Due to personal data leaks, they demand more responsibility from the State and discuss the current law

In less than two weeks, Argentina experienced a series of personal data leaks of great magnitude. In early April, a cybercriminal published more than 115 thousand stolen photos of the Renaper. Two weeks later, almost 6 million images of Argentine driver’s licenses were stolen and distributed. And on Thursday of last week, another attacker published a database with 65 million records, also from Renaper.

For this type of case, among other reasons, the Vía Libre Foundation, which fights for the protection of citizens’ digital rights, presented a report in dossier format in which it demands more responsibility from the State. The presentation, led by Beatriz Busaniche, president of the Foundation, an expert in privacy and the right to information, featured specialists in three areas that are crucial for the processing of personal data.

“The project is part of the Leaking Data work program that has been developed with the support of Avina, the Indela initiative,” explained Busaniche.

Filtraciones, or “leaks” as they are known in the cybersecurity environment (from the English term), mean that certain internal information of a State, company or entity, which was not intended to be public, is made known. Personal data is marketed to commit various types of cybercrimes, including identity fraud, which can be used to gain unauthorized access or perform social engineering.

But the dangers go beyond these specific scams. The report highlights underlying issues that have to do not only with state responsibility, but also with what the law is like in Argentina: what happens if data from my document is leaked? Who can you complain to? Who is responsible for any potential damages that may be suffered?

Here, everything about the presentation, the panorama in Argentina and the full text to read online:

Why does the State collect (so much) information?

The Vía Libre dossier aims to work on data management in the State. “It has a historical overview of the identification policies of the State, how the policies of DAYS were developed, the role of identification, the history of Renaper, the current panorama and why it is necessary to set limits, including the reform of current legislation,” Busaniche explained.

The presentation had three speakers dedicated to understanding the nature of personal data, each with a different perspective. The first to speak was Margarita Trovato, lawyer in charge of public policies at Fundación Vía Libre, who reviewed the history of data collection in the country. What information does the State have access to? How did the advancement of technology change the volume of data, and what potential new problems were generated in times of big data?

“Naturally the State collects personal data; originally for a registration issue and then, over the years, with various functions, for example to produce public policies. Over that time, data collection, processing, and storage technology has evolved in leaps and bounds, including the type of data being collected (think biometrics) but the regulatory framework is the same: our personal data protection law, number 25,326, dates from 2000,” the specialist explained to this medium.

Of course, a law that is already 24 years old “was outdated and anachronistic,” but it preserves certain minimum guarantees. “We know that the State has clear limits on what it can do with our personal data: in no case may it violate constitutional rights to privacy, intimacy, informational self-determination, security, transparency, to mention a few, which in turn are a condition for the exercise of others,” she added.

In this sense, consent is an unavoidable starting point: there are certain data that the citizen has to actively decide to provide to the State, she recalled, and they cannot even be used for a purpose other than the one intended at the time of being requested.

But the most interesting thing is that the State has the duty of security and confidentiality. During the last few years, Argentine state institutions were “breacheada” (leaked, hacked), as they say in the cybersecurity environment: from the National Directorate of Migration, which suffered a ransomware attack that made departures from the country public, to the Senate of the Nation, where internal documentation of legislators was exposed, or the Buenos Aires Legislature.

The problem is that, according to Trovato, there are “loopholes that in practice become windows to deviate from these principles” of data protection. She explains:

1) The first big problem is the regime of exceptions to the consent of the owner. The state should not collect or store more data than is strictly necessary for the public policy it carries out, but the law leaves room for it to do so.

2) This is even more worrying if we combine it with another of the law’s shortcomings: it creates a control authority with little autonomy, institutionally weak, and which is currently concentrated in the Agency for Access to Public Information (AAIP) which, as its name indicates, has a totally different nature and technical specificity.

3) Finally, although along the same lines, the law also does not clearly describe what security measures should be adopted or how public authorities should act in the face of a security incident (for example a leak), an issue that more advanced legislation in other regions already resolves [Chile, for example, which in January approved a Ley Macro sobre Ciberseguridad].

“We are going towards a computer Cro-Magnon”

The second presentation was given by Tomás Pomar, member of the Argentine Computer Law Observatory (ODIA), an entity that has a history of warning about violations of citizens’ rights (such as facial recognition in the City of Buenos Aires). The lawyer highlighted the current challenges of data transfer between intrastate agencies.

“The absence of an adequate regulatory framework, combined with the lack of effective judicial controls and the impossibility of developing broad political consensus on the matter, end up forming an explosive cocktail. For these leaks, when analyzing the constant erosion of the State’s computer systems and the warning lights that the growing leaks turn on, we believe in the need to communicate its urgency from ODIA and we usually propose that we are going towards a Computer Cro-Magnon,” Pomar told Clarion.

The reference is an analogy with the Cro-Mañón Tragedy, which left 194 dead on December 30, 2004 in the City of Buenos Aires.

“We designate as ‘Computer Cro-Magnon’ a potential cyber incident with tangible physical harm to citizens. From that definition, Renaper would not fall into this category, but, to give an example, what would fall would be that we receive an attack on critical infrastructure such as sanitary water systems or even aeronautical control towers,” he explained.

“That is, a ‘tragedy’ in the most classic sense but originated in a computer attack and, as so many other times, in the apathy and negligence of the authorities with responsibility in the matter,” concluded the lawyer specializing in personal data protection. This is what is known as the OT (Operational Technology) sector, as happened with the energy company Colonial Pipeline in the United States in 2021.

Finally, Pablo Palazzi, professor of Law at the University of San Andrés and partner in the technological law area of Allende & Brea, explained what laws could force the State to be more transparent regarding leaks.

First, he recognized the difficulty of the area: “When you talk about cybersecurity, you talk about defending yourself. You are always defending yourself and that is more difficult than going on the attack. They can hack anyone: security is a process, it is not a product,” he stated in a section of the presentation.

Currently, in the event of this type of leak, the State should notify the AAIP. But at the end of 2022, Congress approved an agreement called 108+ which, although it requires the specifications of other countries for it to come into force, also urges organizations to make these incidents public.

“The 108+ agreement has yet to come into force, but it has an article on security incident notifications that, as it is directly applicable, would make it mandatory in Argentina for incidents to be reported. That is, we would not have to wait for a bill that is currently in Congress to notify incidents: since it is directly applicable, Argentina would have data breach notification,” Palazzi closed.

Security incidents worry various sectors in the country. Given the latest Renaper case, one of the biggest fears had to do with the enormous number of services that consult the registry of people. Data protection, cybersecurity and information security are increasingly becoming a problem that, far from being minimized, is deepening.

The law is trying to correct the gap that was left open between people’s digital rights and technological advance, which, it is true, makes our lives increasingly simpler, but also those of cybercriminals.

The full presentation can be seen at this link:

By Editor
