Four digits led to tech reporter Mat Honan’s digital life falling apart earlier this year: the last four digits of a credit card, which Amazon considers unimportant enough to display in the clear, but Apple considers secret enough to authenticate one of its customers. The people who wanted to hack Honan used this flaw to take over his Apple ID account, which gave them access to his Gmail, which in turn gave them access to his Twitter – which was what they were after in the first place.
Mat Honan is hardly a beginner when it comes to the Internet – and he still got hacked. His story shows how seriously we need to take privacy and sensitive information on the Internet. When communicating via the Internet, it’s usually best to assume that everything is public. When writing on Facebook, imagine your post turning up on the front page of the newspaper the next day. When accessing your Gmail account, remember that Google’s programmes are reading through every message to generate advertising for you. And when talking on Skype, imagine the whole world is listening in.
Justice Nizamul Huq would have done well to remember all this when discussing the cases before the International Crimes Tribunal with Ziauddin Ahmed via Skype and exchanging messages with him via e-mail. The reports had me facepalming at the naive belief that this would somehow be a secure channel on which such sensitive issues could be discussed.
To be clear, I’m not arguing that Justice Huq got what he deserved. It is always wrong to get robbed, but you should seriously consider not leaving your front door unlocked, especially if you have valuables at home that would be irreplaceable if lost. A judge using unencrypted e-mail and Skype* to correspond regarding one of the most important trials in the history of Bangladesh was essentially doing exactly that.
E-mail is like a postcard
This is because Skype and e-mail – as generally used – are among the most insecure forms of communication available.
The real-world equivalent of an e-mail is a postcard. E-mails are usually passed from server to server in the clear, and any administrator of any one of these servers can read through the message if he or she likes. Your e-mail company does this to weed out spam; if you’re living in certain countries, your government is probably reading your messages; and even in countries like Germany, ISPs are obliged by counter-terrorism laws to search their users’ e-mail correspondence for certain keywords.
The same goes for Skype. Forget that Skype has repeatedly handed over user data to security firms and national agencies. It’s been only a few weeks since reports surfaced about how a Skype account could be stolen by anyone using only the e-mail address of their victim (Security hole allows anyone to hijack your Skype account using only your email address). The hole has since been plugged, but you really don’t want to be using Skype to make sensitive calls.
Both e-mail and chat/voice conversations on the Internet can easily be made much more secure by using programs that support a form of public key encryption (Public-key cryptography). What it does is scramble the communication so that it can only be read by someone who is in possession of the right key. Since you generate your own keys, there’s no reason why they shouldn’t be completely secret – unless your computer has somehow been compromised, in which case there’s not much hope anyway (if you think this is the case, format your hard drive and reinstall your operating system).
The pitfalls of “Digital Bangladesh”
But the problem in Bangladesh is broader. This government’s catchphrase of a “Digital Bangladesh” conjures up ideas of technological progress, but forgets that living with the Internet and with the widespread computerization of our daily life also means that people need to be aware of the risks they’re getting themselves into. More importantly, the government needs to put in place standards that protect privacy and personal data – and enforce them.
This, however, is hardly the case. One part of the “Digital Bangladesh” project seems to be a massive overhaul of the government’s websites. This has, shockingly, included the publication of thousands of sensitive data points. The fact that you can find the residential phone numbers of all the officers of the foreign ministry (including the minister’s) online is just the tip of the iceberg. Far more concerning is that many government institutions have published their employees’ “Personal Data Sheets” online – a record that includes sensitive contact information (postal addresses, e-mail addresses and mobile numbers), their National ID numbers, details of their education and details of their parents.
Remember Mat Honan? His hackers had far less information on him and took apart his life.
*I have absolutely no knowledge whether Mr. Huq was using encryption. I assume he wasn’t.
Lalon Sander is a Bangladeshi-German journalist.