Ombudsman: Gov’t not responsible for Yandex code

July 29, 2017

Data Protection and Freedom of Information ombudsman Attila Péterfalvi has completed an inquiry into the use of a controversial tracking code on the Hungarian government’s national consultation website, concluding that the government could not be held responsible for installing the code and thus breaching the privacy of users.

In April, 444.hu reported that the government’s national consultation website contained a few lines of highly-suspicious tracking code. The code, created by Yandex, Russia’s equivalent of Google, is well-known in tech circles. Unlike the tracking code of its American counterpart, the Yandex code has a feature that enables Yandex to collect sensitive user information through a server based in Russia. The sensitive information collected on the government’s national consultation website included users’ names, age, and email addresses.

The 444 piece generated significant media attention for three reasons:

  • The privacy policy on the national consultation website explicitly stated that no user data would be transferred abroad or to third parties (it was).
  • Yandex has a history of being used by authoritarian regimes for political purposes. In 2011, the BBC reported that Yandex handed over private information on certain users to Russia’s state security service, the FSB. This information was on customers who had used Yandex’s payment system (which is similar to PayPal) to donate money to an anti-corruption website launched by Russian blogger Alexey Navalny.
  • The code was placed on a website run by Hungary’s Cabinet Office of the Prime Minister, commonly referred to as the “propaganda ministry”, which is run by propaganda minister Antal Rogán. It is extremely unusual that an EU Member State and NATO ally would use such technology on government-run websites.

One day after 444.hu exposed the use of the code on the government’s website, the code was removed. The government and Hungary’s ruling party denied any wrongdoing. The following day, a meeting of the National Assembly’s National Security Committee was called, but Fidesz MPs boycotted the meeting, which meant the committee could not discuss the issue due to lack of quorum.

József Gulyás, a former liberal MP and member of the parliament’s National Security Committee, criticized committee chairman Zsolt Molnár (Hungarian Socialist Party) for his handling of the Yandex scandal, calling it gross incompetence or worse.

“Some people decided that they wanted to share access to sensitive private data with the Russian services,” Gulyás said. “But there’s no investigation to determine who decided to do this and bring this under our roof.”

On July 27, ombudsman Péterfalvi held a press conference to announce the results of his inquiry.

According to Péterfalvi, his agency’s inquiry could not establish that Rogán’s propaganda ministry was at fault for the Yandex code being on its own website. The inquiry found that the code was not placed at the request of the ministry but by a third-party contractor. Therefore, Péterfalvi reasoned, the government is not at all responsible for using the Yandex code.

No criminal prosecution has taken place as a result of the massive breach of private data. Despite the government denial that any wrongdoing took place, the government did remove the code from its website — a small but significant victory for the media.