Spam and text-based scams

We’ve all had to contend with unsolicited communications and messages meant to facilitate fraud. They’ve been around for a long time. It’s just that once the internet became an integral part of our lives, their use became more rampant and caused more harm as a consequence.

Today, many of us have learned our lessons. So much so that most would now be quick to dismiss any email purporting to come from a Nigerian prince, the administrator of a recently deceased millionaire, a lottery company, or even a distant relative in distress in some foreign country.

Apart from our informed and more cautious approach, email providers and site hosting companies have also developed filters that weed out most of them as soon as they land on our accounts. There is a reason why we now have default “spam” or “junk” folders.

Unfortunately, before we got to celebrate these notable gains, the smartphone was introduced to the world. With it came the resurgence of spam and text-based scams—this time, via SMS capable of accommodating embedded links that lead to fake or phishing websites.

In the spate of recruitment scam and bank fraud incidents last year, malicious SMS figured prominently in many of the cases. Some victims admitted to clicking on links featured in the messages. They ended up giving away their money and bank credentials to fraudsters and other cybercriminals.

These past couple of weeks, these types of messages are again hogging the headlines.

What has gotten people all riled up this time is this new wave of messages that already feature their real name or some variant thereof. The new modus lends a more intimate feel to the communication, much to the recipients’ alarm and consternation. The attack is more personal, given how it makes plain that a serious privacy intrusion has just occurred.

Even Supreme Court Justice Leonen could not avoid expressing distress over the matter, going so far as to offer a theory regarding the possible source of the personal data. He suggests that a “data provider” has probably leaked or sold its database to whoever is behind these anonymous messages.

He’s not alone. In fact, on both social media and mainstream media, people have been more specific with their suspicions. Telecommunications firms, chat applications, e-money issuers, e-commerce platforms, online lending companies, banks, and contact tracing apps are just some of the entities identified as possibly leaking information.

Unfortunately, without a whistleblower or a confession from someone directly involved in this criminal enterprise, it’s nearly impossible for investigators to confirm any of these speculations. Personal data is being collected and processed on a daily basis by so many different organizations—for valid reasons. In nearly all instances, people turn over their personal data voluntarily, with nary a second thought or moment of hesitation.

But all it takes is for one rogue employee to copy and sell his organization’s database for a simple rule violation to snowball into a monstrosity like the one we’re now forced to confront. Mind you, it’s not difficult to get buyers for this sort of material. There is a huge market for it online, as a quick search is sure to confirm. Back when I was still with the National Privacy Commission, one particular site (“pinoydatabase.com”) actually ended up in our crosshairs. While that site was eventually taken down, many like it exist today in plain sight.

On a related note, let’s not forget how many massive data breaches have occurred just these past several years. The crucial information now being used for all these anonymous messages (e.g., people’s names and contact numbers) may be sourced from nearly all of them. One could then argue that any one of those affected organizations could potentially share some of the blame for the current mess we’re in.

But nowhere is the difficulty of determining the source of a data leak more obvious than in the overwhelmingly misdirected reaction of almost all parties concerned. While they continue to hypothesize and offer guesses as to who is giving away people’s information, most of their energy is spent harboring an unhealthy obsession with SIM card registration as the ultimate solution to the problem.

Legislators, regulators, and even the public at large believe that if only one could attach a name to every SIM card out there, we’d be waving goodbye (for good) to all these spam and text-based scams in no time. They fail to appreciate how much of a knee-jerk reaction this approach is and how this seemingly simple fix is short-sighted and may end up blowing up in our faces in the long run.

To be clear, despite the global popularity of SIM card registration, there is very little evidence being offered regarding its effectiveness in curbing criminal activities. If that seems surprising, it shouldn’t be. Not when there is a constantly growing list of strategies designed to circumvent this particular type of regulation, including: (1) SIM cloning; (2) SIM swapping; (3) sending texts anonymously by email; (4) sending texts anonymously via messaging websites; (5) sending texts anonymously using smartphone apps; (6) sending messages via stolen phones; and (7) sending messages using SIM cards purchased abroad.

With this many options out there, it looks like a simple shift in tactics is all it takes for scammers and other fraudsters to render a SIM card registry useless and instead turn it into one big security liability. From a database meant to prevent problems, it might actually end up perpetuating them or making them worse.

But that doesn’t have to be the case. We can steer clear of that fate.

Policymakers, regulators, law enforcement authorities, and even industry stakeholders need to take off their horse blinders and look at this problem with a fresh pair of eyes. They must possess both the willingness and a genuine commitment to explore all options, instead of repeatedly hovering around this one measure that is in and of itself fraught with risks—intended or otherwise. Also, lest we forget, SIM card registration only claims to address one side of the equation. It does absolutely nothing to address leaking databases. A fair point to make, to be sure.

To illustrate this point further, allow me to share my experience when I presided over this privacy workshop about three months ago. The participants came from all over Southeast Asia. I realized then that it was a perfect opportunity to look into this issue with spam and text-based scams, and how SIM card registration helped in addressing it (if at all), because most countries in the region do have such a policy in place.

I asked them a simple question: who among those living in countries that have SIM card registration can attest to it having effectively resolved their spam and text-based scam problem? Nobody. To this day, they continue to get anonymous messages just like us. Worse, they now also have to worry about what their governments are using their registration data for.

We should let that point sink in. It’s telling us something. The sooner we realize what that is, the more likely we’ll be able to figure out solutions to this problem with spam and text-based scams that are actually viable and effective.

Jamael Jacob (@jamjacob) is a lawyer specializing in the field of law, ICT, and human rights. He works for the University Data Protection Office of the Ateneo de Manila University, the Foundation for Media Alternatives, and the LIGHTS Institute. The views expressed herein do not necessarily represent or reflect the views of the organizations he is currently affiliated with.