Hello. This is the Department of Justice…
A bot from an unknown number
Commerce has forever run on information: ascertaining market segments, calculating demand, dealing with invoices, or remembering whether your regular customers prefer shaken or stirred. Modern business has taken the use of information in day-to-day activities and multiplied it a thousand-fold, to the point where information peddling has become a lively industry itself, transforming economies into information producing and consuming machines (Lengel). Customers of information companies use this information to reduce uncertainty, using data to better target, service, or introduce new kinds of products to the market, with the notion that the information correctly identifies a demand. The applications of information are nigh endless; thus the demand for the data commodity is high, and the rising prices reflect this. A firm is at a distinct disadvantage if it cannot afford useful data, or perhaps it wants information that cannot be obtained without dubious means but would put it at a distinct advantage over direct competitors. Thus people turn to a bustling and growing marketplace: the information black market.
Black market information markets typically contain buyers and sellers of illegally obtained information, credentials, identities, credit cards, or anything someone is willing to exchange currency for. Individuals and organizations can purchase or sell information to engage in a variety of activities both malicious and benign. Ever gotten a call from the “revenue service”, or perhaps the “justice department”? Usually a bot asks you to provide a credit card or to phone another number to resolve the situation. Chances are your number was acquired through the security breach of a service you willingly provided it to. The number was then obtained through the leak or sold to someone wanting to make a quick buck out of social engineering. This is a typical transaction in the information black market, and many cyber criminals involve themselves by attempting to access the databases of large organizations to steal user/customer data and peddle it to those who can profit from it. Innocent business decisions can be greatly enhanced using black-market data. Even browser cookies have become peddled wares at various information chop shops (Krebs on Security); the black market meta will continue to evolve as the world becomes more digitized, and new threats will emerge through the growing demand for user data and confidential information.
It is concerning to think that information pertaining to you is out there, and neither you nor anybody else knows who has it or what it is being used for. As the information black market grows, and chop shop operations become more sophisticated, it is not too farfetched to think that cyber criminals will turn on each other to an even greater extent than what was posted at KrebsonSecurity.com. I imagine at some point there will be services to wipe one’s information off information markets, where you would pay to have a hacker breach a shop and remove info pertaining to yourself. The demand for information as a commodity will only grow, and as information becomes more extensive, intimate, and essential to our everyday lives, it is reasonable to think that the conflict surrounding information will grow as well, analogous to the conflict involving commodities such as natural gas. It’s even more concerning that information you willingly entrust to companies or organizations is being used in the same manner as that in the information black market, as we will touch on next.
We live in an information economy. The problem is that information’s usually impossible to get, at least in the right place, at the right time.
Steve Jobs
The legality surrounding information gathering and selling by corporations is murky at best, with most lawmakers being unable to keep up with the rapid progression and innovation around technology. The Wall Street Journal reported that in 2020 Amazon was actively “scooping up information from independent sellers” (Diaz, 2020) to gain the upper hand in creating competing products. Whether these sellers are legitimate enterprises or not, the precedent is set; information is an invaluable commodity that will eagerly be purchased, or sold, all in the name of profit. The demand for useful information will only feed the black market and make hacking or breaching a more lucrative profession that is worth the legal risks. I feel in the future we will see more aggressive, organized, and invasive hacking operations as payoffs become grander. The upside to this is that as the monetary gains from security breaching increase, so too will the demand for protection against these attacks, creating opportunities for those in the cyber security field, or those who find ways to better encrypt and protect personal information. The development of attack and defense methodologies is near parallel, so one should not believe the situation to be hopeless. However, nobody wants to be the subject of a new breaching technique before it can be effectively countered, making the threat looming and indeed daunting.
It is also interesting to think about how many “breaches” were accidental. If the money is right, are companies letting their databases be unlawfully perused, and if not now, will they? How will the evolution of data and data structures affect the war between info bandits and law enforcement? In terms of the information economy, I believe we are in the Wild West, and personally I think the situation will have to get worse before it will get better. Let me know what you guys think of the information black market, and how it may have affected you in the past or continues to affect you.
Sources:
Diaz, J. (2020, December 15). Amazon, Tiktok, Facebook, others ordered to explain what they do with User Data. NPR. Retrieved January 23, 2022, from https://www.npr.org/2020/12/15/946583479/amazon-tiktok-facebook-others-ordered-to-explain-what-they-do-with-user-data
JOURNALISM AND MASS COMMUNICATION – Vol. II – The Information Economy and the Internet – Laura Lengel, from https://www.eolss.net/sample-chapters/C04/E6-33-03-01.pdf
Crime Shop Sells Hacked Logins to Other Crime Shops – KrebsonSecurity, from https://krebsonsecurity.com/2022/01/crime-shop-sells-hacked-logins-to-other-crime-shops/
I’ve personally been “pwned” before as a result of data-leaks from some old accounts I made when I was younger. Luckily nothing came out of it except I will get the odd email in my junk folder with my old password as a subject-line.
This automated script will often claim that they gained access to your web-cam and got your password by hacking you on an “adult website” lol. They state that if you don’t send them bitcoin to a specific address that they’ll send the vid of your face and what you were watching on the site to your facebook friends list. Oddly enough they don’t go through the trouble of finding out your name, so it’s pretty funny to read.
I think the war on cybercrime is very similar to the war on drugs, where demand for illegal goods/information will inevitably triumph in the long-run. There’s no need to eliminate all cyber-attacks as this seems like an impossible task, but mitigating the damage it causes seems to be the best approach, at least for now.
I agree, as with all things good and bad, if there’s a demand and someone is willing to pay, someone out there will supply it. I feel the demand for information among companies will only increase as certain data becomes more critical for business operations. Criminals will also want chop shop data to do nefarious things.
Great read Simon.
You’re right about the laws around information being very muddy, and lobbying from these mega corporations definitely doesn’t help.
My question is who should be responsible for information leaks? Should laws be written to force companies like Facebook and Google to have to reimburse their users for leaking their information? If so, what does reimbursement look like? Would all victims involved be paid the same?
Legally it’s very tricky. Most companies state in their terms and conditions that if they follow due diligence and act reasonably in good faith, they are not legally liable for data leaks and breaches, so they cannot be beaten in court. Data and information issues are a risk you take when you use a company’s service or use the internet, just like getting into an accident while driving a car is a risk, and I think that’s likely how it will stay so companies aren’t forced out of business due to the legality of operating on the internet, which would leave all parties worse off by far.
Very well written Simon.
You’re right about the laws around information being very muddy, and lobbying from these mega corporations definitely doesn’t help.
My question is who should be responsible for information leaks? Should laws be written to force companies like Facebook and Google to have to reimburse their users for leaking their information? If so, what does reimbursement look like? Would all victims involved be paid the same?
Good point, what is the proper reimbursement for leaked information? Would it depend on how the information was leaked, how it was used, or who took the information? And what sort of metric can we use to put a price on the damages caused? I can see why it has taken lawmakers so long to address these issues, as they are tricky ideas to put into laws. (Although that being said, the fact that it’s tricky does not mean the lawmakers shouldn’t try to address these issues.)
Great post Simon! I have heard about the information black market briefly when topics reach mainstream media (such as the Cambridge Analytica and Facebook scandal), however, I didn’t fully appreciate the full extent to which information is collected, traded, and sold today until I read your post. I fully agree that this area is very concerning; as the value of information increases, demand will as well, regardless of how the information was collected. I think that it is imperative that governments begin recruiting experts to develop better security and privacy laws. Until then however, I will personally try to reduce my own digital footprint to prevent any unintended, or malicious data collection of my personal information.
I both feel bad for lawmakers and I don’t. On one hand, many lawmakers are from previous generations and have trouble understanding new technology and the use of information, let alone the nuances around it, which makes me think that the legislative departments in many countries are lacking in their abilities to protect their citizens legally. On the other hand, technology evolves so fast that it seems by the time a law is passed, that technology or subset of a technology has become obsolete, and nobody benefits from the passing of the law. Hopefully this changes, but not enough where government becomes TOO good at passing laws involving technology and information, if you know what I mean.
Great read, really an interesting article. The idea that information is the new oil, or even gold is one that I love. In the modern technological world, there is truly nothing more valuable. Like Theo said above, the Cambridge Analytica and Facebook scandal is really interesting to look into if you’re interested in the information market and how it can be used (dubiously legally) in the real world. The Great Hack is a documentary that touches on this, and shows how people’s data and information was used to target them rather than others to perhaps alter the outcomes of democratic elections, and if we have our information being used against us for that, is the election still truly democratic or is it inherently rigged? All in all, this topic as a whole is incredible, and I love seeing other people take an interest in it and how their data is being used!
Dubious is a good word to describe many of the uses of information for profit. While an action may not be technically illegal, it is morally wrong, or wrong enough where someone goes to great lengths to hide what they are doing. The whole infotech scene is coloured in grey; the best thing people can do to better protect themselves is to better understand what they put out on the internet, what every action does and doesn’t give somebody else, because the truth is we do not have much, or any control over what others do with our information once it is out there.
Hey Simon, this is an informative post. I actually was subjected to a phone scam numerous times but luckily I was aware and did not fall for those, but I know many people did. My old phone number got so many phishing calls that I had to switch phone number and service provider, but somehow the scam artist is still able to obtain my new number and personal information. I could not think of any other reason besides the service provider selling their customer data. It seems to be a social norm nowadays for tech companies to sell customer data to each other; in the end some of that information would end up in the wrong hands. I believe the current laws about privacy are not sufficient to protect consumers and their personal data, and we have to implement a much stricter law to fight the data-selling on the black market.
The worst part is that your phone number may not have been leaked by your service provider intentionally; it could have been somehow retrieved by attackers, or even more likely, leaked through some less secure service that had your phone number stored on it. Even some cookies may contain your phone number, and perhaps somehow a cookie was used or pulled off your browser by another website or application and the data was subsequently leaked. It is currently nearly impossible to ascertain where exactly your number was leaked from or how it got to that database in the first place. While I would pay attention to how your service provider may handle your personal info and data, there isn’t much use bringing up the issue with them because chances are they have as much idea as you do in regards to how your phone number got into the phisherman’s hands. Thank you for reading.
Great post!
I totally agree with your points in your blog. With the development of technologies, there is much more personal information “flowing” in our society. Some of these flows of information can be recognized by us and are legal, but some of them are illegal and in the dark. My parents bought a luxury condo in the downtown area of my home city in 2016. After that, they have been receiving multiple phone calls about condo advertisements for almost six years. They tried to ask the person in one of these phone calls how he got my parents’ phone number; that person said he bought the phone number from the black market. He also said the information sellers in the black market preferred to classify the personal information they had got based on the personal information owners’ wealth.
I think the best way to deal with the problems that you have mentioned in your blog is to ask governments around the world to make rules and policies together to restrict (not control) the information flowing. Moreover, there should be some global non-government organizations supervising the governments not to control the information flowing.