Desperate for information on ventilators and plasma, Mumbai-based professional Rupali Jha (name changed) had shared her phone number on Twitter, seeking medical aid for a family member infected with COVID-19.
While Jha found a ventilator much to her relief, she had no idea what awaited her. As her number was circulated widely, she started receiving unsolicited photos and traumatising messages from several men across the country.
Narrating her ordeal in a tweet, Jha said, “Been looking for plasma donors, and my no has been around in some groups + stories. I've fielded calls from men asking me if I'm single, if I can share photos, my DP is nice etc, and 1 "friend" who said he'd help if 'at least now you go on a date with me' Some men are DISGUSTING. [sic]”
The second wave of COVID has presented unprecedented challenges. On the one hand, social media is being used to ensure that medical aid is provided to those in need; on the other, personal information shared on social media is a ticking time bomb.
In a bid to amplify their requests, patients and their relatives are posting personal information on social media platforms. Details such as the patient’s name, the attendant’s name, address, COVID-19 positive report, medical prescription, Aadhaar card, etc., are being widely shared.
This data freely surfacing online can be used by cyberespionage groups and cybercrime perpetrators.
The Quint spoke to Kazim Rizvi, Founding Director of The Dialogue, a privacy policy think tank, and cybersecurity researcher Sourajeet Majumder to understand how you can stay safe while posting SOS requests on social media platforms.
What Qualifies as Sensitive Data?
Before digging deeper, it is important to understand what qualifies as sensitive information.
Sensitive data refers to a subset of personal data that requires enhanced protection owing to the kind of information involved. It falls under the following categories:
- Passwords
- Bank account details
- Credit/debit card details
- Present and past health records
- Sexual orientation
- Biometric data
At present, under the SPDI Rules issued under the IT Act, this is an exhaustive list consisting of the aforementioned kinds of data, explains Rizvi.
'Prioritising Life Before Privacy'
It must be duly noted that SOS requests are made when a person desperately needs help and is willing to do all it takes to arrange for aid.
Rizvi told The Quint that in such circumstances, a rational person should strive to ensure that his SOS request is perceived as genuine by putting up a vivid description of his needs without giving out his ‘sensitive personal data’.
Giving an example, Rizvi said, "Give your social media account handle instead of your phone number to receive verified leads. Mention that you are not posting sensitive personal data and expect everyone to respect this privacy-respecting step."
As a society we have also normalised the behaviour of sharing Aadhaar information and it is becoming a norm unless we put an end to it.
Just like the government asks for Aadhaar to provide public services, now most medical store owners ask for prescription, RT-PCR reports, and Aadhaar card before giving out antiviral medicines like FabiFlu. This must change; the government too must intervene here to ensure that such practices are stopped.
Kazim Rizvi, Founding Director of The Dialogue
How Can Cyber Attackers Use This Data?
There are multiple ways a cybercriminal can use this data, especially when helpless people are sharing their identity documents, medical prescriptions, exact geolocation and bank details as part of their SOS requests.
Cybersecurity researcher Majumder believes that cyberespionage groups easily sell such data in bulk to buyers on the dark web for a certain amount.
A recent scam involves asking for advance payment with fake promises to provide COVID-19 medical supplies.
“Many have notified in India that SOS calls for oxygen cylinders/concentrators etc lead them to sellers who are selling at twice the price owing to the demand-supply gap and want 50 percent money in advance,” Rizvi added.
Dos & Don'ts on Posting SOS Requests
While posting such SOS requests, it is important to keep in mind certain crucial safeguards to ensure that one gets the right kind of help and that one's sensitive data is not misused for malicious purposes.
Rizvi lists a few points to safeguard data:
Dos
- Share your name, city, social media account handle or email ID (but not both), and a vivid description of your needs.
- While details like address should not be disclosed on social media, it is undeniably important to share your ‘approximate area of residence’ (without your house number etc.).
- Sharing your social media account details when you have posted the SOS request on a particular social media platform is better than giving your phone number.
- Once help is received, permanently delete your SOS request.
- Use appropriate hashtags like #COVIDIndiaSOS, #COVIDEmergencyIndia etc. and tag people in authority and also those with a large follower base to get the message amplified.
Don'ts
- Do not share medical records, Aadhaar card or any government ID, phone number, RT-PCR report and medical bills.
- In worst-case scenarios, use redacted versions of medical bills while seeking financial help in fundraising requests for medical assistance.
- Do not make advance payments or share your financial details unless you have verified the correctness of the resource.
- On certain platforms you might have to make your account public so that the post gets more views and is shared widely. At such times, make sure that you first archive any sensitive posts, photographs, etc. on your account that you feel are inappropriate for public viewing or access.
To protect the privacy of consumers and their data and to safeguard the digital identity of mobile users, Doosra, a Hyderabad-based company, offers a first-of-its-kind solution: a 10-digit, SIM-free virtual mobile number that users can share wherever they are compelled to share their personal mobile numbers.
It helps to get rid of endless spam calls and messages, and it reduces the risk of being defrauded. The app is currently providing a free six-month plan for COVID-19 volunteers.
Telemarketing Companies Might Use SOS Request Data
SOS requests, which are considered sensitive data, might be used by major insurance and telemarketing companies. "From the SOS requests they can easily figure out your needs, any kind of ailments, contact information and thus run targeted advertisements using SMS, emails or phone calls," Majumder added.
Eventually, they will be able to manipulate you into purchasing their products or enrolling in an insurance policy that you wouldn't normally want.