Data protection agency investigates gov't sending personal data of Hungarian citizens to Russia

„More and more foreign funded organizations operate in Hungary with the aim of covertly interfering in our domestic affairs. These organizations could jeopardize our independence. What do you think Hungary should do?”

This is one of the questions asked of Hungarians in the government’s „Stop Brussels” National Consultation for 2017. The National Consultation, in which Prime Minister Viktor Orbán personally addresses every single recipient, is sent out by mail to the homes of every Hungarian adult. Issues addressed in the 2017 National Consultation include migration, the EU, and non-governmental organizations.

As the questionnaires arrive, the National Assembly of Hungary is debating a controversial NGO bill that many have suggested bears a strong resemblance to similar legislation in Russia and Israel. The bill would require civil society organizations to register themselves as being “foreign-funded” if they receive more than 24 thousand USD from abroad annually.

On schedule to be adopted by Hungary’s Fidesz-controlled parliament in three weeks’ time, the bill would force NGOs critical of the government – such as Transparency International Hungary, the Hungarian Civil Liberties Union, and the Hungarian Helsinki Committee – to register as “foreign-funded” organizations, and would also require them to present this label conspicuously in all their public communications, websites, leaflets, studies, etc.

To make sure they receive as much feedback as possible, the government also launched an official National Consultation website on April 8th, 2017.

Visitors to the website must provide their full name, age, and email address before they can start answering questions about NGOs, migration, and the EU’s interference in Hungary’s domestic affairs. There’s a link at the bottom of the website that takes users to the privacy and data protection policy page. In the last paragraph of the policy page, the government explicitly promises users that

„personal data provided by users will not be made public, will not be transferred to any third party, and will not be sent abroad.”

This short and straightforward sentence is commonplace in the privacy and data protection policy sections of the Hungarian internet.

In this case, however, the statement is completely false: all private user data from the Hungarian government’s National Consultation website were forwarded to servers in Russia.

Let’s just track everything

Almost all websites use some kind of user-tracking software in the form of a piece of code embedded in the website itself. This code enables a site’s owners to track web traffic to see how many people visited a site within a given time frame, but it also provides details including how many pages each visitor used and how they navigated through the website. This information is valuable to someone running even the smallest personal blog.

There is a considerable industry dealing with web statistics.

The largest player in the market is Google with its service called Analytics. But there are others, such as Comscore, Alexa, Adobe, and so on. In Central and Eastern Europe, a company called Gemius provides the market standard tracking solution, but Google Analytics is also widely used.

But there is another relatively large company in this industry, Yandex, which is often referred to as the Google of Russia due to its search engine and the other services it provides. Yandex also has a web tracking service called “Yandex Metrika”, but this service is rarely used outside of the Post-Soviet states. According to Viktor Tarnavsky, a representative of Yandex, a thousand Hungarian websites use Yandex Metrika as their tracking solution, a minuscule number in the Hungarian market.

While Google Analytics uses anonymous technology to count visits and clicks and to track navigation paths, Yandex has additional features. Yandex Metrika gives website owners the option to track every keystroke of their visitors, recording, for example, what users type into fields on their page. This feature, known as “webvisor”, is turned off by default — precisely because of privacy concerns. Website owners are warned by Yandex to be extra careful should they choose to enable this feature because “webvisor” will record sensitive data in any field on the site not specifically marked as “protected” by the site’s owners.

The Hungarian government, it turns out, decided to use Yandex’s tracking code on the National Consultation office website. It did so with the “webvisor” feature enabled, but neglected to mark the fields containing personal data as “protected”. This means the system forwarded the personal information of all users to Russia, contrary to the claims on the site’s privacy and data protection policy.
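The misconfiguration described above can be checked for on any page before it goes live. The following audit is an added example, not code from 444.hu or from the government site: it flags text fields that a replay-enabled Metrika counter would capture. The `webvisor: true` option and the field opt-out class names are taken from Yandex's public documentation and are an assumption here, and the sample page is constructed.

```python
import re
from html.parser import HTMLParser

# Assumption: opt-out classes taken from Yandex's public docs (current, legacy).
PROTECTED = {"ym-disable-keys", "-metrika-nokeys"}
METRIKA_HOST = "mc.yandex.ru"
WEBVISOR_ON = re.compile(r"webvisor\s*:\s*true", re.I)
NON_TEXT = {"hidden", "submit", "button", "checkbox", "radio"}

class ReplayAudit(HTMLParser):
    def __init__(self):
        super().__init__()
        self.in_script = self.metrika = self.webvisor = False
        self.unprotected = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "script":
            self.in_script = True
            self.metrika |= METRIKA_HOST in (a.get("src") or "")
        elif tag in ("input", "textarea"):
            if (a.get("type") or "text").lower() in NON_TEXT:
                return
            if not PROTECTED & set((a.get("class") or "").split()):
                self.unprotected.append(a.get("name") or a.get("id") or "?")

    def handle_endtag(self, tag):
        if tag == "script":
            self.in_script = False

    def handle_data(self, data):
        if self.in_script:  # inline counter snippet
            self.metrika |= METRIKA_HOST in data
            self.webvisor |= bool(WEBVISOR_ON.search(data))

def audit(html):
    """Return the fields whose typed content a replay-enabled counter would capture."""
    p = ReplayAudit()
    p.feed(html)
    p.close()
    recording = p.metrika and p.webvisor
    return {"recording": recording, "exposed": p.unprotected if recording else []}

# Constructed sample page (not the real consultation site); counter id is a placeholder.
FORM = '<form><input name="name" class="{c}"><input name="age" class="{c}">' \
       '<input type="email" name="email" class="{c}"><input type="submit"></form>'
SNIPPET = '<script>(function(){var s="https://mc.yandex.ru/metrika/tag.js";})();' \
          'ym(0, "init", {webvisor:true});</script>'
WEAK = FORM.format(c="") + SNIPPET
FIXED = FORM.format(c="ym-disable-keys") + SNIPPET
print(audit(WEAK), audit(FIXED))
```

A static check like this only sees markup served in the initial HTML; counters injected later by a tag manager need a check against the rendered page or the outgoing network requests.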

Wanton misinterpretation

On Saturday, April 8th, using publicly available online tools, 444.hu recorded the Hungarian government’s National Consultation website forwarding a dummy email address (created for testing purposes) to an IP address registered to Yandex in Moscow. On Sunday morning, April 9th, a few hours after we published our detailed findings, the Hungarian government proceeded to remove the Russian code from their website. They released a statement half an hour later claiming that all private data had been handled in accordance with the law. The code was removed, the government claimed, because

„it enabled a deliberate misinterpretation of the situation”.

Later that day, Zsolt Molnár, opposition chairman of the National Assembly’s National Security Committee, announced he would move for an inquiry into the issue at the committee’s closed-door meeting scheduled for the following day. Opposition parties MSZP and LMP called for the National Data Protection Agency to open a formal investigation into the matter.

On Monday morning, April 10th, MPs of the governing Fidesz party walked out of the National Security Committee’s meeting when opposition MPs raised the issue of the Russian code. Because of the committee’s rules, the walk-out prevented opposition MPs from formally addressing officers of Hungary’s National Security Agency present at the meeting.

Later that day, the National Data Protection Agency announced it had launched a formal investigation into the use of the Russian code to determine whether the personal data of Hungarian citizens had been forwarded to Russia.

When the Kremlin asked, they told them everything

The use of Yandex’s code and the sending of Hungarian citizens’ personal data to a foreign server isn’t only problematic because the government explicitly promised it wouldn’t do it.

Just before their IPO in 2011, Yandex released a document concerning risk factors associated with operating in Russia. In the document, Yandex admitted that their online payment service (which is similar to PayPal) provided Russia’s state security agency, the FSB, with personal information of users who donated money to an anti-corruption website launched by Russian opposition blogger Alexey Navalny.

Amy Brouillette, a manager for Ranking Digital Rights, an NGO which ranks global tech companies based on factors like personal data protection, told 444.hu that Yandex and other Russian tech companies are bound by law to cooperate with the state security service. She said they wouldn't even know if the government chose to access their data, since their systems are directly connected to those of the state security apparatus. Brouillette said she wasn't aware of any EU or NATO member state governments using Yandex’s code.

Viktor Tarnavsky of Yandex did mention one NATO member whose government uses their service — Turkey, led by President Recep Tayyip Erdoğan. According to Tarnavsky, Russian government websites exclusively use the Yandex tracking code. He told 444.hu,

„Russian government sites are not allowed to use Google, we have strict laws on protecting data in our country.”

(Benjámin Novák of the English language Budapest Beacon contributed to this report.)
