Recently, articles have been published by Xataca and El Pais inspired by twitter conversations on an alleged security vulnerability that exposes Catalan census data to anyone with a little free time and bad intentions.
A few days before the referendum vote, the Catalan Government surprised everyone by using an encrypted and distributed technology approach to overcome the anticipated problem of digital repression from central government, and to allow citizens to consult the polling stations where they should vote. The quoted articles question the safety of this system and profess alarm that the data of citizens are already exposed as a result of this system.
Xnet has studied the matter and we would like to make the following response:
– To begin with, as any computer expert knows, one hundred per cent security does not exist: anything can be hacked with sufficient resources. Given the data that we have so far, we can say that the security of the census seems better than average, especially in comparison with censuses of the central government that in electoral periods, for example, are often given to the political parties.
– In the case of the Catalan census, the security measures applied have been optimal regarding the value of the data at risk: DNI (truncated, only the last 5 figures), postal code and date of birth – data that could be collected much more easily with brute-force attacks or other attacks on other registers. Thus, the strategy of the Generalitat has been risky but functional and sufficiently secure emergency solution.
– Xnet has contacted other experts in cryptography to investigate the matter further. Here is the feedback received:
“The cryptographic algorithm used is secure and in line with the ISO/IEC 18033-1:2015 and 18033-3:2010 standards. It uses a CBC encryption block that is also used in military environments and 256-bit AAS Hashing compatible. In this case, it is normal not to use “SALT” because the database would have had to be distributed and the decryption carried out for each client. This would have required an exposure of “SALT”. The criticism of not using SALT betrays a certain ignorance and/or an inability to take into account all the facts of the case.
Thus, in our professional opinion, the authors have not endangered the personal data of the Catalan census since the encryption procedure followed is in line with the standard procedure. Although the brute-force attack scenario may be plausible, the relationship between the data obtained in proportion to the investment in economic technology required would not be economic.”
– The alleged leak of data El País speaks about in its alarmist headline boils down to: with enough free time and knowing the last 5 digits of someone’s ID, some bad data thief could guess… his or her age and neighbourhood. That would be rather inefficient of the data thief concerned, taking into account the fact that the poor management of the Public Administration regarding our private data over years has furnished us with far better ways for massively obtaining far more detailed citizen data.
– We would urge Xataka, a technology medium that we often turn to and respect, not to fall into the temptation of publishing information not sufficiently corroborated in the form of “doubts for debate” as they contribute to a false debate that seeks to reconstruct a symmetry in the conflict where there is none. In reality, the situation is one in which the only objective data that we do have concerns the constant violation of rights on the Internet and also civil liberties by the Spanish State. Doing this without sufficient precautions allows a technical issue to be used politically for propaganda and the creation of fake news.
Regarding EL País, which in fact includes this issue in its serial fiction on “the network of Russian interference” that is apparently behind everything that happens in Catalonia, as if this were not a historic political conflict with a broad social base; we simply ask them to stop publishing fake news and hysterical news stories about what is happening in Catalonia. We especially condemn the deliberate intention to criminalize distribution strategies and encryption technologies, since these are opening the doors to a future improvement in democratic quality of life. Their criminalization can only lead to a permanent state of authoritarian exception in our life in digital space.