Friday, December 24, 2021

Your PII at Risk

Hostile Acts in the Data Spheres: The Battles for Your Personally Identifiable Information

Dr. Frank Kardasz, MPA, Ed.D.

Editor: Ava Gozo.

December 24, 2021 (revised September 27, 2022)

The relentless barrage of cybercrimes involving data breaches, doxings, deepfakes, identity thefts, intrusions, and malware is a continuing attack on those trying to preserve their personal information, freedom, and finances. Furthering the misdeeds are leak-prone data storage systems, lawful and unlawful surveillance operations, and ineffective laws. As this generation slowly succumbs to the rise of the data collection machines, the monetization, politicization and weaponization of information is an alarming reality and a wicked menace. This work discusses some of the factors involved in the data battles and concludes with some resources for protection and prevention.


Some Terms of (the Dark) Art

Those new to the data malfeasance underworld may be unfamiliar with some of the commonly used terms. Here are definitions of four: Personally Identifiable Information (PII), Phishing, Doxing, and Deepfakes.

Personally Identifiable Information

Personally Identifiable Information (PII) is information that, when used alone or with other relevant data, can identify an individual (Investopedia, 2021). PII can include date and place of birth, social security number, addresses, account information, maiden name, pet names, schools attended, graduation dates, and other identifiers. PII should be protected and kept confidential, but it is sometimes released and made available to those who would misuse it. One study showed that most consumers simply do not understand just how vulnerable their PII is (PYMNTS, 2018).

Phishing

Phishing is an exploit in which a perpetrator impersonates a legitimate business or reputable person to acquire private and sensitive information, such as credit card numbers, personal identification numbers (PINs) and passwords (Techopedia, 2021).  Phishing techniques are often seen in social media sites where otherwise amiable questions are posed for the purpose of slowly collecting information about the respondent.

Doxing

Doxing is the process of retrieving, hacking, and publishing other people's information such as names, addresses, phone numbers and credit card details. Doxing may be targeted toward a specific person or an organization. There are many reasons for doxing, but one of the most popular is coercion (Techopedia, 2021). Doxing is also used as a threat in ransomware situations, where the attackers threaten to publish the doxed information if the ransom is not paid.

Deepfake

Deepfake, also known as Synthetic Content, is a term for videos and presentations enhanced by artificial intelligence and other modern technology to present falsified results. One of the best examples of deepfakes involves the use of image processing to produce video of celebrities, politicians or others saying or doing things that they never actually said or did (Techopedia, 2021).

Some Users Place Themselves at Risk

In the relentless quest to gain fame, fortune, recognition, votes or clicks, vulnerable victims both young and old strive to become "influencers" and seek to add subscribers via social media. In those attention-seeking and sometimes profit-motivated efforts, victims often expose far too much about themselves, their families and their finances, thus permitting data harvesters to develop targeted exploits. Incidents of sextortion are being reported all across the US.

Depending upon one's geo-political situation, publicizing your personal information and wealth may have other unusual consequences. The New York Times reported that in China, bragging about your wealth may get you censored by the government. The Chinese authorities have declared war on content deemed to be "flaunting wealth" (Wang, 2021).

Unwitting Victims

Others are victimized through no fault of their own. Their PII data finds itself in the wrong place at the wrong time and that data is used in the furtherance of malicious cyber acts.

Synthetic Content, a.k.a. Deepfake

International concern is growing among law enforcement officials about Deepfakes. A 2021 FBI warning bulletin stated that malicious actors can be expected to leverage "synthetic content" (aka Deepfakes) for cyber and foreign influence operations (FBI, 2021).

As reported by the news show 60 Minutes (Whittaker, 2021), the creators of deepfakes have the computer skill and power to make falsified onscreen look-alikes do or say anything. Oft-photographed celebrities and politicians are popular subjects of Deepfakes. But soon, anyone whose image is available in Cyberspace could be deepfaked. Disturbing new computer software applications now exist that undress and "nudify" images by using deep-learning algorithms to remove women's clothes and replace the clothing with nude body parts. The process transforms otherwise benign images into pornography (Cook, 2021).


Data Harvesting Profiteers - Commerce, Capitalism and Profit

In the book, The Age of Surveillance Capitalism, Shoshana Zuboff (2019) discusses the "rogue mutation of capitalism" that resulted in the current commercial surveillance industry. It is an industry that quietly and invisibly collects and harvests data for financial and/or political gain.

According to Edward Snowden, "The invisibility of the data collection makes it so attractive to these companies because if you do not realize that they are collecting this data from you, and it is very private data, there is no way you are going to object to it. What they (the data mining companies) are selling is not information, they are selling our future, they are selling our past, they are selling our history or identity and ultimately stealing our power and making our stories work for them" (2021).

Children's Privacy at Risk

The ByteDance-owned social networking site TikTok is facing a $29 million fine in the UK after it was determined that the company breached child data protection laws for a two-year period (Sawers, 2022).

Weak Efforts to Mitigate Data Collection

Mobile devices and Internet-connected systems are collectors and harvesters of personal data and information. After public pressure and awkward appearances at congressional subcommittee hearings, some data-mining and social networking executives are begrudgingly and slowly making changes. Apple now has added an "Ask App Not To Track" feature, but critics deride it as a smoke-and-mirrors function that permits apps associated with Apple to keep snooping anyway (Fowler, 2021).

Disturbing Anecdotes

Here are just a few troubling examples of the problems that innocent people have encountered through misidentification, identity theft, and harassment.

Cybervigilante Misidentification & Harassment:

In 2017, a Michigan man was misidentified by far-right websites as the driver of the car that plowed into a group of counter-protesters in Charlottesville, Virginia. The innocent man's home address was wrongly publicized, and he and his family were subjected to disturbing incidents of harassment. The family was devastated. Local police were forced to increase patrols at the man's home (Bowden, 2017).

In 2021, amateur online investigators misidentified rioters at the Capitol in Washington DC.  One misidentified man, a retired firefighter, received hateful calls and messages calling him a murderer and a terrorist. Subsequently a police officer was stationed outside his home for safety. Others wrongly associated with the Capitol riot included the actor Chuck Norris and comedian Kevin Seefried. Seefried was wrongly accused because he shares the same name as a man involved in the riot (Kornfield, 2021).

Facial Recognition Software Misidentification:

In 2020, a man was wrongly arrested when Detroit Police mis-matched him to a crime based on a facial recognition software match, but without any other corroborating information about the man's involvement in the crime. The man was arrested in front of his young daughters and suffered embarrassment and wrongful incarceration (Ward, 2020).

Stolen Identity & Data Breaches & Doxing:

In 2011, a California grandmother spent a night in jail after being wrongly arrested for check fraud as the result of her identity being stolen. She lost $20,000 during the fraud and spent another $60,000 trying to prove her innocence (Fender, 2011). The true offender, 54-year-old Andrea Harris-Frazier, was eventually apprehended after victimizing 28 different people and charged with 43 counts of forgery and attempted theft (DataBreaches.net, n.d.).

In 2022, the identity of a gravely disabled Florida man was used by one or more fraudsters to create several fictitious businesses and defraud Medicare of $350,000 in fraudulent loans (Neal, 2022).

In 2020, at least 38 law enforcement officers who responded to riots in Portland, Oregon were doxed. Their personal information is believed to have been released by members of Antifa (Toledo, 2020). After a 2022 shooting, Portland Police refused to release the identity of the officer involved, citing threats in the following statement: "PPB has determined that there are credible security threats to officers involved in recent shootings and therefore, PPB is withholding the name of the involved member during the pendency of the doxing investigation" (Portland Police Bureau, 2022).

In 2022, CISA released a bulletin with the following information about ransomware and the theft and misuse of PII: Over the past several years, the education sector has been a frequent target of ransomware attacks. Impacts from these attacks have ranged from restricted access to networks and data, delayed exams, canceled school days, and unauthorized access to and theft of personal information regarding students and staff. Federal agencies anticipate attacks may increase as the 2022/2023 school year begins and criminal ransomware groups perceive opportunities for successful attacks. School districts with limited cybersecurity capabilities and constrained resources are often the most vulnerable; however, the opportunistic targeting often seen with cyber criminals can still put school districts with robust cybersecurity programs at risk (CISA, 2022).

Laws and Legislative Hearings

Laws and law enforcement officials in the United States are struggling to catch up to the growing calls to protect citizens from cybercrime and unlawful surveillance and data collection. In some cases, operations are believed to be taking place despite the legislative controls that were intended to protect data.

Confused legislators in the US have been questioning laws and the implementations of government surveillance operations. In a review of declassified CIA documents, Senate Intelligence Committee members Ron Wyden and Martin Heinrich said "...what these documents demonstrate is that many of the same concerns that Americans have about their privacy and civil liberties also apply to how the CIA collects and handles information under executive order and outside the FISA law. In particular, these documents reveal serious problems associated with warrantless backdoor searches of Americans, the same issue that has generated bipartisan concern in the FISA context" (Wyden, 2022).

While legislators in Australia recently updated laws to improve oversight in the area of critical infrastructure, the US may be falling behind. Speaking on the OT and IoT Security Podcast, former Assistant US Attorney Jonathan Rusch commented about the state of cybersecurity in the US, and compared the current US laws with prescient legislation in Australia. Rusch said (21:30 min - 23:25 min):

"The situation in the United States is a polar opposite from Australia. Despite multiple administrations in the US government, there is still no consistency of approach, no 'This must be done'. As opposed to; 'it would be really good if everybody would get behind the banner of cyber security and do more things'. My analogy would be for Australians; imagine if you were asked to play in a game of Australian rules football where you have not 7 but 50 or more different umpires, each with a different rule book who can penalize the players who step on to the field for any one of the violations that they see in their rule books; and there has to be no consistency between the rule books; and where the owners of the teams don't even want to shell out enough money to give the players proper footwear. That's the kind of fragmented, disjointed, asymmetrical kind of approach that we have currently in the United States and where P.S., some of our best efforts by law enforcement only come in after the damage has occurred, and then you bring in the investigators to try to find out how the catastrophic event happened."

The Children's Online Privacy Protection Act (COPPA) is one US law that has resulted in some success. In 2021, the US Dept. of Justice announced a civil penalty of $2 million against the advertising platform OpenX Technologies Inc. According to Director Samuel Levine of the FTC, "OpenX secretly collected location data and opened the door to privacy violations on a massive scale, including against children. Digital advertising gatekeepers may operate behind the scenes, but they are not above the law" (DOJ, 2021).

Oklahoma is one US state that recognized and legislated against threats to active and retired law enforcement officers who are targets of doxing. A 2022 Oklahoma Senate bill that would add retired peace officers to the list of persons protected from having their personally identifiable information posted online by those with intent to threaten, intimidate or harass was passed unanimously by the Senate Judiciary Committee. Oklahoma SB1522 is a follow-up to a bill filed last session, which protects law enforcement officers from doxing (McEachern, 2022).

Some Have Surrendered

Sadly, some people have simply surrendered and succumbed to the data mis-appropriators. Broadcaster Leo Laporte, "The Tech Guy", waved the white surrender flag when he said, "Until we get real privacy laws, and companies start adhering to those laws and not finding loopholes; none of which is gonna happen anytime soon, you might as well just assume that if you are on the Internet; Facebook, Google, Apple, they all know what you are doing" (Laporte, 2021).

Surrendering to the data collectors is the path of least resistance, particularly among celebrities who have built careers upon the theory that 'Any publicity (whether good or bad) is good publicity'. Opposing this theory is the tragic litany of public figures whose life or welfare was cut short or endangered by stalkers who pursued and located them based on PII found in cyberspace.

Don't Give Up

Privacy advocate Rob Braxman (2021) said, "The (data privacy) opposition, like Google, is intent upon invading our privacy at every opportunity. We could give up; but I think we should consider this as a game, and if Google, Facebook and Amazon play tricks on us, we are entitled to play tricks on them."

Former law enforcement investigator and privacy advocate Michael Bazzell operates a service that helps victims recover their privacy and take steps toward anonymity. His book, Extreme Privacy (2021), discusses some of his many clients (without naming them), including government employees whose activities or investigations have made them targets of the criminals whom they have encountered.

Protect Yourself and Your Loved Ones: Mitigators and Preventative Measures

Protecting yourself in Cyberspace is a daunting challenge. There is no single foolproof solution. There are only mitigators that can bolster defenses. As the privacy wars continue, we should keep trying, and we should not give up.

Tips and Resources from Experts, Government, and Industry

IntelTechniques - Michael Bazzell

Excellent resources for data removal, credit freezes and other useful products.

🔹 Best Tip: The Data Removal Workbook.

https://inteltechniques.com/links.html

Schneier on Security - Bruce Schneier

Public interest technology blog.

🔹 Best Tip: Use the Signal messaging application for secure communications.

https://www.schneier.com/blog/archives/2017/05/the_us_senate_i.html

Federal Trade Commission (FTC) - Tips

Consumer protection tips regarding children, health, consumers, credit, data and other resources.

🔹 Best Tip: Children's online privacy protection rule: A six-step compliance plan for your business.

https://www.ftc.gov/tips-advice/business-center/privacy-and-security

Electronic Frontier Foundation (EFF) - Privacy Badger

A browser add-on that its developers say stops advertisers and other third-party trackers.

🔹 Best Tip: Install the Privacy Badger and uBlock Origin add-ons in your browser.

https://privacybadger.org/

Electronic Frontier Foundation (EFF) - Third-party tracking

Explanations of the methods and practices used by tech companies to track people.

🔹 Best Tip: Check the permissions of your mobile phone apps and remove unneeded permissions.

https://www.eff.org/wp/behind-the-one-way-mirror

Immigration and Customs Enforcement (ICE), Homeland Security Investigations (HSI) - Tools to keep children safe online

Information about protecting children.

🔹 Best Tip: Make sure privacy settings are set to the strictest level possible for online gaming systems and electronic devices.

https://www.ice.gov/news/releases/ice-hsi-shares-tools-keep-children-safe-online

Cybersecurity & Infrastructure Security Agency (CISA) - Recommendations for protecting information

Fact sheet to address the increase in malicious cyber actors using ransomware.

🔹 Best Tip: Maintain offline, encrypted backups of data and regularly test your backups.

https://www.cisa.gov/sites/default/files/publications/CISA_Fact_Sheet-Protecting_Sensitive_and_Personal_Information_from_Ransomware-Caused_Data_Breaches-508C.pdf

Conclusion

Although the onslaught of cyber-attacks will persist, users must continue the fight to shore up defenses against intrusions. Protecting PII is challenging and time-consuming. There is no single fix that can prevent all of the various types of cybercrimes. The best that one can do is to stay abreast of the current trends and continually implement the preventative measures suggested by IT experts.

References

Bazzell, Michael. (2021). Extreme Privacy: What It Takes to Disappear. ISBN 9798729419395. https://inteltechniques.com/

Bazzell, Michael. (2021). Data Removal Workbook (PDF). https://inteltechniques.com/data/workbook.pdf

Bowden, John. (August 16, 2017). Man misidentified as Charlottesville driver by far-right sites in hiding: report. The Hill. https://thehill.com/homenews/news/346900-man-misidentified-as-charlottesville-driver-by-far-right-sites-in-hiding-report

Braxman, Rob. (November 24, 2021). Google Watches ALL Your Devices! How to Stop It. [Video]. https://www.youtube.com/watch?v=LLfoGAHrlQk

CISA. (September 6, 2022). #StopRansomware: Vice Society. Alert (AA22-249A). National Cyber Awareness System. https://www.cisa.gov/uscert/ncas/alerts/aa22-249a

Cook, Jesselyn. (November 8, 2021). A Powerful New Deepfake Tool Has Digitally Undressed Thousands Of Women. HuffPost. https://www.huffingtonpost.co.uk/entry/deepfake-tool-nudify-women_n_6112d765e4b005ed49053822?ri18n=true

Cybersecurity & Infrastructure Security Agency. (n.d.). Protecting Sensitive and Personal Information from Ransomware-Caused Data Breaches. https://www.cisa.gov/sites/default/files/publications/CISA_Fact_Sheet-Protecting_Sensitive_and_Personal_Information_from_Ransomware-Caused_Data_Breaches-508C.pdf

Cyphers, B. and Gebhart, G. (December 2, 2019). Behind the One-Way Mirror: A Deep Dive Into the Technology of Corporate Surveillance. Electronic Frontier Foundation. https://www.eff.org/wp/behind-the-one-way-mirror#Part4

DataBreaches.net. (February 11, 2020). CO: Woman Accused of Bilking 28 Victims. https://www.databreaches.net/co-woman-accused-of-bilking-28-victims/

DOJ. (December 28, 2021). Advertising Platform OpenX Agrees to Injunctive Relief and $2 Million Payment in Case Alleging Violations of Children's Privacy Law. The United States Department of Justice, Justice News. https://www.justice.gov/opa/pr/advertising-platform-openx-agrees-injunctive-relief-and-2-million-payment-case-alleging

FBI. (March 10, 2021). Malicious Actors Almost Certainly Will Leverage Synthetic Content for Cyber and Foreign Influence Operations. FBI, Dept. of Justice. Private Industry Notification. https://www.ic3.gov/Media/News/2021/210310-2.pdf

Fender, Jessica. (November 12, 2011). Victim of ID theft, once thought a suspect, helps solve her own case. The Denver Post. https://www.denverpost.com/2011/11/12/victim-of-id-theft-once-thought-a-suspect-helps-solve-her-own-case/

Fowler, G.A. and Hunter, T. (September 23, 2021). When you 'Ask app not to track,' some iPhone apps keep snooping anyway. The Washington Post. https://www.washingtonpost.com/technology/2021/09/23/iphone-tracking/

FTC. (n.d.). Children's Online Privacy Protection Rule: A Six-Step Compliance Plan for Your Business. Federal Trade Commission. https://www.ftc.gov/tips-advice/business-center/guidance/childrens-online-privacy-protection-rule-six-step-compliance

Investopedia. (2021). Personally Identifiable Information (PII). https://www.investopedia.com/terms/p/personally-identifiable-information-pii.asp

Kornfield, Meryl. (January 16, 2021). The wrong ID: Retired firefighter, comedian and Chuck Norris falsely accused of being Capitol rioters. The Washington Post. https://www.washingtonpost.com/technology/2021/01/16/sleuths-falsely-identify-rioters/

Laporte, Leo. (December 12, 2021). Podcast: The Tech Guy, Episode 1852 [hour -1:32]. https://twit.tv/shows/the-tech-guy

McEachern, Hunter. (February 9, 2022). Backing the Blue: Bill to protect retired law enforcement from doxing advances. Oklahoma's 4 News. https://kfor.com/news/oklahoma-legislature/backing-the-blue-bill-to-protect-retired-law-enforcement-from-doxing-advances/

Neal, David J. (February 13, 2022). 'He was almost dead.' $350,000 fraud investigation found Miami man, 84, in squalor. Miami Herald. https://www.msn.com/en-us/news/us/e2-80-98he-was-almost-dead-e2-80-99-miami-medicare-fraud-investigation-found-elderly-man-living-in-squalor/ar-AATMlnT

Portland Police Bureau. (July 29, 2022). Information related to Officer-Involved Shooting in SE Portland. https://www.portlandoregon.gov/police/news/read.cfm?id=442429&ec=3&ch=twitter

PYMNTS. (October 18, 2018). First Data: 34 Percent Of PII Has Been Compromised In 2018. Pymnts.com. https://www.pymnts.com/news/security-and-risk/2018/first-data-pii-compromised-cybersecurity/

Rusch, Jonathan. (March 4, 2021). Dissecting the Security Implications of the Australian Critical Infrastructure Act. The OT and IoT Security Podcast. [Audio Podcast]. https://tunein.com/podcasts/Technology-Podcasts/The-OT-and-IoT-Security-Podcast-p1354400/?topicId=161285361

Sawers, Paul. (September 26, 2022). TikTok faces $29M fine in UK for 'failing to protect children's privacy'. TechCrunch. https://techcrunch.com/2022/09/26/tiktok-faces-29m-fine-in-uk-for-failing-to-protect-childrens-privacy/

Schneier, Bruce. (May 17, 2017). The US Senate is Using Signal. Schneier on Security. https://www.schneier.com/blog/archives/2017/05/the_us_senate_i.html

Signal Messaging Application. (n.d.). https://www.signal.org/

Snowden, Edward. (March 11, 2021). "I Remove it Before Using The Phone!" Edward Snowden. BrainStation. [Video]. https://www.youtube.com/watch?v=0dGqR4ue8dg

Techopedia. (2021). Phishing, Doxing, Deepfake. Janalta Interactive. https://www.techopedia.com/definition/4049/phishing, https://www.techopedia.com/definition/29025/doxing, https://www.techopedia.com/definition/33835/deepfake

Toledo, Arsenio. (July 23, 2020). Law Enforcement Officers in Portland Doxed by Antifa. Newswars. https://www.newswars.com/law-enforcement-officers-in-portland-doxed-by-antifa/

Wang, V. and Dong, J. (December 25, 2021). In China, Bragging About Your Wealth Can Get You Censored. New York Times. https://www.nytimes.com/2021/12/25/world/asia/china-money.html

Ward, Jacob. (June 26, 2020). Facial Recognition Software Under Fire After Misidentification Causes Wrongful Arrest | NBC News NOW. [Video]. https://www.youtube.com/watch?v=Bxpx8izG5nA

Whittaker, Bill. (October 10, 2021). Synthetic Media: How deepfakes could soon change our world. CBS News/60 Minutes. https://www.cbsnews.com/news/deepfake-artificial-intelligence-60-minutes-2021-10-10/

Wyden, Ron. (February 10, 2022). Wyden and Heinrich: Newly Declassified Documents Reveal Previously Secret CIA Bulk Collection, Problems With CIA Handling of Americans' Information. Senators Call for Critically Needed Transparency About CIA Bulk Collection; Documents Declassified at Wyden and Heinrich's Request. News Press Release. https://www.wyden.senate.gov/news/press-releases/wyden-and-heinrich-newly-declassified-documents-reveal-previously-secret-cia-bulk-collection-problems-with-cia-handling-of-americans-information

Zuboff, Shoshana. (2019). The Age of Surveillance Capitalism: The Fight for a Human Future at the New Frontier of Power. ISBN-10 1610395697. www.publicaffairsbooks.com
