I suspected that it was a serious violation of regulations in the field of electoral legislation and protection of personal data, even possible criminal acts, said the state auditor. Milan Popovic.
He said this to "Vijesta", referring to the software that the Democratic Party of Socialists (DPS) bought to match citizens' social security numbers with their profiles on social networks or data on the Internet, during pre-election cycles.
It was Popović who "found" the documentation on the trade of that computer program during the control of the finances of the then strongest ruling party, and after the presidential elections in which the former leader of that party had triumphed. Milo Djukanovic.
In addition to the contract for the purchase of software from the Hungarian company "Big data analytics", among the files is also the internal communication of DPS officials in which they claim that the program lived up to expectations because in the test phase it enabled them to recognize and influence the political attitudes of about 40.000 citizens...
Popović told the "News" in detail what happened during and after the audit of the Consolidated Annual Financial Report of DPS for 2018, stating that both the State Audit Institution and the Agency for the Protection of Personal Data behaved "strangely" in that case.
That auditor said that from the documentation that was made available to him, he suspected that "the software in question serves the needs of election engineering".
"That is to say that everything reminds of the procedures (methods) of modeling the electoral will of voters described during the 'Cambridge Analytics' scandal, which was intensively reported by the media during 2018. That scandal was mentioned in internal correspondence as the reason why, due to changes in rules and restrictions on the social network Facebook, the subject of the audit and the supplier were forced to look for alternative systems for collecting data...".
DON'T MISS IT
Popovic said that he was never trained in this or any other techniques - marketing methods, for conducting election campaigns.
"As the state auditors, however, were trained by international partners, what is the purpose of audits of political subjects, to contribute to a fair and transparent election race, and that the presented documentation stated, among other things, that the creation of a 'Matching Interface' that gives the possibility matching of personal data (identification number, name, age and location), which can be uploaded by the client - DPS (the software provides the possibility to upload files exported from the databases available to the client), with the activities of individuals on social networks, as well as to the service provider (Big Data Analytics KFT) performs automatic matching in the background and that an estimate was obtained for some 40.000 people for the presidential elections, I suspected that this is a serious violation of regulations in the field of electoral legislation and protection of personal data, even possible criminal acts" .
He said that additional suspicion was raised by the fact that in that period it was allowed to copy election lists that contained protected personal data, but with a clearly prescribed purpose and the way in which it can be handled.
"I removed the evidence in question from the audit subject's register in the way that I took a picture of it, although the SAI has not yet regulated clearly and in detail the procedures for removing evidence. Otherwise, due to the aforementioned circumstances, I, as a state auditor, prefer to use these methods rather than traditional copying, considering that evidence exempted in this way also provides a clue about the date of exemption"...
He said that he then informed the competent DRI Collegium, which is made up of members of the Senate, about his findings via email. Nikola Kovacevic i Branislav Radulović, explaining that this body manages and monitors the audits and is responsible for the results of the controls performed. With that, says Popović, he complied with the Rules of Procedure of the SAI.
The agency never considered the case?
Popović explained that after that a meeting was held where they considered the evidence he submitted, after which he was authorized to inform the Agency for the Protection of Personal Data about everything.
He claims that on that occasion he invited the then chairman of the Council of the Agency Muhamed Gjokaj.
"The same person initially hung up on me when I mentioned that I was calling from the DRI, which was preceded by a stormy reaction in which he expressed his protest about the way the state auditors, who were in the audit of the Agency, handle personal data when seizing evidence. After that, he called me and apologized for his sudden reaction, when I told him that I would be happy to take part, if I needed to testify somewhere, in order to achieve the legality of the actions of the DRI in that segment, although I told him my personal opinion that the DRI would due to the nature of the work and the anti-corruption role, it had to be able to exclude and dispose of evidence (records) containing protected data without a special procedure".
He said that he described to Gjokaj the content of the evidence at his disposal, but without specifying which subject of the audit was in question - in order to preserve the objectivity of the process...
"He stated that this is a serious case and that the material should therefore be forwarded to the Agency for further processing. Also, he advised me to protect all personal data in the copies of evidentiary material that will be submitted to the Agency, so that the SAI would not be involved in an alleged violation, and to leave those parts that indicate which subject of the audit is in question. That's what I did, and the evidentiary material is attached to the accompanying document, in which the entire case is described, on a CD, submitted to the Service for Administrative-Professional Affairs of the SAI for further processing, as evidenced by the reference number from the accompanying document".
In spite of everything, Popović claims that he repeatedly inquired about the case with the members of the Senate of the SAI, but that he received the same answer - that the Agency did not inform them about the outcome...
"I must point out that the entire described situation is still strange to me today, as it was then, for at least two reasons. The first describes the competences in the cases in question, and the second is the fact that according to the internal rules of the SAI, state auditors do not have an official seal and are not able to send written mail externally on behalf of the SAI".
He explained that because of this it happens that audit subjects, when asked to submit evidence by email, insist on requests for the delivery of information and documentation certified and signed by the SAI, and that as a result they have to wait for members of the Senate to review and certify. list of requested documentation.
"As a result, it happens that because they disagree with the content of the request (list), they refuse to sign it until it is corrected in accordance with their suggestions. For this reason, it is very indicative that in that case the 'usual' procedures and practices were abandoned - so the accompanying Act sent to the Agency contains my signature and the seal of the SAI. Also, I must point out that recently... I learned directly from the persons who were then in the Council of the Agency that the Act in question and the evidentiary material sent to the hands of the President of the Council of the Agency were never discussed at the Council of the Agency and that their position was that it was about a 'major' case about which the public had to be informed and actions taken by the competent authorities, and above all by the Agency".
He did not ask for an opinion, but submitted extensive material
The DRI told "Vijesta" two days ago that the acting auditor informed the competent Agency for the Protection of Personal Data about doubts regarding the software used by DPS, that is, Popović did it.
However, in his reply to the editors, Gjokaj referred to the AZLP opinion from 2015, according to which the Personal Data Protection Act "does not apply to the processing of personal data by Facebook INC, so the Agency is not competent to interpret and apply foreign legislation..." . He also claims that the SAI asked the AZLP for an opinion, which they gave back in 2015, so they didn't think it was necessary to do it again.
Yesterday, Popović denied that he approached the AZLP with a request for an opinion.
"In accordance with the conclusion of the Collegium, the evidentiary material obtained by the state auditor during the audit procedure has already been sent to the Agency for further processing, with which the appointed person, as the responsible person to whom the act of the SAI is addressed, had the obligation to familiarize himself with the presented material Council of the Agency. Therefore, no opinion of the Agency was requested. If the allegation that the SAI required the Agency to give an opinion was correct, then it is clear that according to the Law on Administrative Procedure, a received request cannot be resolved by not responding to the same - the silence of the administration, but the party that submitted the request must refer to the an act that has already been resolved in the same or similar legal matter. If it is true that the relevant Opinion of the Agency was published on the website, so that the party addressing the request could know about it", asked Popović.
He repeated that Gjokaj emphasized in the telephone conversation that it was a potentially serious problem and asked for material.
"Why didn't he refer me to the AZLP opinion he was referring to in the interview with the state auditor, is a question for him. Also, why SAI did not inform the public about this when the Agency has not already responded, is a question for those responsible at SAI. From the attached documentation, it is clear that it is not about Facebook, but about software, the creation of which was commissioned by the subject of the audit, and from which there is a clear suspicion that the protected personal data in the possession of the subject of the audit was managed in an illegal manner," concluded Popović.
What is written in the DPS contract with the Hungarian company
DPS, as the client of the work, signed a contract with the Hungarian company "Big data analytics" from Budapest. The subject is "creation and installation of software for the database of voters from social networks (Social Voter Database)", "providing consulting services to the client so that he can apply this software and start using it properly".
The Hungarian company also committed to "submitting the data described in Annex I based on available information about voters from their activities on social media."
According to that document, the system will be built around the "Social Voters Database".
"It will be a central hub that will contain all the data we can collect about voters. The database of voters from social networks will represent your widest access to our database, where we provide the possibility to export all our data to your own systems", it is stated, among other things, in the description of the project that "Big data analytics" offered to DPS through contract.
At the same time, she asked that party to provide them with the name, age, place and voter registration numbers.
“The social media voter database will get its data almost exclusively from our data sources. The only exception is the import of basic data (Basic data import) from your existing voter database, which is necessary for matching. You need to upload the name, age, location of your voters with a unique ID number for each of them, which will be used to connect all the data you receive from us with people from your voter database. the offer is from a Hungarian company, which DPS accepted.
According to the documentation, the IT sector of the DPS reported to the business director of that party that "the conditions from the contract with the Hungarian company 'Big data analytics', which refer to the payment of the second invoice, have been fully met."
"Everything that was foreseen in the second phase of the contract was realized. The delays that occurred were caused by factors that we were not able to influence directly, neither we nor the company 'Big data analytics', but were caused by changes on Facebook. That company, faced with the Cambridge Analytica scandal and allegations of misuse of private data, introduced new rules and restrictions, due to which 'Big Data' and we were forced to look for alternative data collection systems," the official's memo states. from May 3, 2019.
He specifies in the letter that "the test phase of the new system has been successfully completed".
"For the presidential elections, we managed to obtain estimates for about 40.000 people. In the following period, work on improving the system continues and the implementation of the next phase of the contract is underway. Please, based on the contract, pay invoice 2, in the amount of 21.000 euros...", the letter states...
Lacmanović: Violation of citizens' rights, I did not know about the auditor's submission until now
I responsibly claim, under full moral, material and criminal responsibility, that as a member of the AZLP Council at the time, I was not aware of the situation discussed in the specific case, former long-time member of the AZLP Council Radenko Lacmanović told "Vijesta" yesterday.
"Therefore, I never received any information, memo or any other act on which I put my signature at the Council session, and not even individually, on the basis of which it would be confirmed that I was informed about what the SAI sent to the AZLP. From the answer I am giving you, one can clearly impose a conclusion that would be possible and valid - if it reached the Agency, someone hid it. Only the director of the Agency at the time, as well as the president of the Council of the Agency (Gjokaj) at the time, could do that..." Lacmanović said.
He emphasized that this is not about the competence of the Agency to control Facebook.
"Here is the question, on the basis of which someone had access to the data of citizens, in the specific case of at least 40.000 voters in Montenegro, and what they publish on their profiles on social networks. "Apparently, the DPS misused data that it did not collect for that purpose, and that it got from, probably, the voter list, or possibly from the Ministry of the Interior, which was under their control," Lacmanović assessed.
If he had the information then, he says, he would have asked for DPS control and informed the competent institutions about the findings.
MANS: Politicized institutions helped DPS in illegal activities
The Network for the Affirmation of the Non-Governmental Sector announced that this example shows how politicized institutions allowed DPS to use illegal methods in the election campaign, even when conscientious individuals from the system pointed out abuses.
"AZLP had to react to the obvious misuse of personal data by the DPS, because that party obviously owns the identity numbers of citizens. The law and previous opinions of AZLP clearly stipulate who may be in possession of personal data, under what conditions they can use it and for what purposes. It has nothing to do with Facebook, but with DPS, which is obliged to respect Montenegrin laws.
In addition, the SAI was obliged to submit this data to the Agency for the Prevention of Corruption, when it determined that the software was purchased in connection with the campaign for the presidential elections, because that cost had to be reported in the official reports on the costs that the parties are required to submit, which it was not the case", say MANS.
DPS: Untrue, it is a program to get to know voters
DPS announced yesterday that that party used a program that "belongs to a series of programs used by absolutely every serious company that deals with digital marketing."
"There are hundreds of similar programs on the market, and each one aims to monitor and systematize publicly available data from social networks, with the aim of getting to know voters better, the topics they are interested in and to which they react positively or negatively. Everything DPS did using this software, any Facebook user can do manually on their own, only it takes longer and is more complicated. Just as classic public opinion polls would get to know the attitudes and opinions of voters, so the online space is used in the same way...", they announced.
Even in yesterday's announcement, that party did not answer a series of questions that "Vijesti" asked four days ago.
"Of all the untruths presented in the text, the most striking one is that the DPS used citizens' registration numbers to match the voter list with profiles on social networks...Given that almost every citizen in Montenegro has a Facebook profile, it is only necessary to remember if he ever left his social security number when registering on any social network. Of course not. Therefore, we ask a logical question: How is it possible to match data by social security number when it does not exist on social networks?", asked DPS.
In the contract signed by that party with the Hungarian company, the request is clearly emphasized that DPS must "upload the name, age, location of your voters with a unique identification number for each of them, which will be used for connecting all the data you receive from us with persons from your voter database".
In the documentation from the register of that party, which was exempted by the auditors, there are also copies of test reports, according to which, next to the names of the "tested" citizens, there is the city, their address, date of birth and a link to their Facebook profile, if they have one.
Bonus video:
