To Russia With Love

April 18, 2017

Two weeks ago, we reported that noticed a few unusual lines of code on a Hungarian government website. The website, which was set up by Antal Rogán’s propaganda ministry, asks users to provide their name, e-mail address and age before allowing them to fill out the online version of the government’s latest national consultation.

The code embedded on the National Consultation page belonged to Yandex, Russia’s IT equivalent of Google. In addition to offering services such as e-mail, a search engine and cloud services, the Russian company provides analytics services to website owners. This means Yandex gathers valuable information about users who access a website where the Yandex analytics code is present.

According to the last paragraph on the National Consultation website’s privacy page, “personal data provided by users will not be made public, will not be transferred to any third party, and will not be sent abroad.” But when news broke of the mysterious Russian code on the government website, the government quickly deleted the code. Opposition parties rallied to investigate the incident, and Parliament’s national security committee chairman Zsolt Molnár (MSZP) announced the committee would meet the following day to discuss it.

However, Fidesz committee members stood up and walked out of the meeting, breaking quorum and preventing opposition MPs from officially questioning national security services about the code.

Good code, bad code? Which is it?

According to a statement released on the government’s own website, the National Consultation website operated in full accordance with Hungarian law. The article, they claimed, created a situation whereby ill-intentioned misrepresentations of the facts could lead political actors to attack the national consultation.

According to the government, itself uses similar analytics software to track how users interact with their own websites.

But that isn’t entirely true.

Unlike the Google Analytics tracking code used by and countless other websites, the Yandex code the government used on the National Consultation site has a special feature — “Yandex Metrika.”

“While Google Analytics uses anonymous technology to count visits, clicks, and track navigation paths, Yandex has additional features,” writes. “Yandex Metrika gives website owners the option to track every keystroke of their visitors, recording, for example, what users type into fields on their page. This feature, known as ‘webvisor’ is turned off by default — precisely because of privacy concerns. Website owners are warned by Yandex to be extra careful should they choose to enable this feature because ‘webvisor’ will record sensitive data in any field on the site not specifically marked as ‘protected’ by the site’s owners.”

The Hungarian government’s National Consultation website had this feature turned on. tested this feature on the National Consultation website with a dummy email address, and found that the site forwarded the dummy email address to an IP address registered to Yandex in Moscow. This test proved that the government’s privacy page was not truthful when it claimed that “personal data provided by users will not be made public, will not be transferred to any third party, and will not be sent abroad.”
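A site owner or auditor can check a page for this configuration before it goes live. The following is an added example, not code from the article or from Yandex: it scans a page's HTML for a Metrika init call with `webvisor` enabled and lists the text fields that are not marked as protected. The `ym-disable-keys` class name is an assumption taken from Yandex's Metrica documentation rather than from the article, the check looks only at the field element itself, `audit` and `MetrikaAudit` are hypothetical names, and the sample page and its counter ID are constructed.

```python
import re
from html.parser import HTMLParser

# Class that marks a field as excluded from keystroke recording.
# Assumption: name taken from Yandex Metrica docs, not from the article.
PROTECT_CLASS = "ym-disable-keys"
WEBVISOR_ON = re.compile(r"""["']?webvisor["']?\s*:\s*true\b""")
SKIP_TYPES = {"hidden", "submit", "button", "checkbox", "radio", "image", "reset"}

# Constructed sample page; 00000000 is a placeholder counter ID.
SAMPLE = """
<form>
  <input type="text" name="name">
  <input type="email" name="email" class="field ym-disable-keys">
  <input type="number" name="age">
  <input type="hidden" name="csrf" value="x">
  <input type="submit" value="Send">
</form>
<script>ym(00000000, "init", {clickmap: true, webvisor: true});</script>
"""

class MetrikaAudit(HTMLParser):
    def __init__(self):
        super().__init__()
        self.in_script, self.webvisor, self.exposed = False, False, []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "script":
            self.in_script = True
        elif tag in ("input", "textarea") and (a.get("type") or "text").lower() not in SKIP_TYPES:
            # A typed-into field is exposed unless it carries the protect class.
            if PROTECT_CLASS not in (a.get("class") or "").split():
                self.exposed.append(a.get("name") or a.get("id") or "<unnamed>")

    def handle_endtag(self, tag):
        if tag == "script":
            self.in_script = False

    def handle_data(self, data):
        # Only inline script text is inspected for the webvisor option.
        if self.in_script and WEBVISOR_ON.search(data):
            self.webvisor = True

def audit(html):
    """Return (webvisor_enabled, names of fields lacking the protect class)."""
    p = MetrikaAudit()
    p.feed(html)
    p.close()
    return p.webvisor, p.exposed
```

A result with `webvisor` enabled and a non-empty field list means typed input from those fields can reach the analytics provider, which is the condition to reconcile against the site's privacy statement.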

Hungary’s National Data Protection authority has since announced that it has launched a formal investigation into the use of the Russian code to determine whether the personal data of Hungarian citizens had been forwarded to Russia.

Why it is shady when the Hungarian government forwards private data to Russia

Just before their initial public offering in 2011, Yandex released a document concerning risk factors associated with operating in Russia. In the document, Yandex admitted that their online payment service (which is similar to PayPal) provided Russia’s state security agency, the FSB, with personal information of users who donated money to an anti-corruption website launched by Russian opposition blogger Alexei Navalny.

Amy Brouillette, a manager for Ranking Digital Rights, an NGO which ranks global tech companies based on factors such as personal data protection, told that Yandex and other Russian tech companies are bound by law to cooperate with the state security service. Such companies wouldn’t even know if the government chose to access their data since their systems are directly connected to those of the state security apparatus. Brouillette said she wasn’t aware of the governments of any EU or NATO member states, excluding Hungary, using Yandex’s code.

Viktor Tarnavsky of Yandex did mention one NATO member whose government uses their service — Turkey, led by President Recep Tayyip Erdoğan. According to Tarnavsky, Russian government websites exclusively use the Yandex tracking code.

“Russian government sites are not allowed to use Google, we have strict laws on protecting data in our country,” Tarnavsky told