KOCHI: Union and state governments have warned public not to share vaccination certificates on public platforms as fraudsters could use that. Experts say personal details should not be shared with anybody. What are the reasons? TNIE finds out
How secure are your personal details you knowingly and unknowingly share on social media or when asked for that, say at a hospital or supermarket’s reception desk?
Next time, think before writing down your name and phone number in the visitor’s book of a shop or keying in for an online purchase, warn cybersecurity experts. Recently, the government of India and Cyberdome sounded alerts on social media, asking citizens not to publish their vaccination reports online.
“When you produce your vaccination report, you are exempted from restrictions at a lot of places including the airports during screening. Chances are that people may manipulate them and use them because it is almost impossible to manually verify the details at one go. Secondly, when you are displaying the vaccination report online, there is every chance the data thieves can grab your Aadhaar number and other details and exploit them,” said Pattathil Dhanya Menon, a cybercrime investigator.
“Earlier, when a passport was released or a driver’s licence was received, people used to announce it with a picture of the same. These are the kind of blunders that we knowingly do, giving chances for data thieves to invade our personal information. Surprisingly, some parents post the school identity cards of their wards without realising the risks involved in it. The risk factors are high when we publicise any kind of identity. When you make your vaccination report public, it has every crucial detail on the card, including the Aadhaar number,” Dhanya said.
Data is expensive
There are several agencies that are dependent on data mining and selling. “A valid name and a phone number are crucial data with a price value. Especially during a pandemic and lockdown, where everyone is in need of money, every piece of saleable information is a profit. People can manipulate them and use them for their benefit,” said Dhanya.
Basically, a vaccination report is health data. In India, we do not have a stringent data security policy like the Health Insurance Portability and Accountability Act of 1996 (HIPAA) in the US, says Vinod T, who heads cybersecurity wing of a leading IT company based in Kerala. HIPAA strikes a balance that permits important uses of information with the protection of privacy of people who seek care and healing.
“If a person voluntarily discloses his personal details, either due to ignorance or due to complacency, it is his responsibility. But if the same data is leaked from the hospital or health centre or some other agency, that is a breach of personal identifiable information (PII) and medical information. There are several portals where you have to key in your details, which are likely to get leaked,” said Vinod.
Data mining is a paid gig
Vinod said there are several companies that collect and distribute data. “Agencies can calculate your buying power by using your mobile number collected, they can even calculate how much you are spending on a particular purchase (grocery, cosmetics, etc.) every month. There are also hackers in groups or companies working underground who can hack into your bank account,” he added.There is also a problem of lack of space to destroy the data once collected.
Rajesh Babu, managing director of Mirox India in Technopark, Thiruvananthapuram, feels the government should bring a unique identification system, like a Health UID, to store and access the health details of the citizens.
“Currently, when a patient is shifted from one hospital to another, they have only the recent health record and not the whole details. However, when a unique ID is present, this can be accessed, with the permission of the patient. There will be an authentication system. There are also issues related to lack of awareness and ignorance of the people. For example, there could be elderly people seeking help from a stranger in using their aadhaar card. All this will lead to security breach,” he said.
“In future, the data could be consolidated into a smart chip, so that the number need not be exposed. The information should be transferred only from one system to another system. Stringent rules and regulations from the government are required to protect the information,” Rajesh said.
POTENTIAL AREAS WHERE DATA CAN BE LEAKED
Shops
Hospitals
Online shopping sites
Online movie platforms
Ticketing platforms
Billings
Social media platforms
Raffle draws
WHAT IS PII?
Experts explain personally identifiable information (PII) as any data that could potentially identify a specific individual. Any information that can be used to distinguish one person from another and can be used for deanonymising previously anonymous data can be considered PII. PII may include name, address, email, telephone number, date of birth, passport number, fingerprint, driver’s licence number or credit/debit card number — anything that can be used as an identity.