Author: Isha Mittal, University of Petroleum & Energy Studies, Dehradun
Co-Author: Utkarsh Singh, University of Petroleum & Energy Studies, Dehradun
Editor: Muskaan Vijay, National Law University, Odisha
As infections from the deadly coronavirus increased exponentially, the country realised that data analytics and contact tracing might be needed to check the spread of the COVID-19 pandemic. To complete this task, the central and state governments needed the personal data of citizens throughout the country. Using users' personal information from their Android phones, the government kept a record of each person's contacts with others.
Although various private universities and colleges developed software to identify the potential risk of infection near you, the central government launched the controversial “Aarogya Setu” application to enable contact tracing and improve the situation for the public. On 29th April 2020, the Ministry of Home Affairs made it mandatory for all sector employees to download and use this app on their phones. The mobile data and applications in question fall into three categories: understanding general population movement, potential proximity to COVID-19 positive individuals and advice on measures for self-quarantine, and the collection of information from patients for statistical analysis.
Even to collect statistical information, the government has started using an application, ‘C-19 COVID Symptom Tracker’, but such applications require features like GPS and Bluetooth to be kept on.
Because of the pandemic, the working pattern of companies and employees changed overnight from working at offices to making their homes offices, so companies had to guard against data privacy breaches as well. Organizations identified four data privacy and government risks (individual, compliance and regulation, physical, and human rights) which companies have to consider because of the changed work environment.
COVID 19: Impact on Data Privacy, Protection and Security
Why must data privacy be safeguarded in times of COVID-19?
Cyber terrorists usually use the computer as a tool, a target, or both for their unlawful acts, typically to gain information, which can result in heavy loss to the owner of the intangible, sensitive information. The internet is the medium through which offenders can obtain such price-sensitive information. Nowadays the biggest threat is breach of privacy, as privacy is so crucial that its loss can even destroy one’s life.
COVID-19 has brought a huge workforce shift from office-based to remote work (work from home), which is more likely to be permanent than temporary. This shift created chaos amongst people, leading to an increase in cyber-attacks and posing several cyber-security challenges to individuals.
PRESENT LEGAL STRUCTURE FOR DATA PROTECTION IN INDIA
To date, there hasn’t been any specific legislation on data protection in India. But the Indian legislature has amended Section 43(A) and Section 72(A), which give the right to compensation for disclosure of personal information.
Personal data is protected through judgments given by courts under common law. In the landmark judgment in Justice K.S. Puttaswamy and Another v. Union of India, the apex court recognized the right to privacy as a fundamental right under Article 21 of the Constitution, as a part of life and personal liberty. Fundamental rights can only be enforced against the state and its instrumentalities. In the same judgment, the Supreme Court held that enforcing the fundamental right against a private entity requires legislative intervention. The union government therefore constituted a committee to draft a statute on data protection. This committee proposed and drafted the Personal Data Protection Bill 2019, known as the PDP Bill. This will be India’s first legislative act on the protection of personal data.
Though it seems that after this the legal structure for protecting user data will be stronger and more secure, it has to be kept in mind that for now it is only a draft bill and not a legislative act. A tally of data from around March to April 2020 shows that cyber-attacks increased by 86% in these weeks. Cybercrime has also jumped in both private and state-sponsored departments.
At present, India doesn’t have any national regulatory authority for the protection of personal data. The PDP Bill mentions the creation of a Data Protection Authority of India that will be responsible for protecting people's data and preventing misuse of personal data. Almost every business across the country’s economy will have to meet the conditions of the bill. This includes not only e-commerce and IT companies but also real estate companies and hospitals. If the bill comes into force, businesses will have to tell customers what data they collect and what their data practices are. It also gives consumers the right to withdraw their consent.
LOCATION TRACKING APPLICATIONS & DATA PRIVACY
The controversy of the app “Aarogya Setu”
The Indian government launched a mobile application named “Aarogya Setu” on 2nd April 2020, developed by the National Informatics Centre. It soon came into controversy for violating the privacy of its users. The application uses the smartphone’s GPS and Bluetooth to keep a record of all the app users that the user came in contact with, and alerts the user if any of those contacts tests positive for COVID-19. Along with this record, it keeps a GPS record as well, which saves all the places that the device has been to in the last 15-minute interval. Looking at this privacy intrusion, the Kerala High Court heard a petition on it, as Kerala was the first Indian state to report a positive coronavirus case. The petition feared a leak, by hospitals, of the personal details of COVID-19 patients from this application. Recently, a Congress leader also moved the Kerala High Court with a writ petition challenging the constitutionality of the Centre making the Aarogya Setu app mandatory on every individual's mobile phone.
Although this application violates the privacy of the individual and goes against privacy law, it is mandatory for people to download it and have access to it while travelling by air or by rail; otherwise they are not permitted to travel.
Tracking the Cyber Risks to COVID-19
Four data privacy and government challenges that were identified are:
Is even an individual’s privacy at risk?
As the name suggests, these risks fall on individuals when they operate and use technology. During the lockdown period amidst COVID-19, these risks were widely recognized by companies. The working pattern of companies changed completely, and so the way employees operated the company's technology and software also changed drastically, as seen in the UK during the lockdown period. More than any other pandemic the world has seen, coronavirus completely changed people's working and living perspective. COVID-19 made people completely reliant on their home broadband and their home computers and laptops for remote working and company communications, which usually involved private and sensitive company sites and might pose some danger to the home modems.
Employees on home broadband and networks give hackers a less robust connection to target, which helps them take advantage of the workplace disruption: staying away from secure office locations is open to various risks and challenges, so it becomes easier for hackers to penetrate the employee’s system. Also, since employees are working from home, no company official knows who is around them, and information that had to be kept confidential may now be known to other individuals, who at first might only be family members. In addition, doing the company's work at home sometimes requires cloud storage, so companies have increasingly adopted the cloud and distributed it to their employees so that they can access the platforms and services they need for their tasks.
Since working from home makes employees' broadband connections unsafe for official work, companies providing cloud storage need to ensure that the cloud storage and other software they provide remain secure and meet the necessary regulations, to protect the company itself and its data from the outside world.
Government bans 59 Chinese apps citing a security issue
Amidst this pandemic, Chinese apps as well as products posed an immense threat to the country’s sovereignty and security, so the government decided to ban the Chinese apps and prevent them from extracting data from the mobile phones of Indian citizens. In the face of this danger, the government banned over 59 Chinese mobile applications, including top social media platforms such as TikTok, Helo, WeChat, and Hago, as there were several privacy concerns. It was also noted that, during this pandemic itself, there were clashes between India and China at the border, and mobile applications such as ShareIT, UC Browser, and even shopping apps like ClubFactory were banned amid these clashes between the two. The ban on these mobile applications was imposed under Section 69A of the Information Technology Act read with the rules of the Information Technology Act.
Buying Liquor or giving an opportunity to Hackers?
As the pandemic grew across the country, hackers saw the lockdown as an opportunity to make money and fool people in every possible way. Since there was almost no time for people to purchase alcohol for the duration of the lockdown, people became desperate to get alcohol at any cost. As the lockdown was slightly lifted in various cities, crowds gathered around wine and liquor shops from 6 in the morning to get liquor. To prevent these crowds, various shop owners and the governments of a few states allowed online delivery of liquor.
But many states and cities haven’t made such portals for the purchase of liquor. In those places, people are getting fooled on a daily basis. Various fake links have been made and circulated over social media. Since social media is a platform where people are more active, they easily fall victim by purchasing through those links, thinking it the easy way. Hardly anyone stops to think about how genuine a link is before using it. People fill in their details and make online payments. They then wait for a few days to a week, thinking the delivery has been delayed, but there is actually no one at the backend genuinely providing liquor. It’s just a group of hackers misusing the pandemic and taking your money without giving anything.
Compliance and Regulation Risk:
What do they mean?
Generally, the workspace and all important resources are kept at the office. But as the lockdown continued, employees had no option except to work from home, so the usage of cloud storage increased, and compliance and regulation risk came into play as the working of several organizations was affected. Companies incurring these risks need to know the local legislation that binds them, and must inform their employees about it so that they can work accordingly. At the same time, all companies must ensure that employees with access to cloud storage data are handling it properly, and must see to it that no third person obtains such access. Employees must also be taught how they should work at home, so that the system and the software stay secure from outside attacks. The company can also have a separate team that maps and checks what the employees are accessing, blocking access that is not required and providing it where necessary.
Mobile network disabled for days, should you worry about it?
Have you been in a situation where your mobile network is suspended for many days, or even weeks? It may sound like something casual, but it is actually reasonable to worry. There is a fraud known as SIM swap fraud, and the disappearance of your mobile network can be a part of it. There have been various cases where people lost.
Recently, a fraud involving “SIM swapping” has been taking place in India. SIM swap fraud means that someone else obtains a new SIM for your number from your network operator and operates all your banking functions, because your bank account is operated from the same mobile number, which is soon disabled on your phone while being used by someone else. Hackers also sometimes get away with the crime because of faulty KYC checking.
In this fraud, many people received calls claiming to be from their mobile companies asking them to swap their SIM from 2G or 3G to 4G cards, although no such notice had been given by the companies. People fell into the trap, and the hackers completely cleared their accounts.
How does the hacker get access to your information?
In India, hackers influence customers over phone calls using tricks such as telling the customer that he has won a prize and has to send his bank details to receive it. Another example is being told that you have been selected for a job at XYZ position at the XYZ office and need to fill in your details, through which they get access to your Aadhaar card and other documents.
Apart from this, these details can also be stolen using malware: attackers also target the victim’s phone or laptop to get the victim’s personal information, which may result in identity theft and the creation of fake documents.
Using your details, the fraudsters make a fake customer ID proof, approach the mobile operator, and request that the working SIM be blocked and a new SIM issued, giving reasons such as that the phone is lost or the SIM is damaged.
After this verification, the mobile operator issues a new SIM with the same mobile number to the fraudster. Once the new SIM is issued, the genuine customer's mobile network disappears, as the old SIM is disabled and blocked. The genuine customer stops receiving the messages they used to get on that number, and all details, whether regarding banking or any other function, are sent to the new SIM issued to the fraudster. To complete 90% of transactions, the final confirmation goes through by giving the user's OTP. But once the SIM is swapped and being used by someone else, the user doesn’t even know; he is kept in the dark and loses his money.
The fraudster now starts banking transactions from the victim’s account using the details he obtained earlier. When he generates a password, the OTP is sent to the newly issued SIM, and the genuine customer doesn’t have the slightest idea about it.
During this lockdown phase, when people were restricted from going out or visiting banks, hackers turned to the “SIM Card Upgrade fraud”. A person in Ahmedabad fell into this trap and lodged a complaint with a cybercrime police station alleging that he had been asked to upgrade his SIM from 2G to 4G, and that on this pretext the cybercriminals withdrew an amount of Rs 1,93,035 from his bank account in multiple transactions. The case was registered under Sections 406 and 420 IPC and the IT Act against the cheats. So beware of fraud calls: everyone believes that doing things online is better in this lockdown period, but at the same time several cyber-crimes are going on these days.
How to be aware of such fraud?
If your mobile network has been continuously disabled for days, or even up to a week, immediately contact the network operator about it. Also, keep both your mobile number and your email ID updated in your bank accounts, so that you get alerts in both places.
What are the physical risks? Do they even exist?
Physical risks are those wherein an outsider, maybe an agent or a factor, can cause harm to the system even without any contact with or acquaintance of anyone. So doing official work from home, away from secure office locations, for more than 15 days can be unsafe and open the company to several risks.
This is a world of technology, where gadgets are used more than manual work, so even the smallest thing these days is made up of chips and uses artificial intelligence. Every company wants its data to remain protected and in safe hands. Ireland has told people working in the legal profession not to conduct any work related to calls when they are near virtual assistant AI devices, to avoid privacy or data breaches, as these devices are capable of recording information. Organizations must also check their remote connectivity capacity, be it Virtual Private Network (VPN) or Virtual Desktop Infrastructure (VDI) interfaces, which can help them increase remote access in places that are partially or completely closed.
Another physical risk, and perhaps the most common one, is the people around you while you are working from home, as the company might need some data to remain confidential and unknown to any third person, be it your family members or a guest visiting your house. Companies must make sure that employees are working in a secure environment where their information can be held securely and remain confidential from the outside world. Companies and organizations can look into the risks to data privacy and the required security so that employees can be told about them and take precautionary measures, instead of the companies using control apps or monitoring apps to monitor their clients and employees.
Problems faced by society at large
Flaws in ZOOM: Who else is hearing the call?
A few days back, many issues with the use of the Zoom app and various cybersecurity threats were reported on the net. What were those threats, what were the actual vulnerabilities, and how did the app overcome them? As the entire world went into lockdown, usage of the Zoom app grew around 400% in April. Various employees and professionals use the Zoom app to hold meetings and discussions as they work from home.
News channels reported that the “Zoom video-conferencing app” was not a safe platform, and several countries also said that there was a security concern with this application. Soon after, several countries like Germany, Taiwan, and Singapore banned the app. The Cyber Coordination Centre (CyCord) of the Ministry of Home Affairs also said that Zoom is not a safe platform for video conferencing. The Cyber Security Agency has also pointed out certain significant weaknesses of this application which can make users vulnerable to cyber-attacks, leading to the leakage of personal as well as office information to criminals. The government also received complaints regarding the leaking of passwords to third parties and criminals hijacking video calls midway through ongoing conferences and TED talks.
What were the flaws?
A cybersecurity official discovered two major flaws in the Zoom app, and it is stated that they allow hackers to intrude on the user’s privacy via their webcam or microphone. It was discovered by a former NSA hacker, Patrick Wardle, that there was a bug that allows hackers to access Windows passwords and another which allows physical access to the Mac device by taking control of its webcam and microphone.
Once the hacker gets access to the device, it allows him to anonymously install spyware or malware on the victimized device.
There was one more bug that allows the hacker to intercept the audio and video feeds of Zoom and compromise them. It was due to this that hate-filled or pornographic content was displayed in various meetings.
Was the leak of the meeting ID by UK Prime Minister Boris Johnson due to Zoom app flaws?
Whenever the Zoom app's cybersecurity issues are discussed, the incident involving the Prime Minister of the UK is cited as a Zoom security flaw. But in this matter, the leak was not caused by bugs in the Zoom app; it was a mistake by the Prime Minister himself, who shared the Zoom ID for the cabinet meeting on Twitter, the social media platform. Besides the meeting ID, he also shared some of the cabinet ministers’ user names.
Is Zoom safe to use now?
From 9th May 2020, Zoom released new updates that enhanced its security.
Passwords are now required for any meeting.
If your meeting doesn’t ask for a password, the meeting isn’t safe: anyone with the meeting ID or the link can join it. With a password, only a person who has both the ID and the password can join the meeting.
Waiting rooms: a feature added on by default.
Another problem associated with the Zoom app was that any third person was able to enter a meeting without being let in by the host. With this feature, anyone who wishes to join the meeting has to stay in the waiting room until allowed in by the host. It may delay your entry into the meeting, but it’s certainly worth the security.
Zoom bought a security company for end-to-end encryption
Zoom acquired the secure messaging and file-sharing service Keybase. Keybase aims to contribute to Zoom's 90-day plan to enhance privacy and security capabilities.
Contact-Tracing Application- Posing dangers digitally
With COVID-19 infections soaring in Britain, the government thought a contact-tracing application could be a game-changer: the country would soon become corona-free through a smartphone app that could automate some of the work of human contact tracers and detect persons with symptoms of COVID-19. But this application was soon found infeasible, as it required manual contact tracing, which could not help to control the pandemic. So the NHS started developing a new application, which, when it later came into use, revealed technical issues: it was not detecting all the users of the application, Apple users could not keep their Bluetooth on due to its design, and there were various other technical glitches. Meanwhile it kept holding individuals' data, which might later pose a threat to their privacy.
Privacy concerns in the Netherlands!
Recently, privacy concerns were raised about mobile apps intended to help track and control the spread of coronavirus in the Netherlands. The government there launched an app similar to the one launched by Britain’s government, to trace COVID-19 cases by researching contacts between people with virus infection. Using Bluetooth, the app user’s phone could automatically detect people in the user's vicinity and learn whether any of them had tested positive. The application stored these Bluetooth contacts locally, each with a unique number, and then loaded the entire list of unique numbers belonging to discovered coronavirus patients. If any person in the vicinity was found positive, the application sent a message to the numbers that had been connected with them over Bluetooth. The government later put forward certain guidelines that the application had to meet regarding users' privacy and information security. For this, seven apps were selected, and the researchers found that six out of the seven had security problems. An application named Covid-19 Alert reported a data breach involving almost 200 names, email addresses, and encrypted passwords from another application to which it was linked online.
Thus, during the COVID-19 pandemic and its lockdown, data security posed a major threat to people and companies, as systems were less robust and could easily be accessed by attackers.
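The on-device matching described for the Netherlands app (contacts stored locally under unique numbers, then compared with the published list of patients' numbers) can be sketched as follows. This is an added example, not code from any of the apps mentioned; the random token format, the 14-day retention window and the 15-minute alert threshold are assumptions made for illustration.

```python
"""Added illustration: local matching for Bluetooth contact tracing."""
import secrets
from dataclasses import dataclass, field

RETENTION_SECONDS = 14 * 24 * 3600   # assumed retention window
MIN_EXPOSURE_SECONDS = 15 * 60       # assumed alert threshold


@dataclass
class Sighting:
    token: str      # unique number broadcast by a nearby phone
    seen_at: int    # Unix time of the Bluetooth sighting
    duration: int   # seconds the other phone stayed in range


@dataclass
class LocalContactLog:
    """Sightings stay on the phone; only the published list is downloaded."""
    sightings: list = field(default_factory=list)

    def record(self, token, seen_at, duration):
        self.sightings.append(Sighting(token, seen_at, duration))

    def prune(self, now):
        """Delete sightings older than the retention window; return count deleted."""
        cutoff = now - RETENTION_SECONDS
        before = len(self.sightings)
        self.sightings = [s for s in self.sightings if s.seen_at >= cutoff]
        return before - len(self.sightings)

    def exposure_seconds(self, published_tokens, now):
        """Total time spent near any token on the published positive list."""
        self.prune(now)
        positive = set(published_tokens)
        return sum(s.duration for s in self.sightings if s.token in positive)

    def should_alert(self, published_tokens, now):
        return self.exposure_seconds(published_tokens, now) >= MIN_EXPOSURE_SECONDS


def new_token():
    """A random token carries no name, phone number or location."""
    return secrets.token_hex(16)


def demo():
    """Constructed scenario: three nearby phones, two later reported positive."""
    now = 1_590_000_000          # constructed clock value
    day = 24 * 3600
    phone_a, phone_b, phone_c = new_token(), new_token(), new_token()
    log = LocalContactLog()
    log.record(phone_a, now - 2 * day, 10 * 60)
    log.record(phone_a, now - 1 * day, 8 * 60)
    log.record(phone_b, now - 3 * day, 40 * 60)    # never reported positive
    log.record(phone_c, now - 20 * day, 60 * 60)   # older than retention
    published = [phone_a, phone_c]                 # list downloaded by the app
    return {
        "exposure": log.exposure_seconds(published, now),
        "alert": log.should_alert(published, now),
        "kept": len(log.sightings),
    }


if __name__ == "__main__":
    print(demo())
```

Because the comparison runs on the phone, the server only ever publishes patients' tokens and never receives the contact log, and the pruning step bounds how long contact data is held.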
Human Rights Risks:
Do human rights also pose risks?
Human rights risks are generally legal risks which, if not managed properly, can cause confidential data to be leaked, so businesses should carefully consider these risks and manage them in their corporate structures as well as with third parties. There are several human rights risks that people must be made aware of. The risks most common these days concern criminals intruding into the company’s servers and systems to steal data. For this reason, company managers and MDs have started to keep teams, or to monitor the employees working under them themselves, regarding their working habits and how well they are able to balance work with other things. But sometimes monitoring employees 24×7 results in an infringement of personal human rights, as the person is being continuously tracked and his whereabouts are kept known, which is illegal. But as a coin has two sides, on the other side a businessman can keep a proper check on productivity levels instead of keeping a check on his employees and their working, which does not encroach on the personal life of an employee and thus maintains the employee’s privacy. The best way to avoid these human rights-related risks is to identify them across the entire process of the system and the employees, and to take effective measures to keep them from increasing and coming into the picture again.
Is Aarogya Setu infringing human rights?
During this pandemic, technologies are being used to monitor and track whether the people around are infected or not, which is nothing but a violation of human rights. In India, a mobile application, “Aarogya Setu”, is used to track infected persons; in the UK, several mobile phone companies are tracking individuals' locations, and using this information to track infected persons and the groups around them.
But has anyone ever thought about how long this information is being shared for? Or whether they are violating human rights? How long is the personal data that you share being shared, and what details does it take into account?
Transparency is very important between the company and the individuals (employees), as it makes both the user and the organization clear about what is being shared and for how long. It also avoids personal infringements. But looking at the current scenario, the legislation and the tracking will end up destroying the individual’s rights in the long term, so the legislation and the time limits have to be considered.
As our Prime Minister, Narendra Modi, announced the concept of “Aatmnirbhar Bharat” and asked India to make “opportunity for disaster”, groups of hackers have seen opportunities in this epidemic, looted many individuals, and tried to make profits through these means. You need at least a little knowledge to avoid being the next victim of cyber crime. Although staying home is advised and working from home has increased, it’s very important to be protected. Various activities and fake campaigns have been going around the world, and people fall victim to them.
The impact of COVID-19 on data security has only just started and will affect thousands if proper precautions are not taken in time. Although people may find it difficult to get salaries at this time, they should not blindly follow any online portal for earning that is offered to them.