Culture of Protecting Personal Data: From Online Freedom to Digital Surveillance?

На русском

«While developing their own approach on protecting personal data, Central Asian states combine elements of the Russian and Chinese concepts of a “sovereign Internet”, “great firewall” and “censorship”», – mentioned by Anna Gusarova, director of the Central Asian Institute for Strategic Studies, Chevening program scholarship holder at King’s College, London.

Follow us on Telegram

Central Asia for a long time remained on the periphery of the wide and deep distribution of IT-technologies, as, for example, happened in regions with the most developed economies and communication infrastructure. This factor does not contribute to the disclosure of all the possibilities that information and communication systems allow, but in the Central Asian region, digital technologies have quickly begun to play an important role in the functioning of the state and the life of society.

The main trends in the development of cyberspace in Central Asia over the past ten years are:

ensuring public access to information resources (Internet, digital broadcasting, mobile communications, modern technologies, etc.).
increasing computer literacy of the population and the inclusion of citizens in the information sphere (e – Learning, e – Banking, electronic money, electronic commerce, Pay-me mPOS terminals, online stores, etc.).
the transformation of many areas of the state’s life on the basis of the sharp and ubiquitous entrance of information and communication technologies (e-Government implementation, OMC – Operational Management Centers, unified control systems, virtual reception rooms, etc.).
integration into the global information space and the creation of digital societies.

Along with ambitious national strategies for digitalization and innovative development, the countries of Central Asia are actively developing services in biometrics, artificial intelligence, video surveillance systems and face recognition. Thus, the introduction of a face recognition system and “smart cities” in Kyrgyzstan,[1] Tajikistan and Uzbekistan, the Ministry of Internal Affairs plans to install video surveillance cameras in all courtyards of high-rise buildings until 2022[2] and mass fingerprint and genomic registration[3] since 2021 in Kazakhstan only reinforces the importance and the need to build a culture of protecting personal data in the region. Moreover, digital rights, cyber literacy and cyber hygiene should be an integral part of the campaign to promote a culture of personal data protection in Central Asia along with cyber security.

Personal data protection: privacy, COVID -19, GDPR

The protection of personal data in different parts of the world takes on new shades, since it is more associated with the management and control of the Internet, and, as a consequence, the large-scale growth of authoritarianism.

In fact, the Internet has become a modern public domain, and social networks and search engines have tremendous power and a strong responsibility to ensure that their platforms serve the public good. The unlimited collection of personal data limits the human right to loneliness, without which peace, prosperity and individual freedom – the fruits of a democratic world – cannot be preserved or used.[4]

While some countries are making real progress in the field of Internet freedom, such as the countries of the European Union (EU), others, on the contrary, are tightening and restricting Internet freedom. It is enough to recall when the citizens of Malaysia voted for the Prime Minister, who promised to repeal the recently adopted law criminalizing fake news (Anti-Fake News Act 2018),[5] which was actively used by his predecessor. And today, in the context of the information boom around COVID-19, this issue is of particular relevance.

On the one hand, it is about respecting the right to privacy, including in the cyber environment, which today is unavoidable in the context of identifying and instantly disseminating medical information about infected politicians, super stars of various sports, cinema and pop culture. On the other hand, there is a growing trend towards the use of new technologies (drones, face recognition programs, video surveillance, etc.) and old old-school solutions in war conditions to monitor compliance with the emergency situation and quarantine regime in many countries of the world.

On the one side, we see how in some countries the mass media openly publish information about infected political figures and their spouses (Canada, USA, Great Britain, etc.), and on the other side, restriction of access to such information (such as failure to provide information on whether there are ministers among coronavirus infected due to medical confidentiality[6] in Kazakhstan, ignoring the problem and blowing dust on the unthinkable measures taken by the Russian Air Force).[7]

Indeed, the perception of the problem of COVID-19 through the prism of war allows states to take tougher measures that often significantly limit human rights and freedoms, including in the online environment. At the same time, experts from the Office of the UN High Commissioner for Human Rights have already specified that states should not take advantage of the emergency situation to suppress human rights, and the state of emergency cannot be used as a cover for repressive actions.[8]

Table 1. TOP 11 states that practice digital surveillance and systematically violate confidentiality on an ongoing basis.[9]

In response to concerns about the pervasive collection and inherent security of personal data, many countries have adopted legislation that gives individuals the right to control how their data is collected, processed, and transmitted by public and private organizations.

According to a report by Freedom House,[10] at least 15 countries have reviewed data protection laws since June 2017, and 35 countries already have data protection laws. The data protection laws that have been proposed or adopted in Argentina, Brazil and Indonesia are very similar to the European GDPR (General Data Protection Regulation, EU Regulation 2016/679[11]), which entered into force in May 2018. This document sets seven key principles:

Legality, fairness and transparency of data processing,
Limiting the purpose of collecting and using data,
Minimization of data (collection of only necessary data),
Accuracy (inaccurate data must be deleted or corrected)
Storage limit (data retention period),
Honesty and confidentiality (protection against unauthorized or illegal processing, destruction or damage to data),
Accountability (obligation to comply with GDPR and ability to demonstrate compliance with regulations).

These principles should underlie any approach to personal data processing in Europe. They have an extraterritorial principle: all organizations that collect, process and store personal data of individuals who cooperate with the European Union must also comply with the GDPR requirements.

Rating of states on Internet privacy.[12]

According to the results of a study conducted by the British company Comparitech at the end of 2019, all countries of the world without exception are very far from the stated tasks of maintaining privacy on an ongoing basis, and as a result of the protection of personal data. According to the developed criteria,[13] from 1 to 5 out of 47 countries participating in the project, only five states received a rating above 3 points. Some countries are more responsible and transparent, while others take continuous systematic security measures, including digital surveillance of their own citizens.

If we talk about the so-called digital surveillance, then we are talking primarily about video surveillance and the number of cameras installed. For instance, in the USA there are 15.28 surveillance cameras for every 100 people, followed by China with 14.36 and the UK with 7.5 cameras. The top ten countries also include Germany with 6.27 cameras per 100 people, the Netherlands 5.8, Australia 4, Japan 2.72, France 2.46 and South Korea 1.99.[14]

Number of cameras in million units[15]

On a city scale, 8 out of 10 cities with the largest number of surveillance cameras are located in China, including Wuhan (more than 500 thousand cameras), which is considered the epicenter of COVID-19 (London takes 6th place with 6.84 video cameras and Atlanta (USA) – 10th place with 1.55 cameras per 100 people).

How do things stand in Kazakhstan and Central Asia?

According to Kaspersky Lab, many users and enterprises in Kazakhstan (as in other Central Asian countries) continue to use pirated software, such as unprotected copies of old Windows operating systems,[16] for their online activities, putting all actions at risk on the Internet due to a lack of experience and education in the field of information technology and cybersecurity in the public domain. Lack of experience means that Kazakhstan and Central Asia as a whole are extremely attractive to cybercriminals who exploit these weaknesses and make money from them. In Kazakhstan, only 3% of online crimes are prosecuted.[17]

First of all, from the point of view of personal data protection, questions arise about who has access and controls the security of the collection, processing and storage of personal information obtained with the help of, for example, Sergek cameras. This is an intelligent system for video monitoring, recording and image recognition, an intelligent system for processing and analyzing information and forecasting, fixing offenses on the streets and roads.

Cameras of the video monitoring system “Sergek”. Photo: kolesa.kz

This issue is of particular relevance due to the fact that the two technical partners supplying products to the Kazakhstani market are the Chinese company Dahua Technology (partner of Corkem Telecom on Sergek) and Hikvision (has been working in Kazakhstan since 2015),[18] in respect of which the US government, along with other 26 Chinese companies, imposed sanctions and blacklisted[19] for actions contrary to US foreign policy interests (in the case of these two, for promoting violations of human rights against Muslim minorities of the PRC[20]). At the same time, it is important to remember that it was the President of Kazakhstan K. Tokayev who proposed to adopt the experience of China in digitalizing the personal data of each citizen, mentioning the Hikvision company.[21]

This component is compounded by the extent to which state authorities will respect the rights of citizens to protect personal data, and here, first of all, we are talking about the functions and capabilities of the power structures of the Republic of Kazakhstan, in particular the Ministry of Internal Affairs (MIA) and the National Security Committee (NSC). As for the police, the representative Sergek mentioned that access to the video archives was provided to the police of Nur-Sultan, Ust-Kamenogorsk and Atyrau, where this question is under review regarding Almaty[22]. If we talk about the role of the National Security Committee, it is enough to recall the safety certificate, which was developed by the State Technical Service of the National Security Committee of the Republic of Kazakhstan and implemented as pilot projects in the summer of 2019 in Astana.[23]

With the introduction of the National Video Monitoring System (NVMS), the main question arises as to how a balance will be achieved between the right to privacy and interference with it to ensure national security.[24]

In general, the system of stakeholders (participants), one way or another involved in the processes related to the protection of personal data in Kazakhstan, is very large. Despite the existence of specialized departments in charge of supervisory authorities and other involved participants in the information process, all state bodies are involved in the collection, processing, storage, destruction of personal data. It is important to understand that, in fact, all existing state bodies and their committees and departments should be captured, since each institution of power has a database with which they work.

This means that the culture of protecting personal data should turn into the very link that will allow government agencies to harmoniously interact with each other and with society, increase the level of trust and communication, which is an integral part of a digital society, the creation of which is provided for by the Law of the Republic of Kazakhstan on personal data and their protection.

Taking into account the largest leaks of personal data of Kazakhstan citizens in 2019[25] from the databases of the CEC and the Prosecutor General’s Office, the question arises of how the state can guarantee the protection of personal information. According to the Center for Analysis and Investigation of Cyber Attacks (CARICA), the leak occurred from the database of the General Prosecutor’s Office of the Republic of Kazakhstan, i.e. of the authorized body in the field of personal data protection, and the Ministry of Internal Affairs of the Republic of Kazakhstan suspended the case of data leakage due to the absence of corpus delicti, because “the specified information with the data of citizens of the Republic of Kazakhstan was not found on the Internet”.[26]

Let us recall that at the end of 2019, it became known that the well-known Chinese cybersecurity provider Qihoo 360 announced that it had discovered data received from infected computers of Kazakhstanis from 13 cities of the country. Researchers say that “an advanced hacker group uses specially designed hacker tools, expensive tracking kits, mobile malware and radio interception equipment to spy on Kazakhstan’s targets”.[27] The data collected related mainly to office documents taken from hacked computers. All stolen information was placed in the folders of each city, each folder of the city contained data on each infected host.

According to the results of the study “Protecting Personal Data in Kazakhstan: Status, Risks and Opportunities”, people who are hiding their personal data, are not wary of Internet companies, but rather surveillance by government services, and consider that it is worth worrying only when it comes data, the leakage of which can directly lead to the loss of money or property.

The perception of the existing system for collecting, storing and using personal data provided online is sometimes associated with a belief in conspiracy theory ideas. It is believed that social networks were invented in order to legally collect information about citizens of foreign countries. In addition, Kazakhstanis believe that special services have access to the personal data that they provide online, can view the content of emails and messages in instant messengers.

Digitalization and culture of personal data protection

If one talks about trends, it is important to pay attention to the following points:

The Chinese government (the same as Russia, but to a lesser extent) not only does not protect the privacy of citizens, but also actively invades it,
The collection and storage of biometric data – fingerprints and faces – is gaining momentum around the world (in Kyrgyzstan and Kazakhstan, these issues are becoming even more relevant),
EU countries tend to share a large amount of their citizens’ data with other member states,
Immigrants are often most affected by government surveillance, especially when they enter or leave a country,
Only five countries have adequate guarantees of confidentiality in accordance with the evaluation criteria on an ongoing basis, and all of them are located in Europe. GDPR plays a big role in this, but does not consider all the issues
Not a single country received an ideal score or even an almost ideal score in the ranking of countries on privacy on an ongoing basis ( see table 2 above ),
Enforcement varies widely even among countries with good privacy laws.

Obviously, it is impossible to create a culture of protecting personal data in one day, month or even a year. It took the European Union several years to significantly raise awareness among its citizens, as well as explain why this is important and what needs to be done. Moreover, the large-scale promotion and encouragement of this legal culture has increased the level of trust and communication between government bodies and business organizations and citizens.

It is important to talk about GDPR and the need to comply with it for the following reasons:

Firstly, this regulation aims to fundamentally change the way personal data is processed in all sectors of Europe.
Secondly, this provision has raised the awareness of professionals and individuals about data protection issues.
Thirdly, the regulation has provided new broad powers to people in how they can control their data.
Fourth, it is about awareness and education of citizens about the rights to protect personal data.
Fifthly, all organizations collecting, processing and storing personal data of individuals who cooperate with the European Union must comply with the requirements of the GDPR.

Throughout the world, governments and corporations are increasingly eager to receive large amounts of personal information in order to use it either for political repression or for the development of artificial intelligence algorithms. Unfortunately, ordinary citizens are not armed with so many options to withstand this state of affairs. It would be logical if governments and companies would strive to increase transparency regarding the use of personal data, ensure data portability between platforms and allow people to view and delete all the data collected about them – niches that some of the largest companies have already occupied.

One way to respond to this state of affairs would be to incorporate a guarantee of human rights in national artificial intelligence strategies. As policymakers consider how it can advance national priorities and improve the lives and security of citizens, they should ensure that all proposed research and development plans include a thorough assessment of any potential human rights consequences, including privacy rights and freedom of expression. Moreover, human rights assessments for the technologies under consideration should be accessible to the general public.

Conclusion

Today, even the most developed and democratic countries are less able to balance adequately between digital rights and freedoms on the one hand, and national security on the other in the face of new threats to national security.

Obviously, the devil is in the details, and the problem is not so much in the technical as in the human factor, and, as a result, is closely related to building a legal culture around the value of personal data. In modern realities, the government departments try to ensure their own security in order to be less vulnerable to new threats, very often they forget about their citizens, who also need to be trained and be aware of these issues.

While developing their own approach on protecting personal data, Central Asian states combine elements of the Russian and Chinese concepts of a “sovereign Internet”, “ great firewall” and “censorship”. At the same time, they actively interact and expand cooperation with the European Union, which led to the adoption of legislation on these issues. Raising awareness among professionals and individuals about GDPR requirements, on the one hand, and informing citizens about digital rights and protecting personal data, on the other hand, should be one of the priority areas for digitalization in Central Asia.

In this regard, strengthening cooperation with European partners in the framework of the New EU Strategy for Central Asia is of paramount importance for creating transparent, accountable and healthy ecosystems with a strong legal component.[28]

This material has been prepared as part of the Giving Voice, Driving Change – from the Borderland to the Steppes Project project. The opinions expressed in the article do not reflect the position of the editorial board or donor.

[1] Laura Mills, “Implementing a face recognition system in Kyrgyzstan poses a threat to human rights,” November 15, 2019, https://www.hrw.org/en/news/2019/11/15/335819.

[2] In the courtyards of high-rise buildings they want to install security cameras by 2022, September 25, 2019, https://profit.kz/news/56690/Vo-dvorah-mnogoetazhek-hotyat-ustanovit-kameri-videonabludeniya-k-2022-godu /

[3] When will all Kazakhstanis be required to take fingerprints, Forbes, February 20, 2019, https://forbes.kz/process/vvedenie_daktiloskopicheskoy_registratsii_v_kazahstane_mogut_otlojit/?

[4] Adrian Shahbaz, “Freedom on the Net 2018. The Rise of Digital Authoritarianism,” Freedom House, 2018, https://freedomhouse.org/report/freedom-net/freedom-net-2018/rise-digital-authoritarianism.

[5] Rozanna Latiff, “Malaysia parliament scraps law penalizing fake news,” Reuters, October 9, 2019, https://www.reuters.com/article/us-malaysia-politics-fakenews/malaysia-parliament-scraps-law-penalizing-fake-news-idUSKBN1WO1H6.

[6] “Abayev on coronavirus-infected ministers: medical secrecy,” Tengrinews , March 23, 2020, https://tengrinews.kz/kazakhstan_news/abaev-zarajennyih-koronavirusom-ministrah-vrachebnaya-tayna-395808/

[7] “There is no coronavirus infected in the Russian army, said Shoigu,” RIA Novosti , March 26, 2020, https://ria.ru/20200326/1569175397.html

[8] COVID-19: States should not abuse emergency measures to suppress human rights – UN experts, March 16, 2020, https://www.ohchr.org/EN/NewsEvents/Pages/DisplayNews.aspx?NewsID=25722&LangID=E&fbclid=IwAR2h917wGdZnKKVHrHxgkgbjF90DP3FXyWakOjdKkMTFH14J8oROAD7UtIg

[9] Justinas Baltrusaitis, “https://www.precisesecurity.com/articles/Top-10-Countries-by-Number-of-CCTV-Cameras,” Precise Security, December 4, 2019 | UPDATED February 15, 2020, https://www.precisesecurity.com/articles/Top-10-Countries-by-Number-of-CCTV-Cameras

[10] Adrian Shahbaz, “Freedom on the Net 2018. The Rise of Digital Authoritarianism,” Freedom House, 2018, https://freedomhouse.org/report/freedom-net/freedom-net-2018/rise-digital-authoritarianism.

[11] GDPR at a Glance, The UK’s Information Commissioner’s Office, https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/principles/.

[12] International Privacy Index Ranking, Best VPN, https://bestvpn.org/countries-ranked-by-privacy/?__cf_chl_jschl_tk__=015c8dc6776b09a145679c1b7400854be4c9a4e8-1586380678-0-AfSNQoWxi4T-JXj55jo2unB9GTA8syaUrNf_9Pc8KDalm1e2k1NPnUKtJ6EnY_TBwBL5Uy_KSNh7OybIC0HR-D0eygKUbj4JN5H3ya0JVCtYIfrXs6ZAk39lwnWwAmexIq1z52wJ3ucP235fRLdeFiECM-owvz0KT26oAHrGHITEUtyBZRrv9tUUda2zNe8plWUoaZhkM_k18nm66C6zdF1eEtREUkWiABOt6EQw8JmiY8etRUbFgZRa6KftOqRO7PV6dXb6Cc9BlAxD3Jrizp9bjzIU_YyhzQHL-Z8hvdxC57R_cSj_z-5HdvP65vwYPQ.

[13] Paul Bischoff, “Data privacy laws & government surveillance by country: Which countries best protect their citizens?,” Comparitech, October 15, 2019, https://www.comparitech.com/blog/vpn-privacy/surveillance-states/.

[14] Justinas Baltrusaitis, “https://www.precisesecurity.com/articles/Top-10-Countries-by-Number-of-CCTV-Cameras,” Precise Security, December 4, 2019 | UPDATED February 15, 2020, https

[15] Compiled by the author based on data from Precise Security, December 4, 2019 | UPDATED February 15, 2020, https://www.precisesecurity.com/articles/Top-10-Countries-by-Number-of-CCTV-Cameras

[16] Anna Gussarova, “Kazakhstan Adapts to the Cyber Age,” Per Concordiam, European George C. Marshall Center for Security Studies, Garmisch-Partenkirchen, Vol. 7 Issue 2, 2016: Unipath CENTCOM, April 7, 2017, https://unipath-magazine.com/kazakhstan-adapts-to-the-cyber-age/.

[17] Almaz Kumenov, “Hackers eyeing Kazakhstan as a safe haven,” Eurasianet, November 27, 2018, https://eurasianet.org/hackers-eyeing-kazakhstan-as-a-safe-haven.

[18] Kanat Altynbaev, “Chinese technology in Kazakhstan’s cities raised concerns about possible espionage surveillance,” Karavan Sarai , December 11, 2019, https://central.asia-news.com/en/articles/cnmi_ca/features/ 2019/12/11 / feature-01

[19] Addition of Certain Entities to the Entity List, Office of the Assistant Secretary, Export Administration, Bureau of Industry and Security, Department of Commerce, October 9, 2019, https://www.federalregister.gov/documents/2019/10/09/2019-22210/addition-of-certain-entities-to-the-entity-list.

[20] John Honovich, “Hikvision And Dahua Sanctioned For Human Rights Abuses,” IPVM, October 7, 2019, https://ipvm.com/reports/sanction-hikua.

[21] Sergey Kim, “Tokayev peroposed to introduce a surveillance system, as in China,” Factcheck , October 9, 2019, https://factcheck.kz/glavnoe-2/tokaev-predlozhil-vnedrit-sistemu-nablyudeniya-kak-v -kitae / .

[22] “The Almaty police does not have access to Sergek’s base,” February 19, 2020, https://www.zakon.kz/5008129-sergek-v-almaty.html.

[23] “Certificate of safety: how it was,” Inbusiness . kz , August 7, 2019, https://inbusiness.kz/ru/news/sertifikat-bezopasnosti-kak-eto-bylo.

[24] “Big Brother: How the National Video Monitoring System in Kazakhstan Will Work,” Forbes , February 20, 2020, https://forbes.kz/process/technologies/bolshoy_brat_po-kazahski_1582187734.

[25] Catalin Cimpanu, “Extensive Hacking Operation Discovered in Kazakhstan,” ZDNet, November 23, 2019, https://www.zdnet.com/article/extensive-hacking-operation-discovered-in-kazakhstan/.

[26] CARICA’s official Facebook account, https://m.facebook.com/story.php?story_fbid=2636221533272242&id=1674347306126341.

[27] Catalin Cimpanu, “Extensive Hacking Operation Discovered in Kazakhstan,” ZDNet, November 23, 2019, https://www.zdnet.com/article/extensive-hacking-operation-discovered-in-kazakhstan/.

[28] Anna Gussarova, “The EU Should Strengthen GDPR-driven Data Protection Activities in Central Asia,” SEnECA Blog, April 3, 2020, https://www.seneca-eu.net/blog/the-eu-should-strengthen-gdpr-driven-data-protection-activities-in-central-asia/