Tag: identity theft

Why the Barbados Election List Data Leak is Problematic – And How it Could Have Been Prevented

nielharper

On 27 December 2021, the Prime Minister of Barbados Mia Amor Mottley scheduled a snap election for 19 January 2022.

On 29 December 2021, a full data dump of all eligible voters in the country was published by the Government of Barbados on the open Internet. This occurred largely because the Representation of the People Act 13(1) states “The [Electoral] Commission shall cause to be prepared and shall publish not later than the 31st day of January in every year a register of electors for each constituency and a register of foreign service electors entitled to vote at any election.” 

In the past, this list was made available in somewhat controlled environments to be queried by election officials, candidates, voters, etc. to ensure that elections accurately reflected the will of the people (in most all cases it was usually printed and held at libraries, constituency offices, polling stations, etc. to be reviewed by interested parties). To limit congregation of individuals in the previously mentioned locations during COVID-19 times, it was decided to publish the full voters list on the Internet to ensure access for all.

The 5250-page list contains approximately 250,000 individual records with the below personally identifiable information (PII). *

  • Last Name
  • First Name
  • National Registration Number (similar to a Social Security Number in the United States)
  • Gender
  • Date of Birth
  • Residential Status
  • Constituency (Voting District)
  • Home Address

* The total population of Barbados currently hovers around 290,000 persons.

Instead of this data being restricted to a few thousand persons in Barbados, it was now accessible by all 4.6 billion Internet users, exposing 250,000 Barbadians to increased risks of data misuse and abuse, fraud, identity theft, and other financial and reputation risks. The information was quickly downloaded and posted on Reddit and a number of hacker/fraudster sites on the Dark Web, making it perpetually available to malicious actors. There is also a high physical risk to individuals with regards to stalking, home invasions, robberies, rape, etc.

PII, also referred to as personal data, covers a wide variety of information that can identify a living individual. If a piece of information is unique to that person, it can lead back to them in several ways, and it is private and needs to be protected with the greatest care.

Why Does Personal Data Need to be Kept Safe?

The reason this type of information requires protection is that it can be used to commit fraud or to steal an individual’s identity.

Depending on what a thief is trying to accomplish, he will need different types of information. To open specific accounts all that is needed is an email address, while in other cases an individual’s name, address, date of birth, a national registration number, and other information may be required.

It’s also critical to note that accounts of all types can be opened over the phone or via the internet without having to physically visit a location for your identity to be verified. This provides opportunities for criminals with appropriate stolen information to open bank accounts, enter into contractual agreements, or make claims using someone else’s information or identity.

If a criminal is fraudulently using your information, you might not even know it. They may not use the credit card you already own to make purchases (in which case you might catch them by looking at your purchase history). Most often, criminals open up new, separate accounts using the victim’s information, leaving the victim unaware of the damage that is being done until years after the fact. In that time criminals can rack up a lot of debt using your identity.

How Can Identity Thieves Use Your Personal Data?

There are several ways which identity thieves can use your personal data, including but not limited to the following:

  • Open a new credit card account.
  • Create fake social media accounts with your identity (e.g., Facebook, Twitter, Instagram, etc.).
  • Take out a commercial bank loan.
  • Obtain and use your debit card to withdraw funds.
  • Change your billing address so your bills will no longer be delivered.
  • Obtain expensive medical care or procedures.
  • Open new utilities accounts in your name (e.g. electricity, water, natural gas, etc.).
  • Obtain a mobile phone service.
  • Open a bank account, obtain a cheque book, and write bad checks.
  • Obtain a new driver’s license or national ID.
  • Use your information when arrested or in a court action.
  • Engage in bullying, stalking, harassment or otherwise cause fear.
  • Inflict severe reputation damage.
  • Combine it with additional data gathered from the Internet (e.g., Google search, Facebook, Instagram, LinkedIn, etc.) to create even more detailed profiles of individuals.

How Long Does It Take Fraudsters to Use Stolen Personal Data?

In 2017, the Federal Trade Commission (FTC) in the United States demonstrated how criminals can use your personal information within minutes. The FTC developed fake personal data and posted it on a website that hackers use to make stolen information available. It took a mere nine (9) minutes for the fraudsters to access the information, and over 1,200 attempts were made to access email, credit card and payment accounts. The research confirms how valuable personal information is to identity thieves, and if they can gain access to it, they will most definitely use it.

What Should the Government Have Done Instead?

While it’s not an exhaustive list, below are some of the key steps the government should have taken.

From a technology perspective, a searchable database should have been published on the Government Information Service (GIS) portal, where individuals could use personal data which they already knew to confirm that they were on the voters list. The full database could have been provided to election officials and campaign managers using a digital rights management (DRM) solution to control access and distribution of the document. 

The Data Protection Act was approved by Parliament in July 2019 and came into force in March 2021. This statute introduces a strong privacy and data protection regime in Barbados, and its wide-reaching impact on overall data governance across sectors and industries should have triggered key updates to existing legislation, processes and operational guidelines (including the Representation of the People Act and any other legislation involving personal data processing). And this doesn’t even address the urgent need for broader legislative reforms in the country. There are way too many outdated pieces of legislation which are incompatible with progressive changes in technology, changing community awareness, changing community values, and changing expectations of the legal system.

Appropriate funding should be allocated to the Office of the Data Protection Commissioner to better equip them in investigating and monitoring data breaches and providing other types of regulation involving the public sector. Additionally, these financial resources can be used to deliver privacy awareness training to educate government personnel on how to protect individual privacy in their daily work. Simultaneously, a public campaign should be started to achieve broad public awareness on all issues related to the Data Protection Act and the new legal framework created. The Office of the Data Protection Commission is severely under-resourced at present, making it virtually impossible to implement and enforce the Data Protection Act, which focuses largely on preventing exactly these types of data leakages. For example, adhering to the principle of data minimisation would have significantly reduced the risk and impact of publishing the entire voters list. By this I mean the narrowing of data collection and processing to strictly what is needed – In this case, there is absolutely no reason to publicly release the National Registration Number (NRN) and Date of Birth of all eligible voters.

Why the Electoral and Boundaries Commission (EBC) is Dead Wrong

The Electoral and Boundaries Commission (EBC) has strongly (and wrongly might I add) defended its decision to publish the voters list online. Their position is that “We are obligated to publish the list now electronically so that more people can have access to it.” Chairman of the EBC Queen’s Counsel Leslie Haynes also maintains that “ID numbers are not private” and made reference to them “being published before the introduction of the digital age in public libraries, rum shops, the electoral office and other spaces.” Because a law states that you must publish information electronically doesn’t mean you should make it accessible to 4.6 billion Internet users (including hackers, fraudsters and other cyber criminals). There are numerous laws in Barbados that are outdated, poorly drafted, contradictory to other laws, and incompatible with existing technology – Should we follow them all to the letter or do we comprehensively update them to be more fit for purpose? Moreover, there are numerous technology solutions available for publishing said data online in a controlled manner to reduce the overall risk and exposure. And if they are not at fault, why did government officials remove the voters list from the public websites?

Finally, national registration number (NRN), date of birth (DOB) and home address are all private information, and there are established technical standards, privacy principles, and national laws or treaties around the globe that assert as much. From a data minimisation perspective, the requirements of the law could have been satisfied without including NRN and DOB.

Where online can you find the social security numbers (SSNs) for all eligible voting Americans? What about the passport numbers or driver’s license numbers for all voting Canadians? What about the national ID numbers for all voters in France, Denmark, Switzerland, Germany, etc.? The answer is NOWHERE!

[UPDATE] Sunday, 2 January 2022 – I have amended the original blog post in response to the EBC’s staunch defence of their decision to publish the voters list on the open Internet.

Comments on the National Identity Management Systems Act (2021)

nielharper

Dr. Ronnie Yearwood and Niel Harper recently collaborated to provide expert comments on the National Identity Management System Act (2021) just passed by the Government of Barbados. Given that this piece of legislation was quickly passed with no opportunities for public debate or feedback, we felt it necessary to articulate and ventilate some of our key concerns with the statute in its current form.

GENERAL COMMENTS

Disability and Accessibility

  • In line with the obligations under the United Nations Convention on the Rights of Persons with Disabilities, there are no provisions in the Act for mandatory accessibility features in the digital ID and related services. As such, persons with disabilities may be excluded.

Oversight and Liability

  • There is no mention of a supervisory and oversight body that ensures the digital ID system is used for its intended purposes (to prevent abuse and misuse), to audit and certify the digital ID provider and third-party trust services, to address complaints, and ultimately provide redress.
  • There is no mention of the liability to be assumed by the government or trust services providers to ensure due diligence, transparency and accountability of their operations and services related to the digital ID. The digital ID service provider (Government) and trust services providers should be liable for damage caused to any natural or legal person due to failure to implement robust privacy and security controls or otherwise disadvantage individuals via the delivery of the digital ID system.

Breach notification

  • The Act does not speak to data breach notification and the relationship between this statute and the Data Protection Act (2019) which is critically important.  Furthermore, the Office of the Data Commissioner does not have the staffing or capabilities to oversee the various activities related to large scale data collection and processing.

Comprehensive digital ID ecosystem

  • The Act does not comprehensively cover electronic signatures, electronic seals, time stamps, electronic documents, and website authentication. The legal effect of the above needs to be clearly defined to avoid confusion. Existing practices, standards and legislation exist that can be built upon to address these matters which are integral to a functional digital ID system. Without those features, the Government will essentially be replacing the existing physical ID cards and not truly realizing the value of a digital ID ecosystem that delivers identity, authentication and trust services.

Interoperability

  • The Act does not speak to an interoperability framework that guarantees the digital ID system is built using open standards and can be seamlessly integrated into national and cross-border digital identity ecosystems.

SPECIFIC COMMENTS

Discrimination and equality before the law

Section 5 (9) “A person who is a visitor shall not be eligible for registration in the National Register unless that person is a person to whom subsection (1) applies.

(Section 5(1) covers persons, for example born in Barbados or citizens of Barbados who “shall be registered in the National Register.”)

  • The point is that a person who is a visitor to Barbados shall not be eligible for registration in the National Register unless section 5(1) applies.
  • Is it that only Barbadians and persons resident in Barbados must register to gain access to public services (see section 5(10)) regarding the fact that if you are not registered under the Act you cannot get a national registration number, cannot be added to the electoral register to vote, cannot obtain a permit to drive, or qualify to access any goods or services requiring presentation of the ID?
  • This looks somewhat discriminatory because the same requirement does not seem to be placed on foreigners for any access to services. I have not seen a reason for this proposed by the government.

(Also see section 12(1) reads: “A person who is issued an identification card may be required to produce his identification card (c) for the purpose of voting in an election in Barbados; (d) for the purpose of accessing goods or services provided by the Government or the private sector… and that identification card shall be prima facie evidence of the identity of the person shown on the identification card…”)

Voter’s rights, registration and identification

Section 5(10)(d) “A person who is not registered under this Act shall not qualify to be added to the register of electors or the revised register of electors prepared under the Representation of the People Act, Cap. 12

Section 34(1) An identification card authorised under section 25 of the Representation of the People Act, Cap. 12 or under the Statistics Act, Cap. 192 shall remain valid for a period of 12 months from the date of the commencement of this Act.

  • Therefore, section 34(1) provides that an ID card under the Representation of the People Act shall only remain valid for 12 months from the commencement of the new ID law. When has the Act been commenced?

Section 12(1)(c) “A person who is issued an identification card may be required to produce his identification card for the purpose of voting in an election in Barbados.”

  • This needs clarification as there should be more than one valid piece of identification to enable voters’ rights […]

To read the entire comments document, please click on this link.

You can also find a full copy of the ‘Barbados Identity Management Act’ here.