Image: Yevropeiska Pravda
However, due to a complicated sequence of setbacks, e-declaration was launched without a certificate which was meant to provide security for all the submitted data.
Ukrainian citizens that have an income are obliged to fill in an annual declarations of their finances and properties. Officials belong to a special category that needs to make their declarations public since they receive salaries from other citizens’ taxes.
However, Ukraine’s approach has had one significant flaw: the system didn’t provide criminal responsibility. This allowed officials to “forget” to declare part of their income, or have their close relatives possess their property de facto, or even openly declare cars and apartments that would cost many times more than their salaries stood at. Due to lack of criminal responsibility, journalists’ investigations didn’t lead to any consequences.
Everything changed with the Euromaidan Revolution, also called Revolution of Dignity, when the demands of society met the political will accelerated by the pressure of the West (in particular, international financial institutes are to decide whether Ukraine is to receive a visa-free regime with Europe and another tranche from IMF).
E-declaration launched, but with a significant flaw
On Friday (12 August) the State Service of Special Communication and Information Protection in Ukraine (SSSCIP) announced that it was not able to issue the Certificate of comprehensive information protection for the e-declaration system due to problems with the hardware-programmatic complex of collection and storage of electronic declarations.
This wasn’t a big surprise. Everyone involved in the process knew that the launch of e-declaration system was in jeopardy because of the problem with its certification after the SSSCIP had missed the first deadline the early August, and that’s when the conflict became public, the author added.
As of 2 August, the activists had been warning that lack of certification would turn the whole system into an illegitimate procedure which could be easily hacked, undermined and thus would give no grounds for calling to responsibility.
Yet, after debates between representatives of the National Agency for the Prevention of Corruption (NAPC) and SSSCIP that took place this weekend, NAPC announced the launch despite the lack of certificate for protecting the information (as demanded by the law).
According to NAPC Head Nataliya Korchak, the e-declarations system, however, is protected from external access. On August 15 at a briefing in Kyiv, she said that a cryptographic engine had been purchased and management of the system can only be possible from the computer in the Agency, Interfax informed.
Who derailed the electronic asset declaration system
On 14 August Yevropeiska Pravda published an article by its editor Serhiy Sydorenko entitled Who Scuppered the Launch of Digital Income Declarations? Sydorenko stated that “the State Service of Special Communication and Information Protection in Ukraine (the SSSCIP) had intentionally sabotaged the launch of the system. In fact – this was the goal from the start”, and published documents to prove his accusations.
The author points out “four lies spread by the SSSCIP.” Euromaidan Press publishes excerpts of the article translated by Reanimation Package of Reforms and Coalition of NGOs “Declarations under control.” Full translated article is available at the Ukrayinska Pravda website.
Lie #1: E-declaration System is only 60% complete and therefore cannot be accepted
“Provided software presents only three parts out of five stated in the Agreement. Approximately this is only 60% of stipulated scope that had to be done by the 30th of June,” SSSCIP said.
As it was planned last year that the e-declaration system would start working exactly in the current scope, with three components — filling-out of declarations, their protected storage, and publication. At the second stage — verification and analysis of declarations — was to be added later on.
“From the very beginning a requirement specification stated that a programmatic complex would be created in stages,” Head of the UNDP project Ivan Presniakov said (UNDP in Ukraine sponsored the software complex for the e-declaration system). In the first document, the Act of acceptance and transfer of the complex (pdf, 4 pages),UNDP stated that there were no complaints for the first part.
Moreover, the SSSCIP were fully aware of the project being done in stages. And recent claims of the Head of the SSSCIP that this news came as a surprise are complete lies. Let us direct your attention to the scan of the conclusion of interdepartmental group that has also agreed on the readiness of the system for work (pdf, 17 pages). The group included representatives from the SSSCIP.
Lie #2: Still the process was delayed. And now the SSSCIP is being forced to conduct the attestation in two days that normally takes two months
The “two months” explanation was stated by the Head of the SSSCIP Leonid Yevdochenko during the NACP meeting only on Saturday and came as a big surprise to those present. Yevdochenko, perhaps, did not think that the press would get hold of a document that he himself had approved a more month ago. On the 5th of July, the Head of the SSSCIP sent a letter to NACP, in which it was stated that “schedule for the creation of the integrated system of information protection is agreed unconditionally.” According to this document, certification should have taken place between August 5-12.
THE STATE SPECIAL COMMUNICATIONS SERVICE OF UKRAINE
13 Solomianska St., Kyiv, 03680
tel. (044) 281-92-10, fax (044) 281-94-83, email: firstname.lastname@example.org
05.07.2016 No. 08/02/01-1336
The National Agency for the Prevention of Corruption
12/2 Hrushevskoho St., Kyiv, 01008
For No. 51-03/442 of 01.07.2016 Regarding introduction of the IISC in the e-declaration system
Dear Natalia Mykolayivna,
by this letter the Administration of the State Special Communications Service of Ukraine ap-proves without any comments the Schedule of deployment of the integrated information security system for the electronic declaration system (appendix to the letter of the National Agency for the Prevention of Corruption No. 51-03/442 of 01.07.2016).
Respectfully yours, Head of the Service L. O. Yevdochenko (signature)
Later the SSSCIP additionally reduced the time for the system analysis so that they would have a reason for new claims of the “insufficient time.” At the beginning of August, the service initiated the replacement of the contractor that had to examine the security of the product. The SSSCIP forced the NAPC to cancel the services of the in-dependent expert company and hand the work over to their subsidiary.
This came as a surprise to the UNDP, and to the European Union, but there still was a chance to keep the deadline – August 15th. Instead, now the service refused to take the technical documentation from the developer for analysis until the bureaucratic process was over.
Lie #3: The developer didn’t conduct independent testing of the system and did not provide the necessary documents
On Saturday, the jokes started with the SSSCIP statement regarding the missing documentation among the ones that they received: “the acts of completion of research operation, completion of creation of the Integrated system of the information protection and the protocol of the preliminary testing were missing.” In response, the developer posted three photos – huge pile of the folders given to the SSSCIP, and title letters of two folders were the allegedly “missing” documents. In the following statements the SSSCIP the missing documents were not mentioned – maybe they had found them.
But the most interesting statement was regarding the lack of independent testing. As it turned out, all of the test results conducted by PricewaterhouseCoopers and reputable testing company TestLab2 were at the SSSCIP’s disposal in July. A SSSCIP Representative personally witnessed and approved the positive conclusions of these companies. In fact, they were used as a foundation for the interdepartmental conclusion (with the SSSCIP’s participation) regarding the full readiness of the complex.
Lie #4: The State Special Communications Service of Ukraine found a lot of flaws in the integrated security system
On Saturday the Head of the SSSCIP at an open meeting in front of TV cameras, he said that the conclusion on the denial in certification was ready and assured that in one hour, at 12:30 PM, the NAPC would get that document – he would just go to the office and bring it. In addition, Mr. Yevdochenko has promised in public that the experts of the SSSCIP would personally come to the NAPC office or the software development company to sit down with the programmers and quickly fix “ten critical vulnerabilities” of the system code.
Time passed. The document arrived neither at 1:30 PM, nor at 3:00 PM. When at 5:00 PM the document was finally delivered to the NAPC, it turned out that the SSSCIP… prohibited to hand it over to the developers, having classified it as “For Official Use Only” – despite the public promise Yevdochenko gave just couple hours earlier.
It was late at night that “Miranda,” the software development company, finally saw that document. It turned out that the SSSCIP had never analyzed the code. The loud statements of Mr. Yevdochenko who claimed that “the code is written in an outdated manner and is full of holes” seems to be another lie.
“First, the expert conclusion contains NOT A SINGLE COMMENT on the registry supporting software. All written comments are related to the accompanying documentation. Some of them could have been regarded as meaningful, had we received that conclusion at 2:00 pm on Saturday, as promised – then the documentation would have already been fixed,” wrote Yuriy Novіkov, CEO of “Miranda” at 3:45 am.
When at 11 am on Sunday, representatives of “Mіranda” came to the office of the SSSCIP, they weren’t allowed inside for one hour. They were admitted later, but were not given the documents for review.
Incomplete launch endangers Ukraine’s reputation
On Monday at 112 channel representative of Ukraine’s Presidential Administration Volodymyr Horkovenko expressed hope that the system will fully work in September. He also blamed the derail of the launch on the developers.
Ukraine’s Vice Prime Minister Pavlo Rozenko said in an exclusive comment for Interfax that he hoped all flaws to be fixed during the 60 days envisaged by the law. During this time period, all officials are obliged to declare their income online.
The European Union in Ukraine expressed disappointment and concerns by the incomplete launch of the electronic asset declaration system:
Judith Gough, British Ambassador to Ukraine, tweeted on Monday that an incomplete launch of e-declaration may cause damage to Ukraine’s reputation:
Ukraine’s Reanimation Package of Reforms called for a certificate of conformity of the integrated information security system to be immediately issued and the persons implicated in its disruption to be brought to responsibility in an open statement. Transparency International chair José Ugaz in a statement on the organization’s website said that “without a security certificate it is simply window dressing and cannot fight corruption” which will be seen “as a symbolic move to let the corrupt off the hook.”
On Tuesday Ukraine’s National Security and Defense Council stated that SSSCIP was under political and administrative pressure of the anticorruption activists. The office, however, disavowed itself from the whole process of e-declaration system launch. That day, Ukraine’s State Service of Special Communications and Information Protection claimed it was impossible to carry out an examination to certify the comprehensive information protection system of the public register of declarations. The authority backed the idea of inspecting the situation around the launch of declaration by the Security Service of Ukraine (SBU) and Prosecutor General’s Office (PGO).