Artur Papyan, Ruben Muradyan on Armenia’s Draft Law on Mass Surveillance and Cybersecurity Track Record | Ep 344, July 15, 2024 [EP344]
Posted on Monday, Jul 15, 2024 | Category: Armenia, Azerbaijan, Legislation, Cyber | Series: cog
Groong Links:
Guest:
Topics:
- Armenia’s Draft Law on Mass Surveillance
- USAID-funded Deal with AWS
- Government Track Record of Cybersecurity Failures
Episode 344 | Recorded: July 11, 2024
Show Notes
Is Armenia Becoming a Surveillance State
Draft Law on Ubiquitous Surveillance
Last month a very onerous surveillance law was proposed by Pashinyan’s government, which flew under most radars except the few in the business of security, privacy and and civil rights protections.
Essentially the law would require all but the smallest of businesses to install hi-res cameras to watch over and around the entrance and exits of their premises, and what’s more: to continuously share the video and audio streams with the government.
Pretty much all businesses that occupy over 50 m2 of space would be affected.
Questions:
- Arthur: Can you give a brief overview of this law for our listeners?
- Who is going to pay for all of this surveillance equipment, its installation and maintenance?
- Note: this is essentially a tax (or fee) on businesses. An unfunded mandate.
Crime and drug trafficking in Armenia has been on the rise since 2018, when Pashinyan took over. So his government is fully on board with this law, pretending that this will solve their problems.
The Interior, Defense, and Justice ministries have signed up despite the fact that the Justice ministry’s own Data Protection Agency raised red flags about the proposed law.
Questions:
- What is the current status of this proposed law?
- What are the privacy concerns with this law, and how have privacy experts reacted to it?
- Has the government submitted this law to international organizations for a review, and comparison with other similar laws?
- Are there examples of other countries where this type of law exists?
- Will businesses even be notified if their data is accessed? Or is there a subpoena process for accessing the data?
Trust and Verify
One of the key concerns to address is trust in a centralized surveillance system. Who will be reviewing the data feeds, what policies govern the data protection, handling and retention aspects, and how will it be possible to verify the trust that people must put in the government, ANY government. The Armenian government’s track record for information access is not good.
Questions:
- Are there any regulations in Armenia governing the handling of this type of data?
- Are the regulations robust?
Armenia’s US-funded Deal with AWS
As if our concern about Armenia increasing its surveillance of its citizens, we were reminded this week about a new concern. During her visit to Armenia this week, Samantha Power, director of the USAID, announced a US-funded deal for the Armenian government to use Amazon Web Services (AWS) as part of its “digital transformation” efforts.
The announcement sounded more like a press release drafted by a cloud provider than the US government but specifically said that Armenia needs systems “that can withstand cyber attacks, systems that are governed by clear regulatory frameworks that protect human rights and privacy for citizens”.
Question:
- Do we know any more details about how the Armenian government plans to use this money?
Data Sovereignty
One of the main aspects of this deal is that Armenia would lose sovereignty over any of the data it stores in AWS, because AWS does not have data centers in Armenia.
There are numerous compliance laws that countries have put forth to govern how cloud providers should store and process their data. These are normally called “Regions” by cloud providers and you as a customer can instruct the cloud provider to store your data in only a specific region. GDPR is a popular EU-wide regulation that, for instance, stipulates that data of EU persons should be stored only in EU regions or in regions that have safe harbor agreements with the EU.
Questions:
- Do we know what type of data the Armenian government intends to store in the cloud?
- Even if not a privacy issue, is there a data sovereignty issue?
Cyber Security Failures
During the 44-day war the government was hacked by Azerbaijan, and they still don’t know the full extent of the intrusion. We haven’t seen any follow-through or audit on this either. Among other resources, Armenia’s network of street cameras were hacked.
Questions:
- What’s the current state of our national cybersecurity posture?
- Is it any better than it was in 2020?
- Has there been any investigative analysis of the 2020 cyber attacks, with mitigation recommendations?
- What ongoing process will people have to ensure that this onerous surveillance system does not fall into enemy hands?
- And that is, if one can consider the government as a non-enemy.
Wrap-up
That’s our show, we hope you found it useful. Please find us on Social Media and follow us everywhere you get your Armenian news.
Thanks to Laura Osborn for the music on our podcasts. We’ll talk to you soon!
Guests
Artur Papyan
Artur Papyan is a malware researcher, digital security consultant, co-founder of CyberHub and director of the Media DIversity Institute.
Ruben Muradyan
Ruben Muradyan is a Yerevan-based cybersecurity analyst. He’s an independent researcher, and a frequent speaker on cybersecurity topics on ArmSec, BarCamp.
Hosts
Hovik Manucharyan
Hovik Manucharyan is an information security engineer who moved from Seattle to Armenia in 2022. He co-founded the ANN/Groong podcast in 2020 and has been a contributor to Groong News since the late 1990s.
Disclaimer: The views expressed by Hovik Manucharyan on the ANN/Groong podcast are his own and do not necessarily reflect the opinions of his employer or any other organization.
Asbed Bedrossian
Asbed is founder of the Armenian News Network Groong and co-founder of the ANN/Groong podcast.