Hiding behind anonymity – Derek Fernandez

Global rise in cybercrime, online harm taking heavy financial toll, with Malaysia grappling with record losses in the billions

THE worldwide surge in online harm and cybercrime has cost the world trillions of dollars annually and is expected to rise substantially in the future.

Malaysia has not been spared the scourge of online harm and cybercrime, with record losses in the billions. In addition, nonfinancial losses due to cybercrimes and online harms are significant and threaten the fabric of social cohesiveness, mental and physical health, and the economic development of Malaysia.

The trend is that cybercrime and online harm are likely to pose a significant threat to the national socio-economic and financial structures of a country. In essence, it will evolve into a threat to national security.

One component of cybercrime and online harm is online fraud, commonly known as “online scams”. Not a day passes without some report circulating in social media and in the mainstream press about a person being scammed out of their hard-earned money. 

The sophistication of some of these scams makes it very difficult for the average person to protect themselves adequately, despite the well-intentioned awareness and educational programmes on cybersecurity. 

The same applies to online harms such as fake news or information intended to assassinate a person's character or defame them. Often, because of the calculated and deliberate use of social media technologies, a person who is a victim of fake, false, and defamatory information is unable to effectively reply to the allegations because the “viral pathway” for the dissemination of the fake information is not readily available to the person who has been defamed.

Perhaps we need to come to the realisation that the huge problems we face today are a result of the unrestrained pursuit of digitalisation without a deep and responsible consideration for security. 

In essence, the true cost of digitalisation has been totally understated, and security and safety have been viewed as an afterthought and not by design. Sadly, those who sing the mantra of digitalisation and its benefits have been slow to allocate sufficient resources to ensure the protection of the public and their customers. 

Instead, they choose to place this responsibility solely in the hands of the government while reaping huge profits from digitalisation by operating the “digital highways”.

These digital highways, in the form of financial payment systems, telecommunication systems, social media platforms, and others, provide valuable services for a fee. 

Sometimes this fee is not directly in money but is hidden in the monetisation of your data, which is a non-negotiable condition for using the service. In fact, the right to monetise data and to give or sell it to so-called “strategic partners” creates a considerable cybersecurity risk that such data will fall into the wrong hands and be used to perpetrate scams and other criminal activity.

In most cases, the actual digital technology being used to provide these services is ultimately foreign-owned, with the source codes belonging to foreign global corporations. 

Ultimately, payment has to be made to them in the form of licensing fees and other charges or benefits for as long as the technology continues to be used.

However, when problems do occur, e.g., when a person is scammed out of their savings on these platforms, defamed, cheated, sold fake and dangerous items, or driven to self-harm, among others, many of these platforms “wash their hands” of their responsibility to compensate the victim or force upon the victim the burden of proving that the victim was not negligent. 

In some cases, they are painfully slow or refuse to take down material that is in breach of the law, false or defamatory, and is harming some individual.

This is akin to a toll concessionaire who charges the public a toll for using a highway and yet disavows responsibility or liability in the event an accident occurs because the highway has a pothole, is poorly lit, or a person is robbed on the highway. 

Worse still, there are cases where members of the public are forced to use these digital highways by being put to great inconvenience if they do not use them or are discriminated against if they wish to use “other roads”, such as when attempting to make payments in a non-digital legal tender (cash) form.

It is therefore not surprising that countries all over the world have realised that there must be a radical change in approach towards digitalisation and cybersecurity for governments to carry out their primary obligation to protect their citizens from threats, domestic and foreign. 

The present moves by Singapore and the European Union to start the conversation to shift legal liability, financial responsibility, and accountability to those who profit the most from digitalisation are intended to protect the public from the harm being caused.

I cannot help but note that the issues in the paper I had written last year, titled Cybersecurity – The need for a change in approach, have now ironically become a reality.

In essence, digitalisation, while bringing tremendous benefits, has also encouraged and empowered criminals on a scale never seen before. Using inherent weaknesses in digitalisation and the fact that security is more an afterthought than by design, the criminal or rogue actor is able to easily weaponise technology and its weaknesses on an industrial scale and wreak havoc on society. 

The paper went on to state that technology alone cannot combat cybercrime but must be supplemented with robust risk allocation and loss adjustment policies so that those who financially benefit the most must bear the highest risk as they are in the best position to mitigate the losses. 

Thus, the government must respond by ensuring that those who profit the most from digitalisation bear the highest responsibility for ensuring a safe digital banking, telecommunications, digital media, and digital payment ecosystem for their customers. 

Customers must be viewed as assets and not products, and sufficient resources must be devoted to cybersecurity for users. 

Ultimately, the legal responsibility for safety on the digital highway must be imposed on those who operate and collect “tolls” on these highways.  

Similarly, the present approach to regulating the dissemination of fake or false information online with the intention to cause harm and/or defame a person must be radically changed to meet the challenges and threats due to evolving technology such as artificial intelligence, deep fakes, and voice replication.

There are essentially four requirements to commit an online scam. Each of these elements needs to be dealt with individually and separately as part of a multi-layered defensive strategy.

These elements are anonymity, access to a telecommunications network, access to an account or payment system, and targeting information.

A brief description of these elements is as follows:

1. Anonymity

This is a critical factor in online scams, as perpetrators often use false identities, masked IP addresses, or fake profiles to avoid being identified. Anonymity makes it difficult for victims to trace and hold scammers accountable. To address this, it is essential to establish a system that can verify the identity of individuals using online platforms and ensure that they can be identified when necessary.

2. Access to a telecommunications network

Scammers need access to the internet and various communication channels to reach potential victims. They exploit the global connectivity provided by telecommunications networks to execute their scams, whether through emails, social media, or messaging apps. Ensuring that these networks have robust security measures and can track and report suspicious activities will help mitigate this aspect of online scams.

3. Access to an account or payment system

Scammers often use compromised or fake accounts to conduct their fraudulent activities, such as sending phishing emails or setting up fake online stores. To combat this, it is important to implement strong authentication methods and continuous monitoring of account activities to detect and prevent unauthorised access.

4. Targeting information

Scammers gather information about potential victims, such as personal details or financial information, to tailor their scams. This requires them to employ tactics like social engineering or data breaches. Protecting personal information and educating users on privacy and security best practices can help mitigate this aspect of online scams.

In this article, I will deal specifically with the issue of anonymity as it relates to cybercrimes and online harm in general.

Nearly all persons intending to commit a crime or engage in causing online harm do not wish to get caught and therefore want to remain anonymous. They strive to disguise and mask their identity, and committing online crimes gives them ample opportunity to do so. 

You can defame someone and avoid being sued because the victim does not know who you are and is unable to find out. You can scam someone while sitting at the beach in another country, away from the victim. 

You can create a Telegram group to scam people by using false identities, masking numbers, and constructing a group of other members, all part of the ruse to entice the target to invest money.

You can “spoof” (mask) someone else’s phone number or WhatsApp profile picture to make it appear that you are someone other than who you really are. 

The bottom line is that they do it because they know that you are unable to identify who they are, and therefore there must be a radical change in approach in ensuring that anyone who accesses a network facility must be able to be identified whenever they are online, more so when a crime has been committed. 

This will enable the victim to take legal action in addition to the government prosecuting them under the law. To do this, the government must ensure that, as a policy, no unsolicited communication is allowed, and anybody who communicates with another person must disclose their identity, which must be reasonably authenticated by the service provider that authorises the person who uses the service. 

If such a communication takes place and the service provider cannot confirm the identity with reasonable diligence, they must be held financially liable to compensate any victim and liable to penalties. 

For example, if a stranger walks up to you, calls you by name, and attempts to start a conversation, and you ask him to identify himself and he refuses to do so, this would be considered unacceptable and rude in daily life. 

Similarly, it is equally unacceptable for a party to communicate online with you while refusing to identify themselves.

The following methods should be discussed with stakeholders and considered to reduce the element of anonymity being used to avoid legal responsibility.

All social media, OTT platforms, and digital service providers, whether creating or hosting content, must be registered or licensed and subject to the relevant Malaysian laws governing those who provide network services.

All persons who access or use a network facility must be registered with strong proof of identity, and the network service provider providing the network facility service or online platform must be made legally responsible for ensuring the same. 

For example, the process of registration of SIM cards or registration for OTT platform services must be improved with sufficient documentation to prove identity, for which the legal liability is strictly on the service provider.

Substantial fines must be imposed and made enforceable globally, including against the IP rights of the service provider or OTT platform where there are serious breaches in relation to identification. Such fines should be based on a percentage of global revenue in serious cases.

No unsolicited digital communication without identification of the actual sender should be allowed on any platform or service.

All persons who receive unsolicited communications are entitled to immediately obtain from the service provider the identity of the actual person who sent the communication. As such, the technology should be modified to allow this.

All service providers, including e-commerce platforms, must adopt a strict “know your customer” policy, and legal liability to compensate will be imposed on those platforms in the event of fraud conducted by an anonymous seller who was able to remain anonymous because of the failure of the platform to have strong identity verification procedures.

A central registry must be created so that deregistered phone numbers or roaming numbers are kept, enabling effective anti-scam and anti-spam measures to be implemented, which should be mandatory.

All platforms that host fake news or defamatory material will be held liable in the event they fail to provide the identity of the party that posted the defamatory material to the person defamed and who intends to seek legal redress.

While freedom of speech is to be cherished, there must be accountability for the exercise of that right. Where that freedom is used to commit a scam, a fraud, to defame some person, or to commit a crime, accountability and justice can only be obtained if the perpetrator is not allowed to hide behind the veil of anonymity. 

The duty to verify identity in relation to a digital service must fall upon the entity providing the digital service. – November 8, 2023

Derek Fernandez is a commissioner for the Malaysian Communications and Multimedia Commission
