By Shriya Roy
Earlier this week, social networking platform Twitter suffered a major security breach when hackers took control of the accounts of some major public figures such as Barack Obama, Elon Musk, Joe Biden, Bill Gates, Jeff Bezos and Kanye West, and companies like Uber and Apple. The hackers sent a series of tweets through these accounts urging followers to make donations in cryptocurrency in exchange for double the money back. Twitter attributed the hack to a “serious breach in the company’s internal system” and shut down parts of its service. “If a message sounds too good to be true, it is too good to be true. If Musk, Gates, Apple, Biden or any well-known person or company wanted to hand out huge amounts of money on a whim, they wouldn’t demand that you hand them money first. It’s a trick and an obvious sign that the person’s account has been hacked,” says Paul Ducklin, principal research scientist at security software and hardware firm Sophos.
Last month, the government of India, too, had issued a warning of a large-scale cyber attack in the country. Attackers, the advisory said, may use Covid-19 as a ploy to steal personal and financial information of netizens. Consequently, CERT-In, the country’s cyber security nodal agency, outlined a list of steps for users to protect themselves, including not opening attachments in unsolicited emails.
It’s true that in the fight against the virus, humans have found a great ally in technology, but it comes at a cost, as technology is a double-edged sword when it comes to data privacy. As the world settles into the work-from-home mode, there’s been a new challenge to contend with: cyber security. With more and more number of people logging on from their homes, there’s been an increased risk of phishing attacks. Add to this the various contact-tracing apps being employed by countries around the world to fight the spread of the pandemic and the scenario becomes even more grim—at least 34 countries are making use of such measures to combat the virus, undermining the personal privacy of individuals. The apps, which employ a user’s personal data to monitor who they have been in touch with, have naturally triggered fears of growing surveillance, raising questions about how the data might be used once the crisis is over.
That’s not all. Even videoconferencing platforms like Zoom and chat apps like Houseparty have come under the radar for their weak data privacy policies. At a time, when most people are confined to their homes, turning to apps like Zoom to keep work going, or sharing views of their kitchens, balconies and bedrooms online, it becomes even more crucial to protect and safeguard one’s personal data. “The Covid-19 pandemic is an extraordinary circumstance,” says Gulshan Rai, former national cyber security coordinator in the Prime Minister’s Office. “It is posing extraordinary challenges, which have been further compounded by technology and other circumstances. These challenges need to be addressed through extraordinary solutions. The government has taken several steps during the last three months to address them. It must be noted, however, that these challenges can be addressed collectively by the government, citizens and other organisations,” adds Rai.
Rising cyber crimes
The new work-from-home culture has spawned a series of cyber security threats and risks. Corporate data is being accessed from laptops and home PCs that may not have the same level of security as in-office setups and, hence, are more vulnerable. Cyber criminals are also exploiting the fear around the virus outbreak to send scam emails and launch phishing and ransomware attacks. “Most of the times, users don’t observe security guidelines while working from home. The devices at home are not professionally managed like those in offices. The cyber crime ecosystem is becoming complex,” says Rai.
Agrees Aditya Narang, co-founder and MD, SafeHouse Technologies, a mobile-first cyber security enterprise based out of Delhi and Israel, saying that work from home has created several cyber security challenges for companies and individuals alike worldwide. “Smartphones have always been an integral part of working efficiently and while these devices were already vulnerable in our office perimeter, they are completely exposed and unprotected at home,” he says.
From creating malicious links to developing otherwise unsuspecting apps, new-age hackers are getting ever more creative in executing attacks. Low-security home Wi-Fi setups, for one, are a serious threat as far as cyber security is concerned. “The threats that one has to fight in the cyber space have increased exponentially. These attacks can be extremely dangerous if not addressed in a timely and appropriate manner,” cautions Narang.
Another big concern when it comes to breach of privacy is the use of contact tracing apps. As countries around the world slowly open up, the strategies for reopening involve monitoring the contacts of newly-infected people. In South Korea, the authorities require telecom companies to hand over mobile phone data of infected people to track their location. China and Israel use personal telecom data, too, to trace coronavirus patients and their contacts. The use of location data to track the disease has been applied in Italy, Spain, Norway and Belgium as well. Even Germany, the most privacy-conscious nation in the world, has considered an app that would trace the contacts of anyone infected with Covid-19.
While Singapore’s TraceTogether app is being cited as a good example—it can only be used by the country’s health ministry and assures citizens that the data will be strictly used for disease control and won’t be shared with law enforcement agencies for enforcing lockdowns or forcing quarantine—some countries are using a less cautious and more dangerous road when it comes to data privacy. Russia’s Social Monitoring app, for one, requests access to calls, location, camera, storage and network information to check that those who test positive don’t leave their homes. In Argentina, those caught breaking quarantine are forced to download an app that tracks their location at all times. And in Hong Kong, those arriving at the airport are given electronic tracking bracelets that must be synced to their home location through their phone’s GPS signal.
Big online players like Facebook, Google and Apple are also rolling out initiatives to aid location tracking. While Google and Apple are working on in-built support in mobile operating systems for Bluetooth-based contact tracing apps, Facebook has launched a slew of new tools. “We have launched new tools that will use aggregated and anonymised data on population movement, collected from users, that can show whether social distancing measures are working or not. The tools have been developed under the Facebook Data for Good programme and will offer Disease Prevention Maps,” as per Facebook.
In India, too, the government launched the Aarogya Setu app to ensure contact tracing. It alerts users if they have come in contact with a Covid patient and suggests measures they need to take. It also simultaneously alerts the authorities. The app, which requires users to keep Bluetooth and location on at all times, was initially made mandatory for any sort of travel—air, rail or road—in the country. In recent guidelines and in response to a petition in the Karnataka High Court, the Centre, however, clarified that the app is no longer mandatory for air or train travel, but advisable. Initially, the UP government had also made it mandatory for all its residents to have the app installed on their phones, failing which they were liable for fine and punishment. Government and private employees have also been asked to download it. Not just that, reports suggest that the app could now come pre-installed on all new smartphones.
Cyber security experts, however, worry that Aarogya Setu could violate users’ privacy and be a surveillance tool in the hands of the government. “Aarogya Setu appears to be inconsistent with privacy-first efforts, which are being considered by technologists and governments,” says Sidharth Deb, policy and parliamentary counsel at Internet Freedom Foundation, an NGO that defends online freedom, digital rights and liberties in India.
“Other apps just collect one data point, which is subsequently replaced with a scrubbed device identifier. Aarogya Setu collects multiple data points for personal and sensitive personal information, which increases privacy risks,” Deb said.
Privacy groups are concerned because healthcare data and patients’ details are extremely sensitive information. The value of health data in the black cyber market, in fact, is up to $1,000, as per multiple reports. Moreover, Covid-19 information pages are everywhere and visitors tend to leave a lot of sensitive personal health details there, which puts them at further risk. The EU Data Protection Board, too, issued a statement in March to clarify that data protection rules “should not hinder Covid-19 measures”, but data controllers must be cautious to protect personal data.
Rai believes the processes can be evolved wherein the privacy of the user is maintained. “Standard operating procedures may be needed and implemented to share the data while preserving the privacy and security, and keeping data confidential. The concept of privacy needs to be redefined to address such challenges,” he says.
Factors such as population size and technology readiness need to be taken into account as well, says Narang. “Everyone would be more at peace with using a technology that poses no threat or risk of invasion of privacy for the user. While most applications in general have the capability of compromising a user’s privacy, there are ways to mitigate this… more than ever before now when there is a need for a comprehensive end-to-end solution to protect one’s smartphones along with their data and privacy,” says Narang.
Downloading contact tracing apps seems to be the only way people can freely leave their houses and move around for now. But the question that arises here is: for how long will they be willing to trade one kind of freedom (right to privacy) for another (right to leave their homes)?
The ministry of electronics and information technology on its part has clarified (as part of the Aarogya Setu Data Access and Knowledge Sharing Protocol) that personal data from the app can only be used for health purposes and must be deleted after a maximum of 180 days ‘unless any specific recommendation is made’. The new protocol also allows an individual to request deletion of their data, which has to be abided by within 30 days. The personal data of users, the protocol says, can be shared by app developer National Informatics Centre with the health ministry, health departments of states/Union Territories, government/local governments, National Disaster Management Authority, state disaster management authorities, other ministries and departments of central and state governments, and other public health institutions of the central and state governments.
Data being shared with third parties is, however, one of the biggest concerns of legal experts. They are of the belief that the process of de-identifying the data should have been detailed by the government in the protocol. Plus, Aarogya Setu is not an open source, which means that it cannot be audited for security flaws by independent coders and researchers. Privacy activists have also said it may lead to India “becoming a surveillance state”. Some see it as evidence of the country following China’s footsteps, where technology was deployed heavily to monitor citizens.
Abhishek Singh, CEO, MyGovIndia, which developed Aarogya Setu, however, maintains that the app has been built “with privacy as the core principle”.
Other players have also announced the various safeguard measures they have undertaken to protect people’s private data. “In our efforts to help track the virus, we will only share analysis with government health officials and will not share underlying data sets with governments, third parties or the public at large,” as per Facebook, which is often criticised for its handling of user data, adding, “Appropriate legal, organisational and computational safeguards are put in place to minimise or manage data privacy risks associated with research effort and the use of aggregated data.”
Tech giant Microsoft, too, has proposed a series of privacy measures (such as giving users control over where their data is stored and how it is shared) that governments, health authorities, stakeholders, etc, should consider. In addition, it also advocates minimal data collection and its deletion once the danger has passed. “Tracking individuals who are infected, tracing those with whom they have recently come into physical contact with, and making testing available to those contacts may play an important role. This requires special care as sensitive data about our location and health status may be involved,” says Julie Brill, corporate vice-president and chief privacy officer, Microsoft.
The role of cyber security companies at this moment becomes extremely critical. In addition, there has to be an educational framework to teach people how to identify and avoid incidents that might lead to personal and corporate data being compromised. “An updated legal framework placing obligations on businesses that collect and use personal data would help provide the necessary guardrails for companies to know how to protect and respect personal data as they create tools and technologies to address urgent societal needs. Privacy and ethical concerns must be considered as we move forward to use data responsibly to defeat the pandemic,” Brill and Peter Lee, vice-president for research and incubation, Microsoft, jointly said in a public blog on the company’s official website.
India, however, doesn’t have a dedicated data protection or cyber security law. While the government has been pushing for cyber security by pulling up tech giants like WhatsApp, Facebook and Zoom, there exists no specialised law on privacy. India’s personal data protection bill is also still to be in the process of being approved by the Parliament.
Not surprisingly, there is a constant fear of digital surveillance hanging over citizens’ heads. To mitigate it, tracking systems have to be made decentralised and open-source, and should be designed in such a way that data is shared without any privacy breach. It’s true that data can save lives, but it has to be used in a way that it protects the core freedoms and rights of citizens.