16.1 C
New York

Privacy Protection in Singaporean Live Streaming Platforms

Published:

With the entertainment and attention that a broadcast may attract, there are also unwanted and negative consequences. Anyone can broadcast content, and viewers can also be anyone, including friends, family, colleagues, strangers, or even employers. In an effort to attract viewers and gratify them, broadcasters may divulge too much personal information or act in ways that should not be seen by people in certain social groups. Viewers may also be negatively affected by contributing to a broadcast. This is seen in an incident on Twitch where a 12-year-old boy, who calmly committed suicide by hanging himself after making a goodbye video, was encouraged and trolled by other viewers to go through with it. With the difficulty and complexity to control or change what has already been broadcasted, there needs to be strong preventative measures to protect the privacy of all parties involved.

Live streaming Singapore platforms offer an exhilarating way to communicate with others around the world. With merely a phone or computer and an internet connection, broadcasters can connect with a mass audience in real-time via live streaming Singapore. For instance, Twitch, owned by Amazon, is the world’s leading social video platform and community for gamers. Also, according to a report on brand intimacy in Covid-19 times, social media was the sector that has gained the most in building intimate bonds with consumers in Singapore in 2020. This trend will likely continue and lead to more interest and activity in live streaming in Singapore.

Overview of live streaming platforms in Singapore

There are many platforms that are primarily designed to be the live streaming platform, and many others that have added a live streaming feature to their existing platform. In this section, we are looking solely at platforms created to be live stream focused, as opposed to the likes of Facebook, Instagram, YouTube, Periscope, and many others. This includes the larger primarily gaming focused platforms like Twitch, and also the newer breed of mobile focused live streaming platforms. A non-exhaustive list of the types of live streaming platforms are VOD/TV Platforms, Social Platforms, E-commerce, Gaming and Mobile. Each of these will have differing features, and will each be relevant to different parts of the population. Streams can also be done on personal websites using dedicated live streaming software such as OBS or Xsplit, and then linked to via social media. In these cases, we are only focusing on the platforms themselves.

Importance of privacy protection in live streaming

A reason for this adoption would be the increase in internet and smartphone usage in Singapore. A study by reported that Singapore has 4.83 million internet users (88% of the population) and 4.18 million active social media users. With the availability of wireless technology, it allows live streaming to take place almost anywhere and at any time. It is highly predictable that the number of live streamers would increase as the number of internet and smartphone users increases in Singapore. With the promise of potential meaningful interactions and convenience in streaming, it is inevitable that live streaming is becoming a trend in the digital lifestyle for Singaporeans.

Live streaming has been prominently adopted as part of the digital lifestyle for many Singaporeans. There are currently over 30 different live streaming platforms available on the Android and Apple app stores. These platforms act as a powerful means to connect people and meet new friends. In a study by the Institute of Policy Studies, they found that 6 in 10 Singaporeans would be interested in using digital social networking tools to befriend a foreigner in Singapore. The study also found that more than half of Singaporeans are positive about foreigners and local residents interacting through digital social networking. Live streaming can enable such interaction to take place, breaking down social barriers and enabling users to have a richer interaction experience with people of different backgrounds.

Privacy Policies and Regulations

In 2012, Section 15 of the Singapore Personal Data Protection Act (PDPA) was introduced, addressing the issue of data protection in relation to the online environment. The PDPA establishes a data protection law that comprises various rules governing the collection, use, disclosure, and care of personal data. It recognizes both the rights of individuals to protect their personal data and the needs of organizations to collect, use, and disclose personal data for legitimate and reasonable purposes. This comprises a well-balanced framework and is in line with global trends in data protection laws. However, the PDPA has two distinct sets of rules, one for data protection and another for the Do Not Call (DNC) registry. The DNC provisions came into effect on 2 January 2014, with the formation of a national DNC registry. The DNC provisions aim to address the growing nuisance of unsolicited telemarketing calls and messages by giving individuals greater control over their personal data and to build greater public trust through the regulation of unsolicited telemarketing messages. It is right to say that this portrays the image of a ‘no spam, no scam, good business’ Singapore. The PDPA does not cover the public sector, as the act only affects private organizations, while the data protection provisions only come into effect in 2014 for the private sector.

Singaporean laws and regulations on privacy protection

Another key factor in privacy protection is the effectiveness of the enforcement power of sector-specific laws and regulations. A sector-specific law/regulation is a legal rule that applies to a particular industry, product, business, or service and must be followed by all organizations. An example of such a law in the context of privacy protection is the Banking Act. The Banking Act contains private and confidential statutes in relation to a particular individual’s bank account and looks to prevent the misuse of such information provided by banks. This would come in various forms including transmission of this information to an affiliated company, misuse of knowledge, and selling of the information to other parties.

The Personal Data and Protection Act (PDPA), which came into effect on 2nd July 2014, has a primary function of governing the collection, use, and disclosure of personal data by organizations in a manner which recognizes the right of individuals to protect their personal data and the need of organizations to collect, use, or disclose personal data for purposes that a reasonable person would consider appropriate in circumstances. It consists of 9 main provisions concerning the collection, usage, and disclosure of personal data as well as the administration of the do not call registry and enforcement of the law.

Singapore is one of the fastest globalizing countries in the world and is consistently reinventing itself to make the island-city competitive and attractive. This could be seen in the government’s recent plan in developing Singapore as an information communication hub. Singapore is investing billions of dollars to build up an ultra-high speed national broadband network which can deliver, among many things, three-dimensional high definition movies to every home and devices. With the coming advancements in technology, there are growing concerns about privacy protection in Singapore as more data will be used and extracted for various purposes including initiatives that have an effect on the quality of life for Singaporeans. This includes projects on intelligent homes, urban planning, and healthcare for the elderly. In this paper, I aim to review the effectiveness of privacy protection in Singapore and suggest improvements to the current regulatory framework.

Privacy policies of popular live streaming platforms

An example is Twitch.tv, who like many others states that they will not sell or share user information with third parties and promises to keep the information private and secure. But they also state that users should keep in mind that information can still be shared to a certain extent, and they cannot guarantee that user content on the site will not be seen by those who are not authorized to view it. They say that users take full responsibility for the risk of this happening. At the other end of the spectrum, NicoNico’s policy is more ambiguous and does not specifically address every aspect of how and where user information is used.

Most of the widely used streaming platforms all have their own policies on privacy. They all usually require users to agree to their terms of service and privacy policies upon signing up for an account. Some state that the only personally identifiable information that they collect is an IP address and email address, but if a user purchases a premium service with the site, the payment information is stored and some personally identifiable information is collected in that process. Usually, it is stated that the information is only used to improve the service of the site or provide custom content/advertisements to the user. Some policies are more lax and say that the information is only used for internal purposes and won’t be shared with any outside companies. Others say that the information is shared with third-party service providers, but the identity of these third-party companies is not entirely clear. Then there are some cases where the information is clearly shared with outside companies, and in some scenarios, this can include the possibility of the user data being transferred to and processed in other countries, regardless of whether or not the laws in those countries exempt privacy protection.

Measures for Privacy Protection

Any transmitted data, especially personal information such as a user’s identification and credit card information, must be encrypted. This includes transmissions over the Internet to databases and transmissions between application servers.

Data encryption transforms the original information, known as plaintext, into an encoded form known as ciphertext or simply ciphertext. Only those possessing the cipherkey will be able to decrypt the ciphertext back to the original plaintext. Measures for privacy protection require encryption of personal information to ensure that if any information is intercepted, it cannot be understood by the interceptor without the cipherkey. This secures any information exposure aside from leakage of the original plaintext, and even if the original information is leaked, it would be incomprehensible.

A combination of username and password is perhaps the most widely used form of user authentication. However, plain text passwords are easily stolen, and many people use the same passwords for many different accounts, making this method a security risk. Other methods include smart card pairing with a password, or biometric data password, which cannot be stolen or lost, but may be considered invasive of privacy.

User authentication is the process of identifying a person with control over the user’s identity. This ensures that the person using the account is the real user. In case of any fraudulent activities from any parties, there will be evidence stating that the identity was stolen or falsely used. Although no exact method of user authentication is foolproof, the percentage of misleading the control of an account can be greatly minimized.

User authentication and verification processes

In comparison to various social media platforms, Facebook in particular has a relatively high level of user authentication in which users are prompted to enter a text code sent to their mobile phones whenever there is a login from a new location. This ensures that the user is aware of the login attempt and is able to protect their account from being accessed by others. For live streaming platforms, mobile phone verification can be used as a tool to ensure that each account is only tied to one individual. An SMS code can be sent to the mobile phone of the user upon registration of an account or login from a new location. This code must then be entered to continue, similarly to the method used by Facebook. Although this method is not failsafe due to the prevalence of multiple SIM card ownership, it is still much stronger than using an email address as a means of user identity.

User authentication and verification mechanisms are the first line of defense in safeguarding and protecting user information. Currently, most live streaming platforms only require users to have an email address and password to create an account. This level of authentication is not reliable for ensuring the security of user information. An email address is not representative of the true identity of an individual, and it is relatively simple to create multiple email accounts. Passwords are also not foolproof for ensuring that an individual’s account is accessed only by the rightful user. With the increasing prevalence of account hijacking and stolen passwords, more stringent measures are needed to verify the true identity of a user.

Encryption and secure data transmission

The encryption ensures that if the data is intercepted during the transmission, it will not be readable to the interceptor because they will not have the key which is required to decrypt the information. This effectively renders the stolen data useless to the interceptor as they will be unable to understand its content.

An encryption algorithm is a mathematical process used to perform encryption on a piece of data, converting the original data into a form which may be unreadable to an individual who is not aware of the algorithm key. Encryption is widely recognized as the best way to protect private information on the internet. Encryption technology changes the original data into a coded version of the data which can only be decrypted by the intended recipient. Encryption technologies work by using an algorithm to scramble the message, which can only be unscrambled using a specific key.

Secure data transmission is a means for transmitting information between a data sender and a data receiver such that nobody else can access the data. IMessage functions as a normal SMS application. Basically, if the recipient is not using an iOS device, the message will be sent as an SMS message and the iPhone won’t differentiate. To do this, the data sender uses an encryption algorithm to encrypt the data, and the data receiver uses a decryption algorithm to decrypt the data.

User control over personal information

Privacy entails the right to advanced notice of policy changes affecting the handling of personal information, and choice about how personal information is used for purposes other than those to which consent has been given, as well as the means to exercise other privacy rights. In order to provide user control over personal information, there must be ways to access the data, as well as to correct it. Notification and consent on personal data collection and use ensure that users are informed, and can make choices about whether to provide personal information. It allows an organization to set data use policies, and give notice, thus defining the limits of data collection and use. User access to data is typically provided through a data access API. The API permits a user to view, and in some cases delete, their personal data, as well as to monitor use of the API. The more sensitive the data, the more we require strong user authentication and proof of identity for data access. Finally, maintaining data integrity is important as inaccurate data can be as detrimental as no data. This usually involves some form of data correction request from the user, and may lead to a temporary suspension of data processing, where the user can correct the data before processing resumes.

Challenges and Future Trends

Finally, the future trend to improve privacy protection will be migration to the cloud environment due to its scalability and cost efficiency. The cloud environment is not confined to the physical boundaries of any jurisdiction, and there are few data sovereignty service providers that promise to store and process the data within the specific country. Live streaming platforms can select the virtual servers in a country that harbors low privacy risk, and data processing can be done ex post facto way to classify and encrypt the data before replicating it to the data storage.

Enforcement agencies also require real-time monitoring capability to view live broadcasts by the particular suspect and to detect if he is still using the AS to perform illegal activities. AS can use the DPI-based system to detect the suspect by tracking his distributed IP address, but it is a challenging task to find the user in cases where a dynamic IP environment is used. User tracking by IP address is also privacy intrusive, which needs to be justified in interception law. In Singapore, an interception warrant is valid only for one year, and the procedural code provides for the destruction of records obtained from lawful interception after a period of 2 years. This will have an impact on the storage and maintenance of the intercepted records by the enforcement agencies.

Challenges are concerned with the AS as they have to store the records of the users, but due to some hygiene issues, it is difficult to archive records. The reason to archive the record is when a legal enforcement agency looks for a particular suspect, then on the request of the enforcement agency, AS has to provide the record if it is available, regarding the particular suspect. AS can decide to archive the record on the functional level based on the category of the registered users, but it is still a challenging task to maintain archived records to comply with the law.

Challenges faced by live streaming platforms in privacy protection

A survey by Symantec (2010) showed that Singaporean enterprise servers were considered easy targets by hackers, putting the private data stored in these servers in danger. This makes it all the more pertinent for local live streaming service providers to deal with privacy protection.

Typically, the most common private knowledge that users would provide when using these services would be an email address for user registration purposes. Other private knowledge might include home address and credit card details for subscription-based video on demand services. These data are stored in databases which are vulnerable to attacks by hackers.

One recent instance would be the cyber-attack on a preferred international live streaming service where hackers had illegally accessed personal data of 2.2 million users. This incident demonstrates the susceptibility of online audio and video streaming services to privacy breaches.

Privacy protection in Singapore requires the drama to safeguard private data against unauthorized access and use by implementing data privacy laws. However, these laws don’t provide explicit guidelines on private knowledge protection for online audio and video streaming services. Therefore, the local live streaming service providers aren’t bound by these laws to guard the private data of their users. This presents an enormous challenge as users’ private data are susceptible to be accessed and misused by third parties.

Emerging trends in privacy protection for live streaming platforms

Privacy settings on media sharing are the basic feature to maintain privacy protection. It allows users to set the media whether it is publicly accessed, accessed only by friends, or kept as private media. An advanced feature might allow users to limit viewership based on specific criteria, for example age, location, or interest categories. However, it is not effective for the media that has already been shared publicly. The content creators must anticipate and prevent any unwanted access to their media.

Privacy protection has become an important issue in live streaming platforms due to the openness and potential media on the internet. It is not easy to find an appropriate level of privacy protection as the media is public and should be accessed easily at any time if it is shared. And it is not only the audience but also the content creators, celebrities for example, who desire more privacy protection, especially for the media of their ordinary life. Live streaming platforms have to protect privacy from any possibilities: harm or misuse of the media for every kind of user.

Recent articles