Journalists of the publication Medusa stated that the passport data of Internet voters who took part in the electronic vote on amendments to the Constitution of the Russian Federation were practically in the public domain. The journalists also found invalid passports in the database, as well as voters who were recorded in the system twice and were still able to vote.
On June 30, 2020, the newspaper’s own source gave the journalists the instructions for checking online voters in the vote on amendments to the Constitution of the Russian Federation. The Moscow City Election Commission (IPCC) had sent them to the chairmen of the capital's territorial election commissions the day before. The document carried no secrecy or confidentiality markings.
Thus, with the help of a special program, special SMS messages or a call to a call-center operator, it was possible to find out whether a particular citizen had registered as an Internet voter and whether he had ultimately voted remotely. A voter could be checked by passport number. This was needed so that people could not vote twice (once remotely and a second time at a polling station).
The special program had to be downloaded from one of the state websites as a password-protected archive, degvoter.zip. The publication notes that access to this archive was unrestricted: on July 1, at least from 9:00 to 12:00 Moscow time, anyone could download it.
Although the journalists already had the password for the archive, for the sake of experiment they also tried to crack it using the John the Ripper utility. On an Intel Core i3-4160 processor, the password for degvoter.zip was recovered in a couple of days.
The program for checking Internet voters was an executable file, degvoter.exe. Polling station workers were asked to enter the series and number of a Russian citizen's passport into the program, after which it reported whether the holder of that passport had been given “access to the ballot by electronic ballot” or not.
At the same time, information about the passports of Internet voters, together with voting marks, was shipped with the program and stored locally as hashes in the db.sqlite file, which is not password protected. In effect, degvoter.exe calculated the hash of the passport series and number entered by the user and then searched the db.sqlite database for that hash and the corresponding voting mark.
The journalists note that they easily converted these hashes into human-readable data, obtaining 1,190,726 entries with the passport series and numbers of all Internet voters in Moscow and the Nizhny Novgorod region (electronic voting on the amendments was available only to residents of Moscow and Nizhny Novgorod). How this was done is shown in the illustration below.
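Why such hashes are not anonymization, as an added example (not the journalists' illustration and not code from degvoter.exe): a Russian passport series and number is 10 digits, so an unkeyed hash falls to enumeration of the identifier space, while a keyed digest whose key never ships with the client does not. The hash algorithm (SHA-256), the function names and the sample passports are assumptions constructed for the demonstration, which enumerates only a small slice of the space.

```python
import hashlib
import hmac
import secrets

FULL_KEYSPACE = 10 ** 10  # 4-digit series + 6-digit number: about 33 bits


def plain_digest(series: str, number: str) -> str:
    # Assumption: unsalted SHA-256 over the digits; the page does not name the hash.
    return hashlib.sha256((series + number).encode()).hexdigest()


def keyed_digest(key: bytes, series: str, number: str) -> str:
    # Hardened variant: HMAC with a key that stays on the server.
    return hmac.new(key, (series + number).encode(), hashlib.sha256).hexdigest()


def build_table(passports, fn):
    """Model of the shipped lookup table: digest -> voted flag."""
    return {fn(s, n): voted for s, n, voted in passports}


def audit_enumeration(table, fn, series_list, numbers):
    """Count-by-recovery audit: which stored digests match a walk of the ID space?"""
    found = {}
    for s in series_list:
        for n in numbers:
            num = f"{n:06d}"
            h = fn(s, num)
            if h in table:
                found[(s, num)] = table[h]
    return found


# Constructed sample records (series, number, voted); not real passports.
SAMPLE = [("0000", "000123", True), ("0000", "004567", False),
          ("0001", "019999", True)]


def demo():
    series, numbers = ["0000", "0001"], range(20000)  # tiny slice of the space
    plain = build_table(SAMPLE, plain_digest)
    recovered = audit_enumeration(plain, plain_digest, series, numbers)

    server_key = secrets.token_bytes(32)  # never distributed with the client
    keyed = build_table(SAMPLE, lambda s, n: keyed_digest(server_key, s, n))
    wrong_key = bytes(32)  # what a holder of the file alone would have
    blind = audit_enumeration(
        keyed, lambda s, n: keyed_digest(wrong_key, s, n), series, numbers)
    return recovered, blind


if __name__ == "__main__":
    print(demo())
```

With the keyed variant the client can no longer answer lookups offline, so the check has to be a query to the server that holds the key.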
Medusa also writes that it found 97 passports that were recorded in the database of Internet voters twice. That is, the total number of real Internet voters (both those who voted and those who only registered) may have been lower than the official figure by almost a hundred people.
In addition, the publication used the service for checking Russian passports against the list of passports declared invalid, which is available on the website of the Main Directorate for Migration of the Ministry of Internal Affairs of Russia. It turned out that from 2347 to 4720 passports from the db.sqlite file are considered invalid (different numbers were obtained when reconciling the data with different versions of the Ministry of Internal Affairs database, from May 22, 2020 and July 3, 2020). Moreover, the majority of holders of these invalid passports participated in the online voting: 2060 out of 2347 (May 22) or 4233 out of 4720 (July 3).
Artem Kostyrko, Head of the Department for the Improvement and Development of Smart Projects of the Moscow Government, writes that Medusa is being a little cunning and that the data was still not in the public domain:
“Medusa herself actually admits that she received everything from an employee of the electoral system – only members of TECs and PECs had access to these installation files, that is, no databases of Internet voters appeared in any open access.”
Also, according to Kostyrko, the database of invalid passports from the Ministry of Internal Affairs website is just a service and an interface that is not the ultimate truth. “The ultimate truth is the system of interagency electronic interaction, abbreviated SMEV. It was with it that the passport data was checked by the CEC and the Ministry of Communications,” he writes.
Ashot Hovhannisyan, head of DeviceLock, calls what is happening a "PR leak" in his Telegram channel and notes:
“A passport series/number without any other data (name, year of birth, address, phone, etc.) is nothing but a simple set of numbers formed according to the well-known ‘formula’.
There is no sense in such a database separately.
The only use of this data is the enrichment of other databases containing personal data (including passport data) with the sign ‘registered for participation in electronic voting’.”
Hovhannisyan also notes that the database has by now appeared in truly open access: it has already been published on forums. We will add on our own that the database can easily be found in many Telegram channels.