The Equalize case is filling the front pages of the national press and is spreading like wildfire. On social media, it is being talked about in a very technical way, at the risk, however, of neglecting important aspects of the issue.
The culture of data
It is worth clarifying the problem right away: the Equalize case concerns information technology, but it is not just an IT problem. It mainly concerns the ability to manage and protect information correctly (whether digital or on paper), and in recent months several cases in Italy have highlighted the same difficulties:
- March 2024 – The case of Guardia di Finanza lieutenant Pasquale Striano, for abusive access to the database of the National Anti-Mafia Directorate.
- September 2024 – The case of the Banca Intesa San Paolo employee who freely accessed the accounts of several famous customers without any particular control by the bank.
- September 2024 – The case of Carmelo Milano, 24, who accessed the databases of the Ministry of Justice, Public Prosecutors’ Offices and others.
- October 2024 – The Equalize case and the data thefts from major Italian databases.
All these recent cases point to a common problem: the inability to attribute a correct value to the data and, on that basis, to set up adequate security and monitoring measures. We are talking, specifically, about adopting internal and external protection measures that are proportional to the sensitivity of the information held in the database. Many readers will recognise proportionality as one of the founding principles of our data protection system.
Because it is not an IT problem
It is certainly important to note that these events involved different databases including:
- SDI (Sistema Di Indagine): a system accessed by law enforcement agencies to check people’s criminal records;
- INPS: where information on contributions and income is kept;
- Serpico: a computer system that collects and processes data from the Inland Revenue to cross-check possible cases of evasion, and which stores tax returns;
- ANPR: the National Register of Resident Population;
- SIVA: the Guardia di Finanza’s Currency Information System for reporting suspicious financial transactions;
- SIDDA/SIDNA: in which all data relating to ‘information’ on preliminary investigations and proceedings pending or concluded at the individual district prosecutors’ offices are stored.
Those who assume a bug is to blame are mistaken: this is not a technical problem. The issue is of a different nature and concerns awareness in the processes by which this information is handled, an awareness which, as the Striano case shows, leaves much to be desired.
An example: security measures in the Striano case
On 24 October 2024, the hearing of Colonel Antonio Sassi, Head of the Analysis Office of the Special Currency Police Unit of the Guardia di Finanza, and of Colonel Stefano Giovanni Salvatore Rebechesu, Head of the Operations Office of the Central Italy Interregional Command of the Guardia di Finanza, was held in the Fifth Floor Chamber of Palazzo San Macuto, regarding the events surrounding the so-called Striano case. For the sake of completeness, here is the link to the video of the hearing; Scarpinato’s speech begins at the start of part 2, around minute 05:00.
During the hearing, Senator Scarpinato asked Col. Sassi a series of questions, mainly concerning the internal controls in place to protect information. In particular, Senator Scarpinato asked for clarification on the supervision of queries that Guardia di Finanza personnel could run on themselves:
You don’t have an alert indicating the anomaly of such an access, because obviously there is a flaw […] if you don’t consider including an alert for an anomaly of this kind, i.e. a financier making queries about himself, there is something wrong. There is something that does not work also for the future.
Scarpinato’s question is very astute and is intended to expose a possible design error in a system that undoubtedly has high security levels, but apparently only against potential threats from outside and not from within. Scarpinato clarifies the concept again in another passage.
Scarpinato: You are telling me, excuse me, that currently a financier can ask questions about himself and nobody notices?
Sassi: Not only a financier, any member of the police force or anyone otherwise qualified to use the databases.
Scarpinato: It is serious that this is still the case.
Scarpinato is pointing at a design, organisational and conceptual shortcoming, not merely a technical one: it is serious that an officer can query his own records without any objective justification being required or noticed.
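The control Scarpinato describes as missing is a monitoring rule, not a patch. As an added illustration (this is example code, not anything from the hearing or from the systems named above), the following Python sketch runs three checks over a constructed audit log of database lookups: a self-query (the operator looks up the identifier that belongs to the operator), a lookup with no case reference attached, and a lookup whose case reference is not among the cases assigned to that operator. The log format, the field names, the operator and case identifiers and the assignment table are all assumptions invented for the example.

```python
"""Insider-query anomaly rules over a constructed database audit log.

Added example: the pipe-separated record format and every identifier
below are invented for illustration, not taken from any real system.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, List, Set, Tuple

# Constructed sample audit records: timestamp | operator account |
# operator's own identifier in the data namespace (e.g. tax code) |
# identifier looked up | database | case reference ("" if none given).
SAMPLE_LOG = [
    "2024-03-02T09:14:05|OP-1001|TAX-A|TAX-B|SIVA|CASE-77",
    "2024-03-02T09:20:31|OP-1001|TAX-A|TAX-A|SDI|",
    "2024-03-02T10:02:12|OP-1002|TAX-C|TAX-D|SDI|",
    "2024-03-02T10:05:40|OP-1002|TAX-C|TAX-E|SIDDA|CASE-88",
]

# Constructed: which case files each operator is currently assigned to.
ASSIGNMENTS: Dict[str, Set[str]] = {
    "OP-1001": {"CASE-77"},
    "OP-1002": {"CASE-91"},
}

Alert = Tuple[str, str, str]  # (timestamp, operator account, rule name)


@dataclass(frozen=True)
class QueryEvent:
    ts: str
    operator_id: str        # account that ran the query
    operator_subject: str   # the operator's own identifier in the data
    subject: str            # identifier that was looked up
    database: str
    case_ref: str           # justification attached to the query, or ""


def parse_line(line: str) -> QueryEvent:
    """Parse one audit record; reject malformed lines instead of guessing."""
    parts = line.strip().split("|")
    if len(parts) != 6:
        raise ValueError(f"malformed audit line: {line!r}")
    return QueryEvent(*parts)


def detect(events: Iterable[QueryEvent],
           assignments: Dict[str, Set[str]]) -> List[Alert]:
    """Apply the three insider-control rules to every event."""
    alerts: List[Alert] = []
    for ev in events:
        # Rule 1: an operator querying his own record is always anomalous.
        if ev.subject == ev.operator_subject:
            alerts.append((ev.ts, ev.operator_id, "SELF_QUERY"))
        # Rule 2: every lookup must carry an objective justification.
        if not ev.case_ref:
            alerts.append((ev.ts, ev.operator_id, "NO_JUSTIFICATION"))
        # Rule 3: the justification must be a case this operator works on.
        elif ev.case_ref not in assignments.get(ev.operator_id, set()):
            alerts.append((ev.ts, ev.operator_id, "CASE_NOT_ASSIGNED"))
    return alerts


def run_sample() -> List[Alert]:
    """Run the rules over the constructed log and return the alerts."""
    return detect((parse_line(line) for line in SAMPLE_LOG), ASSIGNMENTS)


if __name__ == "__main__":
    for ts, operator, rule in run_sample():
        print(f"{ts} {operator} {rule}")
```

The point of the example is where the checks live: each rule is evaluated on the audit record of the query itself, so a self-lookup raises an alert at the moment it happens rather than surfacing months later in a hearing. In a real deployment the assignment table would come from the case-management system and the alerts would go to a supervisor who is not the operator.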
Less friendship and more results
Where was ACN while these data were repeatedly consulted illegitimately?
This is the substantive question that many people are asking on social media and in the press, while dossiers were being built on the more than 800,000 people spied on. In recent years, Italy has created agencies, task forces, technical tables, steering committees and organisational structures in such numbers that their competences sometimes overlap in practice. None of this, however, is a guarantee of quality; on the contrary, sometimes it becomes the very cause of the problem. Let us take the ACN case: Senator Matteo Renzi published an interview that contains an important passage on appointments.
Yet the delegated authority for national security is Undersecretary Mantovano, a former magistrate and experienced politician. While at the Cybersecurity Agency there is a prefect like Bruno Frattasi. The relevant resumes are there, so what is not working?
“It is clear that we do not have the technical capacity to handle a matter as vital as our security and privacy. Frattasi is a prefect, what are we talking about?”.
The problems, according to Renzi, would be twofold: the lack of the technical capacity needed to coordinate an infrastructure such as the National Cybersecurity Agency, and cronyism, a phenomenon whereby top management positions are assigned mainly on the basis of friendship.
When cronyism comes to endanger the constitutional rights of citizens, an alarm must be raised.
The response that Italy has been offering for years is based on appointments with seemingly perfect curricula but questionable results, to the heavy detriment of citizens’ rights, which are sometimes even compressed. This approach is one of the reasons why younger people are so distrustful about their professional future. Italy basically seems not to have understood that this operational context (the digital one) is far more complex and delicate than any amicable agreement one can reach. It is therefore crucial that the heads of these agencies are people with full awareness of their decision-making roles and responsibilities but, above all, with skills commensurate with those roles.
What is presented at conferences, round tables and webinars is very different from what happens ‘in the real world’. There is a need for advanced and proven technical knowledge; the decision-maker needs not only experience but also the right knowledge, and this, after all, applies to every professional field. No one would board an airliner if the captain were only experienced in small motorised aircraft: every context needs expertise, but this country continues to see such top positions as ‘a space to place a friend’, and when the spaces run out, all one has to do is create a new technical-organisational structure.
The results are not long in coming, and the events filling the newspapers these days are full proof of this. Now that everyone is asking ‘what has ACN done’ or ‘what is the point of ACN if it cannot prevent…’, we should look at how the organisation is growing, how it is developing and how it is exercising its powers.
Conclusions
Sometimes it seems as if Italy stopped forty years ago: friendships, lobbying, while the world around the country moves on, and moves very fast indeed. The disgust at seeing one’s own country dragged into scandals of this nature should make everyone indignant, just as the inertia, incapacity and cronyism mentioned above should, but evidently it is never enough; we cannot learn from our mistakes. So let us make an appointment for the next agency, the next technical table, the next steering committee, perhaps even unpaid and kept going by the free contribution of professionals.