Aiding and Abetting Criminal Activity

December 9, 2014

That’s what our phone companies are doing. It is an offence to harass people. It is fraud to entice people into believing that they have money due to them when the caller has no evidence that that is the case. It is an offence to hold people’s data without their permission. It is fraud to lie to persuade people to reveal their personal information. According to a government task force, a BILLION of these crimes are committed every year, with the assistance of our phone companies.
Our telecoms companies are making money out of these crooks, one way or another. They are certainly making no effort to prevent their infrastructure being used for criminal activity, despite being fully aware of the scale of what is going on. All we get is mealy mouthed platitudes recommending that we take actions which are either unfeasible or ineffective. Let’s get a few facts straight on just how useless these recommendations are.

  • Register with TPS? It’s a waste of time.
    • TPS doesn’t actually do anything with complaints
    • The crooks ignore TPS anyway
  • Block callers?
    • The crooks are spoofing numbers so blocking one number has little effect
  • Don’t answer if the number is withheld?
    • There are, unfortunately, some genuine companies which call from withheld numbers, ignoring good customer service for their own administrative convenience
  • Don’t answer if you don’t recognise the number?
    • Few if any people have complete knowledge of all the numbers they could be called from, whether personal or business. A child whose phone battery is dead could borrow a friend’s phone to call so no parent can afford to ignore unknown numbers. A friend can change phone number. A business contact could call from a landline when you only have their mobile number recorded. There is a host of reasons why a call from an unknown number could be both valid and important.

There are various reporting mechanisms – the ICO, Action Fraud, TPS, Ofcom, to name but a few. All those websites are badly designed. Their automated responses are uninformative and, in the case of Action Fraud, hide the content of their response in a dubious looking attachment. There is little if any evidence of any use being made of the information provided by these routes.
It would not be unreasonable to expect phone companies to make significant and meaningful effort to prevent their infrastructure being used to harass people, commit large scale fraud, and commit widespread identity theft. It would not be unreasonable to expect legitimate organisations not to behave in a way which emulates crooked behaviour.
Here are a few suggestions for the Nuisance Call Task Force.

  • Make it an offence to spoof a number
  • Make it an offence to deliver a call with a spoofed number
  • Make it an offence for a commercial organisation to withhold their number
  • Make it an offence for any organisation to sell or give away the personal details they collect
  • Limit the period for which an organisation can retain personal details and use them for sales and marketing
  • Create a single, simple, effective means of reporting the numbers used by scammers
  • Use the scammer reporting facility to create and maintain a single database of numbers recognised as being used by scammers
  • Make the database publicly visible
  • Flag numbers which are consistently being used in a criminal manner – say after 10 reports of the number as one which makes scam / harassing calls
  • Make it an offence for a phone company to issue the scamming number to anyone
  • Make the ban on reissue of scammer numbers meaningful – say a 10 year ban on their reissue
  • Make use of existing legislation to prosecute scammers for harassment as well as data protection and telecoms offences
  • Hold the directors of those companies responsible – directors of the calling company, its parent company, and any company on whose behalf it makes outbound calls
  • Since the crimes are being committed in this country in the homes of those being called, ignore the country of residence of those responsible for the scams and arrest any responsible directors who set foot in this country
  • Recognise that it is individuals who are responsible for encouraging / permitting these crimes and hold all directors responsible and liable to prosecution
  • Set penalties so that they automatically include both default and a significant fine

So why does the DeliveryDemon think this would work?

  • It will create an incentive for phone companies to take responsibility for the way in which they allow their infrastructure to be used
  • It would prevent genuine customers from being issued with numbers which people have blocked because the numbers were being used for scam calls
  • It would prevent banks from grooming their customers to give away security information to people who call them – for over a decade banks’ cavalier attitude to customer security has been demonstrated time and again when they make outbound calls to customers and proceed to ask for passwords and other sensitive information
  • It would encourage organisations to start to take data protection seriously
  • It would do away with the loophole which allows all the enforcement organisations to abdicate responsibility for scam calls originating overseas
  • A mandatory penalty of imprisonment would prevent those responsible from buying their way out of loss of liberty
  • Significant fines for every offence would start to undermine the business model which makes scam calls profitable.

Let’s face it, we are talking of 32 crimes every second of every day. If our politicians and legislature and police and regulators aren’t prepared to take this seriously, the DeliveryDemon wonders what the hell we pay them for.

Harassment – The Crime Committed By Nuisance Cold Callers and Similar Scammers

November 6, 2014

We’ve all had it, the persistent calls at ridiculous hours, with recorded or spoken scripts riddled with lies. The smarmy sleazy voices. They pretend to represent or be authorised by government departments. They pretend they know about a claim or right you have. They pretend you have to do something because of new legislation. They lie and lie and lie. They want your money for some dubious product, and people have been scammed out of thousands of pounds this way. They want your personal information, and giving them that is a large step on the way to the hell of ID theft and further fraud.

They got your data from somewhere illegally, and once one bunch of these crooks have your data it gets sold around. Try as you will, you can’t stop it. It’s not just data breaches. It’s not just small naïve organisations not being good enough with their data security. It’s not just all these marketing offers. Government departments have been publishing sensitive personal data for years, and two of the biggest are doing their damndest to start selling it on a large scale to all and sundry – step forward HMRC and the NHS. We have in the space of a few short years been forced into dealing with constant harassment within our homes.

I’m actually surprised that telecoms companies aren’t protesting about this. There’s been a lot of recent publicity about people giving up on landlines for the simple reason that the bulk of calls come from fraudsters autodialling or using illegally obtained information. At least with a mobile you can cut the call off. When it comes to the primitive technology of landlines, the caller has control and can block your line.
With elections coming up we’re getting mealy mouthed platitudes from politicians about doing something to stop this. Why haven’t they done it before? The legislation already exists. These calls easily fall within harassment legislation and it is a criminal offence.
  • It certainly distresses people to be constantly interrupted
  • Frequently numbers are withheld, which is intrinsically threatening since the caller appears to be untraceable
  • Many of these calls are silent, which is particularly threatening.
  • A frequent tactic is to pretend that there is legislation which means the called person must do something
  • The callers refuse to say where they obtained the personal information they so clearly have, which is a tactic of intimidation – ‘we know about you, we won’t say how’
  • Buying or selling or passing on illegally obtained information is certainly harassment since it perpetuates and escalates the distress being caused.

The CPS provides the following definition of harassment:
‘the term harassment is used to cover the ‘causing alarm or distress’ offences under section 2 of the Protection from Harassment Act 1997…. The term can also include harassment by two or more defendants against an individual or harassment against more than one victim.
Although harassment is not specifically defined in section 7(2) of the PHA, it can include repeated attempts to impose unwanted communications and contact upon a victim in a manner that could be expected to cause distress or fear in any reasonable person.
A prosecution under section 2 or 4 requires proof of harassment. In addition, there must be evidence to prove the conduct was targeted at an individual, was calculated to alarm or cause him/her distress, and was oppressive and unreasonable.
Closely connected groups may also be subjected to ‘collective’ harassment. The primary intention of this type of harassment is not generally directed at an individual but rather at members of a group. This could include: members of the same family; residents of a particular neighbourhood; groups of a specific identity including ethnicity or sexuality, for example, the racial harassment of the users of a specific ethnic community centre; harassment of a group of disabled people; harassment of gay clubs; or of those engaged in a specific trade or profession.’

Well, distress is being caused on a large scale. There are very clearly repeated attempts to impose unwanted communication, and there is no realistic opt out – the so called opt out option on automated calls has long been recognised as being used as confirmation that the person called is gullible so a good target for further harassment.

As to evidence, since these scammers are being allowed by telecoms providers to withhold numbers or display numbers, there’s not a lot the victim can do. But the information is flowing through the telecoms companies. They make money from these calls. In effect they are abetting fraud and harassment by doing this. Let’s see them forced to take some responsibility.

Are individuals being targeted on the basis of ‘protected characteristics’? Look at the age profiles. Ask people who have hit 50 or 60 or 70. Ask people who have started getting a state pension. Age is a recognised trigger for increasing volumes of scam calls. The fraudsters assume that older people are easier to intimidate into parting with information and money, and sometimes they are right. It may be the targeting of people who grew up in more innocent times and who, by retiring, are predictably likely to be at home at times to suit scammers. It may be people who are vulnerable through bereavement, particularly if the late spouse took responsibility for financial matters. It is more common for elderly people to be confused, through dementia or medication, so less resistive to scams. It sure as hell means that these scammers are targeting people on the basis of the protected characteristic of age.

Of course the people doing all this cannot help but be fully aware that they are following a course of conduct which amounts to harassment. It takes little intelligent thought to recognise the conduct as unreasonable. In fact it takes a highly determined effort at self-deception to find even the flimsiest framework which shows the conduct as anything other than deceptive, dishonest, unreasonable, and intimidating.

They know all of this when they buy data without checking it has been legally obtained so the defence of legitimate trade does not apply. They know it when they sell the data on illegitimately. They know it when they autodial. They know it when they phone TPS registered numbers. They know it when they write and approve scripts full of lies. They know it when they train their staff.

They? The Board of Directors, obviously, and also those in senior management who promote and collude with harassing behaviour. That covers operational management and strategic decision making. It covers HR when they set targets which depend on harassment producing results. It covers those who accept financial reports based on results obtained by harassment. It covers auditors who turn a blind eye to the way a company generates its profits. It covers those businesses which provide outsourced outbound calling services and pretend that they have no responsibility for the legitimacy of the data they use for calling. They are all executing or colluding with institutionalised practices of harassment.

There is of course Data Protection legislation, but that is too weak to be useful, more so since it relies on civil prosecution by the victim, and the harassment is executed in a way which prevents the victim from getting access to the necessary proof.

Under Protection From Harassment legislation, a perpetrator can be imprisoned for up to 6 months and fined up to £5000. The legislation for punishment exists. The cases exist to prosecute. The data is available to prosecute. Yet there has yet to be a prosecution. Not a single politician has risen from their backside to ask why there have been no prosecutions.

The DeliveryDemon, like a lot of people, is pretty quick to recognise scammers and tell them where to go. They are still a bloody nuisance and their calls are still harassment. She would dearly love to hear just one actual or prospective MP actually stand up and ask – loudly – for action to be taken using the ample legislation which is already in place.

Yes, let’s see the Action Fraud database being used to collect details of these harassers. And Data Protection reports. And Ofcom reports. And TPS reports. All the data collection mechanisms exist. Let’s see a campaign encouraging the victims to report their harassers. Let’s see some pressure on the telecoms companies to take responsibility for ensuring that their networks are not used for harassment. And let’s see the data being used for prosecutions.

We have seen a few prosecutions in other sectors for blatant criminal activity. Doing the same to the decision makers in nuisance cold calling organisations just might prompt an improvement in their behaviour.


Delivering Libellous Content

March 17, 2014

The DeliveryDemon had to chuckle at this article http://www.pressgazette.co.uk/content/dont-let-internet-linked-stories-land-you-libel-writ

The law has certainly been working hard to catch up with technology, and the impact of this sort of libel is very real to those who are libelled. But the legal profession is missing a trick here. Behind the scenes, there is technology which looks for keywords and tries to interpret them. By and large this software is still remarkably primitive. It has yet to get to grips with the ability to interpret the context. Basically it lacks ‘intelligence’. It is designed to provide an answer at the expense of providing a sensible answer.

Google predictive text gives some good examples of what can happen http://www.telegraph.co.uk/technology/google/6161567/The-20-funniest-suggestions-from-Google-Suggest.html and various mobile phone predictive text engines can be even funnier. The automated parsers used by recruiters cannot distinguish between Coral the bookmaker and Coral the programming language. Amazon’s ‘you might like’ suggestions suggest you buy an identical item to a recent purchase, with a different brand name.

To some extent, many of these tools are designed to depend on data which is not quality-controlled in any effective way. Certainly an Amazon vendor will enter the keywords likely to maximise search hits. That can mean the entry of keywords with little relation to the product being sold.

Google is one of the more sophisticated players since its product depends on understanding what a searcher is likely to want, but the Telegraph article shows how primitive the logic is. Asking users to log in and relating searches to their search history has the potential to improve search result quality, but people are becoming increasingly sensitive to the amount of their data held by large corporations, and legislators are starting to respond to those concerns, so relying on users logging in may not be the most fruitful development path for this type of tool.

The examples in the libel article certainly have merit. Either the tool is not fit for purpose, or it is being used unintelligently. A fairly obvious solution would be for the news website to flag articles as being either positive or adverse, provided the tool refrains from coming up with links to ‘similar’ articles unless they were also flagged as adverse. If the tool can do this, the web publisher is at fault. If the tool can’t do it, then there are two potential breaches. The tool may be inadequate for the purpose for which it is being sold. Or the web publisher may be making inappropriate use of the tool. Of course, when a payment model is based on click throughs, the incentives tend not to favour anything which limits the number of links displayed.

A fruitful approach for legislators would be to look beyond individual libels and examine the capabilities of current tools, and the processes which web publishers use to mitigate the risks arising from tool limitations.


Delivering Demands for Blind Acquiescence

June 13, 2012

The DeliveryDemon is becoming increasingly fed up with growing expectations of blind acquiescence. It may make it easier for an organisation to use ill-trained operatives and unintelligent processes if customers mindlessly comply with demands for vast amounts of sensitive personal information despite the absence of justification for the request. After all, if everyone provides every piece of information which might be required for every conceivable circumstance, the admin drone can just tick a load of boxes and the organisation doesn’t have to bother making the effort of deciding which information is actually required. And the DeliveryDemon is fully aware that many such demands for information are purely box ticking exercises, with no intelligent use being made of the information gathered. She is also fully aware that, when no thought is applied to deciding which information is needed, it is highly likely that an equal lack of intelligence and diligence is applied to the storage and management of information collected.

This rant was provoked by the need to go through a ‘proof of ID’ process, where the conversation with the call centre went something like this:

DD – You don’t need my marriage certificate since I never changed my name – why do you need my divorce documentation?

CC – It’s the regulations

DD – Which regulations?

CC – HMRC regulations

DD – Which HMRC regulations?

CC – I’ll check with my supervisor

CC calls back – It’s our own rules

DD – Why do you need it?

CC – It’s our rules

DD – If you need it you have a duty to explain why it’s needed

CC – I’ll get someone to call you back

CC2 calls back – We might be able to accept copies with a letter

DD – That wasn’t my question. You have already said you don’t need my marriage documentation since I have never changed my name. Why do you need my divorce documentation?

CC2 – We don’t need it.

Unfortunately, this sort of conversation is, in the DeliveryDemon’s experience, all too common. Far too many organisations feel entitled to pressurise customers into providing information well in excess of the organisation’s real need. Let’s look at what actually happened here.

  • First there was a request for information without an adequate explanation of why it was required.
  • Second there was the assumption that a reference to some unspecified regulations would make a customer stop asking questions.
  • Third there was an assumption that a reference to HMRC would stop a persistent customer from asking questions.
  • Fourth, there was an admission that it wasn’t valid to blame the law or the taxman, that this was an internal blocker.
  • Fifth there was an attempt to avoid the issue by offering an alternative (certificate copies), in the hope that the customer would be fed up enough to comply.
  • Sixth was the admission that the information was not required.

This was not an isolated incident. The DeliveryDemon frequently encounters organisations which behave as though Data Protection legislation didn’t apply to them. If there is a genuine need for a piece of information in one specific instance, they embed the requirement in their general process. They try to blame the law, or various bureaucratic bodies. Call centre operatives are trained to give woolly and misleading responses to questions about the need for information. They expect the customer to be acquiescent and unquestioning, in the interests of lazy process.

It is simply not good enough. The DeliveryDemon is familiar with data protection provisions, and has a good understanding of how a wide range of businesses operate. This puts her in a good position to challenge demands for excessive information. Not everyone is so lucky.

It’s not a matter of being awkward. Our personal data has value, and the cost to the individual of identity theft is massive. Both the law and business ethics demand that organisations only collect the data they need, and on the basis of explicit customer agreement and understanding. It is shocking how many organisations are prepared to ignore both the law and ethical considerations. Unfortunately, the UK’s enforcement of data protection legislation is weakly and tardily applied – enforced would be too strong a word. It’s down to the customer to resist the tsunami of demands. The DeliveryDemon recommends the following questions:

  • Why do you need it?
  • Which legislation requires it?
  • No, I need to know exactly which legislation so I can check the requirement.
  • Who will have access to it?
  • How will it be kept secure?
  • How long will it be held?