Transparency Unleashed: Privacy Risks in the Age of E-Government

Abstract

E-government and transparency are significantly improving public service management by encouraging trust, accountability, and the massive participation of citizens. On the one hand, e-government has facilitated online services to address bureaucratic processes more efficiently. On the other hand, transparency has promoted open access to public information from the State so that citizens can understand and track aspects of government processes more effectively. However, as both require extensive citizen information management, these initiatives may significantly compromise privacy by exposing personal data. To assess these privacy risks in a concrete scenario, we analyzed 21 public institutions in Ecuador through a proposed taxonomy of 6 categories and 17 subcategories of disclosed personal data on their online portals and websites due to LOTAIP transparency initiative. Moreover, 64 open-access systems from these 21 public institutions that accomplish e-government principles were analyzed through a proposed taxonomy of 8 categories and 77 subcategories of disclosed personal data. Our results suggest that personal data are not handled through suitable protection mechanisms, making them extremely vulnerable to manual and automated exfiltration attacks. The lack of awareness campaigns in Ecuador has also led many citizens to handle their personal data carelessly without being aware of the associated risks. Moreover, Ecuadorian citizens’ privacy is significantly compromised, including personal data from children and teenagers being intentionally exposed through e-government and transparency initiatives.

1. Introduction

Governments today rank among the principal aggregators of high-quality personal data. By law, they collect vast amounts of data on their populations, covering areas such as biometrics, demographics, health, and economics, from birth through death [1]. Individuals are required to provide the State with continuously updated data, in perpetuity, to be recognized as functional citizens and to acquire the corresponding rights and obligations. This information is vast and validated, ensuring a high level of quality, which is critical for extracting valuable insights. All these data enable governments to make more informed decisions, enhancing their ability to serve the population effectively.

Sadly, there are several privacy risks involved in this context. First, citizens’ data are provided to the State by default, lacking an opt-out option similar to those available in, for example, social networks. In addition, there are serious risks of misuse, unauthorized access, and function creep (where data are used for purposes beyond their original intent). Finally, the State is a single point of failure holding sensitive personal data on entire populations [2].

To compound matters further, these privacy risks are exacerbated for a number of reasons. Not only does the State collect vast quantities of personal data, but these data must also be managed and processed for diverse purposes—such as enforcing regulations or facilitating online services to make administrative procedures more accessible [3]. In this context, efforts to increase State transparency have led public administrations to openly publish much information about institutions; their employees; and, to some extent, the citizens themselves. Likewise, numerous online platforms have been deployed to consolidate, process, and distribute this information, supporting ambitious e-government initiatives aimed at enabling citizens to interact more efficiently and effectively with bureaucracy [4]. Consequently, though with laudable intentions, personal data are frequently exposed, at times with absolutely no control. As if this were not enough, the interaction of everyday citizens with such platforms introduces an additional layer of risk, as privacy novices may inadvertently jeopardize the security of their data by handling them carelessly [5]. Thus, privacy becomes vulnerable even in the absence of an external attacker.

1.1. Ecuador: A Different Perspective on Privacy Research

Ecuador is a very small Latin American country, a developing nation, that has undergone many political, economic, social, legal, and even technological changes in recent years. As in other countries within the region, these changes often differ significantly from those encountered by most developed nations [6]. Thus, focusing on Ecuador is particularly relevant for privacy studies, as it provides insights distinct from those obtained by concentrating on more developed regions (e.g., USA, Europe, and China), which are characterized by stability and well-established data protection legislation. Consequently, analyzing the Ecuadorian context can provide a new perspective and help understand the challenges of data protection in other geographies with different development conditions.

In Ecuador and several Latin American countries, awareness of online privacy is very limited, unlike in other regions where it is a sensitive and high-priority issue [7]. Cultural, economic, and even language-related factors likely influence the attitudes of various stakeholders toward the concept of privacy [8]. Given that this is the reality for a significant portion of the global population (mainly Latin America and Africa), it is essential to study these contexts.

On the other hand, despite its challenges, Ecuador has made significant progress in Internet access, digitalization, transparency, and data protection [9]. For instance, Ecuador has recently enacted a privacy regulation inspired by the European Union’s General Data Protection Regulation (GDPR). This late initiative brings an opportunity to study the effectiveness and impact of such regulations in an unexplored context like Latin America, and to identify the gaps between legislation and its enforcement. This analysis is necessary to unveil the real challenges faced by societies in protecting privacy.

Furthermore, for more than a decade, Ecuador has implemented an aggressive digitalization strategy in the public sector, aimed at improving citizen services [10]. In this line, anti-corruption efforts have significantly increased public sector transparency, providing broader access to State information. However, these services were implemented without prioritizing the privacy or protection of personal data. As is known, the rapid deployment of online services often overlooks security and privacy concerns, which could worsen within the next 20 years, especially in contexts with less reliable institutions and pressing socioeconomic challenges. In this context, studying online privacy in Ecuador can contribute to the academic literature by exploring how developing countries can protect the digital rights of their citizens while advancing toward increasingly connected societies.

1.2. Contribution

This research outlines a privacy assessment framework for unveiling risks in a scenario of attack that might not even consider the presence of an active adversary but rather reveals privacy breaches that arise from the implementation of aggressive e-government and transparency initiatives, e.g., privacy breaches by design. To the best of our knowledge, this problem has not been addressed deeply before in Ecuador. Moreover, previous studies in other countries often rely on citizens’ perception assessments when using online services due to e-government initiatives, gathering insights based on their feelings and experiences through surveys and questionnaires. This method is highly prone to error as it is subjective and biased by each individual’s opinion. Therefore, this research is based on evidence through the analysis of information collected from websites and open-access systems.

Table 1. A comparison of this research with previous studies carried out for other countries.

Study	Year	Country	Advantages	Disadvantages
Atobishi et al. [11]	2025	27 European nations	Assesses digital access, digital literacy initiatives, and online privacy.	Assessment through a theoretical framework without experimental evidence.
Chengdan Luo et al. [12]	2024	China	Offers practical guidance to improve e-government with privacy in mind.	Assesses online privacy just by perception of Chinese Internet users using questionnaires.
Sigurjonsson et al. [13]	2024	Iceland	Overall digital transformation assessment including privacy concerns due to transparency.	Results based on municipal employees’ experience collected through surveys.
Alghareeb et al. [14]	2023	Saudi Arabia	Assesses privacy and usability of mobile apps.	-Assessment carried out just through perception of users. -Focus on just mobile apps resulting from COVID-19 countermeasures.
Goloshchapova et al. [15]	2023	Russia/Czech Republic	-Representative sample of 400 participants. -Strong statistical analysis for generalization of results.	Results based on perception of males and females using services due to e-government initiatives.
Fabregue et al. [16]	2023	Italy/Switzerland	Analyze and contrast two different legislations including ethical aspects.	The study involves two limitations related to the exact types of data collected and accessing direct data.
Zeebaree Mosleh et al. [17]	2022	Iraq	Privacy assessment due to e-government using “Trust of system (TOS)” and “Ethics of Internet (EOI)” proposed indicators.	Surveys employed to collect information from 371 participants are prone to error and extremely subjective because they are based on user expectancy.
Yuehua Wu [18]	2014	USA/Germany/China	Comparison between three different legislations.	Suggests an evaluation through a theoretical framework without experimental data.
This research	2025	Ecuador	-Analyzes privacy risks by design. -Includes privacy risks due to transparency initiatives and not just e-government. -Privacy assessment based on experimental evidence.	Overcomes limitations found in previous studies.

summarizes these previous studies, detailing their advantages and disadvantages.

In addition, the focus on Ecuador provides a distinctive approach to privacy and data protection, as it constitutes a highly specific regulatory and technological landscape. This perspective highlights the unique challenges and opportunities in addressing data governance, compliance, and cybersecurity risks in underexplored geographies. For instance, given the recent enforcement of privacy regulations, it is possible to conduct a granular analysis of their impact on vulnerability management and risk assessment methodologies. Additionally, the implementation of secure cipher channels for data transmission; the strengthening of authentication, authorization, and auditory protocols; and the adoption of zero-trust architectures are critical considerations in mitigating data exfiltration threats and unauthorized access across different sectors of society.

In other words, this study addresses a critical gap in the literature by providing a structured framework to examine privacy challenges in volatile and rapidly evolving threat landscapes. It not only enhances the understanding of data protection risks and vulnerabilities in Ecuador but also contributes to global cybersecurity discourse by offering transferable insights for societies undergoing digital transformation, regulatory adaptation, and networked infrastructure expansion. This perspective emphasizes the importance of including underrepresented regions in global privacy and cybersecurity discussions, particularly in paramount areas such as risk-based access control (RBAC), secure cipher channels for data transmission, and adaptive threat modeling. By integrating less-explored environments into regulatory and technological frameworks, the study promotes a more holistic approach to privacy governance, incident response, and resilience against emerging cyberthreats.

In this paper, privacy breaches resulting from this contradictory scenario are analyzed. Section 2 details the roadmap to e-government, transparency, and privacy in Ecuador. Section 3 describes the applied methodology, while Section 4 presents and analyzes the results obtained. In Section 5, a discussion is presented, and in Section 6, the conclusion reached in this research is presented.

2. The Ecuadorian Roadmap to E-Government, Transparency, and Privacy

2.1. The Pursuit of E-Government and Transparency

E-government primarily aims to enhance citizens’ access to information and online services through the strategic use of technology [19]. Ecuador has achieved notable advancements in e-government and transparency initiatives, which have been widely recognized and appreciated by its citizens. These efforts have significantly enhanced public access to governmental services and information, thus fostering a more transparent and efficient administrative framework [20].

In Ecuador, this initiative was officially launched in 2000, when universal access to telecommunications services—critical channels for public engagement with e-government tools—was established as a State policy [21]. This foundational move was instrumental in enabling the development of digital governance platforms, facilitating more efficient and transparent interactions between the State and its citizens.

In 2003, the first National Electronic Government and Information Society Program was published with the components definition of policies and implementation of infrastructure projects [21]. In 2007, Ecuador signed the Ibero-American Charter of Electronic Government, which aims to guarantee citizens transparency in public administrations, optimize processes, improve access to information, and encourage active participation [21]. Also, the Undersecretary of Informatics was created during this year to improve government management through the implementation of information technology projects. In 2011, the National Online Government Plan was proposed to promote digital services for citizens, governments, and companies, promoting citizenship access to information and public services, for example, through online portals and websites [22]. In this sense, the Undersecretary of Electronic Government was created in 2013 to support the implementation of e-government in public administration. As part of this initiative, several mechanisms were defined to simplify procedures. In 2014, the first National Electronic Government Plan 2014–2017 was launched with more than 100 programs, projects, and regulations [23].

In 2015, the mandatory implementation of the National Electronic Government Plan was provided for all State institutions and dependent organizations on the Ecuadorian executive function. In 2016, the publication of the National Electronic Government Plan 2016–2017 was made official, whose objectives included increasing access to electronic services and improving the level of access to public information, as well as the efficiency, effectiveness, and performance of public institutions [24]. In the same way, the Organic Administrative Code provided the adoption of electronic government instruments in 2017. In 2018, regulatory improvement and administrative simplification of procedures were proposed as a State policy [25]. Also, the National Electronic Government Plan 2018–2021 was issued during this year [26]. Finally, in 2019. the Law for the Optimization and Efficiency of Administrative Procedures was promulgated, which guarantees the implementation of online procedures whenever possible.

As part of this initiative, the Ministry of Telecommunications and Information Society (MINTEL, which stands for Ministerio de Telecomunicaciones y de la Sociedad de la Información) created the Single Portal for Citizen Procedures Gob.ec available at [27], which includes a detailed and centralized list of procedures offered by public institutions in Ecuador to citizens, as well as an Application Programming Interface (API) that allows the direct interconnection among MINTEL and the technological platforms of these public institutions to share information, streamline processes, and reduce service times. Due to these significant efforts, Ecuador has achieved through time the OSI (Online Service Index) and EGDI (E-Government Development Index) indexes detailed in Figure 1 and Figure 2, respectively [28]. These indexes reflect the significant advance of Ecuador in e-government initiatives [26,29].

On the other hand, transparency in Ecuador has been mainly managed from 2004 through the Organic Law of Transparency and Access to Public Information (LOTAIP, which stands for Ley Orgánica de Transparencia y Acceso a la Información Pública). In order to help curb corruption and fraud in Ecuador, as well as increase responsibility and participation between the Ecuadorian State and citizenship, this law guarantees citizens the right to access the information generated and managed by public institutions [30]. Therefore, public institutions are compelled to disclose at their online portals or websites information about their employees and processes, allowing to know how they are managed.

Overall, an Ecuadorian law is formed by a group of articles designed to clearly and concisely provide the guidelines and directives that must be followed. Since certain articles may cover multiple guidelines applicable to different related areas, they also define several subsections known as literals. Each literal outlines specific aspects of the article, providing precise directives that help clarify its purpose for a particular context, thus avoiding ambiguity. Specifically, five literals of LOTAIP Article 7, summarized in

Table 2. LOTAIP Article 7 literals associated with mandatory disclosure of personal data.

Literal	Information
b1	Complete institutional directory.
b2	Staff distribution.
c	Monthly remuneration per position and any additional income, including the compensation system, as established by the corresponding provisions.
j	A list of companies and people that have breached contracts with the institution.
n	Per diems, work reports, and justifications of national or international mobilization of authorities, dignitaries, and public officials.

, establish as mandatory the disclosure of information by public institutions including but not limited to personal data belonging to their employees.

Nevertheless, transparency in Ecuador has been promoted as the panacea against corruption by several social sectors [31], allowing Ecuador to raise significant places in the overall Right to Information Rating (holding at the time of writing the worldwide position 76) [32].

2.2. Privacy Regulation in Ecuador

Privacy and personal data have been protected in Ecuador through several regulations. For instance, the Ecuadorian Constitution and a set of several laws related to telecommunications, electronic commerce, and criminal procedures establish measures oriented to protect personal data.

In 2021, the Organic Law on Protection of Personal Data (LOPDP, which stands for Ley Orgánica de Protección de Datos Personales) was published in Ecuador and is currently the main mechanism for the protection of citizen privacy. LOPDP main objectives are (1) to guarantee the right to protection of citizens’ personal data and (2) that citizens have access to and can make decisions about their personal data [33]. However, it is worth mentioning that the achievement of these objectives is expected to be reflected in the coming years through the proper execution by public institutions, private companies, and citizens.

The LOPDP does not establish a taxonomy for personal data; however, it distinguishes four categories of sensitive personal data, which, if revealed, would significantly impact its owners. These four categories of sensitive personal data are as follows: (1) Immigration status, (2) Ethnicity, (3) Judicial, and (4) Health.

Although LOPDP is based on GDPR, it has several limitations. One of those limitations, for example, is related to the reduced penalties in comparison to the GDPR. However, the most important limitation is regarding the law’s exceptions for its application, a phenomenon that already occurred with previous legislation. For instance, the Electronic Commerce Law already indicated that consent for data processing is not necessary when its collection is carried out in the context of public administration [34]. Likewise, LOPDP raises several exceptions concerning the privacy rights of users in Ecuador, such as the declaration of personal data of public workers as open data accessible for citizens and entities for data treatment (Article 2). In addition, it provides public workers’ patrimonial history declarations and remuneration details, which constitute sensitive personal data.

In November 2023, the Regulation of the LOPDP was issued to ensure the correct implementation of the law. This regulation seeks to strengthen data security and confidentiality, establishes the responsibilities of the entities that manage it, and ensures that citizens have control over their personal data. In addition, it seeks to align with international data protection and privacy standards [35]. Furthermore, the Superintendence of Personal Data Protection was created in October 2024 to ensure compliance with the LOPDP and its Regulation, protecting the privacy and security of Ecuadorians’ information. Figure 3 summarizes the milestones in the regulation of e-government, transparency, and privacy in the Ecuadorian context.

2.3. A Worrisome Outlook in Ecuador

Ecuador has suffered several data leak incidents in recent years, primarily caused by reconnaissance attacks, ransomware attacks, lack of adequate perimeter security, and a lack of a culture of information security and privacy.

Reconnaissance attacks: Reconnaissance and information-gathering attacks on websites and infrastructures have affected public organizations in Ecuador, allowing them to collect sensitive data and serving as a baseline to execute subsequent advanced exploits against privacy such as Advanced Persistent Threats (APTs) attacks and backdoors. Moreover, other kind of exploits such as Denial of Service (DoS) and Distributed Denial of Service (DDoS) attacks against systems availability have been executed after a successful reconnaissance attack [36].

In 2024, for instance, the Agencia Nacional de Tránsito (ANT) identified that it had fallen victim to reconnaissance attacks on its technological infrastructure, allowing attackers to collect information such as IP addresses, usernames, and servers’ details, allowing subsequent theft of user credentials, and causing delays in citizens service [37]. In 2025, the Civil Registry reported a cyberattack on its IT systems and website, which is believed to have collected basic information, stolen cookies, and disrupted the appointment scheduling system for issuing Digital Number Identifier (DNI) documents and passports [38].

Ransomware attacks: Ransomware attacks have also been a cause of personal data exfiltration in Ecuador [39]. In 2021, the National Transit Agency (ANT) suffered a data breach in its AXIS system due to a suspected ransomware attack (whose strain could not be identified). This attack also caused service disruptions in the issuance of driver’s licenses and vehicle registrations for extended periods [40].

That same year, the RansomEXX ransomware affected the Corporación Nacional de Telecomunicaciones (CNT), causing not only personal data exfiltration but also preventing users from paying phone, Internet, and television bills and completing certain online or in-person transactions for several days [41]. A similar situation occurred with the Municipio de Quito in 2022, when the BlackCat ransomware massively exfiltrated data from its production and development databases, paralyzing its technological infrastructure [42].

Lack of adequate perimeter security: In 2019, the sensitive information of Ecuadorians held by the consulting firm Novastratech S.A. was severely compromised due to the failure to implement adequate security measures for its protection. The data breach was identified by the cybersecurity company vpnMentor, which alerted Ecuadorian authorities [43]. It was revealed that the data were stored on an unprotected server in Miami, USA, and was publicly accessible. The breach is estimated to have involved 18 GB of personal data, including names, financial information, and civil records of up to 20 million people [44].

As a result of the incident, the urgent approval of the LOPDP law was promoted, and public institutions were encouraged to store their information on their own servers and implement proper perimeter security controls. This latest requirement has had positive effects in recent years. Most public institutions in Ecuador have their secure on-premise technological infrastructure with controls such as Intrusion Detection Systems (IDS), Intrusion Prevention Systems (IPS), Data Loss Prevention (DLP), Web Application Firewalls (WAF), and Email Security Appliances (ESA). However, it is important to maintain and update the rules of these devices regularly to avoid likely security holes.

Lack of a culture of information security and privacy: The lack of a culture of information security and privacy has been the main trigger for several cyberattacks that have led to massive leaks of Ecuadorians’ personal data. Unfortunately, protective measures were implemented only after a serious incident had occurred. In 2021, for example, the Policía Nacional del Ecuador reported unauthorized access to its Integrated Computer System (SIIPNE 3W) using the credentials of one of its members, exposing sensitive information related to a femicide case [45]. It is presumed that the credentials were not carefully safeguarded by their owner rather than being compromised through a brute-force or dictionary attack. In 2024, the Agencia Metropolitana de Tránsito (AMT) reported a suspected hack of its IT system, which allowed the alteration of approximately 9620 transit procedures in Quito, Ecuador, exposing the personal data of citizens and vehicles. However, it is suspected that rather than an actual system vulnerability, the attack resulted from negligence in access management by the responsible personnel [46].

A final reflection: Security is a complex chain and a single weak link is enough to enable a successful data leak. Our study estimates that more than 75% of personal data leaks in Ecuador are likely caused by threats that take advantage of the lack of a culture of information security and privacy in the Ecuadorian society, creating an ideal scenario for personal data exfiltration. We estimate this percentage based on the number of public access systems due to the e-government initiative that we were able to analyze from the representative sample of 83 systems initially chosen.

Additionally, the lack of encrypted production databases, the use of production database information in software development environments without proper controls, storing sensitive data in plaintext files on servers, the use of personal devices by public institution employees, and paper-based document management with inadequate disposal methods are among the main risk factors contributing to personal data leaks.

3. Methodology

The research methodology was based on four stages that allowed the identification of privacy risks in Ecuador. Figure 4 illustrates this methodology and shows the information gathered and analyzed in each step.

In stage 1, we performed a general review of the e-government, transparency, and privacy in Ecuador in order to determine the benefits of e-government and transparency as well as their impact on privacy. This baseline facilitated a subsequent analysis of the regulation and its evolution from each initiative to have a first insight into the associated law in Ecuador.

A deep analysis of LOTAIP was carried out in stage 2. This analysis led to unveiling the parts of the law (Article 7) that explicitly require the disclosure of personal data. The corresponding literals of the law and the information to be disclosed are depicted in Table 2. As a result of the enforcement of this law, public institutions’ websites are filled with personal data associated with public employees. In this research, 21 public institutions between ministries, control entities, municipalities, and institutions that offer popular services in Ecuador were analyzed.

Table 3. Number of open-access systems by public institution.

Public Institution	Number of Open-Access Systems
Agencia Metropolitana de Tránsito (AMT)	3
Agencia Nacional de Tránsito (ANT)	4
Asociación de Municipalidades Ecuatorianas	1
Consejo de la Judicatura	5
Contraloría General del Estado	1
Corporación Nacional de Telecomunicaciones	1
Dirección Nacional de Registros Públicos	1
Fiscalía General del Estado	2
Instituto Ecuatoriano de Seguridad Social (IESS)	4
Ministerio de Defensa	1
Ministerio de Educación	2
Ministerio de Gobierno	5
Ministerio de Inclusión Económica y Social (MIES)	3
Ministerio de Salud Pública	2
Ministerio del Trabajo	2
Municipio de Quito	3
Registro Civil	2
Secretaría Nacional de Educación Superior	5
Servicio de Rentas Internas (SRI)	10
Servicio Nacional de Aduana del Ecuador	4
Superintendencia de Compañías	3

lists these 21 public institutions.

The information disclosed by these 21 public institutions on their online portals and websites was carefully gathered and classified, considering as personal data all information that could identify or be used to identify individuals, either directly or indirectly. Related personal data were then clustered and assigned to a more general personal data subcategory. Finally, resulting subcategories were assigned to a category, allowing the obtainment of compact and easier-to-analyze information. For instance, the personal data Monthly remuneration and Annual remuneration refer to the same subcategory Income of the category Heritage.

Table 4. Proposed taxonomy of disclosed personal data to analyze privacy risks due to LOTAIP transparency initiative.

Category	Subcategory
Identification	Email address
	taxpayer tax identifier
	Complete names
	Budget item number
Demography	Workplace
Job	Public sector position
	Contract details
	Trip details
	Position hierarchy grade
	Labor regime
Heritage	Debt
	Income
Judicial	Appeal status
	Judicial processes/infractions
Location	Travel date
	Phone number
	Geographic location

, presents a proposed taxonomy of 6 categories and 17 subcategories defined to analyze privacy risks due to the LOTAIP transparency initiative.

A similar strategy was carried out in stage 3, studying the personal data provided by open-access systems. In total, 64 open-access systems belonging to the 21 public institutions were identified and analyzed, as detailed in Table 3. To consider a system as open access, the following criteria were taken into account: (1) the system must be accessible through the Internet; (2) the system must belong to a public institution; (3) the system must provide personal data of citizens through online consultation; (4) the system must not require authentication of the owner of the information.

Some web pages and mobile applications that generate traffic and income through advertising, such as EcuadorLegalOnline [47], Ecuador WEB [48], and Consultas Ecuador [49], serve as gateways to several of these open-access systems. These platforms helped identify most of the open-access systems from the 21 public institutions described in Table 3. The 64 open-access systems identified revealed 111 unique personal data that were consolidated through a proposed taxonomy of 8 categories and 77 subcategories, as detailed in

Table 5. Proposed taxonomy of disclosed personal data to analyze privacy risks due to e-government initiative.

Category	Subcategory	Individual(s)
Identification	Identity card	Owner/Third parties/Relatives
	Birth code	Owner/Relatives
	Email address	Owner/Third parties
	Taxpayer tax identifier	Owner/Third parties
	Full names	Owner/Third parties/Relatives
	Username	Owner/Relatives
	Vehicle license plate	Owner
	Vehicle identifier	Owner
	Business name	Owner/Third parties
Demography	Age	Owner/Third parties/Relatives
	Civil status	Owner/Third parties/Relatives
	Bonus status	Owner
	Immigration status	Owner
	Taxpayer details	Owner
	Ethnicity	Owner/Relatives
	Birth details	Owner/Third parties/Relatives
	Workplace	Owner/Third parties
	Email address domain	Owner/Third parties
	Disability waiver amount	Owner
	Nationality	Owner/Third parties/Relatives
	Number of pregnancy/children	Owner/Relatives
	Relationship	Owner/Relatives
	Weight	Owner/Relatives
	Sex	Owner/Relatives
	Height	Owner/Relatives
Education	College level	Owner/Third parties
	Specialty	Owner/Third parties
	Scholar status	Owner
	Degree registration details	Owner
	Place of studies	Owner/Third parties
	Educational day	Owner/Third parties
	Education/training level	Owner/Third parties/Relatives
	Degree	Owner/Third parties
	Profession	Owner
Job	Economic activity	Owner
	Public sector position	Owner/Third parties
	Social security affiliation status	Owner
	Job impediment status	Owner
	Turn number	Owner
	Employment/Employer Status	Owner
	Status belonging to security services	Owner
	Driver’s license type	Owner
	Date of employment status change	Owner
Health	Health insurance status	Owner/Third parties
	Vaccination status	Owner
	Number of parental controls	Owner/Relatives
	Number/type of delivery	Owner/Relatives
	Percentage of disability	Owner/Third parties
	Type of health insurance	Owner
	Type of disability	Owner/Third parties
	Blood type	Owner
	Vaccine type	Owner
Location	Appointment date/time	Owner
	Property identifier	Owner
	Phone number	Owner/Third parties
	Geographic location	Owner/Third parties
	Place of procedure	Owner/Third parties
Heritage	Assets by rights	Owner/Third parties
	Property details	Owner
	Home appraisal	Owner
	Cash/investments	Owner/Third parties
	Vehicle appraisal	Owner
	Shareholder/legal representative status	Owner
	Debt status	Owner
	Inheritance status	Owner
	Complementary funds	Owner/Third parties
	Information on companies/shares	Owner/Third parties
	Accounts receivable	Owner/Third parties
	Debt	Owner/Third parties
	Payment value	Owner/Third parties
	Other vehicle details	Owner
	Income/rent	Owner/Third parties
Judicial	Criminal record	Owner/Third parties
	Detail complaints/crimes	Owner/Third parties
	Status impediment to leave the country	Owner
	Legal proceedings/infractions	Owner/Third parties
	Prohibition to alienate	Owner

. While some subcategories can allow identification of the owner of the personal data, others can enable identification of third parties related to the owner and even their relatives. The Health and Judicial categories of sensitive personal data in the LOPDP directly correspond to the categories of the same name detailed in Table 5, while Immigration status and Ethnicity correspond to the subcategories of the same name within the Demography category.

In stage 4, disclosed personal data were gathered, organized, and analyzed both for e-government and transparency. This analysis allowed us to determine existing privacy risks and their possible impact on Ecuadorian society, as well as to suggest strategies for mitigating them.

4. Results and Analysis

This section outlines the privacy risks related to e-government and transparency initiatives in Ecuador, examining the number of disclosed personal data by public institution.

4.1. E-Government and Its Related Privacy Risks

When analyzing the number of disclosed personal data and their corresponding subcategories by each public institution, we found that the entities that reveal the most personal data through open-access systems are Registro Civil (21 personal data in 19 subcategories), Servicio de Rentas Internas (SRI) (25 personal data in 25 subcategories), Contraloría General del Estado (19 personal data in 17 subcategories), and Consejo de la Judicatura (12 personal data in 12 subcategories), as shown in Figure 5. Specifically, Registro Civil and SRI host massive amounts of personal data belonging to all citizens, whereas Contraloría General del Estado and Consejo de la Judicatura concentrate personal data of citizens related to a specific context (in this case, public employees and citizens involved in judicial processes).

Regarding sensitive data (according to the LOPDP criteria), the statistical analysis demonstrates that roughly 72% of the 21 public institutions disclose at least one instance of sensitive personal data in one of the sensitive categories—Immigration status, Ethnicity, Judicial, and Health. While approximately 38% of public institutions reveal Health data, around 24% reveal Judicial history data. These statistics are exposed in Figure 6. In this sense, data on legal proceedings and infractions, health insurance status, and even details of a mother’s delivery process (such as the number of pregnancies and prenatal check-ups, among others) are exposed. The entities that disclose most of these personal data are detailed in Figure 7. Among all the revealed personal data by public institutions, 28% correspond to sensitive personal data.

From the analysis of children and teenagers’ personal data, we found that Registro Civil (sixteen personal data in fourteen subcategories), Ministerio de Educación (eleven personal data in eleven subcategories), and Ministerio de Salud Pública (seven personal data in seven subcategories) are the institutions that disclose more personal data of these groups, as Figure 8 shows. The analysis demonstrates that 57% of the institutions reviewed disclose at least one personal data instance of children and teenagers—that is, more than half of the public institutions reveal the personal data of minors.

Regarding the personal data of disabled people, a couple of systems were found that disclosed this type of data, but they stopped doing so during the completion of this research. These systems made it feasible to check if a citizen had received economic compensation or whether they had been subject to tax exemptions. The information that these systems revealed included compensation status, full names, type of physical disability, percentage of disability, and disability waiver amount.

When analyzing the magnitude of the disclosed personal data by category, we found that those corresponding to the categories Demography (23 disclosed personal data in 16 subcategories) and Heritage (26 disclosed personal data in 15 subcategories) are the most critical, as shown in Figure 9. On the other hand, as shown in Figure 10, the open-access systems of the analyzed public institutions not only disclosed personal data of the individual but also about third parties and relatives. The results suggest a concerning scenario. All 21 public institutions collectively host 63 systems that expose 77 subcategories of individuals’ personal data. Additionally, sixteen systems across eight public institutions disclose personal data of 51 subcategories able to identify third parties, and three systems from three public institutions expose 23 subcategories of personal data capable of identifying relatives.

Regarding disclosed personal data by open-access systems, public institutions that reveal the greater number of personal data categories were Ministerio de Gobierno (disclosing personal data for about 62% of the categories), Fiscalía General del Estado (54%), Ministerio de Educación (54%), Ministerio de Inclusión Económica y Social (MIES) (54%), Registro Civil (54%), and Servicio de Rentas Internas (SRI) (54%). In addition, all the entities shared Identification data and more than 50% of the entities disclosed sensitive data of citizens. Other categories of personal data that are shared by more than half of the entities are Demography (62%) and Location (57%).

Beyond the large number of disclosed personal data by these systems, 25% of them were vulnerable to enumeration attacks—that is, with one or a few queries, results could be obtained about several individuals. For example, searching for a single last name returned results for all those who shared that last name. Furthermore, although the information in public consultation systems was usually sensitive and abundant, few protection mechanisms had been implemented.

Only 6% of the open-access systems analyzed implemented trivial privacy protection mechanisms. One common strategy identified was the generalization of certain data, such as the identification number or vehicle’s engine number, replacing the most specific part of such data with a symbol. Another common strategy was to add a watermark with the IP address of the user to the document that contains personal data to deter the leak of this information.

4.2. LOTAIP Analysis

Figure 11 shows the number of personal data and subcategories that are disclosed by LOTAIP Article 7 literals described in Table 2 through the transparency section on online portals and websites of public institutions. Literal b (Institution Directory and Personnel Distributive) is the one that allows access to the greatest number of personal data. As Table 4 suggests, the LOTAIP initiative requires the publication of 17 subcategories of personal data, including full names, public sector position, income, contract details, and place of employment, among others. After categorizing these disclosed personal data, it is found that most correspond to the Job category (nine personal data in five subcategories) and the Identification category (eight personal data in four subcategories), although the Location and Heritage categories are also included, as denoted in Figure 12.

5. Discussion

Privacy risks and possible attacks: The results obtained show that e-government and transparency regulations affect privacy in Ecuador. First and foremost, identifying data are disclosed in almost all cases, allowing to correlate an identification number with the full name of an individual and vice versa. Also, an identification attack that uniquely identifies an individual within a population grouping of attributes that characterize him (quasi-identifiers) is feasible from the disclosed personal data of the 21 open-access systems.

Regarding transparency initiatives, both identifiers and full names are published together. Thus, an attacker who knows some of these data could easily obtain all the others that are disclosed. On the other hand, disclosed data associated with an identity could allow to classify or categorize an individual. For instance, wealth data (taxes, income, properties, among others) could place an individual in a category that prevents him from receiving credit or, what is even more worrying, in a category that attracts criminals interested in extorting, kidnapping, or stealing victims that stand out for their income level. Likewise, health or legal data could be input for institutions that discriminate against individuals based on the number of children or due to inconclusive legal proceedings.

The large amount of disclosed personal data can be consolidated to build a comprehensive profile that provides a clear view of an individual’s characteristics across various facets of their life. Just as a criminal investigator constructs a profile to study and ultimately apprehend a suspect, an attacker could use profiling to violate a victim’s privacy.

The risk to privacy in the analysis scenario of this research is exacerbated due to several factors. Firstly, who is in charge of disclosing the information is the Ecuadorian State, which certainly has the greatest amount of information of all citizens. Secondly, personal data are published directly on the Internet, significantly increasing the number of potential attackers. Thirdly, some open-access systems do not control the number of records that were obtained from queries; sometimes, many records are returned from a generic search parameter (for instance, searching for a last name returns information for everyone with that last name). In several cases, there are no minimum protection mechanisms that control the automated extraction of data, so there is a high risk that an attacker can easily obtain that information.

These factors that increase privacy risks for citizens also exacerbate the impact of the attacks described above. In fact, a virtual online mass surveillance platform has been created, due to the magnitude and granularity of the data disclosed, the number of individuals involved, the straightforward access to these data, and especially the sensitivity of these data, which include location, assets, and health, among others, and in many cases are constantly updated.

Vulnerable groups: As a result, all citizens (more than 18 million Ecuadorians [50]) are highly vulnerable to privacy attacks, even those groups that do not regularly interact with public services such as children (more than 6 million girls, boys, and teenagers [51]) or extremely vulnerable groups such as people with disabilities (more than 470,000) [52]). In particular, roughly 400,000 public employees are at risk [53], including more than 50,000 police officers and more than 40,000 employees among military forces, justice operators, mid-range authorities, and others [54], whose decision-making power in certain sensitive areas could put them at greater risk if their personal data are disclosed. This group, according to the exceptions established by the regulation, would have their privacy rights restricted. In contrast, activities related to freedom of expression (generally journalistic), which could be carried out by any citizen, would not be required to consider these privacy rights, which could generate serious distortions in the protection of personal data.

Given that e-government and transparency are considered as solutions for serious problems in Ecuadorian society (corruption, online services, among others) and given the citizenship acceptance that their implementation has had in Ecuador, their adoption will surely continue to grow in the coming years with the consequent aggravation of the effects on citizens privacy. Thus, more public institutions that handle huge amounts of personal data will be integrated, including municipal governments and smaller institutions. Finally, this research allows us to state that third parties are already using personal data. For example, there are several Internet sites and mobile applications that concentrate access to the open-access systems, generating revenue through online advertising.

In addition, although these systems have been used by journalists to uncover cases of corruption in public purchases or in the issuance of fraudulent documents, there are cases in which they are used to extract data from a media target in order to attack it. Therefore, criminals take advantage of these data to carry out, for instance, harassment and extortion against their victims.

Protection mechanisms: In order to mitigate these privacy risks, several protection mechanisms could be implemented. First of all, the use of a CAPTCHA control that helps to prevent automated extraction of personal data must be implemented. Only half of the analyzed open-access systems implement a CAPTCHA control, while only four adopt useless privacy protection mechanisms. The adoption of access control mechanisms could also be considered, which allow access to the data only to its owner or to a more restricted group of users who legitimately require the use of said data. Part of this strategy could be to record the access to the data and particularly of the individual accessing it (for example, registering the source IP address and identification data, among others) so that usage patterns can be determined to help to detect, for instance, malicious use of these data.

Another strategy to mitigate the impact on the privacy of citizens consists in minimizing data—that is, disclosing what is just strictly necessary. For this, it would be necessary to reduce as much as possible the amount of personal data that is disclosed, since the results of this research lead us to determine that there are too many disclosed personal data with excessive granularity. Also, it is important to analyze the exceptions of the legal Ecuadorian framework to the guarantee of privacy rights, as well as to observe the application of this legal framework in terms of transparency and e-government.

Finally, it is the citizens themselves who must be aware of the risks they face when indiscriminately providing and revealing their personal data, often sharing far more information than is actually required for a given process. Therefore, it is urgently necessary to create awareness campaigns that promote a culture of privacy in Ecuador.

Table 6. Proposed protection mechanisms to prevent personal data leaks in the Ecuadorian context.

Type	Subtype	Protection Mechanism	Explanation
Technical	Hardware	Trusted Platform Module (TPM)	Enhances privacy and data protection by securely storing cryptographic keys, credentials, and sensitive information directly on a tamper-resistant chip [55].
	Software	Single Sign On (SSO)	Enables user authentication to be performed once to access multiple systems, thereby preventing open and publicly exposed systems [36].
		Database Firewall (DBF)	Allows to recognize data exfiltration and implement encryption.
		Tokenization	Allows to maintain user authentication and authorization without cookies. OAuth 2.0 is a major example [36].
	Network	Network segmentation and Zero Trust security	Helps contain advanced threats such as ransomware, preventing its spread to critical networks where database servers storing personal information may be located [56].
	Security Operations Center (SOC)	Advanced Malware Protection (AMP)	Systems able to detect, monitor, and recognize malware trajectory and data gathered in a system [39].
		Security Information and Event Management (SIEM)	Records data-reading activities for subsequent interpretation and finding of privacy Indicators of Compromise (IoCs) [36].
Administrative	User	Awareness	Awareness campaigns to encourage citizens to take care of their personal data [57].
	Process	Reduced bureaucracy	Reduced requirements for implementing processes suitable for privacy enhancement in public organizations [58].
	Policy	Privacy policy	Write short but clear privacy policies on how citizens’ personal data will be treated [59].
		Final user policy	Prevent employees and collaborators from using personal devices on organizational equipment [60].
		Paper sanitization policy	Avoid sharing personal data on paper through correct sanitization. A clean desk policy is also part of this protection mechanism [60].

summarizes and details some protection mechanisms to prevent personal data leaks in the Ecuadorian context.

6. Conclusions

While enhancing administrative efficiency and free access to public information, e-government and transparency initiatives pose significant privacy risks in Ecuador. The massive publication of personal data, including names, income, health status, and judicial data, exposes citizens to serious risks such as identity theft, extortion, and discrimination.

Moreover, the recent enactment of privacy regulations in Ecuador highlights important gaps in their implementation. For instance, the disclosure of public employees’ data, combined with the absence of robust control mechanisms for access systems, further exacerbates these risks. Concerningly, the disclosed data often include information about vulnerable groups, such as children and individuals with disabilities, which amplifies their risk of harm. Thus, implementing stricter restrictions is crucial to safeguard their privacy.

Public access systems lack essential security features, including limitations on the amount of data retrievable in a single query. This deficiency facilitates enumeration attacks and enables large-scale access to sensitive information, further compromising data protection. Current practices in data publication often prioritize transparency at the expense of privacy. To address this, a shift towards data minimization is necessary, ensuring that only the information strictly required to meet transparency objectives is disclosed. This approach not only reduces the risk of data misuse but also aligns better with modern principles of privacy by design, which advocate embedding privacy protections directly into data practices.

The findings underscore global challenges, particularly in developing countries where regulatory frameworks and privacy cultures may be underdeveloped. By contrast, a design-oriented approach to privacy emphasizes proactive measures to prevent misuse from the outset, offering a model that could guide these nations in crafting more robust privacy protections. While current strategies focus on reactive measures like strengthening access controls and monitoring usage patterns, a privacy-by-design framework emphasizes preventive actions. For instance, integrating secure data practices from the inception of policies and systems could significantly mitigate risks. Additionally, public education on data safety remains a critical component for ensuring a privacy-conscious society.