“You are not in control of your smartphone”: the flip side of digitalization

by time news

Probably everyone who dealt with the late Soviet or early post-Soviet state machine was left with a lasting psychological trauma. Endless certificates, copies of documents, certificates of certificates and copies of certificates of documents, issued by some state bodies and necessarily certified by others, had to be carried to yet other state organizations. You had to wait for reception hours, fill out multi-page questionnaires correctly, wade through endless queues, meet the submission deadlines, and not forget that all certificates and certificates of certificates have an expiration date. It is therefore not surprising that I wanted to minimize communication with the state.

The one-stop-shop service was a giant step in the right direction, and the Government Services portal is a real revolution. The portal integrates all of a citizen's official state data into a “digital profile”. It allows a person to be authenticated remotely, confirming unequivocally that this is the same person, and it can automatically grant (or deny) access to certain personal data at the request of third parties. According to the apologists of digitalization, our digital future is exceptionally bright. Futurologists say that in the fully digital state of the next half century there will be no “state” as an organization at all: public services will be provided as if by themselves, based on the decisions of artificial intelligence and on a person's digital footprint, including communication in social networks and messengers and data from smart homes and cities. For example, you have just met your love, and the data has already predicted your wedding day, AI has booked a wedding palace, and a smart budget has planned an increase in maternity capital and medical support for newborns. Most surprising of all, these miracles really are possible. But there is an abyss between possibility and realization.

Distrust of digital technologies is, alas, for the most part quite justified. Although the number of cases in which State Services accounts have been hacked is unknown, analysts agree that such cases are not isolated. Popular social sites carry plenty of plaintive stories, not always with a happy ending, about hacked accounts and loans obtained with stolen personal data, followed by cashing out through the same stolen or fake accounts. Last year, DeviceLock published information that hacked State Services (Gosuslugi) accounts are being sold on the dark web for only 4 to 40 rubles. A loan taken in your name is not even the worst thing that can happen when attackers gain access to your data. The theft of your electronic signature can, in principle, deprive you of all your movable and immovable property. Cases of fraud with electronic signatures have already led to a revision of legislation in this area!

Why is this happening? Why, given the mutual interests of our society and the state, does the digital solution we have created leave much to be desired, even though the strategic goals of digital transformation are set correctly and enough money is allocated? After all, the very existence of a national digital economy project indicates a high level of strategic planning. Not every developed state has national digitalization plans. There are no such plans, for example, in the USA. You can, of course, refer to the banal truth that in the commercial sector most IT projects are not very successful (up to 70% of IT projects have problems), or that “we always have a mess.” I will not do that. In the case of the “digital profile”, the problems are clear and specific. First, there is no legal framework. The main bill, which introduced the concept of a “digital profile”, was rightly criticized for controversial definitions of concepts, for not covering information security issues, and for not naming a responsible organization. It was rejected. There are no new proposals for regulation yet. Second, alas, the correct and good citizen-facing interface to public services rests on an unusable and outdated infrastructure: the unified system of interdepartmental electronic interaction (SMEV), which, in principle, cannot provide real-time data delivery. It is because of SMEV that on the State Services portal you have to enter your personal data yourself all the time and link your documents to your account, even though all the documents are already in the state system, which, of course, verifies them after the fact. A new system of interagency data exchange (the National Data Management System) is being developed, but because of its complexity and high cost it will, at the initial stage, also be largely based on SMEV, which will not greatly improve the situation.

The third problem is that the desire to make authentication in public services simple, affordable and cheap remains, alas, a good wish, because it contradicts the principles of security. Authentication using smartphones and SMS is not secure in principle. SMS is not a secure transport, and the mobile operator transmitting the SMS bears no legal responsibility to anyone. This is probably why hacking through SIM card cloning is one of the most popular methods. The main problem with a smartphone is that you, the owner, do not really control it. A smartphone is controlled by its manufacturer and by the maker of its operating system. They have the ability to remove and install any application without your knowledge. Authentication using biometrics is more secure, but it is not a panacea either. With biometrics it is difficult to strike a balance between simplicity and cost. Simple systems based on voice and video are not reliable enough. Deepfake systems based on artificial intelligence fake both your voice and your appearance with high accuracy. You can see this in The Mandalorian, where the voice and appearance of Luke Skywalker were created without the participation of actor Mark Hamill. Complex systems, in turn, require expensive, sensitive cameras and microphones. Systems based on other biometric features are obviously more expensive still, as they require special equipment. But, most importantly, for all its convenience, biometrics creates additional risks by the very fact that the data is collected and stored. If an attacker steals your biometric data, how will you prove in a fraud case that it was not you?

The fourth problem is that there is no single point of contact for complex issues related to digitalization. The price of mistakes in the digital world is very high. You have probably encountered a situation where a bank operator had to tell you that, in his opinion, “everything is wrong here”, but he cannot do anything because “that is what the program shows”. For example, if you are regularly issued various fines meant for your full namesake (not an isolated case!), where should you go? To the traffic police? To the tax office? If a loan was issued in your name using State Services, then, for example, a microfinance organization, a bank, an Internet provider and a mobile operator were all involved in the scheme. None of them, of course, is inclined to admit the problem. And the police are sufficiently loaded with other problems and are unable to help promptly. Fortunately, however, this problem is recognized and will probably be resolved in the near future.

And, finally, the fifth problem is not so much a problem as a potential solution to the authentication problem which, for some reason, is not on the agenda. We have been developing a new type of passport for a long time, primarily in the form of a secure smart card. Around the world, access to public services using smart cards has been implemented successfully for a long time. Examples and pioneers are Estonia and Hong Kong, which implemented such schemes in the last decade. Last year India, which initially relied on biometric access, began to switch to access based on documents in the form of smart cards. For some reason, we do not yet have any connection between the draft new-style passports and the State Services portal.

The portal's main mistake is its connection to financial services given the current state of security. Without that option, citizens would have fewer problems.

So what is the answer to the question in the title? I will say this: as long as your data is not 100% protected, there is a risk. But progress is inexorable, and I believe that most of the problems will be solved in the near future.
