A Blogger Exposes Personal Data Protection Flaw on Macedonia's Election Commission Website

Ensuring that the next elections are free and fair is crucial to the return of democracy and stability in Macedonia. A young female blogger contributed to this process by discovering a flaw related to the government's voters’ registry web app.

One of the reforms needed to end the current political crisis in Macedonia ^[2], as stipulated within an agreement that was overseen by the European Union and the United States, is the restoration ^[3] of the State Election Commission (SEC) to good and honest working order. It also requires a “clean-up” of the voters’ registry, ensuring that only people with the right to vote can do so. The first official investigation that the Special Public Prosecutor has launched ^[4] as part of this effort is looking into the creation of “phantom voters,” as well as votes in the name of dead or absent ^[5] citizens.

The web application that enables citizens to check if they are in the voters’ registry has been active for years. The SEC is supposed to clean up the database behind it, but as software developer Kalina Zografska found out, that would have only solved part of the problem.

On the morning of February 10, Zografska published a blog post titled “Would you like to have a copy of the voters’ registry? Click here!” ^[7] reporting that she had discovered a flaw that “leaves the voters’ registry free for the taking, including sensitive personal data of all citizens, such as the Unique Master Citizen Numbers, names, area of residence” on the official government body's website.

In the blog post, Zografska explained that the application utilizes a very simple URL to trigger the display of citizens’ data, using the Unique Master Citizen Number ^[8] as input. In all former Yugoslav countries, this ID number has a fixed, predictable format, consisting of the date of birth and other basic elements. Therefore, a simple script can target the application with requests using changed parameters and extract data on all citizens.

This ID number consists of 13 digits in the form “DD MM YYY RR BBB K” (without blank spaces) where “DD MM YYY” is day of birth, “RR BBB” refers to region of birth/registration and gender, and K is checksum. Since the SEC application used the URL format of ‘http://electorallist.gov.mk/Found.aspx?value= [ ID Number format ]’ a simple software can just try all ID number combinations for the dates of the last 80 years or more, and extract data for the “hits” that actually coincide with real citizens’ IDs.

Иако официјалната форма е навидум зад captcha, со околку 2мин на страницава со view source се наоѓа голиот линк.

Ова остава простор за:

• со погодување на нечиј МБ, да се добијат податоци за живеење
• бизниси да таргетираат возрасни групи, да добијат информации со место на живеење на сите нивни потенцијални клиенти
• партии, лоби и бизнис групи да имаат копија од избирачкиот список во и да прават таргетирано и персонализрано комуницирање со гласачите
• итн.

Грешката е на многу аматерско ниво од аспект на професионални принципи на работење со лични податоци на отворен веб. Грешката е противзаконска на Законот за заштита на лични податоци. И не е грешка од Државната изборната комисија која се појавува првпат ^[9].

Ни требаат податоци и системи на кои може да им веруваме и заштита што е загарантирана, како минимум.

Even though the official form is seemingly protected by a captcha form, one can find the naked link in two minutes with the “view source” option.

This opens up the possibility of:

• by guessing somebody's ID number, one can get data on their residence
• businesses can target age groups, getting location information on potential clients
• political parties, lobby groups and business interests can get a copy of the voters list and perform targeted and personalised communication with the voters
• etc.

The mishap is at a very amateurish level from the perspective of professional principles of working with personal data on the open Web. The mishap is against the Law on Personal Data Protection. And this is not the first time that the State Election Commission has made such a mistake ^[9].

We need data and systems we can trust, guaranteeing protection as a minimum.

The Macedonian Law on Personal Data Protection ^[10], which was adopted in 2005, is based on the related European Union directives and is aligned with EU data protection standards. It requires that data controllers ^[11], such as government institutions, take measures to ensure the protection of citizen's private data that they store and process. In particular, data such as the Unique Master Citizen Number, name or address enjoy the highest level of legal protection.

Zografska announced her findings in the tweet below, causing quite a stir online, with a flurry of retweets and mentions of the profiles of state institutions.

Сакате копија од избирачки список? Клик овде! https://t.co/Jkr1qer0Mj ^[12]

— Kalina Zografska (@kzograf) February 10, 2016 ^[13]

Would you like to have a copy of the voters’ registry? Click here!

Within hours of the blog post's publication, the SEC shut down access to the voters’ registry application. The button inviting citizens to check if they are on the voters list is still present on the home page of their website ^[14], but clicking on it just redirects to the same page.

When journalists from independent news organization Meta.mk asked the SEC why the application became inaccessible, their initial response ^[16] was that “there is some problem with the Internet connection.” A week later on February 17, with the application still not working, Meta.mk asked again. This time, the SEC admitted ^[17] that the list is “currently offline due to a security problem.” Government officials did not provide details as to whether the problem is the one pointed out by Zografska, but added that their IT department is developing new ways for citizens to confirm their presence in the voters’ registry.