Turning Turkey’s Citizens’ Data leak into an opportunity

The details of around 50 million Turkish citizens recently leaked and spread widely on the internet. The information included the citizens’ first, last and parents’ names, birth date, national ID number (aka Kimlik No.), gender and address.

On the upside, the database is somewhat old (2009) and it is an elections (voters) database, so it only contains citizens who were 18 years or older as of 2009. Also bear in mind that this is not the first leak of its kind, nor will it be the last; there have been many major leaks in the past, some even more severe, such as millions of credit card or bank account details, and such leaked data continues to be available on the black market as well.

On the downside, this is the first public large-volume leak of this kind. Put the citizens’ names aside (not necessarily a big deal, as the phone books in every country used to provide them along with the phone numbers): the national ID and birth date are sensitive and can be used as the basis of various types of attacks, account hijacking, fraud and privacy breaches. One thing can be said for sure: the leak cannot be undone, hence damage control is not possible. Turkey needs to live with this reality and think of improving and protecting its data security and access control.

Those who released the database said they were able to get a username/password to a portal and pull the data from there; they criticized the poor data protection (the lack of encryption and the use of bit-shifting) and even made fun of the poor database performance 🙂

Some say that Putin’s minions are responsible for releasing this data now, in the wake of the Panama leaks in which Putin’s name was brought up, claiming that releasing Turkey’s data could distract media and public attention. I really don’t care much about the motive; what matters is how such important information should be protected in the information era we live in.

Before sharing some reflections, let me state clearly that it’s easy for anyone to preach *after* the fact. So I’m not trying to point fingers at the lameness of the IT infrastructure as much as highlight some thoughts on how this can be better handled moving forward. Actually, these types of incidents should be looked at as amazing opportunities for improvement and for getting to the next level of data security.

Update: On the heels of the Turkish leak, 55 million voters’ details leaked in the Philippines. So this immediately becomes a global national data security issue.

Let’s start by listing some basics that can be implemented to fix security for such scenarios:

  1. Provision Identity Management: The government can become a formal Identity Assertion Provider (IdP), which is essentially the electronic / online counterpart of the identity documents governments issue, such as passports or ID cards/papers, along with the additional attributes, biometrics and authentication data. This should be implemented for citizens and foreigners (resident and otherwise) alike. OpenID Connect is the state-of-the-art technology at this point and it has been adopted by many in the industry. The notion of a government becoming an IdP hits many birds with one stone:
    1. Acts as a central System of Records for all the users (citizens and foreigners), and can only be updated via the proper formal channels. Hence any and all formal documents can be issued out of it.
    2. Users are able to easily maintain/review their own personal / sensitive data: phone/mobile numbers, email, secret tokens such as passwords and ID&V questions and answers, etc.
    3. Proper multi-factor authentication mechanisms are leveraged. This should consider the three types of authentication: A) things the user knows, such as passwords and ID&V answers, B) things the user has, such as secret token generators and codes sent via mobile or email, and C) things that represent who the user “is”, such as iris, finger and voice prints, etc.
    4. National PKI: The government should become a PKI CA and should issue smart ID cards (“Akıllı Kimlik” in Turkish), which are considered very secure by today’s standards. Those smart IDs should contain the user’s active private key, which can be used to digitally sign any desired electronic activity and/or encrypt any private data. The smart IDs are also USB-enabled so they can be used from regular computers and/or smart devices of all sorts. Malaysia has a very interesting implementation of a multi-purpose smart card called MyKad; they use it – among many things – as a formal ID document, driver’s license and ATM card, and it provides a public key. Paper-based IDs are becoming obsolete. The day will come when to enter a country you would only need: 1. a smart ID card (something you have), 2. an iris scan / photo / fingerprint scan (something you are) and optionally 3. a couple of ID&V questions (something you know).
    5. Maintain a ledger (audit) of all the activities and changes (mainly the metadata; the actual data can be maintained elsewhere). Block-chain can be leveraged for its strong resilience and tamper-proof properties. As such, any subsequent tampering (small or massive) can be traced and rectified.
    6. Provision identification services to third parties such as A) other government agencies (think of tax, properties, health, education, elections, etc.), B) banks, C) utility companies, D) hospitals, E) landlords when renting, F) business owners when hiring, and G) any other service providers, who can easily verify the identity of a user with the user’s consent. Those third-party service providers maintain their own data about the users.
  2. Enhanced Access Control: With strong multi-factor authentication in place, an authorization service such as OAuth 2.0 can manage service providers’ access to the users’ data. OAuth 2.0 works hand-in-hand with OpenID Connect.
  3. System-level security hardening: Proper auditing tools, OS hardening, SELinux, intrusion detection, weak-password rejection, and web-app security hardening against attacks such as CSRF, SQL injection, XSS, cookie hijacking, SSL vulnerabilities, etc.
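
Item 1.5 above describes a metadata-only audit ledger in which later tampering can be traced. The following is an added example, not part of the original post, of the hash chaining that block-chains build on; every name in it (`append_entry`, `first_tampered`, the sample actors and records) is constructed for illustration.

```python
import hashlib
import json

GENESIS = "0" * 64  # constructed starting value for the chain


def digest(obj) -> str:
    """SHA-256 over a canonical JSON encoding (sorted keys, no whitespace)."""
    blob = json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(blob).hexdigest()


def append_entry(ledger, actor, action, record_id, record):
    """Append metadata about a change; the record itself lives elsewhere."""
    body = {
        "seq": len(ledger),
        "actor": actor,
        "action": action,
        "record_id": record_id,
        "record_hash": digest(record),  # fingerprint only, no personal data
        "prev": ledger[-1]["hash"] if ledger else GENESIS,
    }
    entry = dict(body, hash=digest(body))
    ledger.append(entry)
    return entry


def first_tampered(ledger):
    """Return the index of the first entry that breaks the chain, or None."""
    prev = GENESIS
    for i, entry in enumerate(ledger):
        body = {k: v for k, v in entry.items() if k != "hash"}
        if entry["prev"] != prev or entry["seq"] != i or digest(body) != entry["hash"]:
            return i
        prev = entry["hash"]
    return None


def record_matches(entry, record):
    """Check a record fetched from the data store against its ledger entry."""
    return entry["record_hash"] == digest(record)


def build_sample_ledger():
    """Constructed sample data: three operations on one fictional record."""
    v1 = {"name": "Sample Person", "city": "Ankara"}
    v2 = {"name": "Sample Person", "city": "Izmir"}
    ledger = []
    append_entry(ledger, "registry-clerk-17", "create", "P-0001", v1)
    append_entry(ledger, "registry-clerk-17", "update", "P-0001", v2)
    append_entry(ledger, "tax-office-03", "read", "P-0001", v2)
    return ledger
```

A chain like this only exposes tampering if the latest hash is also held by parties the attacker does not control, which is the replication a block-chain adds.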

For a country the size of Turkey I would estimate a 5-year national initiative with a cost of less than 500 million Turkish Liras ($150 million US Dollars), at the end of which the infrastructure for the national data would be in place, along with the published capability allowing integration with third parties, both government and private.

Conclusion

National data requires proper protection; the good news is that today’s technologies are able to provide it up to the highest standards.
National data and the services ecosystem around it are key if a nation wants to embrace the digital age. Advancements in data security and related technologies greatly reduce the risk of data leaks and additionally provide the very necessary foundations for highly secure, convenient electronic identification and access control systems. Think elections, census, health (EHR), banking, even law enforcement: they all would greatly benefit. The good news is that this is easily achievable and at minimal cost; I claim that it’s far more cost-effective and secure compared to any existing classical options. Last but not least, as a rule of thumb: all recommendations/setups are a function of technology sophistication and advancement; any secure setup of this scale needs to be continuously monitored and updated in order to continuously protect our data.

This is the National Data Security and Services the way it should be.

2 thoughts on “Turning Turkey’s Citizens’ Data leak into an opportunity”

  1. Khaled Gharaibeh

    Thanks Kefah for spotting the light on the opportunity.
    As you mentioned, current security protocols and techniques can be provisioned nationwide whether in Turkey or any other country (scalability and simplicity to a certain degree are needed as well).
    Yet, even if current (and to-come) security protocols are well established and proven, one should think of new types of protocols and techniques, which will hit 2 birds: innovation, and securing national data.
    Turkey, or any other hacked country:), should have if we can name it “an R&D digital security dept” to create a knock-out security system that makes its citizens and the state itself proud and secure.
    1. Kefah Post author

      Hello Khaled and thank you for your input.

      I fully agree; Turkey needs to build its R&D Digital Security team; the same applies to all other countries determined to enter the digital age of national data.