Phishing for personal data a threat to everyone’s security
The scandal revolving around the NGO Pere Sihtkapital, which obtained the personal data of thousands of Estonian women through unscrupulous means, should leave us all worried. It shows just how easily one can swindle even the Ministry of Internal Affairs out of personal data in breach of both ethics and the law. It poses a serious security risk as opposed to just reputational damage and makes one wonder how well the data (in the case of scientific research) is actually kept by the state.
Data, especially mixed and personal data, is safeguarded for a reason. Data is the most valuable resource of our time, a country’s most important value and asset. And data is usually protected quite thoroughly.[1] Ask any entrepreneur who has been forced to comply with requirements pursuant to the GDPR or family medicine centers that have struggled to ensure database security.[2]
Data protection is subject to draconian rules because data ending up in the wrong hands robs people or groups of people of their privacy and at worst makes it possible to manipulate them through threats. To manage these risks, data is under the protection of the law: the constitution (inviolability of family and private life), data protection laws and the EU data protection directive.
Starting from 2019, the Data Protection Act also governs surveys for the purposes of policymaking.
And yet, by wielding the name of the University of Tartu,[3] Pere Sihtkapital managed to access data of childless women, as well as those with more than two children, including their personal identification codes, phone numbers and email addresses. Combined with a form asking them how many partners they’ve had, their mood recently, why they still don’t have kids and who they plan to vote for, this makes it possible to draw up complete (intimate) profiles of people.
This kind of data mining by a think tank with political roots is problematic for several reasons. Let it be said that the survey did not get a green light from an ethics committee of the university as the questionnaires were sent to participants before it even convened to discuss the matter.
Data phishing a security risk
The reputation of the government to which we entrust our data has also suffered in this scandal. Yes, the Ministry of Internal Affairs’ population register department surrendered the data in good faith, as is common practice, while the incident shows that relevant processes need to become more stringent also for the purposes of scientific research. The current procedure, based largely on self-control – for example, the website[4] of the Data Protection Inspectorate reads that “bodies conducting research must first analyze the legal grounds on which personal data will be collected and processed” – is useless looking at the case at hand.
Policymaking surveys must also secure permission from an ethics committee and the Data Protection Inspectorate for use of mixed data. In short, the data ended up in the wrong hands not just because powers were exceeded but because the system meant to protect it was generally ineffective.
It remains unclear why the data was surrendered before permission was secured from the ethics committee and the inspectorate. This additional filter would ensure that data is made available to ethical and rules-based projects.
The fact that the council of the Pere Sihtkapital foundation includes respected scientists from several Estonian universities makes the violation all the more serious. It is impossible that persons who make a living engaging in scientific research are unfamiliar with the fundamental principles of scientific ethics and relevant legislation.
Potentially severe consequences
Loss of privacy could lead to humiliation and cost people their job after their reputation suffers damage. Systematic failure like this can also easily turn into a national security threat. If such surveys include people working in sensitive national defense fields, it could pose a threat to state secrets – a person who decides to take part could be blackmailed into revealing classified information by threatening to make public their health or other delicate information.
We can give an example from the Ukraine war where Russian troops had data on people who had participated in defending Ukraine’s territorial integrity in the ATO (Anti-Terrorist Operation Zone) in Donetsk and Luhansk since 2014.
As a result, people who first opposed Russia’s aggression against Ukraine in 2014 were looked up, tortured and murdered when the 2022 assault began.[5] The data had been used to put together lists of people, and those people were found, probably not least to send a signal to Russia’s other neighbors, which include Estonia, that those who dare oppose Russia’s neo-imperialist foreign policy have made the list.
What happens next?
Therefore, during a time when we are increasingly worried looking at the data the world’s digital giants have on us, we must also consider data being collected as part of politically motivated studies and the dangers they pose.
In addition to concerns over TikTok, we should seriously look at how data in the Population Register gets used. The public expects state institutions to take decisive steps to explain the situation, launch proceedings and ramp up security measures. The fact that people’s personal data was accessed without the necessary permits suggests that the rule of law was ignored and requires a relevant reaction.
We can also take small steps to remedy the situation ourselves. When invited to participate in a study, one should pause and ask oneself, who wants my data and why? While this may be difficult to ascertain and the study abstract may come off as entirely respectable, it pays to take a closer look. Additional information should be sought if there are any suspicions. Remember that they want your data, which is why its protection and legal processing must be ensured.
Finally, we can ask why no one asked for the personal data of childless men? Women cannot have babies by themselves, and half the sample seems to be missing from the study. Why was this data not sought? After all, it is extremely irresponsible not to go phishing for the personal data of men, not to publicly demonize and harass them in statements, while they are just sitting around not making babies. Where is the public debate and state-funded pressure on childless men? Men have been completely and painfully cut out of a crucial public matter.
*The opinion piece was first published in Estonian by the Estonian Public Broadcasting on August 14, 2023. Photo: mother and child (Pexels, 2023).
[5] Tondo, L. & Mamo, A. 2023. ‘Some never came back’: how Russians hunted down veterans of Donbas conflict. The Guardian, 02.07.2023. (accessed 12.08.2023).