Showing posts with label Ransom attack. Show all posts
Showing posts with label Ransom attack. Show all posts

Tuesday, September 7, 2021

Hurray … I am vaccinated: know the risks for updating vaccine-posts

CYBER CRIME AGAINST WOMEN BY DEBARATI HALDER

                                                    Image courtesy : Internet  



As on first week of September, 2021, India has reportedly vaccinated more than 67, 09, 59,968 people and several of them have also got fully vaccinated. Noticeably Covid vaccination drive is being conducted by the government and it necessarily includes sharing of certain sensitive personal data that have been included in the Aadhar data of every individual. Expectantly vaccination data is connected with the personal information including health information of the beneficiary as well.

Let me now explain how we the beneficiaries of Covid vaccination drive have knowingly shared our personal data and have invited risks of privacy infringement.

In 2020 when I was affected by Covid and wanted to be reassured that I am carrying the virus, I had sought for Covid testing like millions of us who have survived Covid. The government testing agencies were over flowing and this had happened in all cities across India. Medical shops got many of us connected with private labs who would be testing us ‘at the earliest’ to help us recover faster. Several people reported that even though they did not have symptoms, they were tested positive. Everyone suspected foul play, but we had to accept that the pandemic has touched all of us very dearly. Whether it was government labs or private labs, the individuals who would be taking the swab test were directed to mandatorily collect Aadhar data of the persons who were taking the tests. There were series of data sharing from private agencies to government agencies and in majority of the cases the data owners were never asked for their explicit permission for sharing their data. Added with this, we the general users of social media companies have shared about our levels of infections and recovery on social media platforms without giving it a thought that we are generating data that have potential to put us on risk for numerous kinds of cybercrimes including ransom attacks, bullying, stalking and doxing to name a few. During the very first phase of Covid-19 we have seen social exclusion with the Covid 19 victims and their families. There had been several cases of shaming on the social media for victims of Covid-19. Somehow such ‘harassments’ of victims of Covid and their families may be attributed to the data generated by people who had been infected and survived Covid.

Most of us would never understand how such data sharing would have affected us. Resultant, most people have shared about their vaccination details, which should have been considered as part of sensitive personal health data. Let me explain how we have unknowingly shared such data and have invited risks:

Many people who had vaccine may have taken selfies or may have allowed their family members to take photographs of being vaccinated. These images may have been immediately shared on social media profiles with date of vaccination and the name of the vaccine. Further, several vaccination centers had also offered galleries for taking photographs. Some may argue that vaccine beneficiaries may not have shared the personal data including secret numbers or registration details that may be availed from the government platforms. But not to forget, this is an age of social engineering.  Hackers and ransom attackers are smart to connect facial images, geo-locations, Aadhar details with date and time stamp to access sensitive personal data stored on platforms which may not provide much security to the privacy of the data owners.

Such apprehensions are not baseless. In December, 2020,  Pfitzer had reportedly shared the bad news of being targeted by cyber criminals.[1] Again, in June, 2021 news about possible hacking of CoWin platform made the government to consider for investigation of the entire issue.[2]

Why we need to be considered for this issue and what does the law say? The answer basically centers on the liability of the websites/social media companies to protect our data. Two issues must be understood here: the liability of the companies/body corporates (especially the vaccine production companies and the vaccine administering stakeholders) in whose data base our sensitive health data including the vaccine data is being stored, and  the liability of the social media companies on whose platform we are sharing our own data in the form of selfies, pictures etc. S.43A of the Information Technology Act, 2000(amended in 2008) makes the body corporates liable for protection of the data of the clients/customers/beneficiaries. If the integrity and confidentiality of the data is infringed, the body corporates need to compensate the damages. There may be huge legal battles for this and body corporates may always prima facie deny their negligence. Not to forget, they may outsource the entire work of data generation, data storing and maintaining the confidentiality of the data to the third parties and resultant, they may need to face layers of liability charges. This does not happen in case of social media companies. The later have explicit policies and agreement clauses that majority of the users of the platforms ignore. These clauses and policies clearly demonstrate the company’s due diligence clauses. In other words, the companies very clearly state that they will remove some posts if the same are offensive and fall within their own category of offensive posts. They would also bear the liability of securing confidentiality of  the profiles. But they would not take any liability if the users themselves “knowingly” post something which is self-damaging. For understanding this, we have take close look on S.79 of the Information Technology Act, 2000(amended in 2008) which elaborates website liabilities and immunity clauses for the websites from third party liabilities. In short, websites will not be liable for any ransom attack, hacking or any other forms of online harassment if the users “knowingly” upload some contents which may attract perpetrators. “Knowingly” here corresponds with the meaning of “awareness”. The websites expect their users to be aware of the risks of posting certain contents which would be self-damaging.  

We should rejoice the winning over the pandemic but not at the cost of our privacy and security. Be aware, stay safe and spread positive awareness.

Please note: Please note: Please  do not violate the copyright of this writeup. Please site it as Halder Debarati (2021) Hurray … I am vaccinated: know the risks for updating vaccine-posts @https://debaraticyberspace.blogspot.com/2021/09/hurray-i-am-vaccinated-know-risks-for.html

 

 



[1] See in Stubbs.J(2021) Hackers steal Pfizer/BioNTech COVID-19 vaccine data in Europe, companies say . published in https://www.reuters.com/article/uk-ema-cyber/hackers-steal-pfizer-biontech-covid-19-vaccine-data-in-europe-companies-say-idUKKBN28J1VF on December 10,2020.

[2] See for more in Jaswal M(June 2021) Claims of Cowin system, hacking, data breach baseless: Health ministry . Available @ https://www.livemint.com/news/india/claims-of-cowin-system-hacking-data-breach-baseless-health-ministry-11623489372000.html published on June 12,2021