ASPIRE NEWS: A CASE OF BREACH OF PRIVACY

Russian hacker Aleksei Burkov sentenced to nine years in prison for payment fraud
29 June 2020
State sponsored Cyber attacks in Vogue
1 July 2020

The rise of the Coronavirus-19 pandemic has led the world to witness unprecedented times. The virus being a newly discovered virus is highly contagious and can spread my means of a mere human contact. While the countries all around the world are trying to develop a vaccine to cure the infected person of the deadly virus, many nations had imposed certain mandatory measures such as social distancing and lockdown in order to curb the spread of this disease.

Due to the lockdown imposed by various nations, people were forced to stay and work from
home and movement of all individuals were restricted except for essential matters. Since people were staying at home, there was a surge in cases of domestic violence around the world as the victim and the perpetrator lived in the vicinity of each other for longer durations. This led to the rise of what was called a ‘shadow pandemic’.

In a breach of online privacy that took place recently in the United States of America, details of victims as well as perpetrators of domestic violence were exposed in a massive data breach. The data breach took place as more than 4000 voice recording messages of the victims of domestic violence describing their names, addresses and identity of the perpetrators stored on AWS S3 bucket were exposed. This sensitive data breach originated from an app called Aspire News App that was designed to prevent the cases of domestic violence.

The Aspire News App was build by a United States non profit organisation When Georgia
Smiled. The app which could be installed on a user’s phone appeared as a news app. However, the app featured an emergency help section wherein the victims of domestic violence could record a message which they could send to trusted contacts at the time of emergency. This distress message contained victim’s details, home address, the nature of emergency and their current location. The developers of this app stored these voice recording on Amazon Web Services (AWS) S3 bucket. This AWS S3 bucket functioned as a cloud storage from where any files could be viewed and downloaded. Therefore, the victim’s details were stored on a publically accessible platform which exposed their personal details to the public.

This breach was discovered by vpnMentor which on discovering the same contacted the owner of the data, When Georgia Smiled organization as well as AWS service providers directly. The issue was resolved by the parties on June 24th , 2020. This data breach risked the life of the victims as the information exposed could be used to blackmail both the victim as well as the abuser. Moreover, it could put the victim in aggravated danger as the perpetrator may rebuke or punish the victim for trying to report the cases of violence to other persons.

This breach of security of the users could have been avoided by securing the bucket by means of end to end encryption as used on social media websites today. Also, the easy accessibility to download the files could also have been stopped by allowing the files to be download only by authenticated persons. Moreover the bucket could have also been secured by adding layers of protection such as biometrics and passwords.

Privacy of an individual is of extreme importance especially when it pertains to matters of
domestic life of a person. An app which is created to alleviate the hardships caused in the life of a woman cannot be expected to indulge in such serious security lapse as will risk the life of its users and would actually perpetrate the domestic violence. Though the matter has been solved by the concerned authorities, legal action may be initiated against Aspire News app and it’s parent company When Georgia Smiled.

-Manik Mahajan ( Intern, WCSF )

Leave a Reply

Your email address will not be published. Required fields are marked *