Armenia: Security Concerns Raised About the Computer Program Tracking the Movement of Coronavirus Carriers
The State of Emergency Command Isn’t Saying Who Created the Program
To prevent the spread of the coronavirus infection, the Armenian government (State of Emergency Command), with the consent of the National Assembly, is monitoring the telephone calls of infected people.
The Command receives information about these calls from mobile operators. A special automated system has been set up to identify people who have been in contact with them by following their movement.
Command Head Tigran Avinyan (who also serves as Deputy Prime Minister) stated in the National Assembly on April 13 that, after the amendment to the Law on the Legal Regime of the State of Emergency, which envisaged restrictions on the protection of personal data, the inviolability of private and family life, and the freedom of communication and privacy, and permitted the monitoring of telephone calls, the system analyzed the data of 3,029 people, as a result of which 7,000 people isolated themselves.
However, did it help to prevent the spread of the infection? The Deputy Prime Minister found it difficult to say, as the self-isolated were tested only in case of symptoms.
In this context, the question arises again as to how necessary the restriction of freedom of communication and privacy was, especially since concerns about the security of the telephone call control process have not been allayed.
On April 17 of this year, the Command released a video showing how they find out the scope of contact of the infected person via the information received from mobile operators about the patient's calls.
Based on their location, it is decided whether the patient and the person who called them were in the same place. Command staffers then call the people who have been in contact with the patient and give instructions for self-isolation, after which they monitor the entry and exit of the self-isolated people through the program downloaded onto their phones. Deputy Prime Minister Avinyan's advisor Bagrat Badalyan claims that they are not interested in the content and duration of the calls, and that this data is not collected.
Hetq tried to find out who was processing the data and how protected it was. On behalf of Command Head Tigran Avinyan, Serzh Varag Siseryan, Head of the Deputy Prime Minister's Office, responded to our inquiry, noting that the “computer program was created by volunteer programmers and is utilized by agencies envisaged by Government Decision 298N, for purposes specified by the Law on the Legality of the State of Emergency.”
The data obtained to determine the scope of contact of the infected person is collected and stored on the server of the e-Governance Infrastructure Implementation Agency (EKENG) (this is also stated in the above-mentioned video).
According to Mr. Siseryan, the EKENG server is a multi-layered isolated network (Isolated DMZ) free of external influences, and the maintenance of a special computer program is carried out and security is monitored by the National Security Service (NSS).
Some IT professionals are concerned about the computer program created by the developers and the EKENG server security guarantees, as well as the fact that the security of the program is monitored by the NSS.
As a rule, a computer program should undergo a security test. Hetq asked Command Head Tigran Avinyan who had conducted the security tests of the launched program, what tools were used to check its security, and in accordance with what standards; for example, ISO 27034 or some other standard.
We asked for the results of the program's security tests and, if available, the program's compliance certificates. However, our questions remain unanswered.
To maintain the security of the data on its server, EKENG CJSC should have also undergone a security audit.
In response to our inquiry, EKENG Director L. Avetisyan said that EKENG strictly follows the guidelines of the Information Security Management System (ISMS) ISO-27001 standard, and the audit process is underway.
David Sandukhchyan, a lawyer and information and security specialist, believes that the Deputy Prime Minister's Office's clarification that the data is being processed "under a multi-layered isolated network (Isolated Demilitarized Zone)" is inconsistent with the presentation of the program, which shows how it makes it possible to identify, in real time, people who violate the self-isolation regime.
"However, even if we assume that DMZ can be used to process data in real time, or it is developed in non-real time, it does not explain the extent to which the EKENG network is protected from the threats of external intervention, as long as there is no conclusion of the audit organization about the compliance of the EKENG information system with information security standards. The NSS control cannot be considered such a guarantee either, especially since the NSS has had many problems with information security in the past," says David Sandukhchyan.
It is true that the law does not oblige EKENG to have a certificate of compliance with ISO standards, but it does impose security measures and rules.
"How to find out if they used them or not? Through an independent audit. There is no other way. And the ISO compliance system developed under the international system can be a reliable audit," says Mr. Sandukhchyan.
According to Sandukhchyan, the fact that the program was created by a group of volunteer programmers in a short period of time can also cause concern if the security of the program has not been thoroughly tested.
"Such an assumption can be made as long as the government does not present an independent expert's opinion on the results of the program's security quality," said Sandukhchyan.
In addition, if the program was developed by a group of volunteer developers on a non-commercial basis, the source code of the program should have been submitted to the government and should be open to independent experts.
Mr. Sandukhchyan says that it is in the government’s interest to publish this code, which will exclude the existence of other undeclared tools in the program, which always causes deep fear among various institutions of civil society.
In the conclusions and guidelines adopted by the Council of Europe and the EU's political and expert bodies on the use of technical means to track the movement of people in the context of the co-operation, it is specifically stated that governments should be as transparent and accountable as possible when using such tools.
With the lifting of Armenia’s state of emergency on May 14, restrictions on people's freedom of expression and privacy must also be lifted and, consequently, the monitoring of their telephone calls by a special program must also be halted. All the personalized and de-personalized data collected must be destroyed within one month after the end of the state of emergency. The government plans to set up a commission to destroy the data, which may include representatives of parliamentary parties and experts.
Given that the state authorities have not provided the information we requested to prove the security of the data, we can only hope that it will not one day fall into the hands of third parties.