally but had attended anti-war protests before were also detained. According to the latest news, Russians who avoid mobilisation are also being tracked by facial recognition cameras. Cameras have been in active use in the Moscow metro since 2020; young people are tracked through these systems, detained and sent straight to the military enlistment offices. This is not only a violation of Russian law but also of human rights in general. At the moment, the authorities are going to introduce cameras in the regions as well.

International experts claim that biometric screening in public places is a tool for surveillance and public monitoring.

In other words, biometrics is also a dangerous tool for political repression. During the January events in Kazakhstan, human rights defenders and activists wondered whether facial recognition cameras had indeed been used to detain protesters, but the Human Rights Foundation “Erkindik Kanaty” received a reply from the Ministry of Internal Affairs denying this fact. However, international experience shows that in countries where offline and online human rights violations are periodically recorded, where human rights violations are commonplace, the use of such technology can lead to harassment and pressure on civil society.

The misuse of biometric data is seen as a potential continuation of systematic human rights abuses in Kazakhstan, so it is up to civil society to take on the function of risk prevention. Otherwise, it could lead to data manipulation, unlawful harassment and detention. And if databases are leaked outside the state, national security may also become an issue, as we have seen in the examples of countries where law enforcement agencies and government officials have been threatened. In other words, no one is safe from leaks: neither ordinary citizens, opposition activists, nor the government itself.

The question arises, what actions can Kazakhstanis and the expert community take?

First of all, it is necessary to understand what exactly the concepts of “biometric data”, “dactyloscopy and genomic registration” are, as well as what terms for citizens are regulated by the new legislation. The #biometricsKZ human rights initiative, in which experts explain the law in plain language, provide international examples and give recommendations on how to protect personal data, will help citizens understand these issues. Awareness of law-making and law-enforcement processes is an important component of human rights protection that any citizen can use. This will not only help to protect themselves but also to conduct monitoring.

At the moment, the law has not yet fully entered into force, but it is possible to start by monitoring breaches relating to common personal data. Every citizen can monitor breaches, record them and contact lawyers and human rights activists, who in turn will help eliminate the consequences of leaks and abuses by both private firms and public authorities.

Once the law is in place, it needs to be closely monitored, controlling the data collection process, which will help minimise the risks. This will be possible if as many Kazakhstanis as possible are aware of their rights and the data collection regulations.

If the monitoring of the implementation of the law reveals problems, and legal and technical unpreparedness of the authorised institutions, civil society should use other human rights tools to exercise its right to privacy and data protection, such as peaceful assemblies, information and advocacy campaigns, petitions to amend the law with the demand to prosecute the perpetrators.

At this point, citizens are already encountering biometrics in their daily lives, for example, when submitting data to banks, e-government systems and foreign embassy representations in Kazakhstan. The most important thing is to understand how this data is processed and stored, to request a privacy policy and, if your data is leaked, to demand its destruction from all databases. With personal data, this is possible because of Article 24 of the Law of the Republic of Kazakhstan “On Personal Data and Their Protection”, which spells out the rights and obligations of the subject. According to this article, we have the right to withdraw our consent to the collection, processing and distribution of our data in public sources, as well as to its transfer to third parties. It is logical to assume that this article also applies to the erasure of biometric information, but this will be known in practice after the law enters into force.

Monitoring of the implementation of this law will lead to an opportunity for the expert community to finally participate in the law-making process to regulate biometrics and improve the current law.

These measures will help Kazakhstani civil society to unite against a common problem and to understand how the new technologies that are being actively introduced into government processes work. If the government decides on digitalisation, it should help the state system to act for the benefit of society by strengthening human rights and freedoms.
