Homo Digitalis together with The Hellenic League for Human Rights, HIAS Greece, Privacy International and the researcher Phoebus Simeonidis submitted before the President of the Hellenic Data Protection Authority (HDPA) on 14.2.2022, a request for the exercise of its investigative powers regarding a procurement tender published by the Hellenic Coast Guard for the acquisition of a Social Media Data Collection Software (protocol number 2322/15/2/22 ).
Specifically, as pointed out on 2/2/2022 by researcher Phoebus Simeonidis, in the framework of the European Commission’s “Internal Security Fund” (ISF) program, the Coast Hellenic Guard – Ministry of Maritime Affairs published a tender for the “Upgrade/maintenance of the computer room of the Directorate of Maritime Border Security and Protection” with a total estimated contract value of seven hundred and thirty thousand euros #730.000,00€# (including VAT and other deductions).
One of the deliverables described in this call for tender (see page 34 et seq.) is the supply of Social Media Data Collection Software (hereinafter referred to as Software). As explicitly stated by the Ministry of Maritime Affairs in this notice, the Software should support the social networks Facebook, Twitter, VK, Xing, Instagram, and Telegram, and some of the necessary features as described are:
– The creation of a visualization of multiple correlations (friends, comments, posts, likes and followers).
– The identification of user identifiers including their searches, and
– The simulation of human activity to avoid account blocking.
Specifically for Facebook, the software should allow, among other functions, storage of a profile’s public contact list, storage of all 2nd degree public contacts, storage of public timeline posts (including images, videos, linked YouTube videos, comments and reactions), storage of image galleries, storage of published account information (employer, residences, education), and searching accounts for specific personal characteristics.
With respect to Twitter, the Software should, among other functions, allow for the storage of audience following a profile list, storage of all public contacts of the 2nd degree (Followers List), and storage of public messages (including images, videos, linked YouTube videos, and likes).
For Instagram, the Coast Guard is seeking the Software to allow, among other things, storage of the follower list, storage of the public list following a profile, storage of public comments per profile by time sequence including images, videos, linked YouTube videos, and storage of timelines and Profile Stories.
With regard to Telegram, the software must allow the storage of participants in group conversations (up to 10,000 participants), as well as the storage of the full content of each group conversation (text and photos or other material shared in them).
It is therefore clear that the software in question seeks to monitor an indeterminately large number of users of the social networks in question, and to collect, process and analyse their information, without indicating the purpose of the processing operations, the legal bases that allow them and any other safeguards for the protection of personal data, as the European Data Protection Supervisor has expressly stated in a case of similar software maintained by the European Support Office for It is also worth noting that the European Border and Coast Guard Agency (FRONTEX) had in 2019 withdrawn a related call for tender for the procurement of similar social media data collection software, following a successful action by Privacy International.
Thus, the procurement of this software will be a clear challenge to the right to the protection of personal data and respect for the principle of lawfulness of processing, the principle of purpose limitation and the principle of proportionality (data minimisation) as outlined in EU and national legislation, as well as the rights to respect for privacy and freedom of expression.
Also, the creation of a fake account simulating human activity is contrary to the terms of use of social media and messaging mentioned in the tender, while the logging of searches of third party accounts is a highly intrusive activity. Of course, highly intrusive is also the recording and monitoring of group conversations on Telegram.