by Dave Moore, CISSP
01/30/2022
As if hacker losses from identity theft weren’t bad enough, federal and local police continue to evade Constitutional search and seizure limitations by hiring crooks to steal the personal records of innocent citizens.
Starting somewhere around the early to mid 2000’s, numerous federal agencies, including the departments of Justice, Homeland Security, the FBI, the U.S. Marshal’s Service, and Immigrations and Customs, as well as police departments around the country started using so-called “data brokers” to gather personal information, such as phone records, to aid in investigations. This allowed them to bypass pesky subpoenas and search warrants, which are considered to be too annoying and time-consuming.
One way data brokers steal personal data is through a scheme called “pretexting.” Known in the hacker community as “social engineering,” pretexting often involves brokers contacting phone companies, credit agencies, health care providers and other personal data repositories, and pretending to be the person whose records they seek.
They will often offer up compromised credentials, such as Social Security numbers, as “proof” of identity in order to trick their targets into giving out even more private information. Many data brokers have admitted to using such tactics, as well as breaking into online accounts “hacker style” to steal private information. No matter how you try to pretty it up or explain it away, “pretexting” is nothing more than lying, and, if it’s not a crime, it should be. In my book, it’s just plain-old wrong.
Prices for personal information vary from thief to thief (oh, sorry, “data broker”), but Social Security information, university class schedules, employment records, medical records, school discipline records, social media histories, and cell phone records can all be had for a price.
If clients are willing to pay a premium, “surveillance agents” can buy the actual, real-time location a personal cell phone. Some law enforcement agencies have actually taken to buying and operating cell phone tower spoofers called “Stingrays,” in order to search and seize phone call and text messages. Thus far, courts have been reluctant to call such tactics “unconstitutional.”
Such tactics are not lost on the criminal element, though, and can backfire horribly. Criminals have money to spend on information from data brokers, too, and the technical know-how to use it. In one case, a Los Angeles police officer was murdered by drug dealers who hired data brokers to provide the officers’ personal pager information.
Different pricing tiers exist, also. One price for regular “general public” members, one price for gangsters, and one “price” for law enforcement agencies, who usually get their stolen information for free from brokers who wish to be “cooperative.”
U.S. Rep. Ed Whitfield, who chaired the House Energy and Commerce Subcommittee on Oversight and Investigations, first looked into this situation in 2006. At the time, eleven current and former owners of data brokerage companies summoned to appear refused to testify, prompting Whitfield to state, “Their silence shows the American people that this industry needs to be shut down.” Regarding the theft of information by brokers, Whitfield also said, “…[the data brokers] will impersonate and use everything available that they have to convince the person who has the information to share it with them, and it’s shocking how successful they are.”
Whitfield said his efforts to protect consumer records were not finished. “These hearings do not signal the end of this investigation, and I look forward to continuing our work to expose these shady activities. Identity theft is one of the fastest growing crimes in the country, and the American people need to know that Congress is doing everything it can to keep consumers private records secure.”
The hearings fell apart, without resolution or conclusions; nobody was fired, thrown in jail or lost their job, although a report was issued titled, “Internet Data Brokers: Who has access to your private records? “It’s good reading, if you care to look it up. No serious investigations into the same subject matter have been held since, and, although Facebook got yelled at over the Cambridge Analytica scandal, the results were pretty much the same.
Dave Moore, CISSP, has been fixing computers in Oklahoma since 1984. Founder of the non-profit Internet Safety Group Ltd., he also teaches Internet safety community training workshops. He can be reached at 405-919-9901 or www.internetsafetygroup.org