Digital security expert shares tips on how to protect your data while working remotely
'Our 24/7 deeply connected lives make us very vulnerable,' says Citizen Lab's John Scott-Railton
In light of the COVID-19 pandemic, we are spending more time online than ever before, which makes us vulnerable to privacy and security threats, according to a researcher at a digital security think tank.
"The way that we have reconnected has been pretty much whatever we can get our hands on, as quickly as possible. And that means that some things — even very sensitive things that we would otherwise do in person — are now happening online," John Scott-Railton, senior researcher at the University of Toronto's Citizen Lab, explained.
Many Canadians moved their work, education and social lives online, following the physical distancing guidelines to reduce the spread of the coronavirus. In a recent blog post, Scott-Railton said our personal and work data is "much less secure, harder to defend, and easier to snoop on" under these circumstances.
On Friday, Citizen Lab released a report, co-authored by Scott-Railton, that identifies security concerns about Zoom, a video conferencing tool that has been a popular means of connecting with friends and family online during the pandemic.
In an interview with Spark host Nora Young, Scott-Railton shared insights on the current state of online privacy and offered some advice on how to protect data on personal devices and stay safe online.
Here is part of their conversation.
Can you highlight some of the security risks associated with working from home, on our own computers and using our own software?
I think we have lots of different kinds of risks. Once upon a time, the home computer was used for some Netflix-and-chilling and maybe the occasional word processing to dust off a CV or do a homework assignment.
Now, in many cases, that device is being dragooned into doing serious work. But since it's never been salient to us that that device is a potential target for hackers, it may not be very secure. It may even already have some malware on it.
When the digital lines between work and home are further blurred, it just means that there are many new ways for the attackers to gain access to our sensitive work communications. For example, a hacker could easily target that computer or those work accounts using much less sophisticated techniques than they would've had to use to target work accounts. And yet now, unlike perhaps a month ago, it may very well be that sensitive work stuff has spilled over those devices and those accounts.
What are some of the things that people working from home can do to reduce the risk of bad actors snooping on them or hacking equipment?
For individuals, the Citizen Lab has put together a free online resource. When you visit that website, you answer a series of simple questions, and then it spits out a series of accessible recommendations.
It turns out that the simplest thing most users can do is enabling two-factor authentication on their accounts. Other examples include things like making sure that our laptops, if available, use encryption software. Another is ensuring that the chat apps that we use are secure and robust and use end-to-end encryption.
There's a big difference between a service that claims that it encrypts your data and a service that encrypts your data end-to-end. End-to-end encryption means your communication with the person you're interacting with is encrypted between you and them — which means if it's working, nobody other than you and the party you're talking to will be able to snoop on what you're saying.
Video conferencing is something a lot of people are doing a lot now that maybe they weren't doing before. Are there steps that people can take to protect their privacy around video conferencing?
What I would urge people to do is carefully watch reporting in the coming weeks around the security of video conferencing apps.
I think people stand to learn a lot, and I would encourage people to be prepared to course-correct if they need to, if they learn that an app they may be using is not as secure as they thought.
Do you think for these platforms in general, there's a problem of an enormous amount of stress on their systems? Does that pose security risks, with so many more people using these services now?
In general, many of the more popular video conferencing pieces of software that we're using are not fully stress-tested for their security features. There are apps with robust end-to-end security features: Signal, WhatsApp are two good examples of those.
The more popular video-conferencing apps that are larger, there's often a tradeoff in security. And that tradeoff may mean that things are not as secure as people would like to feel.
What would you like to see happen, from the device-manufacturing end, in terms of improving privacy and security, especially for people working from home?
Many devices that we carry around with us still have substantial security flaws and vulnerabilities. And suddenly, this may be a concern in a large-scale way for all the businesses that now rely on their employees to be connected a hundred per cent of the time.
Our truly 24/7 deeply connected lives right now make us very vulnerable.
We are now in a situation where our lives and our online lives have merged in ways that they never have before. It's my hope that this time will make it salient to everyone why it's absolutely essential that when you need it, you should have access to encrypted communications.
I assume you're working remotely as well. How do you ensure your own security?
One of the biggest enemies of security is people tricking you into doing something. Everyone has had the experience of scrolling through their emails or messages and seeing something alarming, something that tricks you into clicking.
This is an opportunity for a field day for phishing, focusing on coronavirus-style information.
We're all at home, we're a million newly minted epidemiologists, trying desperately to get information about something terrifying. That makes us vulnerable.
The advice that I would give is if you're experiencing, as you're reading through your inbox or scrolling through your messages, a message and a link that really generates alarm, that makes you really want to click, that is the moment to slow down, be mindful, and check before clicking.
This interview has been edited for length and clarity.