Thursday August 21 2025
Wednesday January 22 2025 at 10:40 Social

A balancing act: Welcoming innovations and protecting privacy

Aastha Mehta. | Photo courtesy of Aastha Mehta
Data security and privacy should be prioritized as a design goal in addition to speed, scale, and revenue, says Aastha Mehta, assistant professor at the University of British Columbia (UBC), about her vision of a data-secured world. The internationally recognized Data Privacy Week returns Jan. 27 to 31 with the theme “Put Privacy First” – highlighting the need for more transparency from data collectors.

“The problem is that today it is really difficult for users to understand what data they are sharing with whom, the value of each information that is being shared, and the consequences when that information were to be leaked or misused,” Mehta adds.

Understanding new threats

With a background in computer science, Mehta is a member of UBC’s Security and Privacy Group, a research collective formed in 2023. She notes that data security can be compromised on different levels of a device – the end product available to users and the hardware supporting the application.

“To protect data, therefore, we may need to build security mechanisms at various different layers in the software and the hardware stack,” she explains.

To secure data against this complex system of threats, Mehta advocates for a collaborative approach between individuals, institutions and governments. As computer scientists and engineers innovate new tools to secure technology, the assistant professor points to a persistent challenge – increasing user awareness of security threats. Her solution is more investment in cybersecurity education, not only at the graduate level, but for undergraduate and high school students as well.

“At UBC, some students participate in capture-the-flag competitions, where students typically have to solve challenges to break vulnerable software or websites and find hidden ‘flags’ as rewards,” she adds.

When it comes to educating the public, technical jargon is also a barrier. Mehta advises defining technical terminology with the use of everyday, physical objects, such as explaining personal data through the concept of house keys. As another example, she illustrates how data scraping is similar to an individual taking notes of car details as well as people’s commute schedules in and out of a neighborhood.

“This information is technically public,” she explains. “But when collected in scale and used for, say advertising different car deals to everyone in the neighborhood, it can start to feel invasive.”

Drawing the line

Established in 2007, Data Privacy Week marks the anniversary of the first legally recognized international treaty for data protection, Convention 108. Since its beginning, data concerns have only continued to grow, particularly with the development of artificial intelligence (AI). For Mehta, AI’s ability to increase technology’s speed and reach brings about new concerns, including ones that extend beyond personal data privacy.

“For instance, AI is used for creating rich personalized profiles of users and to algorithmically make decisions related to hiring [and] loan applications,” she adds. “These tools are susceptible to bias and discrimination against individuals.”

The conversation around data privacy is also complicated by what Mehta refers to as a “trade-off”: the careful balancing act between protecting one’s personal data and providing that data in exchange for access to helpful personalized services. Using the popular social media platform Instagram as an example, the assistant professor points out how an individual can use the application to find recipes for chocolate cakes, revealing their personal preferences and allowing the technology to connect them with similar users.

“And this is probably fine, until Instagram were to start sharing information about people interested in chocolate cakes with, say, pharmacies who start advertising weight-loss drugs to all these people,” she explains.

The line between what is acceptable and what poses a serious threat is not always easy to identify, particularly in a field where what is legal may not be entirely ethical. Mehta points to previous cases where companies legally collected large amounts of data but then distributed the data in ways that were problematic.

“In these scenarios, the companies exploit users’ lack of understanding and inability to control where and how their data is being used,” she adds.

Returning to potential solutions, Mehta sees the government’s role as one of regulatory oversight – holding technology companies accountable for cybersecurity malpractice. She notes that this regulation is a balancing act, considering the responsibility of protecting user privacy while leaving room for socially and economically beneficial innovations.

With files from Faiz Ahmed.

For more information, see www.aasthakm.github.io. For more information on UBC’s Security and Privacy Group, see www.spg.cs.ubc.ca. For information on UBC’s Data Privacy Week events, see www.privacymatters.ubc.ca/data-privacy-week.