Telegram or Signal? Welcome to the illusion called data security
New Delhi, Jan 17 (IANS) As millions shun WhatsApp and download new chat platforms in search for a secure experience, mind you that security is nothing but an illusion and there is no guarantee that Telegram or Signal may not be hacked in the future, especially when nation-state actors with highly sophisticated tools and huge resources are on the prowl.
Encryption is fundamentally flawed and once hackers get to know any vulnerability or bug in the whole data travel journey — apps, mobile operating system, public Wi-Fi, Cloud and the physical data centres — your personal and sensitive information is always at their mercy.
The Telegram development team is based in Dubai. The Telegram team had to leave Russia due to local IT regulations and has tried a number of locations as its base, including Berlin, London and Singapore. It does not store data within the boundaries of India.
Signal does not own its own data centres. The company is entirely Cloud based, which puts data at risk as cyber-attacks on Cloud-based services have increased in the recent past.
In case the data is compromised, India which does not have a dedicated law on privacy or on cyber security, will not be able to do much, unlike Europe which has a strong General Data Protection Regulation (GDPR) that treats the safety of its users’ data diligently and seriously.
According to Pavan Duggal, one of the nation’s top cyber law experts and a seasoned Supreme Court lawyer, if you are looking at complete and absolute security, you have to realise that security is a relative term.
“What was secure yesterday is not secure today and what is secure today will not be secure tomorrow. Blindfoldly relying upon these platforms would not suffice. There is a need for people to incorporate cyber security as a way of life,” Duggal told IANS.
Be it Pegasus software attack on WhatsApp or the great Twitter crypto hacking last year that compromised accounts of celebrities like US President-elect Joe Biden, former US President Barack Obama, Tesla CEO Elon Musk, Microsoft founder Bill Gates, Amazon founder Jeff Bezos (you name it), people are always facing the risk of losing their data.
The latest is the SolarWinds attack that has rocked the US agencies and several tech giants. It is not that the bad actors directly compromised their networks; they used a third-party software called Orion sold by IT management company SolarWinds to infiltrate the systems even of the US Department of Justice (DoJ),
The suspected Russian hackers installed a malware in the Orion software and accessed sensitive data belonging to at least 250 US government agencies and businesses. Around 18,000 private companies and government agencies downloaded the infected Orion software.
At least 24 big companies, including tech giants like Intel, Cisco, VMware Nvidia and even a cyber security firm FireEye, have suffered the ‘SolarWinds’ hack.
Microsoft discovered its systems were infiltrated “beyond just the presence of malicious ‘SolarWinds’ code.” The hackers were able to “view source code in a number of source code repositories”, the tech giant informed.
According to leading tech policy and media consultant Prasanto K. Roy, when WhatsApp discovered the Pegasus attack, it quickly fixed the vulnerability, informed users whom it could trace the hack to, informed the relevant governments and initiated legal proceedings against the spyware’s creators in the US federal court.
“Unlike WhatsApp/Facebook, competitors Signal or Telegram are unlikely to have the resources to do any or all of these in response to a bug. At the most, they’d fix the bug,” Roy told IANS.
Another big worry is that the present-day situation increasingly refers to a massive policy vacuum that exists in India in the context of protection of privacy and data.
“As of today, India does not have a dedicated law on privacy or on cyber security. Further, it still does not have a legal framework in place for protecting all kinds of data. The Personal Data Protection Bill, 2019 is pending consideration before the Joint Parliamentary Committee. Further, India does not have a dedicated policy on data localisation,” Duggal informed.
“The circumstances and ecosystem are very ripe for state and non-state actors to do activities aimed at prejudicially impacting the security, integrity, sovereignty and also cyber sovereign interests of India”.
Mere switching to new chat platforms alone may not suffice.
“You will have to inculcate new life skill sets which need to be built on the foundation of cyber security and data privacy,” he said, adding that the present law is extremely deficient and is incapable of protecting personal and data privacy.
The current Personal Data Protection Bill, 2019 leaves much to be desired and needs to be completely supplemented by an overhauled legislative framework, which can focus on the concerns and protection of rights of stakeholders concerning their data in the digital ecosystem.
Next time when any of the new apps you have shifted to are compromised, which chat or social media app do you have on your mind?
(Nishant Arora can be reached at email@example.com)