Russia’s blockchain vote experiences yet another hiccup, as e-constituents’ personal data is reportedly exposed.
Personal data for over a million Russian nationals has reportedly been leaked. The data allegedly belongs to some of the citizens who participated in the recent blockchain-based e-vote on Constitutional amendments.
The archive was reportedly available for everyone to download
According to an investigation published by Russian language media outlet Meduza, an archive titled “degvoter.zip”, which contains said data, was publicly available for download for at least several hours on July 1 via a government website. The file has since been distributed through various Telegram groups and channels.
The archive was password protected. According to the publication, however, it could be easily hacked with a free password cracking tool.
Along with the archive, there was an unpassword protected database titled “db.sqlite”. This database allegedly contained passport numbers for over a million voters from Moscow and Nizhniy Novgorod — two cities in Russia where residents could cast their votes online. The system that allowed for online voting was based on the Exonum blockchain platform developed by Bitfury.
Although that data was encrypted with the SHA256 algorithm, the reporters were allegedly able to decode it “very easily” using free software. That has lead them to the following conclusion:
“Considering the poor security and availability of the degvoter.zip archive, the Russian government actually put the personal data of all e-constituents from Moscow and Nizhny Novgorod in the public domain.”
Journalists reportedly cross-referenced the leaked data with the Ministry of Internal Affairs’ official service for checking the validity of passports. They found that over four thousand of passports registered for the e-vote were invalid.
The Ministry of Digital Development, Communications, and Mass Media has since commented on the investigation, saying that they exclude “any possibility of leakage”, since the passwords were distributed through “secure data channels” and only to authorized personnel.
The agency also stressed that the passport numbers were encoded and consisted of a randomly obtained sequence of characters, or hash sums, adding:
“Hash sums are not personal data. Publication of random sets of characters cannot harm citizens,”
Not the first failure
As previously reported by Cointelegraph, Russia’s blockchain e-vote system has been attracting a lot of controversy. Not only did it malfunction soon after going live, it also allegedly allowed double voting, and had a vulnerability that reportedly made it possible to decipher votes before the official count.
E-voting occured online from June 25 to June 30, while the referendum itself ended on June 1. With all the ballots counted, 77.9% voted for the reform package and 21.3% against, according to the electoral commission.
As per the approved Constitutional amendments, Vladimir Putin’s term limits will be reset in 2024, meaning that he may remain president until 2036.