
Cyber Safety and Data Protection
Over the last few years we have seen and welcomed the strengthening of provisions for physical and mental health and safety in the film industry. One area that’s still lacking is good mechanisms for ensuring we are safe in the digital world.
Many productions have steered away from hard copy paperwork and embraced digital and online solutions. Gone are the days when crew members, on their first day on the job, had to make their way to the production office and fill out what felt like a phone book-sized stack of forms. Instead, the norm is now usually a link in an email, prompting us to fill out those same forms online. And more recently, of course, we have seen CoViD declaration forms added to that, at times including questions concerning vaccination status but also details about our recent work commitments and movements around the country. Recently this has morphed into a more generic “don’t come to work if you’re unwell!” clause. By and large, the questions asked in those forms and declarations are being asked for good reason, in order to provide the production with the information needed to proceed with a project in a safe, legal and organised manner.
Some people will debate whether or not anyone, let alone a production company, should ask about their vaccination status, or whether we should be vaccinated in the first place. But this is not what this article is about.
Collecting all that information and data digitally is vastly beneficial and superior to maintaining hard copies and paper records – in most cases. The fact that we, for example, distribute call sheets in digital form by email, including having the ability to communicate last minute changes, alone has probably saved a forest the size of a small African country.
However, collecting data and information online, as well as communicating digitally, comes with challenges, liabilities and responsibilities. Those who communicate electronically and collect data, e.g. the production office, and those who consume that communication and provide data, e.g. crew members, clearly benefit from this communication and data collection. But the means of transmitting that data has many pitfalls.
Anyone who is using a “free” email provider such as Gmail should be aware by now that Google, in some form or other, will be listening in, in order to use that info to serve you up some topical advertisement eventually. While that is rather harmless and quite literally the price we pay for using a free online service, it becomes more problematic when we consider what information we share and how, or if at all, it gets protected.
So the pitfalls range from being dished up ads, to uncertainty about which info we share, where it is stored and who has access to it.
Communicating by email using free email services is considered not safe; email traffic is easily spied on. Cloud storage solutions may store sensitive information offshore, i.e. outside the jurisdiction of the NZ legal system. Also, the cloud storage provider may read (and learn from) what is stored on their servers. That same provider may shut up shop any time, simply delete data, or change their terms of service. It is now entirely conceivable that a bored overseas billionaire buys up your email provider and checks on your vaccination status.
On the other hand, we should expect and demand that productions keep our information and (personal) data safe, in the same vein as productions frequently ask us to keep information about them safe – for example by making us sign non-disclosure agreements. In fact, it’s obviously in the production's interest that no information in their context ends up in the wrong hands. It is therefore important that every bit of data and information is treated in the most secure and responsible way – by anyone involved in a project.
The problem is that digital communication and storing data in “the cloud” have become so simple and ubiquitous that we tend to overlook the pitfalls. Providers of what we use as digital communication mechanisms of course make this simple on purpose; it is accessible and usable to the broadest possible user base. For the Googles and Facebooks of this world, this is because we are not their clients but rather their products, which they on-sell to their advertising clients. And while many alternatives to email exist, mostly in the form of messenger apps such as WhatsApp, Signal or WeChat, it is safe to assume that in fact everyone has and uses email, yet only a subset will use any one or more of the messenger apps.
Scenarios
Here are a number of scenarios that are typical of how we share data with productions and where this is problematic.
“Email me your driver’s licence”
Many productions ask me for an image of my driver's licence – presumably so they can see evidence that I am in fact entitled to drive a (company hired) car, but also because this is frequently required by car rental companies as part of their rental agreements. So far so good. The issue is that I’ve sent that image by email, possibly (in fact, frequently) to a production crew member’s private email address.
That bears two risks. First, someone along the way could get hold of an image of my driver’s licence and use it in an unauthorised way, e.g. as the basis to forge a driver's licence, or use it instead of their own licence to hire a car. They could also use it to steal my identity.
Second, my (email) contact details end up in that crew member's account. If their account gets hacked, my details will end up in the wrong hands. I frequently get spam emails from accounts that have either obviously been hacked, or where a hacker has at least worked out that whatever name they use as sender in a phishing email is known to me.
Let me be clear, I am not suggesting that any production crew member has ever abused my email (or driver’s licence). I am merely flagging that risk. Email accounts get hacked, or it could be the next email recipient who pinches my info, or their employer, who knows. The point is that the moment I send my info via any insecure mechanism, I totally lose control over what I have sent.
Of course, I completely understand that for the sake of efficiency I possibly need to accept that risk (If I don’t send that driver’s license, it immediately gets a bit more complicated). But I can ask for that risk to be minimised – more on that later.
Personal details
In the context of the CoViD pandemic, we got used to declaring our vaccination status and have accepted sharing test results, often in connection with our NHI number. Also, questions about known medical issues as well as dietary requirements are now the norm. Again, this is usually done for good reasons so that a production can ensure adequate H&S procedures are in place, and the right food on the lunch table.
The stakes are a bit higher in this scenario; most people would probably object to having their medical issues shared with anyone except those who actually need to know. Our NHI number is another bit of information that could be used to steal one’s identity or that can be used to gain access to our medical records.
This, in turn, opens the door to a bad person using this for extortion or simply to embarrass us. But at the heart of it again is the email traffic should any of that info have been sent via email.
Even if it may have been collected via an online form (such as Google Forms, Airtable or similar), it is still not necessarily secure. As crew members, we normally don’t know who has access to that data in the production office: the producer? Production manager? The office runner..? We don’t know if any of these persons have their access removed once the production is over. Or can the runner in 10 years' time still look up what details I may have provided at the time?
(Fun exercise: check your own Google drive or your Dropbox and look for items that have been shared with you. In my case, I have access to documents that were used for projects many years ago, often with interesting details such as contacts, phone numbers, etc. I also have shared access to files that simply got reused for other projects, not just the ones I was actually involved in. Or check your spam folder to see which past and present crew members have the greatest offer ever available exclusively to you).
We’re feeding information about us to the data giants where it stays forever. I’m sort of okay with Google knowing that I can’t eat macadamia nuts, but I don’t think they need to know if I’m married or not (or to whom), what sort of vaccinations I have, where I’ve been in the last few weeks and for what reason, or what sort of medical issues I might be facing.
Data security
Another aspect of cyber security is that it is not just in a crew member’s interest to have adequate data protection in place, but of course also in the production’s own interest. As mentioned earlier, many productions go to great lengths to at least arrange legal protection of their IP, their relationship to crew, as well as a number of other organisational matters, by making us sign contracts and NDAs. Often we are also reminded that we are not allowed to take pictures to share on social media. In other words, productions are already aware that they need to take active steps to ensure none of their own data and information ends up in the wrong hands, or can be used against them.
Yet contracts and deal memos are also frequently signed or distributed via email and cloud solutions such as Google Drive or Airtable. Over the last few years a number of film-industry-specific solutions have emerged, such as Showtools, Studio Binder or MyDaeS. Other, more department-specific, solutions may exist, but in any case a production would need to be prudent about how the information it stores with an online service is being used and stored. These questions spring to mind:
• Where in the world is the data stored?
• How reliable is that service?
• Does it look like it’s been created last century and hasn’t been updated?
• Is it likely to still exist next month, with the same owner, under the same user agreement?
• What else is the data being used for?
• Is it being analysed for marketing purposes?
• What safety measures are in place?
• What techniques are in place to prevent unauthorised access?
At least one of the film-specific service providers, Moneypenny’s MyDaeS, poses a significant security risk, as it stores user passwords in plain text. If you have ever worked on a production using MyDaeS you will have noticed this when they send you the welcome email: it contains your password in plain text. Requesting a change of password will send you a new one, also in plain text. This means that anyone at Moneypenny who has access to their database will have full, unlimited access to all data stored with them by a production. Since they are sending out passwords in plain text, it would be very easy to gain access to someone else's data. Insecure services like Moneypenny thus have the potential to put a whole production at risk by exposing their and their crew members’ data.
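To make the difference concrete, here is an added example (my own illustration, not code from MyDaeS, Moneypenny or any other product named on this page) of the two ways a service can handle a crew member’s password. The first toy store keeps the password as typed, which is the only way a welcome or reset email can ever contain it; the second keeps a salted scrypt hash, so neither the welcome email nor a database reader can recover it, and a password reset issues a short-lived one-time token instead of a new plaintext password. The scrypt parameters, the 15-minute token lifetime and the store layout are assumptions chosen for the example.

```python
"""Two toy user stores, constructed for illustration (not any vendor's code):
PlaintextStore mirrors the failure described above; HashedStore shows the
standard remedy (salted, memory-hard hash plus one-time reset tokens)."""
import hashlib
import hmac
import os
import secrets
import time


class PlaintextStore:
    """Anti-pattern: whoever can read the table can read every password."""

    def __init__(self):
        self.users = {}  # email -> password, exactly as the user typed it

    def register(self, email, password):
        self.users[email] = password
        # The welcome mail can only contain the password because it was kept.
        return f"Welcome! Your password is: {password}"

    def verify(self, email, password):
        return self.users.get(email) == password


class HashedStore:
    """Remedy: store only a salted hash; the service never holds the password."""

    # scrypt cost parameters (assumed; reasonable for an interactive login)
    N, R, P = 2 ** 14, 8, 1

    def __init__(self):
        self.users = {}         # email -> (salt, digest)
        self.reset_tokens = {}  # sha256(token) -> (email, expiry)

    def _digest(self, password, salt):
        return hashlib.scrypt(password.encode(), salt=salt,
                              n=self.N, r=self.R, p=self.P, dklen=32)

    def register(self, email, password):
        salt = os.urandom(16)
        self.users[email] = (salt, self._digest(password, salt))
        # Nothing secret is available to put in the welcome mail.
        return "Welcome! Sign in with the password you chose."

    def verify(self, email, password):
        rec = self.users.get(email)
        if rec is None:
            # Hash anyway so an unknown account costs the same time as a known one.
            self._digest(password, b"\x00" * 16)
            return False
        salt, digest = rec
        return hmac.compare_digest(digest, self._digest(password, salt))

    def issue_reset_token(self, email, now=None, ttl=900):
        """Return a one-time token to email as a reset link; None if unknown."""
        if email not in self.users:
            return None  # the caller sends the same generic reply either way
        token = secrets.token_urlsafe(32)
        key = hashlib.sha256(token.encode()).hexdigest()  # store only its hash
        now = time.time() if now is None else now
        self.reset_tokens[key] = (email, now + ttl)
        return token

    def reset_password(self, token, new_password, now=None):
        """Consume the token (single use) and set a new hash if not expired."""
        key = hashlib.sha256(token.encode()).hexdigest()
        entry = self.reset_tokens.pop(key, None)
        if entry is None:
            return False
        email, expiry = entry
        now = time.time() if now is None else now
        if now > expiry:
            return False
        salt = os.urandom(16)
        self.users[email] = (salt, self._digest(new_password, salt))
        return True


def what_a_database_reader_sees(store, email):
    """The stored credential as someone with database access would see it."""
    rec = store.users[email]
    return rec if isinstance(rec, str) else rec[1].hex()


if __name__ == "__main__":
    for store in (PlaintextStore(), HashedStore()):
        print(type(store).__name__, "welcome mail:", store.register("crew@example.invalid", "hunter2"))
        print("   database holds:", what_a_database_reader_sees(store, "crew@example.invalid"))
```

The point of the hashed variant is not the particular algorithm but the property: the service can check a password without being able to reproduce it, so neither an email nor a database dump can leak it, and a reset flow that emails a new plaintext password is impossible by construction.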
Making all of a production’s data and communication watertight is not a simple undertaking. Not even the communication between crew members and the production office is easy to rein in. Even if a production company chooses to use their own email server (rather than relying on production crew members’ private email accounts), if I then send the image of my driver’s licence from my own Gmail address, that still gives Google the opportunity to harvest that bit of info about me.
Increase cyber safety
So what can we do? There are, however, a number of steps that can be taken to increase cyber safety and data protection across the board:
Production
• Commit to keeping crew members’ data safe, in a legally, or at least contractually, binding way. This is no more to ask than a production asking a crew member to sign an NDA.
• Consider implementing the role of a data protection manager, who is in charge of all data collected by a production. They would ensure that all data is kept safe and only disseminated where and when it is needed. They would ensure any data goes offline or is deleted when it is no longer needed.
• If a data protection manager is not doable, declare who (by name or crew role) has access to the data a crew member has provided.
• At the end of a job, tie up the loose ends, i.e. delete what’s no longer needed and remove access for those people who no longer require it. And let the crew members know this has happened.
• Consider communicating via channels that a production has control over, such as their own web and email server, based in NZ.
• Consider using NZ based cloud services and web servers with full disclosure over their protection mechanisms.
• Only ask for info that is actually needed.
• Declare why it is needed.
• Don’t ask for information more than once.
• Provide alternative means of collecting information in case a crew member is not comfortable sharing any piece of information or data online. E.g. instead of asking a crew member to upload an image of their passport to an insecure server such as MyDaeS, consider whether the data protection manager can check and confirm that the crew member is legally allowed to work in NZ or entitled to work on a film commission funded project. This could be done without making any hard or soft copies.
• For basic cyber-safety, don’t send any documents in file formats that are known to be attack vectors for spam or phishing, i.e. don’t send .doc or .xls files. When communicating using third-party services such as payroll providers, make sure the correct context is evident, otherwise recipients (or the email provider itself) may class it as spam.
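As an added example of how a production office could enforce the attachment rule above (my own illustration, not code from the page or any of the services it names), the check below goes a little beyond the two extensions mentioned: it refuses the legacy binary Office formats (.doc, .xls, .ppt), the macro-enabled OOXML variants (.docm, .xlsm, .pptm), and, because an extension can be renamed, it also looks at the file content, rejecting anything that is an OLE compound file by its magic bytes or a zip-based Office package that carries a vbaProject.bin. The verdict labels, the lists of extensions and the sample files are constructed for the example.

```python
"""Outgoing-attachment policy check, constructed for illustration.
Verdicts: 'block' (do not send), 'allow' (macro-free or plain format),
'review' (unknown type, a human decides)."""
import io
import os
import zipfile

OLE_MAGIC = bytes.fromhex("D0CF11E0A1B11AE1")  # legacy binary Office container
ZIP_MAGIC = b"PK\x03\x04"                        # OOXML (.docx etc.) is a zip

LEGACY_OFFICE = {".doc", ".xls", ".ppt", ".dot", ".xlt"}
MACRO_OOXML = {".docm", ".xlsm", ".pptm", ".dotm", ".xltm"}
PLAIN_OOXML = {".docx", ".xlsx", ".pptx"}
PLAIN_FORMATS = {".pdf", ".txt", ".csv"}


def classify_attachment(filename, data):
    """Return (verdict, reason) for one attachment, judging name and content."""
    ext = os.path.splitext(filename.lower())[1]
    if ext in LEGACY_OFFICE:
        return "block", f"legacy binary Office format {ext}"
    if ext in MACRO_OOXML:
        return "block", f"macro-enabled Office format {ext}"
    # Content checks catch a renamed file (e.g. report.xls saved as report.pdf).
    if data.startswith(OLE_MAGIC):
        return "block", "content is an OLE compound file regardless of extension"
    if data.startswith(ZIP_MAGIC):
        try:
            names = zipfile.ZipFile(io.BytesIO(data)).namelist()
        except zipfile.BadZipFile:
            return "block", "corrupt zip container"
        if any(n.lower().endswith("vbaproject.bin") for n in names):
            return "block", "Office package contains a VBA project"
    if ext in PLAIN_OOXML or ext in PLAIN_FORMATS:
        return "allow", f"{ext} without macros"
    return "review", f"unrecognised attachment type {ext or '(none)'}"


def build_office_package(with_macro):
    """Constructed minimal OOXML-like zip: enough structure for the check."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("word/document.xml", "<document/>")
        if with_macro:
            z.writestr("word/vbaProject.bin", b"\x00" * 16)
    return buf.getvalue()


def check_outgoing(attachments):
    """Apply the policy to a whole email; returns {filename: verdict}."""
    return {name: classify_attachment(name, data)[0] for name, data in attachments}


if __name__ == "__main__":
    sample = [
        ("callsheet.pdf", b"%PDF-1.4 constructed sample"),
        ("deal_memo.doc", OLE_MAGIC + b"\x00" * 8),
        ("crew_list.pdf", OLE_MAGIC + b"\x00" * 8),      # .xls renamed to .pdf
        ("schedule.docx", build_office_package(False)),
        ("schedule_macros.docx", build_office_package(True)),
        ("notes.unknown", b"whatever"),
    ]
    for name, verdict in check_outgoing(sample).items():
        print(f"{verdict:7} {name}")
```

A content check like this belongs at the point where the production office sends mail (or in the mail gateway), not only in the recipient’s filter: the goal is that a genuine call sheet or deal memo never looks like the phishing emails crew members are already used to deleting.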
Crew
Usually there are few alternatives to sharing some of your data. But if you feel too much is being asked, talk to production to see if they actually need it (I often find that forms are being reused from other projects and ask for details that do not pertain to the job at hand). Let production know that you’re not comfortable sharing some info.
Ask production not to share any of the data you’ve provided for any other purpose. This may be little more than a token gesture, but at least it raises awareness that you take your data seriously.
Rather than sending information by email, consider sharing it via a cloud service you trust, or via a mechanism that’s encrypted, such as most messenger systems. (WhatsApp counts as a safe messaging option as it is encrypted, and there is no evidence so far (as of Feb 2023) that Meta (Facebook's and WhatsApp’s owner) is reading along.)
As a last resort, you could consider providing incomplete information though you have to be aware of the consequences if that could be read as you providing false information which may be in breach of your contractual obligations.