The case of Anna Kuznetsova: will the Moscow mayor's office answer for the leak of personal data?

Another confirmation is the case of Anna Kuznetsova from Moscow. She is suing the mayor's office of Moscow over the leakage of data of her movements.

Julia Suntsova

Muscovite Anna Kuznetsova managed to buy a detailed report on her own movements during the month on the darknet. The price of the issue is 16 thousand rubles.

After this test purchase, she filed an administrative claim against the Moscow Department of Information Technologies and the Main Directorate of the Ministry of Internal Affairs of Russia for Moscow, demanding that the city's face recognition system be stopped. Among other things, the plaintiff asks for compensation from the defendants - 100 thousand rubles for harm caused by the illegal distribution of personal data. The case in the category “Other cases on challenging decisions, actions (inaction) of state authorities, military administration bodies” has been considered for the fourth month by the Tverskoy District Court of the capital.

The experiment was carried out this fall. Volunteer Anna Kuznetsova found a data merchant on the darknet and anonymously ordered him a service to pierce her own face.

The contractor asked to send him only a photo of the "victim", and the order was executed within two days. The girl received a detailed report on her movements for the entire previous month. Almost all the addresses coincided with the girl's routes.

- For symbolic money, today anyone who wants to receive data on your movement. This is a serious violation of the right to privacy. The Moscow authorities, collecting data about you using video surveillance, do not guarantee your protection. Our volunteer checked by her own example: "data sellers" on a couple of selfies calmly track a person's movements in Moscow. On this fact, a claim was filed. The Moscow Department of Information Technology manages the video streaming system and base of the city, and the Moscow police department uses this system, including face recognition technology. That is why we involve these structures as defendants, ” attorney Ekaterina Abashina commented to NI .

It is important to note that the processing of biometric personal data, according to current laws, is allowed only on the basis of the written consent of a citizen, or in cases established by federal legislation (part 2 of article 11 of the law on personal data). The catch is that these cases were never identified, and face recognition (i.e. processing of biometric data in the form of a face image and its parameters) is nevertheless carried out, and the technology is used by default throughout the city. In other words, in fact, the law does not establish unambiguous, clear and understandable rules for the use of face recognition technology, explains the representative of the plaintiff.

The video analytics system has been developed in the capital since 2017. Today, in Moscow alone, the municipality has installed more than 178 thousand video surveillance cameras on the streets, courtyards and entrances. All information from them is collected and accumulated in the Unified Data Storage Center (ECDC).

The mayor's office assures that information from a centralized database can only be transferred to government departments upon special requests, for example, to the Ministry of Internal Affairs, and only authorized employees have access to it.

The case of Anna Kuznetsova refutes this. The illegal immigrants found sensitive information about her completely free.

In the Tverskoy court, according to the file of cases, two court sessions took place. The lawsuit is being considered by judge Denis Ivanov. Adopted a ruling on the acceptance of the case for proceedings.

The defendant, represented by the Department of Information Technologies of the Moscow City Hall, took a position of denial, and claims that the recordings from the cameras of the city's video surveillance system are not personal data, but "exclusively images."

Lawyers of Roskomsvoboda believe that leaks from the ECHD are not just a loss of control over the personal data of citizens, but also quite deliberate, selfish and criminal actions of officials.

In Russia, it is not prohibited to use face recognition systems in public space. However, once the camera images are personalized with a specific citizen, the violation begins. The plaintiff was able to identify herself on video images received from city cameras - this confirms a leak from state systems.

In such disputes, the Main Directorate of the Ministry of Internal Affairs of Moscow always stands on one thing: the installation of video surveillance systems in the city is to ensure the right of citizens to safety. The fewer "blind spots" remain in Moscow, the better, the lower the crime rate. If the law enforcement would have it, they would have stuck cameras in every nook and cranny, entrance and under every apartment door. Modern systems make it possible to recognize alleged criminals not only by their faces, but also by their voice, iris, tattoos and gait.

During the first two years of operation in Moscow of face recognition systems, law enforcement officers detained 90 people, monthly - from five to ten criminals, a representative of the Ministry of Internal Affairs in Moscow reported in 2019.

New technologies were also tested at 17 public events - with their help, over two years, the police detained more than 150 participants in street actions.

In the first 9 months of 2020, it was possible to identify 193 people who were on the federal wanted list. It is important for the Ministry of Internal Affairs that in order to catch criminals using video surveillance systems, it is not required to increase personnel.

Other police departments are involved in leaks that result in privacy and other incidents with jealous husbands, illegal surveillance and trafficking in dossiers. Cases by the standards of a metropolis are isolated and, in fact, do not require their lobby to create legal precedents.

“The so-called“ Insider Problem ”is a challenge that will remain relevant for a long time in our information age and in our information society. In the first place, unscrupulous employees of organizations are to blame for the leaks - both state and private organizations are constantly faced with this threat, says Alexander Vurasko , head of the digital threat analysis department at Infosecurity, former speaker of the K Department of the Russian Interior Ministry . The expert is sure that in most cases the “insider” is involved in data leaks from organizations.

- Employees have access to information - and it doesn't matter who it is - a bank teller who sees customer accounts, or a technical specialist in a government agency who has access to databases. Such insiders are constantly in various organizations. It is real to fight them, there would be a desire.

To identify an insider, security personnel only need to enter the darknet and conduct a test purchase: order a piercing against themselves or a dummy. For many years, modern digital systems of organizations have been recording which of the employees has requested data on the required persons in the databases at a certain interval, respectively, it is not at all difficult to calculate such a colleague.

The problem is that neither state nor private structures are in a hurry to do this, although this task does not require large expenditures. Another problem is corruption. People steal data for a reason, but for selfish reasons. 10-20 illustrative investigations with the punishment of unscrupulous employees would ironically discourage everyone else from trading in corporate information. The legal basis for this is: 137 of the Criminal Code of the Russian Federation (Violation of the inviolability of private life), Art. 272 of the Criminal Code of the Russian Federation (Illegal access to computer information) - if we are talking about a former employee using stolen data.