October 15, 2018

Careem and Facebook data breach episodes should be seen as lessons

If there is one thing we have learnt in the past few weeks, it is that our data is invaluable and worth bucketloads of money.

Facebook-Cambridge Analytica’s recent crisis also reveals how we remain unprotected in the digital world. While we may have volunteered information to Facebook, hacking at Careem was slightly more serious. It showed how vulnerable we really are.

With technological advancements in today’s era, our personal data is becoming accessible through unsought channels and data breaches are becoming increasingly common.

Pakistan is no stranger to such issues. Last year, it was reported that data of the National Database Regulatory Authority (NADRA) fell into the ‘wrong hands’. The body denied the reports.

Nevertheless, growing exposure to digital channels also makes our data vulnerable to theft, yet people remain unaware. This is primarily because, unlike traditional theft, data leaks are out of sight.

This highlights the dire need for a digital rights protection agency to respond to and redress these issues.


Digital platforms, which have sprung from affordable internet connections and the need to ease consumers’ experience, have expanded to become a necessity to operate and function. The introduction of 3G/4G mobile broadband services in Pakistan has multiplied the online space. As of March, the broadband user base reached 53.6 million, whereas the country’s overall mobile subscription has increased to 148 million, which makes up 72.9% of the total population.

At some point or the other, every person is required to feed their personal data to certain digital platforms. Social media and cloud computing search engines, like Facebook, Twitter and Google, monitor and record every activity of the user, including their location, likes, dislikes, personality and such other things.

How is your data being shared?

Everything users type on Google’s search engine is recorded and used for screening out information. The search engine has numerous data centres for this purpose, so every time the person uses any of Google’s platforms, they get connected to one of its data centres.

Even random personality quizzes you take on any social media platform or mobile applications make you voluntarily turn over psychographic information, like your personality type, choice and preferences, friends’ network etc.

Other than that, the expanding online space has made online shopping very convenient, which instigates shoppers to buy online and inject their data into different websites. Retail banking has gained popularity as more people prefer to conduct contactless transactions. People are now relying more on digital and card payments.

The banks also keep track of your financial practices and routine, and then store that information. This first-hand data acquired by all these platforms can be stored and used by different advertisers, including the telecom companies who sell customers’ data to third parties.

Who uses this data?

The reams of personal data that you drive into these websites then become accessible to multiple parties. Massive amounts of data are traded for brand promotions. Even the businesses that you trust are extracting your information as many companies also have a key role of customer account management, where sales personnel manage accounts of their clients and monitor their purchase behaviour and activities.


This is a huge business as major advertisers make use of this data to look into customers’ habits and target their prospects. The purchases triggered by these advertisements become a forced choice as unsolicited information is fed to them.

Adverse effects of data’s exposure?

Facebook’s Cambridge Analytica fiasco tells us about how users allowed unfettered access to their personal data. Cambridge Analytica is said to have garnered millions of people’s profiles by constructing a personality quiz application, which was then used by Trump campaigners to target voters.

As much as the data is being stored on digital platforms, it becomes susceptible to data breaches.

Cybercrime has become widespread and hackers keep looking for a way to invade the privacy of individuals and businesses at large. Recently, Energy Transfer Partners, a Texas-based gas pipeline operator, also reported a breach in their communication channels, due to which the company suspended its channels for a while.

The online business model has changed. The government has a TAP (Terminal Access Point) on international fibers, enabling it to monitor the traffic flowing through data peering points or cable operators.

In order to block certain URLs or filter toxic content, the government can tap into even encrypted HTTPS data. HTTPS is the secure version of HTTP and is used to protect confidential information, such as in online banking or online shopping.

All the information you thought was secure could be exposed. Secure communication channels, user IDs and passwords, right to opinion for activists are no longer secure. This information could be misused, but we have a weak precedent of accountability.

What experts say

Bolo Bhi founder and Director Farieha Aziz told The Express Tribune that the data filtration system not only restricts peace but also creates privacy concerns, especially if it plans to have a secure protocol like Https. “The Pakistan Telecommunication Authority (PTA) had stated that if the government tampers with https traffic then e-banking online, especially secure transactions would be compromised.

“We have very little knowledge and very little is being done in terms of securing the average citizen who uses the internet whether by the policy or traffic regulatory framework.”

Current laws

Applicable laws in the telecommunication sector as of today fall under the Electronic Transaction Ordinance 2002, which provides the recognition to electronic documents, transactions and communication.

However, when it comes to data breaches, the cybercrime bill, or the Prevention of Electronic Crimes Act (PECA) 2016, would be applicable to deal with online crimes or wrestle with terrorism in the unregulated cyberspace. Aziz said the government has failed to bring a data protection law, or a privacy law to ensure lawful protection of online data.

She said there are also no set guidelines for white hacking. “These ethical hackers look at securities, loopholes in websites. Initial few sections of cybercrime law talks about unauthorised access and interception of data and white hacking potentially comes under that and will be criminalised.”

Aziz said that there is a lot of grey area, with oversimplification of several laws that make it seem like acts are being overcriminalised.

“We need an entire environment that caters to our protection and unfortunately, we do not have that.”

Need for a digital rights protection agency

One solution to all these problems is the formation of a digital protection agency that could construct a legal framework for dealing with ill-obtained information, act as a watchdog over the government and determine data breaches that are currently occurring.

This agency could keep a check and balance over data breaches, cybercrime and filtration of toxic data. The government needs to monitor traffic to protect against certain illicit activities, but what if the government’s surveillance expands to the point of suffocation?

For this purpose, the digital protection agency could act as an overseer of the government’s agenda.

Their job would be to mine data breaches and ensure constant oversight by creating awareness, administering and enforcing laws, levying fines, unveiling data breaches occurring on anyone’s account and rating websites with respect to how secure they are.

Businesses remain at risk of cybercrimes, and need a platform that can assist them in implementing defenses to protect data.

These authorities could rightly determine the data breaches occurring on an individual’s or a corporation’s account, in exchange for a fee, by way of white hacking. They could use specific information like your email address, contact information and such other information to determine the fissures on your account. This platform can help us understand how exposed our data is and how bad the situation is.
