-Riffat Ahmed and Khaled Khan
Not long ago, most of us tried our best to safeguard our personal information. We were too concerned about our privacy using online systems. Before the pandemic, many of us generally used to avoid unknown websites and online services that appeared suspicious for intruding on our privacy and tracking our Internet activities. When the pandemic hit, we gave up many of those precautions and worries about our privacy. Hang on a second. What is privacy in this context?
In brief, privacy means sensitive information must not be identified with the individual or the owner of the information. For example, someone admitted to Hospital X is suffering from disease Z. It is public information, not private. However, Ms. Haque admitted to Hospital X is suffering from disease Z. It is private information, not public anymore. Although privacy is closely related to confidentiality, they are not the same.
When the pandemic came, we shifted our entire range of daily activities online. The process has accelerated so fast that we did not take much time even to rethink the privacy consequences of shifting our entire lives online. When we see shops are closed, restaurants are non-operational, and we are not comfortable leaving our homes, we surrendered to online shopping. As the day goes by, we expose more and more of our privacy-related information to the unregulated Internet ecosystem. We have learned how to gradually relinquish our privacy concerns by giving away tons of our personal information and doing activities that possibly expose our personal information to unknown entities. We have begun to integrate more of our personal information with virtual systems and services that we use nowadays.
We need various online services during the pandemic because we do not want to visit physically many places. We now more frequently order groceries and food from online services, book transport from Uber or Pathao, engage in conversations over various communication apps and visit more unknown websites than we used to do before the pandemic. We know that most of these online services may compromise our privacy by collecting and using our personal information for other purposes. Anything we do using the virtual services, someone or some systems are most likely collecting our personal information in some way for making money out of this one way or another. Indeed, before the pandemic, we would not have been happy to sell our privacy for these online services that we consume almost daily these days.
Think about those online communication platforms that we use almost every day. We have dramatically increased our online communications and chats using all sorts of new apps, which were virtually non-existence to us before the pandemic. These include Zoom, BOTIM, Teams, IMO, VSee, and many more. These online apps have become integral apparatus of our daily communication activities. Most of us use Zoom or Teams to communicate with our co-workers almost daily. We discuss various issues ranging from sensitive business strategy to personnel matters over these online channels. We are passively telling the world where we are working, what is our principal responsibility, which projects we are currently steering, what strategies and business secrets we are adapting, and so on. Most of us do not hesitate to pass our privacy-related information over these online channels without any precaution. We not only communicate with our co-workers, but we also use these for virtual social events such as attending anniversaries, birthdays, political discussions, social gatherings, even janaza prayers for funerals.
We trust these communication apps and platforms without any reservations as well as without any credible assurances. It does not surprise us when we see the sudden appearance of unwanted, awkward, even embarrassing images in the middle of the school class session or corporate meetings while using these apps. Are these apps secure? Do they respect our privacy? Nay!
In the beginning, Zoom claimed that it had provided end-to-end encryption of all communication sessions, but later it appeared that it did not. We found that Zoom did not provide much privacy control over our conversations in the past. More surprisingly, Zoom used to send user information to Facebook and LinkedIn. Zoom was later caught for this, but the penalty for such a false claim was too light. We should not forget that most, not all, of these virtual technologies are the products of opportunistic businesses, designed and developed by people with little or no knowledge of privacy and cyber security. Worse yet, most of these data are stored probably on cloud storage managed by unnamed parties in undisclosed locations. We have virtually relinquished the control of our personal information to an array of such strangers.
Schools are now online, which means telling others passively how many kids we have and which grade and school they are going to. This remote schooling reveals tons of students’ personal information that we were quite hesitant to pass on over the Internet, even one year ago. In a virtual classroom, student information is no longer limited to only a name and roll call. The virtual session now includes location information, classroom images, addresses, even the health conditions of the students. Modern technologies can easily derive quite a lot of privacy-related information about the students out of these. This possibility is quite worrisome.
This pandemic also forces us to expose our health-related information to others. Some healthcare providers went one step further by offering patients remote online sessions to talk to their doctors without risk of visiting hospitals physically. The number of such services is not very high though in Bangladesh. Nevertheless, at first glance, this looks promising and a viable alternative. However, using virtual sessions with doctors introduces risks to our privacy. Unprotected apps such as Skype, Messenger, FaceTime, Zoom could easily leak our health-related sensitive information to someone else.
This pandemic has also compelled us to use Uber or Pathao more frequently than before to avoid public transport such as buses. For example, Uber and Pathao require us to disclose our location data. These apps know our travel patterns, such as the source location and destination of our travel, along with precise time and date. It can easily track us on where we are going and when. It can also determine if two persons using Uber from two different locations eventually ending up at the same destination regularly. It can use intelligent data analytics to derive a lot of similar privacy information.
An increasing number of people are using unsecured Internet with much lower protection; even some provide no security. We spend more time on Facebook and visiting kinds of stuff these days that would have otherwise been impossible before the pandemic. The most alarming of this trend is that many do not care much about their privacy nowadays. The threats to our privacy take advantage of our overwhelming use of unregulated and unsecured software. There is a serious concern about the intrusiveness of most of these platforms and apps to our personnel data and privacy. There are considerable risks posed in the handling and processing of our privacy-related data by the companies offering online services. We can see an interesting unwritten relationship has gradually developed between the users and the apps and various platforms. There is a silent privacy trade-off between the user and the apps. The user relinquishes their rights to privacy to the app; in exchange, the app provides online services and convenience.
Unfortunately, the pandemic has forced us to be more comfortable giving up our privacy and willingly exposing our personal data to virtual systems. Before the pandemic, this was virtually unthinkable. Now, we care less. Most alarming is that most of us struggle to grasp the basics of privacy and cyber security.
What choices do we have to minimize the risks? The foremost requirement is transparency, meaning the users must be informed about the privacy ensured by the software, such as how their data are protected both technically against cyber-attack and unauthorized sharing of these data. And this should be backed by legal bindings. In the workplace, including schools, employers should be required to provide virtual private network (VPN) connections so that all stakeholders can securely communicate remotely. Other measures can also be adapted, such as prohibiting unsecured apps, using multifactor identification, employing on-premise application security for remote access and security monitoring. In addition, workers need to be educated with guidelines and awareness of the basics of privacy. Risk-averse behavior and acts should become the norm in the society during this pandemic. Otherwise, we can only leave our privacy concerns at the mercy of the companies behind all those apps and platforms. We can only hope that they will respect our privacy, and they will not use our privacy-related data for other purposes. We also know that in most cases, they do not.
-Riffat Ahmed is the Chairperson of Siddiqui's International School, Treasurer of Bangladesh English Medium School Forum and a Psychology graduate from the University of Dhaka.
-Khaled Khan is an academic with interest in history, cyber security, cyber warfare and cyber defence policy. He currently teaches computer science and engineering at Qatar University.
Latest News