«Disaster without legal consequences»: cybersecurity expert criticizes «Reserve+»

Cybersecurity expert Kostiantyn Korsun believes that the «Reserve+» app has a number of significant drawbacks in terms of personal data protection.

In addition, citizens cannot control their personal data — it is impossible to find out who manages it and how it is stored, said he said in an interview with Radio NV.

Here are the main points from the interview.

«Reserve+» — this «catastrophe»

Konstantin Korsun noted that in terms of cybersecurity and personal data protection, «Reserve+» — is a disaster. And the most important thing here is that it is not functionally ready.

Thus, the developers knew the approximate number of people liable for military service and could have calculated the workload and adequately adapted authorization through BankID. But they didn’t.

In addition, there are other factors that indicate functional unreadiness.

• «Reserve+» made on the basis of an unfinished application «Dream» — this is an online school diary.
• Users were offered to contact technical support via Telegram (currently, only Viber is left — ed.).
• The developers were in a great hurry to release it on May 18 to coincide with the first day of the updated law on mobilization.

«And what is done very quickly is never of high quality. Each of us knows this rule» very well,” he said.

And here the expert points out that security always lags behind functionality — «it is in second, third, fifth, tenth place».

Protection of personal data

Konstantin Korsun believes that the risks associated with security, and especially personal data protection, have been “simply ignored,” although they exist.

From a cybersecurity perspective, the main threat and worst-case scenario is if the base somehow ends up at the disposal of the enemy. At the same time, information about how the developers have protected themselves from attacks is closed.

«Nothing — not a word, not half a word — about the infrastructure and how security is ensured is said, not reported. Accordingly, you can build any conspiracy theories», — Korsun emphasized.

Accordingly, Citizens cannot control their personal data and it is impossible to find out who and how they are used, how they are stored, and whether their protection is reliably ensured.

You will not be able to prove that you have updated the data

The expert believes that from the point of view of the law, this application is «the same as you passing the “what kind of fruit are you?” test, purely formally and legally».

• The application itself does not say anything directly: there is no fine print that this product is an electronic office of a person liable for military service, conscript, or reservist. There is nothing about this, and therefore it does not create any legal consequences.
• After updating your data to «Reserve+», you have no way to prove it. There is no documentary evidence that you have updated your data, and the function of generating a QR code that leads to an electronic military registration document is planned to be launched only after June 18.

«To the people who are filling this out now: it doesn’t insure against anything, it doesn’t prove anything, and it doesn’t create any legal consequences. You’re so happy, you’ve updated everything through the app, you’re walking down the street, and a TCC patrol stops you and says: “We don’t have anything about you in our database. Get in the van, please, let’s go to the TCC, to the medical commission”», the expert summarized.

As a reminder, the other day, Deputy Defense Minister Kateryna Chernogorenko saidthat more than 700 thousand Ukrainians have been removed from the groundless «wanted list» in «Reserve+».

The agency explained that Ukrainians had this status if they violated the rules of military registration, for example, by ignoring summonses, and the MCC appealed to the National Police. However, according to Chernogorenko, the actual number of such appeals is about 25%.

And there are many errors in the state registers themselves due to «human error», which would be almost impossible to correct without Reserve+.