Cybersecurity to data privacy in the Time of COVID-19
Cybersecurity and data privacy have somehow become, and should be, the rule of thumb in the time of COVID-19, at a stage when we are recovering, in some places being hit by a second wave, and the U.S. is not out of the loop yet. Can we say it was a deliberate act of bio-warfare? But the reality remains: it kills and does not look at color, race or anything else.
Somehow, I had convinced myself that, a decade ago, Stuxnet pulled us into the widening underscore of cybersecurity. If we only knew the life-and-death troubles that health practitioners face implementing those concepts. The COVID-19 pandemic posed and poses heightened cybersecurity and data privacy risks. With the rapid deployment of remote-working solutions, malicious actors have attempted and are attempting to exploit weaknesses due to reduced IT staffing and the use of personal devices and insecure public and home networks.
Cybersecurity and public health are different challenges. Yet, the COVID-19 pandemic has cybersecurity relevance because it has reminded us of long-standing problems, unresolved controversies, and unheeded warnings that continue to characterize cybersecurity.
COVID-19 has forced everyone to become more dependent on the internet as desperate measures, such as social distancing, disrupt economic activity and everyday life. In cyberspace, dependence creates vulnerability, and malicious attempts to exploit the unplanned societal shift online have proliferated. Law enforcement officials report that criminals are, among other things, selling fake COVID-19 cures online, posing as intergovernmental or governmental health organizations in phishing emails, and inserting malware into online resources tracking the pandemic.
“Criminals have used the Covid-19 crisis to carry out social engineering attacks, namely phishing emails through spam campaigns and more targeted attempts such as business email compromise (BEC). There is a long list of cyber-attacks against organizations and individuals, including phishing campaigns that distribute malware via malicious links and attachments, and execute malware and ransomware attacks that aim to profit from the global health concern.”
The UK Data Protection Regulator, the Information Commissioner’s Office, has picked up on the need for heightened vigilance of such attacks too and has issued guidance to individuals, but I note that staff too should be reminded of the risks posed by cybercrime to both company confidential information and personal data controlled by their employer.
Success in some countries, such as Taiwan and South Korea, at integrating smartphones and big data in the fight against COVID-19 encouraged other governments, such as the United Kingdom, to explore this strategy. This development connects to ongoing legal, ethical, and technological concerns about the cybersecurity of government databases and the privacy protections needed when governments collect and use personal information to monitor behavior. Post-pandemic reviews of COVID-19 will, in all likelihood, evaluate whether and how synergies created by more integration of big data and digital technologies should inform strategies for the next generation of disease surveillance and intervention policies. The damage done by COVID-19 might provide incentives for governments and public health experts to overlook cybersecurity and privacy concerns in favor of technological capabilities that promise results in preventing and controlling life-and-death emergencies.
The ways that COVID-19 highlights many cybersecurity problems invite the re-consideration of cybersecurity strategies and policies. A prominent effort to re-assess cybersecurity in the United States, the Cyberspace Solarium Commission, issued its report on March 10, just as the COVID-19 pandemic exploded beyond China. The commission concluded that—despite twenty years of policy concerns and action—public and private-sector cybersecurity in the United States remains inadequate.
What is data privacy and how has it evolved over time?
The right to privacy is a “fundamental human right” recognized in the United Nations Declaration of Human Rights, the International Covenant on Civil and Political Rights, and other international and regional treaties. Most countries recognize the right of privacy explicitly within their constitutions. While the definition varies, it may include the privacy of personal data or information (e.g., medical records); the protection of people’s bodies (e.g., drug testing) and personal space (e.g., homes); and the privacy of our communications (e.g., mail, telephones). Data security aims to ensure that any personal information that is collected, used, or stored is protected from unauthorized use.
The increased focus on data privacy and security has ushered in a new generation of government regulations. For example, in 2016 the European Union (EU) approved the General Data Protection Regulation (GDPR), which applies to the collection of data from residents by firms inside or outside of Europe. The cost of non-compliance with privacy regulations and requirements can be steep. Companies found to be non-compliant with the GDPR, for example, can be fined up to EUR€20 million, or 4% of a company’s annual turnover (whichever is higher). Many companies have been fined in recent years for data privacy violations or breaches, including British Airways (EUR€205 million in 2019), Marriott International (EUR€110 million in 2019), and Google Inc. (EUR€50 million in 2019) under the GDPR, as well as Facebook (USD$5 billion in 2019) and Google and its subsidiary YouTube (USD$170 million) by the Federal Trade Commission (FTC).
How will data privacy and protection change as a result of COVID-19?
The COVID-19 pandemic has required governments and companies to adapt quickly to a rapidly evolving situation. While data and technology have an important role to play in helping companies and authorities identify, track, and monitor the spread of COVID-19, data privacy and security must remain important considerations. Once the immediate needs of the crisis have passed, companies and governments will need to:
- Verify compliance with privacy laws: Data that may have been collected under emergency acts, modified laws, or specific guidance related to COVID-19, will need to be identified and assessed to ensure that any ongoing collection, processing, or sharing of data is in compliance with all privacy laws.
- Confirm individuals’ consent and data rights: In cases where personal data will continue to be collected and/or held, companies and governments should ensure that consent is provided. While implicit consent or voluntary provision of data may have been adequate during the crisis under modified laws or requirements, explicit consent may be required moving forward, especially if the purpose for which the data is collected has changed.
- Verify data privacy and security: Technologies or processes, such as video conferencing, remote onboarding, or digital verifications, may have been implemented during the crisis without having gone through an organization’s normal third-party risk-management process. Companies should ensure that any gaps in the verification process are filled to avoid potential non-compliance with privacy laws or security violations.
Before the pandemic, one of the most important — and popular — movements in ethics and social justice was the push against technology-powered surveillance, especially AI technologies like facial recognition. It’s a rich topic centered around power that pits everyday people against the worst parts of big tech, overreaching law enforcement, and potential governmental abuse. “Surveillance capitalism” is as gross as its name implies, and speaking truth to that particular sort of power feels good.
Is it really such a bad thing if our COVID-19-related medical records go into a massive database that helps frontline health care workers battle the disease? Or if that data helps epidemiologists track the virus and understand how and where it spreads? Or aids researchers in developing cures? Who cares if we have to share some of our smartphone data to find out whether we’ve come into contact with a COVID-19 patient? Is it really that onerous to deploy facial recognition surveillance if it prevents super-spreaders from blithely infecting hundreds or thousands of people?
“Those are legitimate questions, but on the whole, it’s a dangerously shallow perspective to take.”
The dangers posed by a hasty and wholesale surrender of privacy and other freedoms are not theoretical. They’re just perhaps not as immediate and clear as the threat posed by the coronavirus. Giving up your privacy amounts to giving up your power, and it’s important to know who will hold onto all that data.
In some cases, it’s tech giants like Apple and Google, which are already not widely trusted, but it could also be AI surveillance tech companies like Palantir, or Clearview or Banjo, which have ties to far-right extremists. In other cases, your power flows directly into the government’s hands. Sometimes, as in the case of a tech company the government contracts to perform a task like facial recognition-powered surveillance, you could be giving your data and power to both at the same time.
That means if you agree to feed mobile companies your smartphone data now, it’s likely they’ll keep taking it. If you agree to quarantine enforcement measures that include facial recognition systems deployed all over a city, those systems will likely become a standard part of law enforcement after the quarantines are over. And so on.
This isn’t to say that the pandemic doesn’t require some tough tradeoffs — the difficult but crucially important part is understanding which concessions are acceptable and necessary and what legal and regulatory safeguards need to be put in place.
For a start, we can look at some general best practices. The International Principles on the Application of Human Rights to Communication Surveillance, which has been signed by hundreds of organizations worldwide, has for years insisted that any mass surveillance efforts must be necessary, adequate, and proportionate. Health officials, not law enforcement, need to drive the decision-making around data collection. Privacy considerations should be built into tools like contact tracing apps. Any compromises made in the name of public health need to be balanced against the costs to privacy, and if a surveillance system is installed, it needs to be dismantled when the emergent threat of the coronavirus subsides. Data collected during the pandemic must have legal protections, including stringent restrictions on who can access that data, for what purpose, and for how long.
This is a matter of life and death. But it’s about life and death now and life and death for years to come.
However, we need to see through the security of our personal and private data. It goes against some processes in some countries where liberty is prevalent, but we are slowly walking out of that line, to where we need the data of each of us properly protected and, under each country's laws, properly authorized and signed off as to what becomes public or not. Let us see how all of this pans out in the short, medium, and longer term; as I usually say, the least properly protected data vaults are the government ones.
Name: Kris Seeburn, DSc, LLM
Current Title: Professor, Independent Consultant, Chief Trainer on Cyberwarfare
City and Country: Washington DC, USA