“Breaches, tech challenges and hunger for data made 2018 a terrible year for data privacy”

Call it a coming of age, as drama-laden as a rom-com, but without the mushy, feel-good happy stuff. 2018 was the year when we all finally lost our innocence, and woke up to a world where we didn’t really have much control over our privacy. From social media giants that want all the data they can get their hands on, to facepalm-worthy incidents of bad security practices, to governments that rolled out the old ‘national security’ bogey to gain more oversight of what their citizens are up to, it’s all been rather exhausting. While we’d need a heck of a lot of space to go into every big incident in this space, here’s a quick look at some of the most significant events:

Another reason to dislike Facebook

Few tech companies get so much flak as Facebook – but let’s admit it, there’s something scary about a company knowing so much about so many. To make matters worse, it hasn’t been able to keep that data safe. In November, a report claimed hackers had managed to gain access to private messages of around 81,000 users (Facebook denies it was at fault, and says third-party apps and browser extensions might be to blame). But that really wasn’t the worst: that just might be the revelation that the private data of 87 million users was shared with third-party analytics companies without proper user consent. But wait, there’s more – Facebook later admitted that a security breach had exposed the data of 50 million users.

Aadhar: Full speed ahead and damn the torpedoes

Without getting into a debate about the usefulness of Aadhar, one thing’s clear – bank accounts, driving licenses, Income Tax records, phone connections… a lot of stuff is connected to your Aadhar. But while it makes things easy for service providers (and folks who hate making photocopies of half a dozen ID and address proofs), it also seems to have made things easy for the criminal-minded. Here’s a short list of what all went down in making Aadhar seem as leaky as a bucket that’s been shot up with an assault rifle:

There was a report which claimed Aadhar enrolment staff who’d been laid off were selling people’s Aadhar details for as little as Rs 500. Another report warned the Aadhar enrolment app might have been hacked to enable generation of new Aadhar numbers. Meanwhile, there was this bright spark who was arrested for allegedly accessing the Aadhar database. Then French security researcher Robert Baptiste (aka Elliot Alderson) claimed he’d found gaping flaws in the mAadhar app.

Security firm Gemalto also dived into the mess, publishing a report that claimed nearly a billion Aadhar IDs had been compromised. Gemalto later withdrew the report, and published a retraction (and apology), but it still makes you wonder, doesn’t it? Search around and you’ll find many scary stories about Aadhar, but we’ll end this here with this: a SIM card distributor apparently activated 3,000 SIM cards using Aadhar numbers and ‘polymer printed’ fingerprints.

The next question for Quora – “is my data safe”

Quora is a popular website in India, and if you’re a frequent user, you might want to read this – in early December, Quora announced that it had been the victim of “a third party who gained unauthorised access to one of our systems”. In all, the data (including email addresses and other data from sites you might have integrated) of around 100 million Quora users, was leaked.

Marriott Starwood loses credit card numbers

It’s one of the biggest hotel groups around, which makes this quite a serious incident. In November, Marriott revealed there had been “unauthorised access to the Starwood network since 2014”. It turns out hackers had managed to gain access to their guest reservation database (potentially affecting up to 500 million people), and obtained data which included, amongst other stuff, credit card numbers.

Google+ bug exposes your (and your friends’) data

Google+ might have been decently popular for a while, but what killed it eventually may not be lack of user interest. A bug had been letting third-party developers get access to user data – not just of the users who were using the apps, but also their friends!

New powers for law enforcement

It might not really be breaking news (the legal provisions have existed since 2009), but a new notification from the Indian Home Ministry made news by allowing 10 law enforcement agencies (including the Income Tax department and Delhi Police) to monitor, intercept, and decrypt “any information generated, transmitted, received or stored in any computer resource”. The Home Ministry was later forced to clarify that no ‘blanket’ powers had been issued to any agency and that this was consistent with Indian laws. Still, it doesn’t inspire much confidence!

CSI: New Delhi? The government wants your DNA

They have your fingerprints, what next? Well, it’s your DNA! No, this isn’t from some movie set in a dystopian future, but from 2018. The Union Cabinet has approved a bill allowing for the collection of DNA from people who might be in ‘conflict’ with the law. Similar provisions exist in many other nations and DNA has been a great help to law enforcement agencies (and has also cleared the names of many innocent people who were wrongly convicted), but given the often politicised nature of policing, it’d be normal for citizens to worry.

Social media tracking might be happening as we speak

In September, a report alleged that the government was using a custom-built tool to track social media users – the tool can reportedly identify influencers, track ‘sentiment’, and even track negative comments – capabilities that seem frightening and straight out of Black Mirror. Interestingly, similar projects seem to be underway in China (which isn’t a democracy), where the government is developing tools to assign scores to its citizens by taking into account a very wide range of data.

Australia tries to ban encryption

Meanwhile, there’s a storm brewing Down Under. In a highly criticised move, the Australian Parliament cleared a law which could force companies to decrypt users’ private data. Critics say that not only will this worsen data security by adding a weak link to the chain, but that the law lacks clarity and might not have enough safeguards.

In sum

All that might sound rather scary, but while we can’t cut off and insulate ourselves from our always-on, always-connected world, there are some basic steps you can take to protect your safety and privacy – we won’t go into much detail here, but will leave you with a quick checklist you can follow:

  1. Update your devices frequently: Software updates often fix critical bugs that can be exploited by hackers. Phones, laptops, routers… this applies to every device you use. Also, don’t forget to update any anti-malware app or software you use.
  2. Be wary of unknown Wi-Fi networks: Your data is only as safe as the network you’re on. Airports can be a scary thing with multiple networks (and it can be hard to tell which is the official, authorised Wi-Fi).
  3. Get a VPN if you’re a frequent traveller: Travel a lot? Use cafe and airport Wi-Fi a lot? Invest in a reliable VPN.
  4. Protect your passwords: Password security doesn’t just mean using a complex password. Never reuse passwords, don’t leave them written down on sticky notes, and use a good password manager (like KeePass).
  5. Back up everything essential: Cloud services make life convenient in this era of fast, cheap internet. But don’t rely on these to be a backup – bugs, hackers, and even inadvertent violations of the Terms of Service can cost you access to your data. Always back up your critical data on hard disks, preferably ones that offer encryption (many portable models offer this).
  6. Secure your Wi-Fi: Change the default administrator password, use a separate guest account for visitors, and always password-protect your network.
  7. Don’t trust just about any service or app: Make sure that the mobile app stores, social media plugins, Chrome extensions, or any other software, app or service you use are trustworthy. Malicious apps have been known to pass undetected for months in app stores, so avoid unknown, too-good-to-be-true apps.