
Reverse engineering surveillance capitalism

By Iain Strutt

About the Author

Iain has been involved in military, police and private security in Australia for over twenty-five years, and has significant supervisory experience as a team leader & manager. As a licensed consultant he has acted for a diverse range of clients in areas such as critical infrastructure, private & state facilities & film & television production. He has a particular interest in building management security systems & their operation, Health, Safety & Environment & cyber security.

The advent of the COVID-19 pandemic has seen many of us working from home for extended periods. A corresponding rise in online fraudulent activity is attributed to the wider use of the internet, and organised crime continues to adapt to these changes. The Australian Competition & Consumer Commission has reported a 55% increase in identity theft on last year’s figures, with criminals targeting superannuation payouts and welfare relief benefits.

Identity theft (IDT) is fraudulent and involves ‘the use of dishonest and deceitful conduct to gain an unjust advantage...it is not specifically defined in legislation.’ IDT can be used to assume an identity with or without the consent of a living person. The stolen identity of a child can be kept for years, to be used when the identity matures. IDT can be used for a practice known as ghosting, whereby a person assumes the identity of a dead person. The methods range from theft and impersonation, to theft and sale, the ‘renting’ of an identity and the deliberate manufacture and sale of high-quality forged documents by organised criminal gangs.

Once a criminal establishes a false ID they can use it to gain advantage by applying for financial services, defrauding superannuation accounts, money laundering and immigration fraud. Phoenixing, which is a more complex form of IDT, is a process to rid companies of their debt and avoid taxes [6,7,8,9,10].

Payment for false identity documents would generally be in cash and difficult to trace. Likewise, transactions are conducted on Deep Web sites which specialise in the sale of high-quality identities. Transactions of this type would usually be conducted in Bitcoin or a similar digital currency. Another untraceable way an identity can be purchased is through the hawala network of Islamic financiers, and it is believed that Islamic terrorists use this system. Money transferred via a hawala banking system is extremely private and is unlikely to be reported or discovered by anyone other than the hawaladar, the transferor and the transferee.

The local market

A fraudulent Medicare card and a driver’s license can be bought relatively cheaply. A set of three (driver’s license, Medicare card plus a phone bill) costs around A$500. These three combined are enough to establish a primary identity. High quality documents such as passports can range from A$1,500 up to A$30,000 for a genuine passport with false biodata details. Secondary identification can be used to verify persons at international borders with no passport, with immediate entry denied until such time as the person’s identity can be positively verified. Supporting secondary documentation would give greater weight to a false identity if supporting a passport.

The hidden nature of offences

The Australian Criminal Intelligence Commission (ACIC) produced intelligence to improve the understanding of business email compromise scams; malware; anonymity features in cryptocurrencies; encryption on the Darknet; and cybercriminal exploitation of government systems. Whilst the ACIC has had success overall, IDT figures are estimates only, due partly to legitimate businesses not wanting to advertise data theft by reporting it to police, as this avoids a loss of confidence in their enterprise. Individuals may not report incidents due to the embarrassment felt over crimes committed in their name. The rate of reporting, when it is combined with the incidence of offences, does not give any more clarity to the issue, as it is not possible to isolate these two features. This leads to a conclusion that the uncertainty in increases is not just increases in reporting. Another factor that was identified was that the courts were either unwilling or not sufficiently equipped to calculate how much has been stolen in largely civil proceedings. Further, prosecutions can only give an indication of part of the picture, and the extent of undetected IDT is still unknown.

The big data problem

The trend for large businesses and corporations to retain data is one area that has not been adequately addressed. Whether it belongs to users or customers, data is retained by businesses and corporations for their own purposes on an industrial scale due to the low cost of collection and storage, and the data farm concept has moved onto public networks, which are being compromised. Any personal data, along with Facebook posts, tweets, app usage, phone records, website visits and licenses, can be stored indefinitely and used for commercial advantage. Such data is acquired, analysed, packaged, sold, further analysed and resold. This data has been labelled ‘data exhaust.’ Presumably, once the data are redefined as waste material, their extraction and eventual monetization are less likely to be contested.

Data collection is now linked to computer networks and systems, and vulnerabilities in data storage now affect computer security. A huge data theft occurred recently due to a combination of ‘hacking, ransomware, remote server access and unauthorised access to email accounts’ with the finance company RI Advice group being held responsible. What this indicates is that holding data for some unspecified marketing purpose can be a liability, and that companies are increasingly responsible for the data they hold, because for a technically proficient criminal, data is a cyber gold mine. Capping the retention time on certain data held by private enterprise would assist in the curbing of IDT. There must be a shift from permanent and perpetual memory to one of being able to be forgotten, to have the ability to erase personal metadata.

Assessment

With the evidence available, the accurate size of the IDT market is still unknown due to its clandestine nature. The methods to acquire, trade, manufacture and use false identification are known. IDT as a crime has increased along with the growth of the Internet and authorities have no real answer to the problem. An accurate assessment is not possible due to several factors, underreporting being one. Cheap data storage and the value that a company gains by using the stored data indefinitely for market research purposes is also a significant factor if compromised. The fraudulent ID market in Australia and its negative flow-on effects are, therefore, likely to continue. To mitigate the threat, the storage of metadata should have a time limit to counter the persistent and increasing threat posed by illicit data mining by criminal organisations. The indications are that IDT will be with us for some time, and the Australian false ID market is, and will continue to be, an income source for organised criminal enterprises into the future.