Showing posts with label PII. Show all posts

Monday, July 07, 2025

Ubiquitous Technical Surveillance & Countermeasures: Existential Threats & Mitigations

Ubiquitous Technical Surveillance (UTS) is the widespread collection and analysis of data from various sources—ranging from visual and electronic devices to financial and travel records—for the purpose of connecting individuals, events, and locations. 

This surveillance poses risks to government operations, business organizations, and individuals alike, threatening to compromise sensitive investigations, personal privacy, and organizational security. The surprising findings of a recent audit of FBI techniques to address UTS further heighten the need for awareness and response to the threats. 

As the sophistication and reach of surveillance technologies continue to grow, understanding the nature of UTS and implementing effective Technical Surveillance Countermeasures (TSCM) is essential for safeguarding sensitive information and ensuring operational integrity. This work explores UTS and TSCM and suggests mitigation strategies to combat the threats.

Overview

Ubiquitous Technical Surveillance (UTS) refers to the pervasive collection and analysis of data, including visual, electronic, financial, travel, and online data, for the purpose of connecting individuals, events, and locations. The significance of the threats is outlined in a recently declassified but heavily redacted DOJ/OIG audit of the FBI's response to UTS (DOJ, 2025). Based on the number of redactions, particularly from the CIA's section of the report, it is reasonable to imagine that many incidents have occurred that have not been reported to the public.

Technical Surveillance Countermeasures (TSCM) refers to specialized procedures and techniques designed to detect, locate, and neutralize unauthorized surveillance devices and eavesdropping threats. TSCM is commonly known as a "bug sweep" or "electronic counter-surveillance" and is used to protect sensitive information from being intercepted by covert listening devices, hidden cameras, or other forms of technical surveillance (REI, 2025), (Conflict International Limited, 2025).

UTS Devices, Data Sources, & Risks

Technical surveillance data collection can occur through a variety of devices and data sources including the following:

UTS is recognized as a significant and growing threat to government, business organizations, and individuals, with the potential to compromise investigations, business operations, and personal safety. When the collected technical surveillance information is in the wrong hands and used for nefarious purposes, harm can result.

UTS Threats

What are the UTS threats?

  • Significance: Described as an “existential threat” by the Central Intelligence Agency (CIA) due to its ability to compromise sensitive operations and personal safety (DOJ, 2025, p.4).

Risks:

  • Compromise of investigations, personnel PII, and sources (DOJ, 2025)
  • Exposure of operational details
  • Threats to personal and organizational security
  • Corporate espionage (Pinkerton, 2022)

Real-World UTS Scenarios

The following incidents are a sample of situations involving UTS.

  • Cartel Tracking via Phones and Cameras: Criminals exploited mobile phone data and city surveillance cameras to track and intimidate law enforcement and informants (DOJ, 2025, p.18).
  • Organized Crime and Phone Records: Crime groups used call logs and online searches to identify informants (DOJ, 2025, p.18).
  • Financial Metadata De-Anonymization: Commercial entities re-identified individuals from anonymized transaction data. Though this data is anonymized, in 2015, researchers from the Massachusetts Institute of Technology found that with the data from just four transactions, they could positively identify the cardholder 90% of the time (DOJ, 2025, p.17).
  • Travel Data Correlation: Adversaries used travel records to reveal covert meetings and operational activities (DOJ, 2025, p.1).
  • Online Activity Analysis: Aggregated web and social media data to build detailed personal profiles (DOJ, 2025, p.1).
  • Visual Surveillance: Use of CCTV and smart devices for real-time tracking and event reconstruction.
  • Electronic Device Tracking: Exploitation of device signals and unique identifiers for location tracking.
  • Combined Data Exploitation: Overlaying multiple data sources to establish “patterns of life.”
  • Commercial Data Brokers: Purchase of large datasets for profiling and targeting.
  • Compromised Communications: Poorly secured communications exposing sensitive activities.

UTS Response: Organizational Challenges - FBI

The FBI identified UTS as an issue impacting the Bureau. However, a recently declassified audit of the FBI's approach to UTS by the Office of Inspector General (OIG) identified several challenges and areas for improvement (DOJ, 2025, p.4).

OIG Audit of the FBI's Efforts (DOJ, 2025)

  • Red Team Analysis: Initial FBI efforts were high-level and did not fully address known vulnerabilities.
  • FBI Strategic Planning: Ongoing development, but lacking clear authority and coordination.
  • Training Gaps: Basic UTS training is mandatory for FBI personnel, but advanced training is limited and optional.
  • Incident Response: FBI data breaches revealed policy gaps and lack of coordinated response.
  • Recommendations: The FBI needs comprehensive vulnerability documentation, strategic planning, clear authority, and expanded training.

Countermeasures & Best Practices

Combating the threats from UTS is a daunting challenge. Several steps can be taken to mitigate the threats.

Scenario-Specific Steps

Suggested General Countermeasures

  • Regular training on digital hygiene and counter-surveillance
  • Encryption of sensitive data and communications
  • Physical security for sensitive locations and devices
  • Vigilance and behavioral adaptation to signs of surveillance
  • Technical Surveillance Countermeasures (REI, 2025), (Conflict International Ltd, 2025), (EyeSpySupply, 2023).

Training & Awareness (DOJ, 2025)

  • Basic UTS Awareness: Should be mandatory for all FBI personnel.
  • Advanced UTS Training: Recommended for high-risk FBI roles; should be expanded and resourced.
  • Continuous Learning: Stay updated on emerging threats and countermeasures.

Incident Response Recommendations from the OIG Audit of the FBI (DOJ, 2025)

  • FBI should establish clear lines of authority for UTS incidents.
  • FBI should develop and rehearse coordinated response plans.
  • FBI should regularly review and update internal controls and policies.

Summary

The growing sophistication and reach of surveillance technologies have made UTS a threat to government operations, business organizations, and individuals. Real-world incidents demonstrate how adversaries exploit mobile phone data, surveillance cameras, financial transactions, and travel records to compromise investigations, expose operational details, and threaten personal and organizational security.

The FBI, recognizing UTS as an existential threat, has faced challenges such as insufficient planning, limited training, and gaps in incident response.

Technical Surveillance Countermeasures (TSCM), including procedures like bug sweeps and electronic counter-surveillance, are tools for detecting and mitigating unauthorized surveillance devices. Best practices for mitigation include regular training, encryption, physical security, and continuous awareness of emerging threats.

Conclusion

The risks posed by UTS are immediate and evolving, with the potential to undermine investigations, compromise privacy, and threaten organizational integrity. Effective countermeasures require a combination of technical solutions, organizational policies, and training. The findings of the OIG audit of the FBI highlight the need for clear authority, coordinated response plans, and regular updates to internal controls. As surveillance technologies continue to advance, adopting a proactive and comprehensive approach to counter-surveillance is important for safeguarding information and maintaining operational security.

References

Conflict International Ltd. (2025, June). Bug Sweeps (TSCM): Protecting Against AirTag Stalking and Modern Surveillance. https://conflictinternational.com/news/bug-sweeps-tscm-protecting-against-airtag-stalking-and-modern-surveillance

DOJ. (2025, June). Audit of the Federal Bureau of Investigation's Efforts to Mitigate the Effects of Ubiquitous Technical Surveillance. Department of Justice, Office of the Inspector General. https://oig.justice.gov/sites/default/files/reports/25-065.pdf

EyeSpySupply. (2023, December). The Importance of TSCM Equipment for Security. Blog. https://blog.eyespysupply.com/2023/12/29/the-importance-of-tscm-equipment-for-security/

Pinkerton. (2022, July). Technical Surveillance Countermeasures to Prevent Corporate Espionage. https://pinkerton.com/our-insights/blog/technical-surveillance-countermeasures-to-prevent-corporate-espionage

REI. (2025). Research Electronics Institute. TSCM Equipment and Training. https://reiusa.net/

Friday, June 27, 2025

Disturbing Revelations - Annual Assessment of the IRS’s Information Technology Program

The Treasury Inspector General for Tax Administration (TIGTA) released its annual assessment of the IRS’s Information Technology (IT) Program for 2024. This review, based on audit reports from TIGTA and the Government Accountability Office (GAO), paints a mixed picture: while progress has been made in some areas, significant vulnerabilities and management failures persist. These issues threaten the security of taxpayer data, the effectiveness of IRS operations, and public trust in the agency.

Summary of Findings

The IRS is a massive and complex organization, collecting $5.1 trillion in federal tax payments and processing 267 million tax returns and forms in FY 2024. Its reliance on computerized systems is absolute, making IT security and modernization paramount. Despite efforts to modernize and secure its systems, the IRS faces mounting challenges due to funding cuts, workforce reductions, and persistent weaknesses in cybersecurity, access controls, and IT asset management.

Audits revealed that while the IRS is making strides in areas like identity proofing for its Direct File pilot and blocking suspicious email websites, it falls short in critical cybersecurity functions, proper management of user access, timely vulnerability remediation, and oversight of cloud services. Insider threats, incomplete audit trails, and inadequate separation of duties further exacerbate the risks.

Some Disturbing Revelations

  • The IRS’s cybersecurity program was rated “not fully effective,” failing in three of five core cybersecurity functions (Identify, Protect, Detect), including shortcomings in system inventories, vulnerability remediation, encryption, and multifactor authentication.
  • 279 former IRS users retained access to sensitive systems for up to 502 days after separation, exposing taxpayer data to unauthorized access and potential misuse.
  • The IRS failed to timely remediate tens of thousands of critical and high-risk vulnerabilities, including 2,048 critical and 13,558 high-risk vulnerabilities in a single security application environment.
  • Personally Identifiable Information (PII) for over 613,000 IRS user authentications was sent to unauthorized locations outside the U.S. due to a vendor’s flaw in the Login.gov system, placing sensitive data at risk.
  • The IRS was unable to locate all cloud services contracts or determine their value for nearly half of its cloud applications, undermining financial oversight and increasing the risk of waste or duplication.
  • 35% of IRS systems required to send audit trails for detecting unauthorized access to PII and Federal Tax Information failed to do so, severely limiting the ability to investigate or detect data breaches.
  • The IRS did not fully comply with federal mandates to block TikTok on government devices, leaving more than 2,800 mobile devices and 900 computers potentially exposed to foreign surveillance risks.
  • Inadequate separation of duties was found in 70% of reviewed cloud systems, with the same individuals controlling multiple key roles, heightening the risk of fraud or error going undetected.
  • The IRS’s data loss prevention controls could be circumvented, allowing users to intentionally exfiltrate sensitive taxpayer data despite existing monitoring tools.
  • Despite identifying 334 legacy systems needing updates or retirement, only 2 had specific decommissioning plans, leaving the IRS reliant on outdated, potentially insecure systems.

The findings underscore the need for the IRS to address IT security and management deficiencies. Without corrective action, the agency remains vulnerable to internal and external threats, risking taxpayer privacy, financial integrity, and the effective administration of the nation’s tax system.

Read the full report at this link: https://www.tigta.gov/sites/default/files/reports/2025-06/20252S0007fr.pdf

Thursday, June 12, 2025

Disturbing Spying Revelations: Meta/Facebook/Instagram & Yandex

Overview:

The web page https://localmess.github.io/ discloses a previously undocumented and highly invasive tracking technique used by Meta (Facebook/Instagram) and Yandex that affected billions of Android users. Researchers [4] discovered that this method covertly linked users' mobile web browsing sessions to their identities in native apps, bypassing standard privacy protections. 

The practice was active until early June 2025, when both Meta and Yandex, after being caught with their hands in the proverbial PII cookie-jar, ceased these behaviors following public disclosure [1][2][3].

Key Findings

1. Covert Web-to-App Tracking via Localhost on Android

  • Meta and Yandex embedded scripts (Meta Pixel and Yandex Metrica) on millions of websites.
  • When a user visited such a site in a mobile browser on Android, the script would communicate directly with native apps (like Facebook, Instagram, or Yandex Maps) installed on the same device.
  • This communication happened via localhost sockets—special network ports on the device that allow apps to talk to each other without user knowledge or consent [1][3].

2. How the Tracking Worked

  • Meta Pixel:
      ◦ The Meta Pixel JavaScript sent the browser’s _fbp cookie (used for advertising and analytics) to Meta apps via WebRTC (using STUN/TURN protocols) on specific UDP ports (12580–12585).
      ◦ Native Facebook and Instagram apps listened on these ports in the background, received the _fbp value, and linked it to the user’s app identity, effectively de-anonymizing web visits [1][3].
      ◦ This bypassed protections like cookie clearing, incognito mode, and Android permission controls.
  • Yandex Metrica:
      ◦ Yandex’s script sent HTTP/HTTPS requests with tracking data to localhost ports (29009, 29010, 30102, 30103), where Yandex apps listened.
      ◦ The apps responded with device identifiers (e.g., Android Advertising ID), which the script then sent to Yandex servers, bridging web and app identities [1].

3. Privacy and Security Implications

  • This method allowed companies to:
      ◦ Circumvent privacy mechanisms such as incognito mode, cookie deletion, and even Android’s app sandboxing.
      ◦ Link browsing habits and cookies with persistent app/user identifiers, creating a cross-context profile of the user.
      ◦ Potentially expose browsing history to any third-party app that listened on those ports, raising the risk of malicious exploitation [1][3].

4. Prevalence

  • Meta Pixel was found on over 5.8 million websites; Yandex Metrica on nearly 3 million.
  • In crawling studies, thousands of top-ranked sites were observed attempting localhost communications, often before users had given consent to tracking cookies [1].

5. Timeline and Disclosure

  • Yandex has used this technique since 2017; Meta adopted similar methods in late 2024.
  • Following responsible disclosure to browser vendors and public reporting in June 2025, both companies stopped the practice. Major browsers (Chrome, Firefox, DuckDuckGo, Brave) have since implemented or are developing mitigations to block such localhost abuse [1][3].

Technical Details

| Aspect | Meta/Facebook Pixel | Yandex Metrica |
| --- | --- | --- |
| Communication Method | WebRTC STUN/TURN to UDP ports (12580–12585) | HTTP/HTTPS requests to TCP ports (29009, etc.) |
| Data Shared | _fbp cookie, browser metadata, page URLs | Device IDs (AAID), browser metadata |
| Apps Involved | Facebook, Instagram | Yandex Maps, Browser, Navigator, etc. |
| User Awareness | None; bypassed consent and privacy controls | None; bypassed consent and privacy controls |
| Platform Affected | Android only (no evidence for iOS or desktop) | Android only (no evidence for iOS or desktop) |
| Risk of Abuse | High: enables de-anonymization, history leakage | High: enables de-anonymization, history leakage |
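A defender-side check for the localhost listeners described above, as an added example (not code from the original post or from the researchers): it parses socket tables in the Linux /proc/net/tcp and /proc/net/udp text format and reports sockets on the ports named in this write-up that are reachable over localhost. The sample tables and UIDs are constructed, and it is an assumption that such tables can be captured from the test device being examined.

```python
import ipaddress
import struct

# Port numbers as reported in the write-up above.
META_UDP_PORTS = set(range(12580, 12586))        # 12580-12585, WebRTC STUN/TURN
YANDEX_TCP_PORTS = {29009, 29010, 30102, 30103}  # HTTP/HTTPS

TCP_LISTEN = 0x0A  # "st" value of a listening TCP socket
UDP_BOUND = 0x07   # "st" value of a bound, unconnected UDP socket


def decode_addr(hex_addr):
    """Turn the kernel's hex address into an ipaddress object.

    Each 32-bit word is printed in host byte order; little-endian is
    assumed here (ARM and x86 devices).
    """
    words = [hex_addr[i:i + 8] for i in range(0, len(hex_addr), 8)]
    raw = b"".join(struct.pack("<I", int(w, 16)) for w in words)
    addr = ipaddress.ip_address(raw)
    # Dual-stack sockets appear as ::ffff:a.b.c.d in the tcp6/udp6 tables.
    return getattr(addr, "ipv4_mapped", None) or addr


def parse_table(text, proto):
    """Parse one /proc/net/{tcp,udp,tcp6,udp6} table into row dicts."""
    rows = []
    for line in text.splitlines():
        f = line.split()
        if len(f) < 8 or not f[0].endswith(":"):
            continue  # header or truncated line
        try:
            host, port = f[1].split(":")
            rows.append({"proto": proto, "addr": decode_addr(host),
                         "port": int(port, 16), "state": int(f[3], 16),
                         "uid": int(f[7])})
        except ValueError:
            continue  # malformed row, skip rather than abort the audit
    return rows


def find_tracking_listeners(tcp_text="", udp_text=""):
    """Return (proto, port, uid, family) for sockets a web page could reach
    on 127.0.0.1 at the ports this write-up attributes to each tracker."""
    hits = []
    for row in parse_table(tcp_text, "tcp") + parse_table(udp_text, "udp"):
        if row["proto"] == "tcp":
            ports, state, family = YANDEX_TCP_PORTS, TCP_LISTEN, "Yandex Metrica"
        else:
            ports, state, family = META_UDP_PORTS, UDP_BOUND, "Meta Pixel"
        if row["port"] not in ports or row["state"] != state:
            continue
        # Only loopback or wildcard binds are reachable via localhost.
        if not (row["addr"].is_loopback or row["addr"].is_unspecified):
            continue
        hits.append((row["proto"], row["port"], row["uid"], family))
    return sorted(hits)


# Constructed sample tables (not captured from a real device).
SAMPLE_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 0100007F:7151 00000000:0000 0A 00000000:00000000 00:00000000 00000000 10234        0 41001
   1: 00000000:1F90 00000000:0000 0A 00000000:00000000 00:00000000 00000000 10111        0 41002
   2: 0100007F:7152 0100007F:C3A0 01 00000000:00000000 00:00000000 00000000 10234        0 41003
   3: 0F02000A:7596 00000000:0000 0A 00000000:00000000 00:00000000 00000000 10300        0 41004
"""
SAMPLE_UDP = """\
   sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   10: 00000000:3124 00000000:0000 07 00000000:00000000 00:00000000 00000000 10187        0 42001
   11: 0100007F:14E9 00000000:0000 07 00000000:00000000 00:00000000 00000000  1020        0 42002
   12: 0100007F:3129 0100007F:D431 01 00000000:00000000 00:00000000 00000000 10187        0 42003
"""

if __name__ == "__main__":
    for proto, port, uid, family in find_tracking_listeners(SAMPLE_TCP, SAMPLE_UDP):
        print(f"{proto}/{port} held by uid {uid}: port associated with {family}")
```

A hit only means that some app holds one of these ports; the uid column identifies which app owns the socket and is the starting point for review.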

Broader Implications

  • Bypassing Privacy Controls: This method undermined the effectiveness of cookie controls, incognito/private browsing, and Android’s app isolation, showing that even sophisticated privacy tools can be circumvented by creative inter-app communications [1][3].
  • Need for Platform-Level Fixes: Browser and OS vendors are now patching this specific exploit, but the underlying issue—unrestricted localhost socket access—remains a systemic risk on Android. The researchers call for stricter platform policies and user-facing controls for localhost access [1].
  • User and Developer Awareness: Most website owners were unaware their sites enabled this tracking. End-users had no indication or control over the process. The lack of transparency and documentation from Meta and Yandex is highlighted as a major concern [1].

Conclusion

The research revealed a disturbing tracking vector that allowed Meta and Yandex to link users’ web and app identities on Android at a massive scale, defeating standard privacy safeguards. The disclosure led to rapid mitigation, but the incident underscores the need for deeper systemic changes in how browsers and mobile platforms handle inter-app communications and tracking[1][2][3]. “This tracking method defeats Android's inter-process isolation and tracking protections based on partitioning, sandboxing, or clearing client-side state.”[1]

1. https://localmess.github.io
2. https://www.grc.com/sn/sn-1029-notes.pdf
3. https://gigazine.net/gsc_news/en/20250604-meta-yandex-tracking/
4. Researchers & Authors of the localmess github page: Aniketh Girish (PhD student), Gunes Acar (Assistant Professor), Narseo Vallina-Rodriguez (Associate Professor), Nipuna Weerasekara (PhD student), Tim Vlummens (PhD student).

Note: Perplexity.AI was used to assist in preparing this report.

Saturday, July 22, 2023

Video/Lecture: Privacy and the Internet

Short lecture about privacy and the Internet.

Editor: Ava Gozo.

Kardasz, F. (July 2023). Privacy and the Internet. [Video]. https://youtu.be/kR7EYoAZGFA

Friday, December 24, 2021

Your PII at Risk

Hostile Acts in the Data Spheres: The Battles for Your Personally Identifiable Information

Dr. Frank Kardasz, MPA, Ed.D.

Editor: Ava Gozo.

December 24, 2021 (revised September 27, 2022)

The relentless barrage of cybercrimes involving data breaches, doxings, deepfakes, identity thefts, intrusions, and malware is a continuing attack on those trying to preserve personal information, freedom, and finances. Furthering the misdeeds are leak-prone data storage systems, lawful and unlawful surveillance operations, and ineffective laws. As this generation slowly succumbs to the rise of the data collection machines, the monetization, politicization, and weaponization of information is an alarming reality and a wicked menace. This work discusses some of the factors involved in the data battles and concludes with some resources for protection and prevention.

Scam Alert

Some Terms of (the Dark) Art

Those new to the data malfeasance underworld may be unfamiliar with some of the commonly used terms. Here are definitions of four: Personally Identifiable Information (PII), Phishing, Doxing, and Deepfakes.

Personally Identifiable Information

Personally Identifiable Information (PII) is information that, when used alone or with other relevant data, can identify an individual (Investopedia, 2021). PII can include date and place of birth, social security number, addresses, account information, maiden name, pet names, schools attended, graduation dates, and other identifiers. PII should be protected and kept confidential, but it is sometimes released and made available to those who would misuse it. One study showed that most consumers simply do not understand just how vulnerable their PII is (PYMNTS, 2018).

Phishing


Phishing is an exploit in which a perpetrator impersonates a legitimate business or reputable person to acquire private and sensitive information, such as credit card numbers, personal identification numbers (PINs) and passwords (Techopedia, 2021).  Phishing techniques are often seen in social media sites where otherwise amiable questions are posed for the purpose of slowly collecting information about the respondent.

Doxing

Doxing is the process of retrieving, hacking, and publishing other people’s information such as names, addresses, phone numbers and credit card details. Doxing may be targeted toward a specific person or an organization. There are many reasons for doxing, but one of the most popular is coercion (Techopedia, 2021). Doxing is also used in ransomware situations, where the attackers threaten to publish doxed information if the ransom is not paid.

Deepfake

Deepfake, also known as Synthetic Content, is a term for videos and presentations enhanced by artificial intelligence and other modern technology to present falsified results. One of the best examples of deepfakes involves the use of image processing to produce video of celebrities, politicians or others saying or doing things that they never actually said or did (Techopedia, 2021).

Some Users Place Themselves at Risk

In the relentless quest to gain fame, fortune, recognition, votes, or clicks, vulnerable victims young and old strive to become "influencers" and seek to add subscribers via social media. In those attention-seeking, sometimes profit-motivated efforts, victims often expose far too much about themselves, their families, and their finances, permitting data harvesters to develop targeted exploits. Incidents of sextortion are being reported all across the US.

Preventing Sextortion

Depending upon one's geopolitical situation, publicizing your personal information and wealth may have other unusual consequences. The New York Times reported that in China, bragging about your wealth may get you censored by the government. The Chinese authorities have declared war on content deemed to be "flaunting wealth" (Wang, 2021).

Unwitting Victims

Others are victimized through no fault of their own. Their PII data finds itself in the wrong place at the wrong time and that data is used in the furtherance of malicious cyber acts.

Synthetic Content, a.k.a. Deepfake

International concern is growing among law enforcement officials about Deepfakes. A 2021 FBI warning bulletin stated that malicious actors can be expected to leverage "synthetic content" (aka Deepfakes) for cyber and foreign influence operations.

 

As reported by the news show 60 Minutes (Whittaker, 2021), the creators of deepfakes have the computer skill and power to make falsified onscreen look-alikes do or say anything. Oft-photographed celebrities and politicians are popular subjects of deepfakes. But soon, anyone whose image is available in cyberspace could be deepfaked. Disturbing new computer software applications now exist that undress and "nudify" images by using deep-learning algorithms to remove women's clothes and replace the clothing with nude body parts. The process transforms otherwise benign images into pornography (Cook, 2021).

Data Harvesting Profiteers - Commerce, Capitalism and Profit

In the book, The Age of Surveillance Capitalism, Shoshana Zuboff (2019) discusses the "rogue mutation of capitalism" that resulted in the current commercial surveillance industry.  It is an industry that quietly and invisibly collects and harvests data for financial and/or political gain.

 

According to Edward Snowden, "The invisibility of the data collection makes it so attractive to these companies because if you do not realize that they are collecting this data from you, and it is very private data, there is no way you are going to object to it. What they (the data mining companies) are selling is not information, they are selling our future, they are selling our past, they are selling our history or identity and ultimately stealing our power and making our stories work for them" (2021).

Children's Privacy at Risk

The ByteDance-owned social networking site TikTok is facing a $29 million fine in the UK after it was determined that the company breached child data protection laws for a two-year period (Sawers, 2022).

Mobile devices are data collectors

Weak Efforts to Mitigate Data Collection

Mobile devices and Internet-connected systems are collectors and harvesters of personal data and information. After public pressure and awkward appearances at congressional subcommittee hearings, some data-mining and social networking executives are begrudgingly and slowly making changes. Apple now has added an "Ask App Not To Track" feature, but critics deride it as a smoke-and-mirrors function that permits apps associated with Apple to keep snooping anyway (Fowler, 2021).

Disturbing Anecdotes

Here are just a few troubling examples of the problems that innocent people have encountered through misidentification, identity theft, and harassment.

Cybervigilante Misidentification & Harassment:

In 2017, a Michigan man was misidentified by far-right websites as the driver of the car that plowed into a group of counter protesters in Charlottesville, Virginia. The innocent man's home address was wrongly publicized, and he and his family were subjected to disturbing incidents of harassment. The family was devastated. Local police were forced to increase patrols at the man's home (Bowden, 2017).

In 2021, amateur online investigators misidentified rioters at the Capitol in Washington DC.  One misidentified man, a retired firefighter, received hateful calls and messages calling him a murderer and a terrorist. Subsequently a police officer was stationed outside his home for safety. Others wrongly associated with the Capitol riot included the actor Chuck Norris and comedian Kevin Seefried. Seefried was wrongly accused because he shares the same name as a man involved in the riot (Kornfield, 2021).

Facial Recognition Software Misidentification:

In 2020, a man was wrongly arrested when Detroit Police mismatched him to a crime based on a facial recognition software match, without any other corroborating information about the man’s involvement in the crime. The man was arrested in front of his young daughters and suffered embarrassment and wrongful incarceration (Ward, 2020).

Stolen Identity & Data Breaches & Doxing:

In 2011, a California grandmother spent a night in jail after being wrongly arrested for check fraud as the result of her identity being stolen. She lost $20,000 during the fraud and spent another $60,000 trying to prove her innocence (Fender, 2011). The true offender, 54-year-old Andrea Harris-Frazier, was eventually apprehended after victimizing 28 different people and charged with 43 counts of forgery and attempted theft (DataBreaches.net, n.d.).

In 2022, the identity of a gravely disabled Florida man was used by one or more fraudsters to create several fictitious businesses and defraud Medicare of $350,000 in fraudulent loans (Neal, 2022).

 

In 2020, at least 38 law enforcement officers who responded to riots in Portland, Oregon were doxed. Their personal information is believed to have been released by members of Antifa (Toledo, 2020). After a 2022 shooting, Portland Police refused to release the identity of the officer involved, citing threats in the following statement: "PPB has determined that there are credible security threats to officers involved in recent shootings and therefore, PPB is withholding the name of the involved member during the pendency of the doxing investigation" (Portland Police Bureau, 2022).

 

In 2022, CISA released a bulletin with the following information about Ransomware and the theft and misuse of PII. Over the past several years, the education sector has been a frequent target of ransomware attacks. Impacts from these attacks have ranged from restricted access to networks and data, delayed exams, canceled school days, and unauthorized access to and theft of personal information regarding students and staff. Federal agencies anticipate attacks may increase as the 2022/2023 school year begins and criminal ransomware groups perceive opportunities for successful attacks. School districts with limited cybersecurity capabilities and constrained resources are often the most vulnerable; however, the opportunistic targeting often seen with cyber criminals can still put school districts with robust cybersecurity programs at risk (CISA, 2022).

Laws and Legislative Hearings

Laws and law enforcement officials in the United States are struggling to catch up to the growing calls to protect citizens from cybercrime and unlawful surveillance and data collection. In some cases, operations are believed to be taking place despite the legislative controls that were intended to protect data.

 

Confused legislators in the US have been questioning laws and the implementations of government surveillance operations. In a review of declassified CIA documents, Senate Intelligence Committee members Ron Wyden and Martin Heinrich said “...what these documents demonstrate is that many of the same concerns that Americans have about their privacy and civil liberties also apply to how the CIA collects and handles information under executive order and outside the FISA law.  In particular, these documents reveal serious problems associated with warrantless backdoor searches of Americans, the same issue that has generated bipartisan concern in the FISA context” (Wyden, 2022).

 

While legislators in Australia recently updated laws to improve oversight in the area of critical infrastructure, the US may be falling behind. Speaking on the OT and IoT Security Podcast, former Assistant US Attorney Jonathan Rusch commented about the state of Cybersecurity in the US, and compared the current US laws with prescient legislation in Australia.  Rusch said (21:30 min - 23:25 min):

 

"The situation in the United States is a polar opposite from Australia.  Despite multiple administrations in the US government, there is still no consistency of approach, no "This must be done".  As opposed to; "it would be really good If everybody would get behind the banner of cyber security and do more things".  My analogy would be for Australians; imagine if you were asked to play in a game of Australian rules football where you have not 7 but 50 or more different umpires, each with a different rule book who can penalize the players who step on to the field for any one of the violations that they see in their rule books; and there has to be no consistency between the rule books; and where the owners of the teams don't even want to shell out enough money to give the players proper footwear. That's the kind of fragmented, disjointed, asymmetrical kind of approach that we have currently in the United States and where P.S., some of our best efforts by law enforcement only come in after the damage has occurred, and then you bring in the investigators to try to find out how the catastrophic event happened."

 

The Children's Online Privacy Protection Act (COPPA) is one US law that has resulted in some success. In 2021, the US Dept. of Justice announced a civil penalty of $2 million against the advertising platform OpenX Technologies Inc. According to Director Samuel Levine of the FTC, “OpenX secretly collected location data and opened the door to privacy violations on a massive scale, including against children. Digital advertising gatekeepers may operate behind the scenes, but they are not above the law" (DOJ, 2021).

 

Oklahoma is one US state that has recognized and legislated against threats to active and retired law enforcement officers who are targets of doxing. A 2022 Oklahoma Senate bill that would add retired peace officers to the list of entities protected from having their personally identifiable information posted online by those with intent to threaten, intimidate or harass was passed unanimously by the Senate Judiciary Committee. Oklahoma SB1522 is a follow-up to a bill filed in the previous session, which protects law enforcement officers from doxing (McEachern, 2022).

Some Have Surrendered

Sadly, some people have simply surrendered and succumbed to the data mis-appropriators. Broadcaster Leo Laporte, "The Tech Guy," waved the white surrender flag when he said, "Until we get real privacy laws, and companies start adhering to those laws and not finding loopholes; none of which is gonna happen anytime soon, you might as well just assume that if you are on the Internet; Facebook, Google, Apple, they all know what you are doing" (Laporte, 2021).

 

Surrendering to the data collectors is the path of least resistance, particularly among celebrities who have built careers upon the theory that 'Any publicity (whether good or bad) is good publicity'. Opposing this theory is the tragic litany of public figures whose life or welfare was cut short or endangered by stalkers who pursued and located them based on PII found in cyberspace.

Don't Give Up

Privacy advocate Rob Braxman (2021) said, "The (data privacy) opposition, like Google, is intent upon invading our privacy at every opportunity. We could give up; but I think we should consider this as a game, and if Google, Facebook and Amazon play tricks on us, we are entitled to play tricks on them."

 

Former law enforcement investigator and privacy advocate Michael Bazzell operates a service that helps victims recover their privacy and take steps toward anonymity. His book, Extreme Privacy (2021), discusses some of his many clients (without naming them), including government employees whose activities or investigations have made them targets of the criminals they have encountered.

Protect Yourself and Your Loved Ones: Mitigators and Preventative Measures

Protecting yourself in Cyberspace is a daunting challenge. There is no single foolproof solution. There are only mitigators that can bolster defenses. As the privacy wars continue, we should keep trying, and we should not give up.

Advice
Tips and Resources from Experts, Government, and Industry

IntelTechniques - Michael Bazzell

Excellent resources for data removal, credit freeze and other useful products.

🔹 Best Tip: The Data Removal Workbook.

https://inteltechniques.com/links.html

Schneier on Security  - Bruce Schneier

Public interest technology Blog.
🔹 Best Tip: Use the Signal Messaging Application for secure communications.
https://www.schneier.com/blog/archives/2017/05/the_us_senate_i.html

Federal Trade Commission (FTC) - Tips

Consumer protection tips regarding children, health, consumers, credit, data and other resources.

🔹 Best Tip: Children's online privacy protection rule: A six-step compliance plan for your business. 

https://www.ftc.gov/tips-advice/business-center/privacy-and-security

Electronic Frontier Foundation (EFF) - Privacy Badger

A browser add-on that developers say stops advertisers and other third-party trackers.

🔹 Best Tip: Install the Privacy Badger and uBlock Origin add-ons in your browser.

https://privacybadger.org/

Electronic Frontier Foundation (EFF) - Third party tracking

Explanations of methods and practices used by tech companies to track people.

🔹 Best Tip: Check the permissions on your mobile phone apps and remove unneeded permissions.

https://www.eff.org/wp/behind-the-one-way-mirror

Immigration and Customs Enforcement (ICE), Homeland Security Investigations (HSI) - Tools to keep children safe online

Information about protecting children.

🔹 Best Tip: Make sure privacy settings are set to the strictest level possible for online gaming systems and electronic devices.

https://www.ice.gov/news/releases/ice-hsi-shares-tools-keep-children-safe-online

Cybersecurity & Infrastructure Security Agency (CISA) - Recommendations for protecting information.

Fact sheet to address the increase in malicious cyber actors using ransomware.

🔹 Best Tip: Maintain offline, encrypted backups of data and regularly test your backups.

https://www.cisa.gov/sites/default/files/publications/CISA_Fact_Sheet-Protecting_Sensitive_and_Personal_Information_from_Ransomware-Caused_Data_Breaches-508C.pdf

Conclusion

Although the onslaught of cyber-attacks will persist, users must continue the fight to shore up defenses against intrusions. Protecting PII is challenging and time-consuming. There is no single fix that can prevent all of the various types of cybercrimes. The best that one can do is to stay abreast of the current trends and continually implement the preventative measures suggested by IT experts.

References

Bazzell, Michael. (2021). Extreme Privacy: What it takes to Disappear. ISBN 9798729419395. https://inteltechniques.com/

 

Bazzell, Michael. (2021). Data Removal Workbook (PDF). https://inteltechniques.com/data/workbook.pdf

 

Bowden, John. (August 16, 2017). Man misidentified as Charlottesville driver by far-right sites in hiding: report. The Hill. https://thehill.com/homenews/news/346900-man-misidentified-as-charlottesville-driver-by-far-right-sites-in-hiding-report

 

Braxman, Rob. (November 24, 2021). Google Watches ALL Your Devices! How to Stop It. [Video]. https://www.youtube.com/watch?v=LLfoGAHrlQk

 

CISA. (September 6, 2022). #StopRansomware: Vice Society. Alert (AA22-249A). National Cyber Awareness System. https://www.cisa.gov/uscert/ncas/alerts/aa22-249a

 

Cook, Jesselyn. (November 8, 2021). A Powerful New Deepfake Tool Has Digitally Undressed Thousands Of Women. HuffPost. https://www.huffingtonpost.co.uk/entry/deepfake-tool-nudify-women_n_6112d765e4b005ed49053822?ri18n=true

 

Cybersecurity & Infrastructure Security Agency. (n.d.). Protecting Sensitive and Personal Information from Ransomware-Caused Data Breaches. https://www.cisa.gov/sites/default/files/publications/CISA_Fact_Sheet-Protecting_Sensitive_and_Personal_Information_from_Ransomware-Caused_Data_Breaches-508C.pdf

 

Cyphers, B. and Gebhart, G. (December 2, 2019). Behind the One-Way Mirror: A Deep Dive Into the Technology of Corporate Surveillance. Electronic Frontier Foundation. https://www.eff.org/wp/behind-the-one-way-mirror#Part4

 

DataBreaches.net. (February 11, 2020). CO: Woman Accused of Bilking 28 victims. https://www.databreaches.net/co-woman-accused-of-bilking-28-victims/ 

DOJ. (December 28, 2021). Advertising Platform OpenX Agrees to Injunctive Relief and $2 Million Payment in Case Alleging Violations of Children’s Privacy Law. The United States Department of Justice, Justice News. https://www.justice.gov/opa/pr/advertising-platform-openx-agrees-injunctive-relief-and-2-million-payment-case-alleging 

FBI. (March 10, 2021). Malicious Actors Almost Certainly Will Leverage Synthetic Content for Cyber and Foreign Influence Operations. FBI, Dept. of Justice. Private Industry Notification. https://www.ic3.gov/Media/News/2021/210310-2.pdf

Fender, Jessica. (November 12, 2011). Victim of ID theft, once thought a suspect, helps solve her own case. The Denver Post. https://www.denverpost.com/2011/11/12/victim-of-id-theft-once-thought-a-suspect-helps-solve-her-own-case/

 

Fowler, G.A., and Hunter, T. (September 23, 2021). When you ‘Ask app not to track,’ some iPhone apps keep snooping anyway. The Washington Post. https://www.washingtonpost.com/technology/2021/09/23/iphone-tracking/

 

FTC. (n.d.). Children’s Online Privacy Protection Rule: A Six-Step Compliance Plan for Your Business. Federal Trade Commission. https://www.ftc.gov/tips-advice/business-center/guidance/childrens-online-privacy-protection-rule-six-step-compliance

 

Investopedia. (2021). Personally Identifiable Information. (PII). https://www.investopedia.com/terms/p/personally-identifiable-information-pii.asp

 

Kornfield, Meryl. (January 16, 2021). The wrong ID: Retired firefighter, comedian and Chuck Norris falsely accused of being Capitol rioters. The Washington Post. https://www.washingtonpost.com/technology/2021/01/16/sleuths-falsely-identify-rioters/

 

Laporte, Leo. (December 12, 2021). Podcast: The Tech Guy, Episode 1852, [hour -1:32]. https://twit.tv/shows/the-tech-guy. 

 

McEachern, Hunter. (February 9, 2022). Backing the Blue: Bill to protect retired law enforcement from doxing advances. Oklahoma's 4 News. https://kfor.com/news/oklahoma-legislature/backing-the-blue-bill-to-protect-retired-law-enforcement-from-doxing-advances/

 

Neal, David. J. (February 13, 2022). ‘He was almost dead.’ $350,000 fraud investigation found Miami man, 84, in squalor. Miami Herald. https://www.msn.com/en-us/news/us/e2-80-98he-was-almost-dead-e2-80-99-miami-medicare-fraud-investigation-found-elderly-man-living-in-squalor/ar-AATMlnT

 

Portland Police Bureau. (July 29, 2022). Information related to Officer-Involved Shooting in SE Portland. https://www.portlandoregon.gov/police/news/read.cfm?id=442429&ec=3&ch=twitter

 

PYMNTS. (October 18, 2018). First Data: 34 Percent Of PII Has Been Compromised In 2018. Pymnts.com. https://www.pymnts.com/news/security-and-risk/2018/first-data-pii-compromised-cybersecurity/

 

Rusch, Jonathan. (March 4, 2021). Dissecting the Security Implications of the Australian Critical Infrastructure Act. The OT and IoT Security Podcast. [Audio Podcast]. https://tunein.com/podcasts/Technology-Podcasts/The-OT-and-IoT-Security-Podcast-p1354400/?topicId=161285361 

 

Sawyers, Paul. (September 26, 2022). TikTok faces $29M fine in UK for ‘failing to protect children’s privacy’. https://techcrunch.com/2022/09/26/tiktok-faces-29m-fine-in-uk-for-failing-to-protect-childrens-privacy/

 

Schneier, Bruce. (May 17, 2017). The US Senate is Using Signal. Schneier on Security. https://www.schneier.com/blog/archives/2017/05/the_us_senate_i.html

 

Signal Messaging Application.  (n.d.). https://www.signal.org/ 

 

Snowden, Edward. (March 11, 2021). "I Remove it Before Using The Phone!" Edward Snowden. BrainStation. [Video]. https://www.youtube.com/watch?v=0dGqR4ue8dg

 

Techopedia. (2021). Phishing, Doxing. Janalta Interactive. https://www.techopedia.com/definition/4049/phishing, https://www.techopedia.com/definition/29025/doxing, https://www.techopedia.com/definition/33835/deepfake

 

Toledo, Arsenio. (July 23, 2020).  Law Enforcement Officers in Portland Doxed by Antifa. Newswars. https://www.newswars.com/law-enforcement-officers-in-portland-doxed-by-antifa/

 

Wang, V.  and Dong, J. (December 25, 2021). In China, Bragging About Your Wealth Can Get You Censored.  New York Times. https://www.nytimes.com/2021/12/25/world/asia/china-money.html

 

Ward, Jacob. (June 26, 2020). Facial Recognition Software Under Fire After Misidentification Causes Wrongful Arrest | NBC News NOW. [Video]. https://www.youtube.com/watch?v=Bxpx8izG5nA

 

Whittaker, Bill. (October 10, 2021). Synthetic Media: How deepfakes could soon change our world CBS News/60 Minutes. https://www.cbsnews.com/news/deepfake-artificial-intelligence-60-minutes-2021-10-10/

 

Wyden, Ron. (February 10, 2022). Wyden and Heinrich: Newly Declassified Documents Reveal Previously Secret CIA Bulk Collection, Problems With CIA Handling of Americans’ Information. Senators Call for Critically Needed Transparency About CIA Bulk Collection; Documents Declassified at Wyden and Heinrich’s Request. News Press Release. https://www.wyden.senate.gov/news/press-releases/wyden-and-heinrich-newly-declassified-documents-reveal-previously-secret-cia-bulk-collection-problems-with-cia-handling-of-americans-information

 

Zuboff, Shoshana. (2019). The Age of Surveillance Capitalism: The fight for a human future at the new frontier of power. ISBN-10 1610395697. www.publicaffairsbooks.com

 
