The future of information security and data privacy in Georgia

Headquarters of the Georgian State Security Services. Photo: ssg.gov.ge

In February of 2020, the Open Society Foundation Georgia (OSGF) released a statement in coordination with numerous local civil society organizations that expressed concerns about the government’s proposed amendments to Georgia’s Law on Information Security. I recently spoke with OSGF’s Media Support Program Manager, Hatia Jinjikhadze, to discuss information security in Georgia and concerns about data privacy in the coming years. 

MACKENZIE BALDINGER: Recently, some civil society organisations in Georgia have expressed concerns over proposed amendments to the Law of Georgia on Information Security. Georgia has been hit by multiple large scale cyberattacks in recent years. Most recently, I recall the 2019 attack on broadcasters and governmental bodies. Could you tell me what are the biggest threats to Georgian information security right now?

HATIA JINJIKHADZE: Definitely, there have been threats to Georgia’s information security and those threats have been evident to ordinary citizens as well. You mentioned last year’s wave of attacks. Fortunately, those were not very high tech attacks in terms of the level of sophistication. However, the attacks were quite widespread. They affected a lot of online platforms including private broadcasters, public broadcasters, government entities, and private entities. Later, we found out that these attacks came from our aggressive neighbor in the North. It took a long time to investigate it, but in February 2020, a common investigation by our government and the governments of the United Kingdom and other partners exposed the Russian military intelligence service’s responsibility for the cyberattacks. Nobody is surprised that Russia is to be blamed for these attacks because we feel the presence of this aggressive neighbor. We felt it in 2008 as Russia waged a war against Georgia, and that was a military offense immediately followed by a massive cyberattack. These days we are talking about hybrid war and cyberattacks, a different type of aggression that must still be considered very seriously. The problem for us is that Georgia does not seem to be prepared to counter those attempts. This should be a primary concern for Georgia’s political leadership, as well as civil society. We realize that there are external threats that need to be countered, and it does not seem that the state is doing that efficiently.

Do you think that Russia is the primary external threat to Georgia and the main source of hostility?

Yes, of course. There has been an investigation and there are intelligence reports by other countries like Estonia. For instance, the Estonian Ministry of Foreign Affairs has highlighted Russia’s effort to discredit the Georgian state. This is not a rumor. It’s a real threat based on evidence.

As you mentioned, the government found these hybrid threats to be a main concern, and they took steps to amend the current law on information security in October of 2019. What are the main changes proposed that have drawn concern from civil society organisations?

First of all, there is general agreement that there is a need for a new law or amendments to the existing law. We have a law that was adopted after the war with Russia, but that law only meets minimal standards. It was a step forward at that point, but this law needs to be updated keep pace with rapid technological advancements and to safeguard against external threats. We believe that the amendments that have been suggested are not sufficient. There is a new classification of categories of critical infrastructure. That classification includes government agencies, institutions and bodies. It also covers the private sector, which includes private banks, the energy sector and perhaps many others. Also, the second category of designated critical infrastructures, which is quite problematic, is private telecommunication companies. These are the private companies that own communication infrastructure in the country and provide mobile and internet services. When the state has indirect access to private telecommunication companies and there is nothing that can restrict this access, this creates a clear cause for concern. We are concerned about unlimited access to citizens’ personal data. It is dangerous in the hands of any government, be it democratic or semi-democratic. There is no reason to believe that our government will be an exception and that it will not use this personal data for x and y reasons. The other concern, which is a major one, is who is going to be in control. According to this draft law, it is going to be the State Security Service. Formally, it is going to be an Operational Technical Agency (OTA) that is an independent agency under the umbrella of the State Security Service. In Georgia, when you mention the OTA, there are no doubts that this organisation will act as the righthand of the State Security Agency. It naturally has this function of surveillance. It is designed for carrying out surveillance operations with both the capacity and the personnel for that purpose. You can imagine what it will be like when the agency, which is specialised in surveillance and falls under the umbrella of the State Security, has unrestricted access to any kind of data, be it government data or private companies, like internet providers and banks. This is naturally seen as dangerous. There needs to be a system of checks and balances to control the operations of this agency.

On the topic of the State Security Service and data privacy: Have there have been past issues with surveillance in Georgia? Can you give a brief history of the “It Affects You Too” campaign?

It is not a problem of this government only, but every government in Georgia. There is a Soviet past with intelligence services and state security services that heavily controlled citizens. We remember those times very well. There is this legacy, and we are quite alert. Of course, there is no comparison to the Soviet times, but every government has had problems with illegal surveillance. With the previous government, there were big problems with the ruling party, the United National Movement, that used video tapes that were illegally recorded. Conversations and personal videos were used as a tool for blackmail and for discrediting and frightening opponents. There was an overall feeling that surveillance was very strong and the government was checking on many citizens’ personal lives and political preferences. This was a very uncomfortable feeling that our society had and many groups voiced protests. With the current government, in the beginning, things were relatively okay, but later there were more incidents with taping and other occasions of surveillance. Civil society groups responded by starting a big campaign against surveillance, and it was called “It Affects You Too.” You can tell from the slogan that this surveillance was something that could harm any citizen. Campaigners demanded changes to the law to put an end to the practices of illegal surveillance.

These days, web surveillance is also a major concern, especially with the current situation in the world right now. There are a lot of opinions about what is going to happen to the world, and it is clear that the world is not going to be the same after the COVID -19 pandemic. The question is, how will countries act? Are they going to become more authoritarian and isolated? This option would mean that the countries that become more isolated, closed, and authoritarian would rely heavily on technology and data to control their population. This may come in the form of “serving the public good” with a government initiative that uses facial recognition or the tracing technologies that are becoming widespread. It is presented as protecting public health. Of course, it is very hard to contradict that statement because a lot of people who are suffering now from the COVID-19 pandemic will say “yes, let’s do it” if it is going to contain the virus. But that would also mean that we sacrifice our privacy and allow total surveillance of our citizens. These are the dilemmas for the future. Maybe now it is too early to talk about it, but this will be a major challenge that will need to be addressed. This is not only about external threats that a country like Georgia is facing. It is also about homegrown threats that could possibly do a lot of harm to human rights.

That is an interesting point you make. There often seems to be a tradeoff between protecting liberties and security. I know many countries, including Georgia, have recently unveiled new mobile applications that can be used for contact tracing to mitigate the spread of COVID-19. This seems to be a prime example of the state seeming to serve a public good through data collection. However, these kinds of apps have major potential privacy concerns.

I have one final question that returns to the draft amendments on the information security law. What steps do you think need to be taken at this time to ensure that Georgia’s information security is updated without compromising citizens’ rights? What steps should the government be taking to enact more responsible legislation?

To formulate it briefly, the government needs to adopt the law with a broad consensus. That consensus would entail having people from different fields sit around the table. It would include information security experts, human rights advocates, the private sector, different branches of the government, and international experts that can harmonize their thoughts and concerns. Because there will be many. The problem with this draft law is that it was initiated very quietly. It did not get public attention. It did not get critical reviews from different actors until civil society started to talk about it publicly. After that, there were some hearings in the committees, but those were quite formal. If we have a genuine desire to have a law that secures us from external threats and does not harm privacy and the personal information of our citizens, we have to find the balance. For that purpose, broad consensus is essential. I am not hopeful in that regard. I have not seen the signs assuring that this is the government’s intention. At the moment, this issue is frozen because of the pandemic, but we will see what happens when parliamentary life returns to normal.

Hatia Jinjikhadze is the Media Support Program Manager and the Deputy Director at the Open Society Georgia Foundation.

Mackenzie Baldinger is an editorial intern for New Eastern Europe. She has a Master Degree in International Relations from Central European University and is currently completing an Erasmus Mundus Joint Master Degree in European Politics from Charles University, Jagiellonian University, and Leiden University.

Dear Readers - New Eastern Europe is a not-for-profit publication that has been publishing online and in print since 2011. Our mission is to shape the debate, enhance understanding, and further the dialogue surrounding issues facing the states that were once a part of the Soviet Union or under its influence. But we can only achieve this mission with the support of our donors.  If you appreciate our work please consider making a donation.

cybersecurity, data privacy, disinformation, Georgia, information, internet freedom, Russian cyber operations, South Caucasus