For nearly three months, a bulk data harvesting program has been collecting the phone call history and location data of every wireless subscriber in Armenia. The Government argues that it is necessary to help prevent the spread of the COVID-19 pandemic. Normally, individual court orders would be required to collect this type of information about a person, which is protected by several constitutional provisions, including the inviolability of private and family life (Article 31), freedom and confidentiality of communication (Article 33) and protection of personal data (Article 34); however, the ongoing State of Emergency allows for the temporary curtailing of certain constitutional rights.
On March 31, the National Assembly passed a legislative package making amendments to the Law on the Legal Regime of the State of Emergency and the Law on Electronic Communications. President Armen Sarkissian signed it on the same day and it came into force on April 1.
Before the bill was approved, the Human Rights Defender (also referred to as the Government Ombudsman) issued a statement in which he identified the conditions under which the temporary limiting of the constitutional rights may be permitted, based on precedent decisions made by the European Court of Human Rights (ECHR):
The limitations must be strictly necessary, must arise from the situation, and must not lead to the abuse of rights and power;
The limitations should not exceed the minimum necessary to address the situation and steps taken have to be the last resort, without which it would not be possible to oversee the situation;
The limitations must be adequate to the purpose at hand and be temporary in nature;
The limitations must be general in nature and not target separate groups of people.
“Intelligence Agencies Would Love This System”
The Government has not confirmed the existence of these conditions. Shushan Doydoyan, Director of the Freedom of Information Center NGO, says that “obscure definitions” have been given from the beginning. “It should be very clear that we can’t prevent the spread of the virus without processing this data and that is why we are taking this step,” Doydoyan explains. “All other legal means should have been exhausted and then steps to process personal data that intrudes in people’s personal lives should have been taken only as a last resort.”
Another observation Doydoyan has made is the temporary nature of these limitations. On March 31, when the phone surveillance bill was being discussed, the State of Emergency was set to expire on April 14. On April 3, when additions were made to Government Decision 298-N and it was decided that the data collected would be destroyed two weeks after the expiration of the State of Emergency, it was assumed that all the data would have been destroyed by May 1. However, the State of Emergency was extended and continues to be extended every 30 days because the underlying reason for it has not changed, i.e. COVID-19 has not gone away. Doydoyan is uneasy about the lack of a concrete deadline. The longer a “temporary” measure is entrenched, the harder it will be to ever fully eliminate it.
On April 6, Human Rights Watch quickly responded to the restrictions on the right to privacy in Armenia. “If the state of emergency persists over a prolonged period, the government should regularly review whether phone records that are no longer relevant should be destroyed,” the statement reads.
The State of Emergency has been extended until August 12. The issue of periodically destroying data is still not on the agenda. “Combining data and processing it over the long-term can lead to interesting results,” says Samvel Martirosyan, an expert on data security. “Social graphs can be created; connections between people and how strong or weak those connections are can be identified. This can lead to interesting discoveries surrounding opposition parliamentarians, politicians, journalists, their confidential sources and other connections. Intelligence agencies would love this system.”
The information necessary for tracking mobile phone customers is transferred to the e-Governance Infrastructure Implementation Agency (eGIIA) through a closed protected channel (VPN). Upon request, data on a mobile subscriber and the mobile numbers in contact with said subscriber during a certain time period are automatically provided, as well as the date and time of phone calls.
The first name, last name, birth date, address of residence, address of self-isolation, phone numbers, identity document information and social security numbers of those who have been tested, infected, showing symptoms, previously infected, treated or come in contact with a confirmed case, and those in self-isolation, are also transferred to the eGIIA.
All this information is passed on without requiring any person to approve the request. While the National Security Service, responsible for the country’s intelligence activities, is prohibited by Executive Order from “processing” the data, the same paragraph tasks them with managing the computer infrastructure that runs the whole system.
How Safe is Your Data?
On May 25, Shushan Doydoyan and citizen Izabella Sargsyan sent a written request to the Government’s Chief of Staff for clarification on who developed the tracking system. However, their request was denied under the reasoning that “the system was not obtained through procedural purchase but by volunteers and for free. Individual programmers developed and provided the system as a donation… At the same time, the programmers do not wish their names to be public and did not agree to publicize their free help.”
“The whole process of developing and deploying the system is shrouded in secrecy, which is not compliant with the principles of processing personal data,” says Doydoyan. “Processing personal data has to be implemented on the principles of complete transparency for citizens. The citizen has to know what data is being collected, how it is being processed, who has access to that data, when and how that data is to be destroyed.”
“It turns out, a very closed system was developed, over which there is no oversight,” claims information security expert Samvel Martirosyan.
“If Armenian volunteers made a plane, would you allow passengers to board it immediately?” asks lawyer and data security specialist Davit Sandukhchyan. “Have they checked it and tested it for safety and security? I ask that they provide a summary conclusion on this.”
According to Sandukhchyan, in the sphere of cybersecurity, human factors are a major potential vulnerability: Can we be sure that those who took part in developing the program did not leave a back door, which they can use later on to enter the program? “Tests should be conducted to ensure the system does not have any technical flaws,” says Sandukhchyan. “A [cybersecurity] audit should also be conducted to make sure there are no side entrances that can be abused. We want to be sure that the data is in safe hands.”
Samvel Martirosyan says that there are no guarantees that copies of the data are not being made, which can remain available after the “official system” is eventually destroyed.
Does the System Work?
According to data provided by the Special Commission on the State of Emergency, as of June 15, contact tracing of 3,319 people infected with COVID-19 was analyzed through this computer system. Phone calls were made to 30,814 phone numbers. As a result, 1,314 citizens were confirmed to have been in contact with a confirmed case and they were ordered to self-isolate for 14 days. Among those that self-isolated, 148 tested positive for the virus.
On April 1, when the tracking system was launched, the number of confirmed COVID-19 cases was 663. By June 15, that number had reached 17,489.
Economist Hrant Mikayelyan, who studies and analyzes data on the spread of the pandemic daily, clarified the data provided by the Special Commission. “If one confirmed case infects 2.5 other people on average, then, in theory, 3,319 confirmed cases should have infected 9,000 people. In this case, 148 seems a small number,” he explains and adds that a lot depends on when the 3,319 cases were sick - in April-May or more recently? And if it was more recently, then probably the symptoms would become visible much later.
According to Mikayelyan, a considerable amount of effort has gone into calling 30,000 people. “If we’re talking about 148 out of 30,000 people, then that’s half a percent of those that have been considered,” he says. “But if we look at the confirmed cases, then it doesn’t differ much from that percentage. If we called that many people randomly, we would have discovered the same number of people who had been tested. This means that if they called 2.8 million people, nearly 15,000 cases would be identified. This call rate shows that it doesn’t differ from random phone calls, at least for now.”
The Government’s Response
Bagrat Badalyan, Advisor to Deputy Prime Minister and Warden of the Special Commission Tigran Avinyan, said that the tracking system resolves two main issues: those who have come into contact with a confirmed case are identified and their self-isolation is supervised.
When asked if this is the only way to reach the desired outcome, Badalyan stated that stricter tools have been implemented in many countries, including electronic bracelets, sealed doors, etc. The version adopted by Armenia is more acceptable and has several components to it. “When the test results come back positive, epidemiologists interview the patient to find out who they’ve been in contact with,” explains Badalyan. “There are cases when the confirmed patient won’t say or forgets who they have come into contact with. Through the tracking system, we are able to find out who else they might have been in contact with, without accessing personal data or the actual content of the phone calls. Then, after conducting another interview, this is either confirmed or refuted.”
Regarding the efficiency of the system, Badalyan says that, after being interviewed by epidemiologists, about 20% of those in self-isolation test positive for the virus. Through this system, 12% of tests conducted on those who had been in contact with a confirmed case come back positive. According to him, internal reports are filed periodically regarding the system, which the Special Commission publicizes if requested by media outlets.
As to why the identities of those who created the system are kept anonymous, Badalyan explains, “This program was created from scratch by Armenian programmers. They worked on it in their individual capacity. We have now received consent from the programmers to publicize their names.”
Later, EVN Report received the names of the nine experts who worked on the program: Harutyun Martirosyan, Narek Baghdasaryan, Sevak Ghazaryan, Hovhannes Sargsyan, Gurgen Danielyan, Lilya Ghukasyan, Hayk Avetisyan, Armena Sanasaryan, Maksim Adamyan.
As to the issue of security, Badalyan says that the program has been tested by the National Security Service. “All security measures have been maintained,” says Badalyan. “I would like to make one fact clear. Even though the law allows us to retrieve data from mobile operators through this system, a decision was made to take a more secure route. The data is maintained in databases and servers belonging to the mobile operators and the data is transferred to eGIIA only through a digital request, without any human interference. Solutions for security issues are guaranteed so that when data is being transferred leaks do not occur. The human factor is nonexistent.”
In response to the observation that based on the Government 298-N Decision the NSS, eGIIA, the Police, the Ministry of Health and the Ministry of State Emergencies have access to the system, Badalyan explained that the NSS is not allowed to process and use the data. As for the others, Badalyan says only certain employees have access and have signed non-disclosure agreements. Moreover, the whole database is not accessible to these employees, only the minimum amount which is enough for them to carry out their work.
Experts propose creating an oversight body on maintaining, using and destroying the data. This oversight body should also include civil society representatives, who would also sign non-disclosure agreements.
Moreover, proposals on how to process contact-tracing data obtained during the COVID-19 pandemic were also presented in the reputable journal The Lancet; these also include the creation of an independent oversight committee with the participation of civil society representatives. The oversight committee would be the guarantor that would ensure the proper and safe flow of data, while periodically informing the public about the whole process.