Open and personal data. Analysis of the "data leak" case with Avito





Two weeks ago, databases of 600 thousand clients of the Avito and Yula services were found on forums; they contain real addresses and phone numbers. The databases are still freely available, and anyone can download them. Imagine how many people have already downloaded them with the intent to send out spam or, even worse, to trick users out of their payment card details. The forum administrators do not delete the databases because they do not see any problem in this situation, let alone a violation. They say that this is not theft of personal data, but the collection of open data.



You won't surprise anyone with the news of a data breach



July and August 2020 were packed with news of TikTok being blocked for unauthorized data collection. My task is not to surprise, but to understand the issue and to keep the promise that Habr made to one of its readers. By the way, my name is Vyacheslav Ustimenko, and I wrote the article together with Bella Farzalieva, an IT lawyer from the international law firm Icon Partners.



Why is it important



The issue of protection and processing of personal data is gaining momentum every year. Personal data protection is about a person's freedom of choice, the culture of society and democracy. An independent person is difficult to manage, difficult to deceive and impossible to copy. This idea is carried by the well-known data protection regulations in the EU (GDPR) and the USA (CCPA). I conducted a survey on my personal Instagram account: even lawyers (90% of my subscribers) are still poorly versed in data protection issues.



The question was: "Which of the following is personal data?"

I attach a screen with the survey results.



The correct answer was chosen by about 20% of those who voted.







P.S. The fact that I am from Ukraine while the article is about the laws of the Russian Federation should not confuse you, dear readers, since the expertise of an IT lawyer cannot be limited to one country.



What is personal data in the Russian Federation



The definition of personal data in the Federal Law does not differ much from the European or Ukrainian one, which was covered in the previous article.



Personal data is any information relating directly or indirectly to a specific or identifiable natural person; that is, any data by which a person can be identified.



In Russia, the use and protection of personal data is regulated by many documents, in particular 152-FZ "On personal data", 149-FZ "On information, information technology and information protection", the Administrative Code, the Criminal Code of the Russian Federation, the Labor Code of the Russian Federation and the Civil Code of the Russian Federation.



Open personal data. What kind of beast is it?



# Let's look at the situation through the eyes of a user



Perhaps readers have not yet thought about how personal data can be open, because "personal" sounds private and "open" sounds public.

At the same time, I am fairly sure that after yet another conversation with a telemarketer, each of us has wondered "where did he get my number" or "what is this strange call from a stranger who knows more about me than necessary."

So users who put something up for sale through Avito should not be surprised that they ended up in hacker databases, received spam in their mail or got an odd call from scammers or "cold sellers".

You can only blame yourself in such a situation, because ignorance of the law does not exempt you from responsibility.

Everything that a user has posted about himself for public viewing, in other words on the Internet, becomes publicly available, that is, open data, and can be stored, distributed and used without the user's consent.



Confirmation from legislation
1 152.2. .








Another confirmation
4 7 № 149- « , ».






Conclusion



The Avito administration rightfully claims that the database on hacker forums consists entirely of public information that is available on their website and can be collected by parsing (automatic collection of information using special programs), so there is no question of any data leak. Whether the data is used for legitimate purposes is another question, and it should definitely not be addressed to Avito.

If you do not want someone to build, evaluate or use your consumer profile, leave less information about yourself on public resources.



Below is a funny (but not accurate) comment from the forum.







# Let's look at the situation through the eyes of a business

Let's take the same Avito as an example, and consider the questions:



  • whether the site is the operator of personal data,
  • whether it must obtain consent to data processing and notify Roskomnadzor to be included in the register of operators,
  • whether Avito will really go unpunished.


In the situation with the data leak, Avito really has nothing to do with it. You can imagine that Avito is a fence on which the user wrote "SELL GARAGE" and indicated a name, phone number or other contact data, and then became indignant that the data is known, copied or used by everyone who walked past the fence.



Confirmation from legislation
10 № 152-.






Another confirmation
4 2 22 « ».






# Conclusion



Avito is the operator of personal data. As for the notification of Roskomnadzor, there are exceptions in the law, but they do not work for Avito, since this site collects and processes not only publicly available data. If the site worked only with open data, there would be no need to notify and register with Roskomnadzor. Avito is innocent, and therefore there will be no punishment.

Data can be leaked or legally obtained not only from marketplaces, but also from any website, from mobile operators, social networks, banks and registries. It can be extracted from the sequence of mobile transactions with a bank card or by using hidden functions of smartphone applications; there are a million options.



By the way, everyone knows that Habr is not a forum, but there is an opportunity for commenting, and the purpose of the article is not to surprise, but to understand the issue.



Question



In the realities of 2020, should you be careful about posting personal data on the Internet and act as in the ridiculous comment above, or should new legislation be introduced, or has a new era simply arrived in which you should come to terms with the public availability of open data?


