Securing personal data

• Present laws do not criminalise poor data protection practices that cause inappropriate data disclosures

Every morning, most of us wake up to dozens of text messages from various known brands as well as local businesses that somehow have our contact information and can regularly communicate with us without our approval to sell their products or services in a tailored method.

Sometimes regarded as the new oil, online storage of data in centralised systems is no less than a resource containing highly sophisticated information structures that are prone to be misused by hackers and third-party operators. Data breaches have become a regular news item in mainstream press with their far-reaching implications on private and corporate lives.

So how does one build an effective cybersecurity programme to avoid huge monetary damages apart from embarrassment? And, what are the individual rights to privacy in their digital data against business or government misuse and inappropriate disclosures?

Pakistan has had its fair share of high-profile cyber attacks, the most recent being in November 2018 when the FIA admitted that security of all Pakistani banks has been compromised after data from “almost all” the banks was stolen. Not long ago, in April 2018, Careem had identified a cyber-attack involving unauthorised access to their system, resulting in data theft of over 14 million users including 4-6 million users in Pakistan whose data was put at risk. In both these cases, the general public was affected as a large amount of user data was leaked out of fragile systems.

Phishing is the most common method used by data hackers to obtain sensitive information such as usernames, passwords and credit card details by disguising themselves as a trustworthy entity in an electronic communication, mainly through emails. In October, it was reported that various groups various government bodies, military entities, telecommunications companies and educational institutions in Pakistan are falling prey to the campaign of spear phishing documents – email-spoofing to seek unauthorised access to sensitive information.

An interesting discussion in this regard was organised at the LUMS titled BigC 2018 to help the people develop an understanding of how personal data can be protected. In his presentation, Dr Rafae Bhatti, Director of Security and Compliance at Mode Analytic, USA, showed a five-pillar approach to protect the databases containing sensitive information.

Dr Muhammad Fareed Zaffar, LUMS assistant professor of computer science, demonstrated that personal data of almost any individual can be retrieved from top smartphone apps

Security control implementation; proper prioritisation; building security culture; appropriate breach disclosure and; compliance and regulatory framework are the steps with can, according to Dr Bhatti, help corporations stay ahead of data breaches.

Dr Bhatti recommends corporations and government bodies to run mock phishing campaigns, be proactive in identifying suspicious activities and put proper checks and balances on the online systems containing sensitive information. He was of the view that even big banks don’t take online heists seriously to avoid embarrassment, urging all stakeholders to follow the PCI security standards.

Dr Muhammad Shumail Mazahir, an assistant professor at the LUMS business school, called on the marketers to use ethical and appropriate channels to promote their products and services rather than hacking personal data and targeting tailor-made ads to subsets of consumers. He believes that there are better ways available.

Citing Hipaa regulations, Anjum Majeed, Global Rescue LLC, USA, said that when it was announced in the US that only relevant person can have your data, programmers stopped using social security numbers in the data structures, suggesting that same should be done with the CNIC here. He pointed out that people can also be identified by their gender, age, and date of birth to keep other portions of data anonymous.

To understand how easily third parties can recover anyone’s data, Dr Muhammad Fareed Zaffar, LUMS assistant professor of computer science, cited studies his team did to demonstrate that personal data of 30 out of top 50 online smartphone apps in Pakistan, from ride-hailing companies to food delivery services, can be compromised. He pointed out that personal data of almost any individual can be retrieved due to the companies’ poor data protection practices. Even the databases of NADRA, ECP and PITB are easy to penetrate, he claimed, regretting that when these concerns are conveyed to impacted parties in a responsible manner, either no heed is paid or threat of lawsuit is imposed in the name of criminal offence and privacy breach.

Big Data can be protected using three ways of sanitisation, according to Dr Basit Shafiq, an associate Computer Science professor. Firstly, noise can be added to the databases of corporations and government so that personal information is unidentifiable. Secondly, large sets of data can be made anonymous by assigning codes. Thirdly, one can use simulate general properties of the available information which have same statistical properties such that exact information remains hidden. Dr Shafiq firmly believes that there are ways to preserve data through technology and this is exactly how technologically advanced countries have learned over the years to stay one step ahead of data brokers and hackers.

Dr Ali Qizilbash, former chair of LUMS Department of Law and Policy, emphasised that while the existing legislation on cybercrimes do discuss the prospects of individual protection and forbids unauthorised data consumption, these laws do not criminalise poor data protection practices that result in inappropriate data disclosures which is why there is no such legal course, or noteworthy prosecutions. In his opinion, personal data is being disclosed despite there being laws against it while the protection of right to privacy is guaranteed by the article 14 of the constitution.