From: Alice Taylor
Exit Explains: The Leak of Over 910,000 Albanians Personal Data to Politicians and the Public

Earlier this week, the media published details of a large database that contained the personal information of more than 910,000 voters. It included members of the public, journalists, members of civil society, and well-known personalities. This data was allegedly taken from the Civil Registry and provided to the Socialist Party for use in the electoral campaign.

910,000 records are equivalent to one-third of the population, or around half of those eligible to vote. It’s believed that more records exist and are in the hands of politicians.

The data provided included their ID number, name, fathers name, surname, date of birth, voting center, place of birth, residence code, list number, phone number, whether they are an emigrant and if so, which country, whether they are likely to vote for the Socialist Party, birthplace, employer, and Patron.

Not only was this data, in Access format, shared with a political party, but it was then leaked to the public domain and is now being shared widely amongst the public.

What is a patron and the patronage system?

The Patronage system is one whereby every person in the country has a “patronazhist”. This is a low-ranking party official or even just a party member who is assigned several members of the public to “watch over”. 

This means they are tasked with getting close to those they are watching over to get information from them which is then reported back to the party. The information includes their political affiliation and opinions and who they are likely to vote for in the election. Prime Minister Edi Rama has admitted to using this system since 2009.

Reactions

The National Agency for Information Society (ANA) reacted to the accusations. They said that under no circumstances had any data from their institution been used by any political party, including the government. They added that it wasn’t even technically possible.

“e-Albania at no time stores administers or processes citizens’ data. This is clearly shown in the interface of the portal. Data is kept and administered from the respective databases in the framework of fulfilment of the legal obligations of the administrative institutions according to the act of creation.”

They called the accusations “unfounded” and guaranteed the safety of citizens’ data. They invited those that made the allegations to provide evidence.

Prime Minister Edi Rama claimed that the data was collected historically via a door-to-door collection process. He added that all political parties do this both in Albania and abroad.

The Prime Minister was adamant that the data was not harvested from e-Albania and is ‘old data’.

Those who found their names on the list dispute this. The information includes new employers, changes in the last few months, new businesses that were set up in the last six months, and new mobile numbers registered in the last year. Another individual known to Exit found he was registered as employed with a different company name than he expected. This information was not known to him and would have only been available via his tax number which is part of the data held by e-Albania.

SPAK has so far not launched investigation into the leak. Head of the Prosecution Arben Kraja stressed that verifications are being made.

“We are doing verifications, there are no denunciations yet.”

The Commissioner for Personal Data Protection Redi Skenderi also announced that he is conducting an assessment of the situation but no investigation has been launched.

“In relation to the case, all necessary legal assessments are being made for the official administration of information, or the necessary evidence for the administrative review of the case.”

The implications

The implications of the leak of almost a million people’s personal data are severe. Identity data has a value on the black market and can be sold for between $1 and $5 per record, depending on the information held. 

Identity theft

The information leaked can be used to steal the identity of Albanian citizens. Online bank accounts, social media accounts, and accounts on other systems or websites can all be set up fraudulently by using an individual’s personal data. Data can also be used to create a “new” person, hijack your accounts, steal money, ruin credit rating, obtain loans, and more.

Safety

The database provides the personal data and mobile number of citizens. This means they are potentially at risk, particularly in the case of journalists, activists, or famous individuals. They or their homes could become a target of crime or harassment. Also, the name of each Patron being made public could put their safety at risk.

During the Communist regime, a similar scheme was in place whereby Communist Party spies would observe and report back on people in the neighborhood or those they were tasked with getting close to. People are sharing the name of their Patron on social media and there have been a number of angry reactions.

Personal risk

Data breaches are considered a violation of privacy by the members of the public. It allows for the classification of individual groups which can lead to discrimination and loss of freedoms. It can also cause significant personal distress as people feel exposed, fearful, and concerned about what their private data might be used for.

As well as the physical risk mentioned above, there are psychological risks including anxiety, depression, stress, and panic which are common side effects of data leaks.

Security

The information could be used to gain access to people’s existing accounts. Some of the information includes sensitive data which could help hackers guess passwords and similar. This puts social media, email, online shopping platforms, and similar at risk of being accessed by an unauthorized individual. The information can also be weaponized by private companies that may wish to target individuals for advertising, monitoring, social media targeting, and more.

An IT expert working for a large international security institution told Exit that Albania must renew IDs of all people if it wants to create trust in public institutions, despite the huge costs associated. This should also happen in order to protect Albanian citizens from all of the above risks.

“The security of Albanian identities is now a non-existent notion. People whose data is published are at constant risk,” he said.

Another individual, working for an international bank said that the data published is “all you need to create another you.”

He added:

“You can commit an offense, give the police someone’s name, ID, and I will need to go to the court to have my name cleared. It’s a criminal’s paradise. Printing out fake ID cards can now become a hobby.”