FOR tech companies, it’s all about data, since their growth depends on it. While collecting data, companies often lose sight of the privacy aspect, resulting in privacy violation for millions of people. The recent Facebook-Cambridge Analytica crisis raised such concerns. Even in Pakistan, as computer and internet usage has grown, we’ve seen increasing data breaches, both in state-owned and private companies.
In 2017, systems at the Punjab Land Records Authority were hacked. Officials thought running systems off the internet would safeguard them, but then someone used a USB-internet to dash their hopes. This led to a suspension of services, and consequently, to loss of productivity.
Last year, WikiLeaks reported that data was stolen from the National Database Registration Authority although the latter denied it. Nadra is Pakistan’s primary data registry, containing sensitive personal information of citizens. Breaching such a critical database would leave citizens perilously exposed.
Careem, an international ride-hailing startup also operating locally, and used by many, recently saw a massive data breach. In a press release some weeks ago, it said that customers’ names, email addresses, phone numbers and trip data were stolen, but there were few details. For one, what constitutes trip data? And there was limited information about the scope of the breach across different regions and its causes.
Meanwhile, customers and drivers did not know how to find out whether/how they were affected. Moreover, the announcement came three months after the breach, which is not nearly soon enough for customers to be able to safeguard themselves.
Protecting personal data is not a priority for companies.
What can such a data breach mean to an individual? You normally don’t share your phone number, address and detailed trip information with a stranger. In the age of big data and artificial intelligence, manipulation becomes a reality with access to a large set of personal and trip data.
As leading security researcher Ross Anderson has pointed out, cybercrime costs a fortune. There are direct losses, including money withdrawn from victims’ accounts and the time and productivity loss involved in resetting accounts.
Anderson also describes indirect losses. After a breach, a firm loses a fair amount of the trust of its customers and its reputation, leading in turn to lost business opportunities and revenues.
Moreover, companies incur defence costs in order to prevent additional security breaches. This may entail buying security products, training employees and engagement with law enforcement. Anderson concludes that the sum of direct losses, indirect losses, and defence expenses is a significant cost to society itself.
If all this is so pricey, then why aren’t privacy and security taken more seriously by our tech companies? The first reason is the lack of high-quality software security and privacy curriculum in many of our computer science schools. Most software engineers are not well-versed in how to safeguard software code and data against common security vulnerabilities. The same people are promoted to senior positions, and security and privacy never get the attention they need. Second is that the protection of data and privacy is never a priority for companies, in the absence of stringent regulations.
Regulations and their enforcement are the answer, because there are clear signs that privacy is not being taken seriously. I recently bought a book from a local online bookstore and had to reset my password. I was surprised to find my password as plaintext in the password reset email, which meant they were not storing sensitive information securely. Worryingly, this means my data is not only exposed to their employees, but that hackers will also rejoice upon finding my password in plaintext in case of a breach. Some ventures are still letting users sign up with weak passwords, which is contradictory to the advice to practise good password management.
Given the current security practices, local companies are not operating in a territory that implements stringent data protection regulation, such as the General Data Protection Regulation in the EU (going into effect on May 25). For example, per GDPR, a request for consent for data collection must be in simple and plain language, instead of illegible legalese. Moreover, a data breach has to be announced within 72 hours. Also, as per the regulation, users should be able to easily export and erase data.
Violation of GDPR can result in huge fines. There is a wide gulf between what some local companies are doing with personal data and privacy and what stringent regulations (like GDPR) require.
In the short term, making systems compliant with such regulations will come with a cost. However, regulation and its enforcement will not only protect the privacy of users, but also allow societies and companies to operate with confidence in the longer run.
The writer works in the technology sector.
Published in Dawn, May 13th, 2018