Think about the top threats facing the world right now — what would you say they are? If you listed climate change, natural disasters, and extreme weather events, you’d be right. You’d also be right if you mentioned “cyber attacks” and “data fraud or theft” — at least according to the World Economic Forum.
Every year, the international nonprofit seeks out the opinions of nearly 1,000 thought leaders and experts to compile its annual Global Risks Report. The verdict for 2019: cybercrimes, alongside the environment, are a big source of worry. And it isn’t hard to see why.
With so many people living digital lives these days, the impact of a computer system getting hacked or an online database being breached holds immense potential to affect a wide swathe of the population. The list is long, but just ask Facebook’s nearly 50 million users, Marriott’s 500 million guests, Cathay Pacific’s 9.4 million customers, or closer to home, SingHealth’s 1.5 million patients — all of whom had their personal data leaked in cyberattacks over the past 14 months.
Preserving privacy in today’s world in is a pressing issue because “information about us is collected by more and more parties, whether it’s the government, telcos or banks,” says Associate Professor Terence Sim, a biometrics expert at the NUS School of Computing and principal investigator at N-CRiPT, the university’s new data privacy research centre.
“Also, a lot of our information is in the digital form, which is far easier to compromise in the sense of people copying it, altering it, and spreading it,” Prof Sim says.
As we traverse the Internet going about the daily business of our lives, we inadvertently leave traces of our identity and personality scattered in the wake of our digital footprints — in the photos and phone contacts we store in the Cloud, in our shopping and streaming preferences, in the tweets and Instagram Stories we post, and in the identity numbers, bank and medical information we entrust to organisations and government entities to store online. But when unscrupulous agents obtain such information and our privacy is lost, the consequences can be far-reaching.
At best, you receive unsolicited marketing calls or emails, says Prof Sim. At worse, someone could use your personal data to impersonate or blackmail you.
Therefore, preserving online privacy is paramount, he says. And the first line of defence is ensuring good security. Prof Sim explains: “If security is lax, you can forget about privacy. The bad guys hack in and help themselves to all your data and you’re doomed.”
“I think many people confuse privacy and security,” says Prof Sim, who has written extensively about the topic. “They’re actually different notions.” Privacy is about controlling how personal data is used, whereas security is about preventing unauthorised access to something.
A privacy breach occurs when, for example, a company conducts a lucky draw and publishes the winners’ NRIC numbers in the local newspaper. In contrast, when someone hacks into a military computer to steal secrets on how to make weapons, that’s considered a security breach.
In some instances, both privacy and security are compromised. This happened with Singapore’s worst data leak, the 2018 SingHealth attack, when the cyber espionage group Whitefly hacked into the patient database system (a security breach) and stole personal data of millions (a privacy breach).
Multiple defence lines
In many instances, the onus is on governments to protect their citizens’ privacy. While countries such as Australia and Canada have some sort of Privacy Act (Singapore has the Personal Data Protection Act), most haven’t explicitly incorporated privacy into their constitution.
Legislation is being drawn up but this often take a long time to pass. A quicker way to improve protection, Prof Sim says, is to work via industry, to encourage firms to voluntarily adopt privacy best practices.
In January this year, Singapore launched the Data Protection Trustmark Certification (DPTM), which recognises businesses that have robust data protection policies, processes and practices in place. Firms apply to the scheme on a voluntary basis, and are assessed by the Infocomm Media Development Authority. If they pass muster, companies are allowed to display the Certification Mark — a blue and purple logo bearing a tick within a shield — on their website, products, and other marketing materials for up to three years, signalling to customers that their brand can be trusted when it comes to data protection.
Individuals, too, can play an active role in helping to preserve their own personal data, says Prof Sim. “Don’t be too eager to sign up for lucky draws and store memberships” that ask for copious amounts of information,” he says. And be suspicious when firms, especially non-governmental organisations, ask for your NRIC number. Just as important, be wary of revealing too much information on social media.
“Don’t be too eager to part with your personal information, think about what you’re giving away,” says Prof Sim. Being more mindful of how to preserve personal privacy is a notion that people need to be made more aware of, which is one reason why the NUS Centre for Research in Privacy Technologies (N-CRiPT) was established earlier this year.
Funded by Singapore’s National Research Foundation, N-CRiPT is the region’s first institution solely dedicated to data privacy. Here, researchers such as Prof Sim are toiling away to develop technologies that will help preserve the privacy of individuals and organisations. Ongoing projects include the Privacy Advisor, an intelligence software that will help screen social media posts and alert you to what you might be inadvertently revealing; and another that explores ways to assess and quantify privacy risk so that companies can offer potentially offer insurance for breaches. These, and other ideas, will be explored in blog posts to come — so stay tuned.
To protect your privacy in the digital world, keep these tips in mind:
• Be careful how much you reveal on social media
• Remember that it’s now illegal for non-governmental and non-medical agencies to ask for your NRIC number
• Don’t be too eager to disclose personal information in lucky draws, sweepstakes, etc.
• When you install smartphone apps, consider if it’s really necessary to grant them access to your contacts, photos, location, etc.