The opening of the public consultation to mark the inclusion of children from 5 to 11 years old in the Covid-19 vaccination campaign was inaugurated on Thursday (23) with a series of problems.
Initially, the Ministry of Health’s website was down and a form was made available that, according to experts consulted by the CNN, did not respect the basic privacy and security practices required by the General Data Protection Law (LGPD).
This Friday afternoon (24), the consultation migrated to a new platform, but which remains unstable until the time of publication.
The Ministry of Health advises that it is under maintenance and that it is working on a solution, as shown in the image below.
The initial form, chosen by the government for public consultation, was a simple page using a Microsoft platform for forms.
It’s still on the air, despite no longer being featured on government pages. According to the folder, the answers obtained by this first form will still be used.
A CNN contacted the Ministry of Health to find out why the Microsoft platform was chosen and when the consultation is expected to be normalized.
Until the closing of this report, he had not received any responses.
Home form has privacy and security issues
The page asks for personal data such as CPF, full name, telephone number and e-mail, but there is no notice about privacy or data protection treatment, except a notice from Microsoft itself disclaiming.
“It’s extremely fragile,” says Arthur Igreja, a lawyer specializing in digital law, about how the public consultation was made available.
“The form looks like something that was hastily placed. you don’t have terms [de privacidade], it doesn’t have more in-depth details, it’s all extremely superficial”, he comments.
The lack of transparency about how data will be treated and protected can hurt the LGPD, as Rafael Zanatta, lawyer and director of Data Privacy Brasil, evaluates.
“Clearly the form was published without an LGPD adequacy review – which is a serious neglect for citizens.”
“The activities of processing personal data by the government, in this form, are taking place illegally considering the validity of the LGPD”, says Zanatta.
“In general, it is necessary to put in a period of treatment. When will this data be excluded or if it will only be used for statistical purposes and, therefore, anonymized”, says Fernanda Campagnucci, executive director of Open Knowledge Brasil, and specialist in data transparency.
According to her, the excess of requested information still violates the principle of reasonableness and proportionality.
“If the objective is to get to know people’s opinion on a topic, you would not need the date of birth or the telephone number, for example”, he says.
The form is also susceptible to fraud – both manual and automated. This is because there is no mechanism to validate the data entered, such as name, CPF and telephone number.
In tests carried out by CNN, the tool accepted random data.
“You can, in addition to using a CPF generator, fill in the form with some automation. There is not even a captcha [ferramenta que verifica se quem está preenchendo é humano]. The minimum required would be some unique registration key per citizen. As it is, someone can vote for me”, explains Igreja.
“It’s easy to amplify voices in an artificial way. There is no validation mechanism or transparency about the results. These data will hardly have the credibility to affirm anything”, says Campagnucci.
According to Zanatta, if the data in this first form is kept in the final result, “internal audits will be necessary to verify the violation of data quality, ensuring ‘clarity, relevance and updating of data, as needed and for the fulfillment of the purpose of its treatment’, under the terms of article 6, V, of the LGPD”.
According to him, if massive use of robots or incorrect data are identified, the usefulness of the query is questionable.
New form reduces problems, but it’s down
Around 2:50 pm this Friday (24), the Ministry of Health issued a statement stating that it would migrate the consultation to the Gov.Br.
According to Saúde, the change happened “due to the great interest of the population in public consultations”.
The folder started to use the Participa + Brasil platform, developed precisely for public consultations.
In it, many of the above problems are resolved.
“It certainly alleviates the problem of the possibility of fraud and artificial ‘boosting’ of votes, as the mechanism is integrated into the government’s own records and bases such as the Federal Revenue Service”, says Campagnucci.
Zanatta recalls that the Participa + Brasil platform has already been used for a series of public consultations, such as those of the National Authority for the Protection of Personal Data, and that “it has an adequate structure to receive contributions on regulatory and public policy matters.
There are, however, some problems.
The platform has been unstable. Since the change, the report of the CNN he tried numerous times to vote in the public consultation and, most of the time, the form would not even open. When opened, the results were not computed, always displaying the maintenance message.
Saúde also said that the results collected during the first day in the Microsoft form will be computed normally: “The participations already registered in the system will be evaluated and will also be analyzed by the technical area”, says the folder.
Reference: CNN Brasil