Who is selling personal information? Fighting against illegal activities requires starting with the entire industry chain

[[188850]]

The educational information of ordinary people will be sold at a slightly higher price than their ID card, while the personal information of a doctoral degree can be sold for 50-60 yuan; the most expensive information is company bank flow, which criminals will use to open POS machines, launder money, and commit crimes.

I don’t watch variety shows, but I was chosen as a lucky user by the show and “won the grand prize”; I just decided to buy a house, but I received a call from a real estate agent selling a small-property house... When talking about the telecom fraud and harassment calls I encountered in recent years, ViVi, who is a planner, was a little amused: "Compared with the telecom fraud scammers, joke makers are weak."

Nowadays, Chinese netizens, who are good at self-deprecation, are keen to post screenshots and recordings of harassing text messages and telecom fraud calls they have encountered on Weibo and forums. Some even choose to "actively tease" these salesmen and professional scammers. The purpose of doing so is, on the one hand, to entertain the public and add some spice to life; on the other hand, to remind netizens to prevent more people from being deceived.

So who is selling users' personal information? Who is using it to make a profit? How can we protect the security of personal information? How can we stop such illegal activities?

Fighting against illegal production is mostly passive

The black industry data that has been "evolving" driven by profit has a history of at least ten years. Today, the continuous combination of online and offline has exposed users' wealth and personal information online. The Internet, which was once poor, has now become a treasure land of gold and jade. At the Tencent Afternoon Tea a few days ago, Wan Tao, co-founder of Yiyun (Public Welfare Internet) Social Innovation Center & IDF Internet Threat Intelligence Laboratory, lamented that compared with the innovation ability of the black industry, enterprises lag behind in security, and the crackdown is mostly passive. The black industry is relatively low-level, and the high-profile approach is not down-to-earth.

Although low-level, the black industry has formed a strict transaction chain. After obtaining user account passwords, identity addresses and bank card information from the upstream through illegal means, the data is screened by database collision and database washing, and finally reaches the hands of criminals through purchase, and conducts telecommunications fraud and hacking transactions.

When finally carrying out telecom fraud, the black industry began to think about loopholes in the law. Wan Tao said that the law would lag behind, and the reporting or the gathering of clues would be too delayed. Once the black industry stuck to the reported amount to defraud, the victim would suffer a loss in silence.

Wu Chuang, producer of the Political and Legal Department of the Social News Department of CCTV, pointed out that sellers, buyers and fraud form a closed loop of the black industry, and both enterprises and regulatory authorities must create a gap.

Clear division of labor between buying and selling personal information

From a commercial perspective, businesses can only provide targeted services, personalized services, and precise services if they obtain more information about consumers, which is what consumers like. On the other hand, consumers want businesses to know nothing and still enjoy personalized services, which is obviously a paradox. Zhou Hanhua, a researcher at the Institute of Law of the Chinese Academy of Social Sciences and a member of the National Informatization Expert Advisory Committee, said that network security issues will eventually hinder the network society, e-commerce, and network social interactions.

At present, all large-scale illegal transactions of personal information are basically carried out through QQ groups, because QQ groups are not one-to-one transactions, and they are constantly filtering this information. If we want to make the behavior traceable, we need to make more use of big data to solve these problems.

Wu Chuang believes that the implementation of the real-name system will allow companies to get ahead, rather than follow the scammers. However, Fu Weigang, a researcher at the Shanghai Institute of Finance and Law, believes that the root cause of the large-scale leakage of personal information may be the real-name system. Without the real-name system, it is impossible to link phone numbers with personal information. The application of the real-name system should be more strictly restricted in laws and regulations.

He Xin, an expert from Tencent Security Management Department, said that the current sale of personal information has formed a black industry chain with clear division of labor and a very structured structure. First, there is the link of information leakage, then the link of dissemination and transaction, and finally the link of application profit. There are generally two ways of information leakage. One is the illegal intrusion of hackers, who steal a large amount of citizens' personal information through hacking and Trojans. The other is the insider, such as the internal staff of the unit who have access to personal information. They steal personal information and then sell this information online or offline.

In fact, there are two parties involved in the communication transaction: one is the data service provider, and the other is the information seller. These people have established different databases through some analysis and models, and even provided customized services, and then resold this information to profit-making black market elements. Black market elements will use this information for illegal marketing, such as calling you and asking if you need to buy a house or milk powder recently, or even telecommunications fraud and illegal investigations.

Fighting against illegal production requires joint efforts from multiple parties

After the black industry split and cooperated, the integration of government roles, corporate roles, industry roles, and public roles has not yet been achieved. While promoting counterattack cooperation, relevant departments should also reflect on whether data collection is excessive or insufficient.

Fu Weigang reminded that when websites collect personal information, they should adhere to the principle of minimum, and there is no need to collect so much data. The more information collected, the greater the risk. The same is true for information collected by commercial websites and governments. In most cases, it is not necessary to collect so much information. After the real-name system is implemented, the places where personal identity information is used will also be strictly restricted.

At the press conference of the Fifth Session of the 12th National People's Congress held on March 4, the conference spokesperson Fu Ying stated that the Ninth Amendment to the Criminal Law contains provisions for the protection of personal information; the Cybersecurity Law formulated last year also established basic rules for the protection of personal information, and clearly required network operators not to collect personal information that is not related to the information they provide. In addition, they cannot transfer information to others without the permission of the relevant persons.

In addition, Internet commentator Hong Bo pointed out sharply that the phenomenon of personal information trafficking is serious, but in fact it has little to do with Internet companies and telecom operators. Personal information security is a problem of the overall environment. In the absence of adequate legislative environment and law enforcement, the cost of law enforcement is quite high. It is unreasonable to put the blame on technology companies or operating companies.

He Xin said that last year Tencent investigated and dealt with 4,700 QQ groups that sold information, and that it was necessary to use the industrial chain to fight against the black industrial chain. First, from the perspective of laws and regulations, the setting of criminal liability should be improved to increase the cost of violations; second, the entire industry should unite to jointly create a safe ecosystem; third, it is hoped that the protection of the source will be strengthened, because many criminals will directly invade the websites of different institutions to obtain a large amount of personal information of citizens, and all institutions that have access to personal information of citizens at the source should strengthen their own security protection capabilities; finally, it is necessary to strengthen the education of users, hoping that every ordinary person can protect their personal information more consciously.