How the world has changed in a matter of weeks. With coronavirus spreading in more than 209 countries and territories around the world, governments have instituted lockdowns in many areas in an attempt to stem the spread of Covid-19. Workers have set up home offices where possible, juggling childcare and office responsibilities. Zoom parties have replaced dinner parties. Bingo has gone live on Facebook, while artists stream quarantine concerts direct from their living rooms to their fans.
It may be a small comfort to know that there are some things that never change. Less comforting is the unfortunate reality that we still have to be on our guard against privacy infringements, fraud and software that may give away more about us than we realise.
One person’s life-changing global pandemic is another’s business opportunity. Never has that been more true than for scam artists, who have been busy trying to turn the current coronavirus pandemic to their advantage.
One of the early scams was simply an adaptation of an older attempt. “I know every dirty little secret about your life,” the email said, before “proving” it by revealing a password, and threatening to give everyone in your life coronavirus unless a payment is made to a nominated bitcoin account.
Sound familiar? It is a reworking of a widespread extortion scam that went around in 2018 and 2019, which threatened to send explicit photographs to the recipient's family rather than to spread coronavirus, but the general gist is the same. The password is an old one, gleaned from a previous security breach involving your email address, and the scammers are hoping to fool those who may reuse their passwords or don’t change them regularly.
Bank details
While the threat of giving someone coronavirus may not fool too many people, it is by no means the only threat out there.
The lockdown was barely a week old when members of the public were warned about a scam that tried to trick them into surrendering their bank details over the phone. Claiming to be from the Department of Employment Affairs and Social Protection, fraudsters were calling people who lost their jobs due to the outbreak to ask for bank details to process the payments.
However, the department never requests bank details from its customers by phone or on social media, only accepting them as part of a written application.
Other email-based scams asked people to click on links in emails purporting to contain public health information. However, when people clicked on those links, malware was released on to laptops or other devices to extract usernames and passwords for email accounts and bank accounts.
Some scammers have exploited the demand for protective gear, with fake websites offering protective masks and hand sanitisers that never existed; others have fraudulently solicited donations from the public to help fund Covid-19 efforts.
There are no exact figures on how much it has cost Irish people who have fallen victim to the fraud but in the UK experts estimate some £1.6 million has been obtained through fraudulent means. A report by internet security company Sophos found 2 per cent of all spam was now Covid-19-related, implying there is a wave of new scams headed straight for us.
Video conferencing
This brave new world of ours means we are all scrambling to find ways of keeping in touch with friends and family, as well as working from home where possible.
That has led to a massive increase in the number of people using video conferencing software, for example, and it has become very clear that none of us were prepared for this.
Take Zoom, for example. The US company has found itself under a very uncomfortable spotlight. The video-conferencing company appeared to be one of those flourishing in the current lockdown, increasing its user figures almost overnight as people sought alternate ways to stay in touch, to do business or just stay in business.
But then came the privacy concerns, with security researchers calling it “a privacy disaster” and “fundamentally corrupt”, and the hackers staging “Zoombombings”.
A Zoombombing, if you have yet to have the dubious pleasure, is where an uninvited person uses the service’s own features – the virtual backgrounds, sharing their screen or annotation – to share objectionable material. In one incident, the perpetrators used the annotation feature to scrawl racist words on the screen. Another abused the virtual backgrounds feature to display an offensive image to others in the meeting.
Closer to home, the GAA warned its clubs over use of the platform after an incident in which a children’s training session was hijacked by someone who shared explicit images to the session.
Zoom has acted on some of the complaints. From April 5th, the company has made waiting rooms for participants and passwords for meetings an automatically enabled setting, keeping unwanted users out and allowing hosts to screen those waiting for unwanted guests. There are also ways to disable some features, with the host of the meeting able to disallow the use of virtual backgrounds and block the ability of participants to share their screen to the meeting.
Access and encryption
The company also released an update for its Mac software after it emerged that the installer was using a trick more akin to malware, mimicking Apple’s security prompt.
But there are still some things people should be aware of. The meetings aren’t end-to-end encrypted, so someone could gain access to the stream.
Meetings can be recorded by the host but the default naming system for Zoom sessions means files uploaded to open storage services online can be easily found.
The in-meeting chat system, which allows attendees to message the entire meeting or directly speak to another attendee, is also included in the transcript of a session, regardless of who the message was sent to. That means the host can see all messages sent during the session at the end of the meeting, so you need to be careful of what you say.
Another setting – now disabled – measured attendee attention and alerted hosts if their attendees did not have the Zoom meeting window active for the entire session.
Zoom isn't the only one having uncomfortable questions asked of it. Social networking app Houseparty (which aims to act like a virtual reboot of the standard house party dynamic – you can join friends for a chat when they are in "rooms" with other people, for example) was the subject of claims it had been used to access unrelated third-party accounts. Houseparty, which is owned by games company Epic, said it was investigating the possibility that it had been part of a commercial smear campaign and has offered a $1 million bounty for anyone who can provide the evidence to prove it.
Apps against Covid-19
Social distancing is difficult. Humans are not meant to be solitary beings – well, most of us anyway. So the new measures that are designed to keep us safe may feel a little constricting, especially when we have no real idea of when they will end.
But surely there is a way that technology can help with that? Developers have been working on ways to use technology to fight the Covid-19 outbreak, although not everyone is comfortable with the idea of using apps to report on their health.
The European Union is getting involved here, with a toolkit for a pan-European approach on the use of mobile applications to track the spread of the coronavirus. Reuters reported on the move, which is in reaction to the roll-out by several EU countries of mobile apps that have been criticised by some data privacy activists who worry that they may become permanent once the coronavirus crisis is over.
“A fragmented and uncoordinated approach risks hampering the effectiveness of measures aimed at combating the COVID-19 crisis, whilst also causing serious harm to the single market and to fundamental rights and freedoms,” the document said. “It is therefore necessary to develop a common approach to the use of digital technologies and data in response to the current crisis.”
The EU will monitor and assess the effectiveness of the mobile apps, their interoperability and cross-border implications, and whether they comply with security, privacy and data protection rules. And there will be a strict limit on the processing of personal data, which will be destroyed when the virus crisis is under control, the Commission paper said.
The HSE, meanwhile, has said a contact tracing app is in the works, but concerns have already been raised about what it will involve. We don’t know yet what form it will take or what data it will gather, but regardless it must adhere to the laws on data protection, namely GDPR. The regulations give special protections to health data, which is considered particularly sensitive.
That will limit exactly what can be legally done with such apps here. According to solicitor and data privacy expert Fred Logue, any use of the data must be necessary and proportional, done in a way that has the least impact on people's rights.
“You can’t use a sledgehammer to crack a nut. The measures put in place to meet your objective can’t be so prejudicial that they’re actually worse than the problem they’re trying to solve or create problems that are worse,” he said.
Data protection
Part of the process should be a “data protection impact assessment”, Logue said, which is a form of risk assessment. “They should be consulting NGOs and individuals and the public and they should be transparent about this because it’s lack of transparency that starts to give rise to conspiracy theories.”
The HSE app has not yet been released but similar apps are already in use in other countries, primarily in east Asia where government-sanctioned tracking apps cover everything from contact tracing and collecting data on the spread of the virus to enforcing quarantine rules and controlling movement across public transport and neighbourhoods.
Large-scale tracking of the population and indiscriminate use of location data is prohibited under European law. A case taken by Digital Rights Ireland to the European Court of Justice invalidated the EU data retention directive in 2014, and led to the adoption of tighter protections around the retention of personal data.
One way that the contact tracing could be carried out without impinging on people’s privacy is by using Bluetooth, which relies on proximity rather than location data.
The key thing the Irish app must ensure though is transparency, Logue said, otherwise the Government risks building an app that is ineffective because people simply won’t use it.
“Going off and building it without doing that upfront – the transparency, the consultation – means that they risk wasting a whole lot of time and resources, building something that could be unlawful, and in any event won’t be used or people won’t trust. If they don’t do it properly, it’s going to waste way more time than it will take to actually do the due diligence upfront – it’s kind of penny wise, pound foolish.”