We’ve all been victims of that prank where you’re chatting with a friend online and you realise halfway through the conversation that someone else has been seated at their computer, pretending to be them.
A few years ago, that was the extent of the risk you faced, when it came to identity theft online.
Today, each of us has so much personal digital data floating around that it is possible for someone to steal an entire online identity and cause very real damage offline.
“Every individual is now a data generator and transmitter,” says cyber-security expert and Supreme Court lawyer Pawan Duggal. “We generate data that is continuously collected by government agencies and private companies. That data can be monetised, manipulated and misused in many ways.”
Google yourself and the first layer of that data, the most basic information, pops up. This will typically be fragments of personal information and references to your social media presence on Facebook, LinkedIn, Twitter, Instagram, Flickr etc.
This is the data that you know about.
It is just a fraction of what can be unearthed with a little digging.
“What is really scary is the data that you don’t know is constantly being collected, like location data,” says mobile telephony expert Nikhil Pahwa, CEO of media analysis agency Medianama. “Any switched-on mobile phone, for instance, can be located to accuracies of less than 100 metres. If location-specific apps like GPS are switched on, the mobile can be located to within 3 metres.”
Multiple apps collect location data and track your movements 24x7. Apart from your mobile phone, if you use a smart card to pay a road-toll or access public transport, you can be tracked by that as well.
RFID technology — radio frequency identification — with its tiny tags, is used in everything from smart toll cards to clothes and car tyres. RFID tagging is an easy way to track merchandise and prevent pilfering. But the RFID tag often stays in the product after it is sold, and can be read through clothes or wallets at distances of 20 metres or more.
RFID readers are widely available and not very expensive.
Location data, which is used in a wide range of apps and can be cited as evidence in a criminal case, is not covered under Indian data-protection laws.
“Your location data can be misused with legal impunity since it isn’t even defined as sensitive personal data. This is a big gap in the law,” says Duggal.
There is talk, for instance, of certain companies using location data to confirm that employees not in the office are actually where they say they are.
On the financial front, every time you swipe a credit or debit card you release more digital information. Your PAN is also easily accessible, since it is quoted in multiple transactions.
A marketer may analyse credit card purchases and deduce likely interests. Online retail giant Amazon uses such deduction algorithms when it offers hints such as ‘People who looked at this product also viewed the following products’. Google and Yahoo use similar analyses, as do desi players like Myntra and Flipkart.
Biometric usage is also catching on. Land registration deeds use scanned fingerprints and photos, which are uploaded on government databases. Laptops and mobile phones are increasingly protected via fingerprint recognition, which means this data can be captured by private players too.
Put these bits and pieces together, with just a little online snooping, and you could create a detailed composite of an individual’s identity, daily routine, spending patterns, friends and family circle, even how much they earn or pay in taxes.
The next big data-gathering explosion will be in the realm of DNA. This data is now being collected in criminal cases and civil suits such as divorce and paternity. In addition, people are being tested by medical labs for DNA-related conditions. Connect a DNA profile to medical expenses and you have a very good idea of somebody’s health status.
This may sound like crime fiction, but the basis for it is visible everywhere, if you know where to look. To take a real-life example, I received a phone call yesterday from a new work contact and that was followed by an email exchange. So, I have a name, an email, a mobile number, an office number, and a place of work. In turn, that person holds a dossier of similar data about me.
I can, without much effort, learn what this person looks like, their residential area or home address, marital status, children, hobbies, vehicle ownership, daily travel patterns, holidays, friends’ circle (including common friends), political views.
That person could also get to know my life in equally mind-boggling detail and yet, we’ve never even met face-to-face.
(Devangshu Datta writes on technology, finance and the confluence of the two)
Online data offline crimes
Conned by a Nigerian scamster
Savitri Rai (name changed), an IT professional and recent divorcee, was looking for love on an online matrimonial site and she found a man who started out as a friend and was soon talking marriage.
‘Akash Nayar’ said he was a software engineer living and working in the UK. Investigators believe he picked that profession because it matched the information he had viewed about her online.
After showing her parents a photograph he sent her and receiving their blessing, she exchanged mobile numbers and the two began chatting online. He declined to use Skype, saying the first time they saw each other should be in person.
Two months later, in September this year, he said he was headed to Bangalore to meet her. A day later, he called and said he had been detained at Immigration in Delhi and needed to pay a fine of Rs 1 lakh in order to leave.
She transferred the money to his bank account. Over the following two weeks, he got an additional Rs 14 lakh from Rai, claiming he needed to pay off CBI and Enforcement Directorate officials.
He then stopped taking her calls, and she approached the police. “It turned out that the entire operation had been an elaborate scam by Nigerian fraudsters,” says police inspector Mahadevaiah Reddy.
The police have been unable to trace the accused.
— Naveen Ammembala
Cheated of Rs 36 lakh by fake fiancé
A chance meeting with a seemingly eligible bachelor on a popular online matrimonial website, followed by a marriage proposal via email and a much-anticipated meeting that never happened, left a woman journalist poorer by Rs 36 lakh in Delhi last year.
“The police have been investigating for three months but have no leads,” says the victim, who is in her late 40s.
Her purported suitor introduced himself as Ben Spencer, a contractor with a petroleum giant based in Sacramento, California.
“My apprehensions about chatting with and eventually accepting a proposal from someone I had met online were more or less allayed since he was registered on the matrimonial website,” she says.
After months of chatting, Spencer said he wanted to visit the woman during an upcoming trip to south Asia.
Then, as such scams usually go, he ‘got stuck’ at Customs, supposedly because he was carrying an unusually high sum in cash — he told the victim it was $1 million — and needed help bribing his way out.
“I kept sending him money for an attorney, hotel bills, fine and taxes,” says the victim.
In October 2012, the man disappeared.
“None of my calls or messages was ever answered,” she says.
— Jatin Anand
Stalked for 18 months, maligned on Facebook
Three years ago, mass media graduate Arpita Roy (name changed), 25, joined the Kolkata edition of an English daily and, during one of her first assignments, met and exchanged phone numbers with a senior reporter on the same beat.
“Within days, he started texting me, saying he was bewitched by me,” says Roy. The messages came in a constant stream, but since they contained nothing offensive, Roy did not feel she had enough basis for a police complaint.
The man then began sending her messages from multiple phone numbers, filling her mailbox with his pleas and sentimental outpourings.
“Then he texted me saying that he had seen me smoking at my office gate and entering a pub with a couple of my male colleagues. I began to feel that he was stalking me,” says Roy.
In his next step, the man found her on Facebook and tricked her into befriending him by creating a fake profile featuring the photograph of a woman.
“Once I responded, he went berserk. He picked up photos of me from the Facebook account and made strange collages, and began posting nasty things about me on his timeline,” says Roy.
Finally, after 18 months of the escalating harassment, Roy lodged a complaint with the cyber-crime cell and the man was nabbed.
“He stopped bothering me after the police spoke to him and his family, but I have since become extremely cautious when exchanging personal details and responding to Facebook friend requests,” says Roy. “I have also applied strict privacy settings to my Facebook account.”
— Arpit Basu