Data harvesting – scammers profit from your memories (safety guide)

Data harvesting is when personally identifiable information is collected by social media, apps, scammers, AI, and just plain cybercrooks.

My daughter gave me an annual subscription to an app that sends you weekly questions with AI prompting to answer, ostensibly so that the daughter and family can get to know Dad better.

It is data harvesting at its worst. Poor Dad is subjected to weekly cleverly socially engineered questions that open his life to endless potential scams. Worse, it is now aided by AI that knows what buttons to push. They also sell your data to advertisers, affiliate marketers, price comparison websites, social media, funeral homes, charities, and more.

XXXX provides a beautiful and secure online space to gather, share, and preserve memories, stories, photos, and messages celebrating your life. It’s a lasting tribute where family and friends can connect and remember together, no matter where they are.

But they promise privacy – and you are an eternal optimist

There is no third-party assessment of privacy policies or way to enforce them. The main tricks (subterfuge) include:

  • Define the site owner as ‘We’, including suppliers, affiliates, marketers, data brokers, governments, etc.
  • Define data as anything on their servers; in short, they own that and can do whatever they want.
  • Not defining which cloud or country your data is stored in. ‘We comply with the requirements of the applicable laws in the respective [cloud] jurisdictions.’ Chances are that it is China, and the PLA and Communist Party have unfettered rights to any data on Chinese clouds.
  • No sharing data without your consent (which you gave by using the service). Many use nested policies so that agreement with one means agreement with all.
  • They won’t sell your data (but that does not include rent!).
  • Log in with Facebook or TikTok social media to give them automatic access to your data there.
  • Many refer to the European Commission’s GDPR, UK Data Protection Act, and California Consumer Privacy Act, but this is more of a placebo effect to make you think they comply.
  • Not stating the applicable law for the policy.
  • Future Sale: It cannot be guaranteed that a future owner will not change current privacy policies, knowing that these sites are mainly for scams.

Privacy policies are not worth the zeros and ones they are written on.

Data Harvesting is the river of gold to scammers

In this case, the 52 questions and AI prompting lull you into a false sense of security when building your profile. They might include:

  • Date of birth: What significant event happened in the year you were born? AI adds, “Why not enter MM/DD/YYYY and your birth city, and we can search for you?”
  • Mother’s Maiden Name: What are your earliest memories of your mum? AI adds, “Tell your mum’s story. Where was she born? Do you know the date?” (A typical ID question).
  • School: When and where did you go to school? What was your first teacher’s name? (Another typical ID question).
  • What was your favourite pet? What was their name? (Another typical ID question).
  • Location: What do you like about where you live? What are your favourite stores, gyms, and cafes? Give a shout-out for good service. (This helps scammers localise the scam).
  • What are your children’s and grandchildren’s names? Tell us about them. (This helps scammers personalise the scam appeal).
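
To see how quickly harmless-looking weekly prompts add up, here is an added example (not part of the original article or of any app it describes) that tags each prompt with the kind of identity data it solicits and tracks cumulative exposure week by week. The keyword rules and the sample prompts are constructed for illustration.

```python
import re

# Constructed keyword rules for the question types the article lists.
# They are illustrative assumptions, not a vetted detection ruleset.
RULES = {
    "date_of_birth": r"year you were born|date of birth|mm/dd/yyyy",
    "birth_place": r"birth city|where were you born",
    "mothers_maiden_name": r"\b(?:mum|mom|mother)\b",
    "school_or_teacher": r"go to school|first teacher",
    "pet_name": r"\bpet\b",
    "location": r"where you live|favou?rite (?:stores|gyms|cafes)",
    "family_names": r"(?:grand)?children\W?s names",
}
COMPILED = {k: re.compile(v, re.IGNORECASE) for k, v in RULES.items()}


def classify(prompt):
    """Return the sorted categories of identity data a prompt solicits."""
    return sorted(k for k, rx in COMPILED.items() if rx.search(prompt))


def exposure_timeline(weekly_prompts):
    """Track which categories have been disclosed after each weekly prompt."""
    seen, timeline = set(), []
    for week, prompt in enumerate(weekly_prompts, start=1):
        new = set(classify(prompt)) - seen
        seen |= new
        timeline.append((week, sorted(new), len(seen)))
    return timeline


# Constructed sample: prompts paraphrased from the list above plus one benign control.
SAMPLE = [
    "What significant event happened in the year you were born?",
    "Why not enter MM/DD/YYYY and your birth city, and we can search for you?",
    "What are your earliest memories of your mum?",
    "What is your favourite season and why?",
    "What was your first teacher's name?",
    "What was your favourite pet? What was their name?",
    "What are your favourite stores, gyms, and cafes?",
    "What are your children's and grandchildren's names?",
]

if __name__ == "__main__":
    for week, new, total in exposure_timeline(SAMPLE):
        print(f"week {week}: new={new or '-'} total={total}/{len(RULES)}")
```

Run over the sample, every category is covered by week eight even though no single prompt asks for more than two.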

As time passes, the questions get more personal, aiming to extract sensitive information. This information may include an individual’s racial or ethnic origin, sexual orientation, political opinions, membership of a political association, religious or philosophical beliefs, trade union or other professional body membership, criminal record, or health information.

I could go on, but you get the drift. This is all personal information that helps build your dark web profile. It goes into the data-harvesting pressure cooker until it is cooked enough to serve up a scam.

Name names, please?

Libel laws preclude us from reporting on matters other than those of public interest. Without being trite, this includes any service that asks for personal information.

You first notice the professional-looking website littered with quotes from happy users or media outlets – all lies. Or you see it has been reviewed by so-called trustworthy review sites with hundreds to thousands of positive reviews. This is called review stuffing.

You can buy fake reviews from review factories in places like Hong Kong, India and the Philippines, where English is usually the first language. Payment is a few dollars (big money to them). The aim is to boost product ratings or take down a competitor’s ratings. More recently, fake review factories in the Middle East have helped to finance a war.

There are comprehensive Reddit Boards and YouTube tutorials that teach people how to write fake reviews. Thousands of workers submit fake reviews to Fakebook, Google, Amazon, Trustpilot, Reviews.Org, and anywhere else they can find an audience. Boosting means many reviews suddenly appear (as evidenced by a timeline). Taking down a competitor takes longer – a concerted attack over many months.
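
The timeline signal mentioned above can be checked mechanically. This added example (not from the original article) buckets review dates into weeks and flags any week far above the listing's usual rate; the thresholds and the review dates are constructed assumptions.

```python
from collections import Counter
from datetime import date, timedelta
from statistics import median


def weekly_counts(review_dates):
    """Bucket review dates into consecutive 7-day bins from the first review."""
    start = min(review_dates)
    bins = Counter((d - start).days // 7 for d in review_dates)
    n_weeks = (max(review_dates) - start).days // 7 + 1
    return start, [bins.get(w, 0) for w in range(n_weeks)]


def find_bursts(review_dates, factor=5, min_reviews=10):
    """Return (week_start, count) for weeks far above the listing's usual rate.

    A week is flagged when its count is at least `min_reviews` and more than
    `factor` times the median weekly count (both thresholds are assumptions).
    """
    start, counts = weekly_counts(review_dates)
    baseline = max(median(counts), 1)
    return [
        (start + timedelta(weeks=w), c)
        for w, c in enumerate(counts)
        if c >= min_reviews and c > factor * baseline
    ]


def build_sample():
    """Constructed data: 2 reviews a week for 20 weeks, plus 40 extra in week 12."""
    first = date(2024, 1, 1)
    organic = [first + timedelta(weeks=w, days=d) for w in range(20) for d in (0, 3)]
    stuffed = [first + timedelta(weeks=12, days=i % 3) for i in range(40)]
    return organic + stuffed


if __name__ == "__main__":
    for week_start, count in find_bursts(build_sample()):
        print(f"burst: week of {week_start.isoformat()} had {count} reviews")
```

A slow campaign spread over many months, as described for competitor take-downs, will not trip a weekly burst check like this one.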

Why can’t these sites be identified and taken down?

The Internet is the Wild West, and there are no Sheriffs. There are over 2 billion domains and about 500 million legitimate websites (owned by governments, enterprises and individuals using the web for promotion, sales, and information).

About 2 million are active fake websites, with 45-60,000 new sites appearing and a similar number disappearing each week. In Australia, ASIC blocks about 20 of these sites daily.

About 1 million can be activated in a heartbeat and are primarily registered in Russia, China, India, Southeast Asia, Turkey, and Persian countries for dark web and scam use.

CyberShack’s view – data harvesting is all because you overshare online

If a website or service asks for personal information, forget it. Simple common sense. Because once on the internet, it is there forever.

The hidden metadata allows the dark web to file that in your profile, and then nefarious AI determines when you are ripe for the picking.

If you want to document your life, there are many easier, safer, and cheaper ways to keep an electronic diary. Use Word, or jot down a few thoughts and email them to yourself.

Brought to you by CyberShack.com.au