
Friends of Fidesz commit unprecedented privacy violations in Tisza app scandal

A mysterious data breach involving the opposition Tisza Party’s mobile application and some 200,000 names has been used by pro-government sources as proof of the party’s criminal negligence. At the same time, pro-government actors are themselves committing serious offences by using the data to name, and implicitly threaten, individual people who registered in the opposition party’s app.

The legal assessment of the latest data-leak / data-theft case involving the Tisza Párt depends, in many respects, on the circumstances under which the data left the system. What is indefensible regardless is that individuals in the leaked database were publicly identified by pro-government political operatives. Publishing individuals’ personal data, when the data originate from a database obtained unlawfully, is almost certainly unlawful in itself, and nothing here justifies the practice.

Earlier this year, the opposition Tisza Party, which currently polls above the governing Fidesz, launched a mobile application called Tisza Világ (Tisza World) for community-building purposes, in particular to facilitate online voting in its upcoming primaries. The app required only a simple user registration. In November, a database containing the names, addresses and other data of about 200,000 individuals was uploaded to the internet. Allegedly, the data contained in the document came from the Tisza Világ application.

In the database, in addition to the usual user-registration data (name, e-mail address, home address, telephone number), there were logs created by a data-processing algorithm run inside the app.

The Tisza Party has communicated the incident as a data theft, alluding, without specifics, to government intervention or even a Russian hacker attack.

In contrast, the pro-government media, which claimed to have obtained internal Tisza communications, covered the incident as a “leak”, leaving unclear the circumstances under which the data had been obtained. The coverage was usually woven into the ongoing anti-Ukraine campaign: pro-government figures vaguely pointed to Ukrainian IT specialists allegedly involved in the app’s development, suggesting that through them the data could have been obtained by malicious actors in Ukraine (which it could have, since all of the data was uploaded to the open internet and could therefore have been downloaded by anyone in Ukraine, or Vanuatu, or on the International Space Station).

More sinisterly, various government-linked figures, including elected officials, used the leak for obvious intimidation and doxxing of people whose personal information was exposed. A number of commentators (for example mandiner.hu and Tamás Menczer) identified specific persons whose names were allegedly in the leaked database.

In an especially egregious example, media figure Balázs Németh shot a video in front of the house of a person whom he claimed had registered in the app.

Promenad24, a regional outlet closely tied to János Lázár, the minister of transportation, named and attacked local individuals (businessmen, lawyers, public employees) for registering in the app.

In other words: they are using the contents of the database for their own purposes, explicitly to publicly identify individuals and mark them as connected with the opposition party. Several of the “exposed” people denied having registered in the app. This may mean either that some people were misidentified because they share a name with genuine registrants, or that the data itself was false (the app did not verify IDs during registration, and could hardly have done so legally, which left room for people to enter false data).

What legal violation has occurred?

The leaked data was stored by Tisza and processed on the basis of the consent given by the data subjects during registration, for the purpose of direct communication with the party. Legally, registering on a political party’s app is similar to following a politician on Facebook: it is personal data revealing a political opinion (a special category of data), even if it does not necessarily imply actual participation in the party’s activities. That 200,000 such records were made public, and that such a large database of addresses and contact details became accessible to others, is clearly a serious and extensive violation of data protection law; it breaches a dozen GDPR provisions, from the lack of a legal basis for processing to unlawful data transfer and violation of purpose limitation.

In addition, we can be certain that the offence of misuse of personal data, in its aggravated form (because special category data is involved), has also been committed: the public disclosure of the database was clearly intentional and caused significant harm. This holds even if the database was not obtained by hacking (in the language of the Criminal Code: breach of an information system or data), which is a separate offence.

Who may have committed a legal violation?

Those whose responsibility in this story is clear, and whose identities are also known, are the people who use the data contained in the stolen or leaked database for their own purposes, publishing it to substantiate a relationship between the data subjects and the Tisza Party. A very strong substantive basis, a legitimate interest under the GDPR, would be required in order to process data that was not originally collected for public processing and was obtained through a particularly serious violation of the law. There is no trace of any such basis here.

Moreover, the real harm to individual interests in this case is not caused by the fact that the name of a public figure or the address of a local Tisza Party organizer sits among tens of thousands of names in a database that was available for a relatively short period, but by the fact that someone sorts through this data and publishes the information in such a way that it becomes widely known and remains permanently accessible.

Without going into wild conjecture: one may ask what those who are now using the database plan to do in the future with this windfall.

Will the staff of Mandiner, the government communications apparatus, the Fidesz electoral-district campaign teams, or who knows who else, check months or years from now whether the name of a person who has since become interesting appeared on the list?

Of course, the perpetrators of the external attack, if there was one, certainly committed a data protection violation and, in all likelihood, a criminal offence as well, unless the data was accessible through a simple query. The party and its employees, as well as their data processors, may also be liable for violations, but the extent of their liability depends on what exactly happened. Only by knowing the precise circumstances of the violation that led to the leak can it be determined whether Tisza is so poor at its own data management that leaks are a regular occurrence, or whether it is in fact operating under constant, and not always preventable, external attack.

In theory, the data protection authority’s investigation could uncover these circumstances, but even if it does, that is not expected to happen before the April elections. A similar data leak incident from June, involving Tisza Party volunteers, is still being investigated by the National Data Protection Authority (NAIH); we know this because Átlátszó was also involved in those proceedings after it published the article confirming the authenticity of the list.

In that case, and in stark contrast to how pro-government media handled the latest incident, we followed the law by anonymizing the database and refused to disclose personal data to NAIH.

Written by Tibor Sepsi, translated by Zalán Zubor. The original Hungarian version can be found here. Cover image: Tisza Párt / Facebook
