Privacy and Cybersecurity: Protecting Personal Data
Introduction
Increasing cases of massive personal data breaches suggest that Malaysians are at high risk of being the targets of scams. Police reports indicate that Malaysia loses an average of RM2 billion to scammers annually and that scammers possess accurate personal information of their targets. A 2017 data breach in Malaysia leaked the personal details, including home addresses and myKad numbers, of about 46.2 million mobile number subscribers nationwide. In April 2020, a 60-year-old hospital consultant from Pahang was scammed RM63,435 from his savings account shortly after sharing his online banking credentials on a fraudulent Bank Negara Malaysia website.
Furthermore, ChannelNewsAsia reported that over 20,000 private medical records of Malaysian patients were published online and could be freely accessed by any internet user worldwide. There has been concern that insurance companies may analyze leaked medical records and personal data to identify health risks and raise premium rates. Individuals could also face workplace discrimination due to their medical histories, which may reveal, for example, depression or pregnancy. It is clear that personal information should be properly protected and its use properly regulated.
Privacy is a fundamental human right recognized in the Universal Declaration of Human Rights of the United Nations and “information privacy” is defined as “the right to select what personal information about me is known to what people.” Despite recognising the value of privacy, internet users may be unaware of just how much of their personal data is being shared, to whom, and for what purposes.
In this article, we explore the question of privacy and security in a smartphone-enabled, data-driven world, specifically the risks associated with increased sharing of personal data, and suggest some ways individual users can protect their personal data.
What is personal data?
There are four types of consumer data that businesses collect: personal data, engagement data, behavioural data and attitudinal data. In this article, we limit our discussion to personal data.
Personal data refers to any data that contains personally identifiable information. Malaysia’s Personal Data Protection Act 2010 (Act 709) defines personal data as “any information…that relates directly or indirectly to a data subject, who is identified or identifiable from that information;” Singapore’s Personal Data Protection Act 2012 defines it as “…data, whether true or not, about an individual who can be identified from that data;” The European Commission defines it as “any information that relates to an identified or identifiable living individual” whereas the National Institute of Standards and Technology (NIST) of United States defines it as “information about specific individual…that can be used to identify the people who provided it.”
The European Union’s General Data Protection Regulation (GDPR) lists some examples of personal data including name, national identification number, location data, and even Internet protocol (IP) addresses that identify how a user is connecting to the internet.
Why are apps collecting personal data?
The COVID-19 pandemic has accelerated Malaysia’s transition to a cashless society. Financial institutions and e-wallet service providers reported a steep rise in the transaction volume of contactless payments and e-wallet adoption during the movement control order (MCO) as Malaysians try to minimize physical contact. For instance, the sign-up rate for Maybank’s MAE wallet doubled since the beginning of MCO and the bank also expected a 30% growth in its eDuit Raya transaction volume for Hari Raya celebration this year. Hong Leong Bank also witnessed a 13-fold increase in the total transactional value of e-wallet top-ups in two months from March to May 2020, as compared to the same period last year.
Similarly, two popular e-wallets in Malaysia reported growth in their number of users and transactions. GrabPay Malaysia has seen a 60% increase in new users with more than 8,000 new merchants signing up to use its digital service and its contactless transactions have increased 1.7 times since the implementation of MCO. Additionally, Touch ‘n Go’s eWallet saw an increase in e-wallet adoption among merchants as well as a surge in e-commerce volumes and online transactions during the MCO period.
Transitioning to the digital economy results in more people being more connected to the internet. Internet users share personal information with mobile applications or businesses in exchange for ostensibly free goods or services. Not only is money stored in e-wallets operated by private companies, but shared real-time location and personal information are stored in their databases too.
Smartphone apps can track our movements (e.g. whether we are sitting down or walking around), record our location, and read (some) text messages without any additional user action or input. Businesses process these data into useful information that helps them provide better user experiences and services to their customers. For example, an individual uses an e-wallet to pay for a flight planned via a travel app and receives a confirmation email, including personally identifying information such as name, travel dates, locations, and payment details. These details are shared across multiple apps to automatically generate an event with details of the flight in the calendar of the user’s smartphone.
What are the risks of sharing personal data?
Despite the fact that personal data contains personally identifiable information, some might argue that “I have nothing to hide therefore I have nothing to fear,” but the misuse of personal data can have unpleasant unintended consequences. Ride-sharing apps collect geolocation data to protect their drivers and passengers, but Uber’s location data ended up being exploited by its employees to stalk politicians, celebrities and ex-partners. Fitness app Strava includes a feature intended to enable runners to connect and build community, but the degree of personal data shared makes it easy to find out where a Strava user lives and what routes they usually run.
Apps are collecting more data than they actually need
A 2018 analysis by Symantec of the top 100 free mobile apps in Android and Apple iOS revealed that 89% of the apps on Android and 39% of the apps on Apple’s iOS requested risky permissions. Risky permissions refer to “permissions where the app requests data or resources that involve the user’s private information or could potentially affect the user’s stored data or the operation of other apps.” Some of the examples categorized as risky permissions by the study include access to location tracking, camera, audio recording, phone logs, calendar, contacts and SMS messages.
It was reported that Android apps requested more risky permissions compared to iOS apps. 45% of the Android apps analyzed requested access to track user location whereas only 25% of the iOS apps requested location access and 25% of the Android apps requested access to record audio while only 9% of the iOS apps requested similar access. Moreover, 15% of Android apps sought permissions to access text messages and 10% asked to access phone call logs. In contrast, such permissions are not accessible by iOS apps.
It is not clear that all these permissions are necessary for the apps to function properly. For example, a flashlight app on the Android OS sought permissions to access users’ location services, contacts, text messages, microphone for audio recording purposes and even permissions to make phone calls or to reroute outgoing calls. Symantec stressed that users should be mindful of the permissions they grant each app, putting the burden on the end user when it should perhaps be placed on app developers by prohibiting the requirement of unnecessary permissions.
Oversharing personal data puts users at risk not only of potential stalking and attempts to manipulate their behaviour, but also of their personal information being added to a database that may not be adequately secured and thus may be susceptible to hackers and data breaches. Such breaches put them at further risk of identity theft and scams.
What can individual users do to protect personal data?
Securing a database from cybersecurity threats is out of the control of individual users so, until holistic data protection legislation is passed, individuals are best served by learning about the risks of data sharing and taking steps to minimise those risks.
In addition to reviewing app permissions and evaluating whether the degree of personal data sharing is worth the benefits of the app, we suggest two more ways individual users can protect their personal data.
Be aware of phishing attacks; verify requests for personal data
Phishing is a type of online scam often used to steal personal information such as login credentials, bank account information or credit card numbers. Phishing attacks can occur through any form of communication, such as emails, phone calls, text messages, instant messages received on social media sites or advertisements. Phishing messages typically claim to come from a legitimate source such as a bank or a government agency. Not only will phishers use the email address, logo and other trademarks from the purported source to look authentic, they will also fabricate stories to panic message recipients into either giving away personal data or allowing their personal data to be tracked. Examples of phishing attacks include claiming a suspicious login attempt or unauthorized changes to the user’s account have been detected or requesting confirmation to verify sensitive personal information.
According to the Malaysian Communications and Multimedia Commission (MCMC), the majority of the phishing attacks detected in Malaysia targeted internet banking users to trick them into revealing their login credentials. Cybersecurity Malaysia (CSM) also reported receiving a total of 838 cases involving fraud, intrusion and cyber-harassment in the early states of the MCO between March 18 and April 7. Cybercriminals are quick in reacting towards global events, leveraging the pandemic to launch COVID-19 themed phishing emails or fraudulent websites filled with fake COVID-19 news.
Before sharing any information, internet users should take additional steps to confirm who is requesting their personal data and for what purpose. For example, users receiving a text message about an unexpected financial transaction should contact their bank’s customer service department to verify the message before responding to it. Users should also avoid clicking on links from suspicious emails without first verifying their source. Fraudulent websites look very similar to original websites, differing by only a letter or punctuation mark. Examples include changing the letter O to the number 0 or inserting additional characters and symbols that legitimate web addresses will not have.
Be aware of social media settings; limit access to personal data
Social media users tend to unknowingly overshare personal information on these platforms, whether checking in at a restaurant for a meal, tweeting about a new job promotion or sharing photos with location details in the background or in the photo geolocation tag. While these activities are meant to foster meaningful connections with friends and family, there are privacy risks to such online sharing activities.
Social media posts uploaded on the internet may include personal details that malicious actors could exploit to access sensitive accounts or commit identity theft. Background information such as schools attended, pet names or vacation photos could provide enough clues for cybercriminals to work out a user’s passwords.
Internet users should review privacy settings on their social media accounts to limit who can access their personal information. For example, on Facebook, users may want to avoid setting their posts to be public as that allows even non-Facebook users to access their information. Users may also want to consider reviewing their friend/follower list regularly to remove unfamiliar accounts that might be monitoring their posts.
Conclusion
Considering that personal data can be – and has been – misused when it falls into the wrong hands, there are several critical data governance questions we need to ask in this rapidly digitalising world: Who has access to our personal data? Where and how is our personal data being used and stored? What are the laws and regulations in place governing the access, use and storage of our personal data?
The responsibility of strengthening cybersecurity falls on the shoulders of all parties. It requires the efforts of both public and private sectors to coordinate and collaborate with each other in terms of capacity building and policy design and implementation.
As technology evolves and advances, the government could consider regularly reviewing and revising its existing regulations on personal data protection to ensure that data collected are secure and well-managed. Currently, the Personal Data Protection Act (PDPA) 2010 only protects inappropriate use of personal data for commercial purposes and the act does not apply to personal data processed outside of Malaysia. Additionally, there is no Data Breach Notification Rule in the PDPA 2010 yet so businesses that suffer a data breach are not legally obliged to notify the authorities, the public, or the victims of the data leak.
Existing data protection laws also lack provisions to address children’s digital privacy, personal data processed in non-commercial transactions and outside of Malaysia, as well as general online privacy issues such as geolocation data and browser cookies that could potentially track internet users.
Malaysia still has significant room for improvement in terms of cybersecurity and data protection. When the government takes the lead in data protection efforts through the introduction and strict enforcement of regulations, the private sector and the general public will slowly but surely follow.
