PETALING JAYA: Malaysia has not been spared the scourge of online harms and cyber crimes, with losses in the billions of ringgit, says Derek Fernandez.
The Malaysian Communication and Multimedia Commission (MCMC) commissioner also said that non-financial losses due to these cyber crimes and online harms are significant and threaten the fabric of social cohesiveness, mental and physical health and the economic development of Malaysia.
"The sophistication of some of these scams makes it very difficult for the average person to protect themselves adequately," Fernandez said in a statement Tuesday (Nov 7).
He added that anonymity is one of the four requirements needed to carry out cyber crimes and online fraud and more must be done to ensure the safety of the public.
"There must be a radical change in approach in ensuring that anyone who accesses a network facility must be able to be identified whenever they are online, more so when a crime has been committed," he said.
The full text of his statement can be read below:
Hiding behind Anonymity
By Derek Fernandez
THE worldwide surge in online harms and cybercrimes has cost the world trillions of dollars annually and is expected to rise substantially in the future. Malaysia has not been spared the scourge of online harms and cybercrimes, with record losses in the billions.
In addition, non-financial losses due to cybercrimes and online harms are significant and threaten the fabric of social cohesiveness, mental and physical health and the economic development of Malaysia.
One component of cybercrimes and online harms is online fraud, commonly known as “online scams”. Not a day passes without some report circulating in social media and in the mainstream press about a person being scammed out of their hard-earned money.
The sophistication of some of these scams makes it very difficult for the average person to protect themselves adequately.
The same applies to online harms such as fake news. Often because of the calculated and deliberate use of social media technologies, a person who is a victim of fake, false and defamatory information is unable to effectively reply to the allegations because the “viral pathway” for the dissemination of the fake information is not readily available to the person who has been defamed.
Perhaps we need to come to the realisation that the huge problems we face today are a result of the unrestrained pursuit of digitalisation without a deep and responsible consideration for security.
In essence, the true cost of digitalisation has been totally understated and security and safety have been viewed as an afterthought and not by design. Sadly, those who sing the mantra of digitalisation and its benefits have been slow to allocate sufficient resources to ensure the protection of the public and their customers.
Instead, they choose to place this responsibility solely in the hands of the government while they reap huge profits from digitalisation by operating the “digital highways”.
These digital highways in the form of financial payment systems, telecommunication systems, social media platforms and others provide valuable services for a fee. Sometimes this fee is not directly in money but is hidden in the monetisation of your data, which is a non-negotiable condition for using the service.
In fact, the right to monetise data and to give/sell it to so-called “strategic partners” creates considerable cybersecurity risk that such data will fall into the wrong hands and be used to perpetuate scams and other criminal activity.
In most cases the actual digital technology being used to provide these services is ultimately foreign owned and the source codes belonging to foreign global corporations.
Ultimately payment has to be made to them in the form of licensing fees and other charges or benefits for as long as the technology continues to be used. However, when problems do occur, eg, when a person is scammed out of their savings on these platforms, defamed or cheated, many of these platforms “wash their hands” of their responsibility to compensate the victim, or force upon the victim the burden of proving that the victim was not negligent.
In some cases, they are painfully slow or refuse to take down material that is in breach of the law, false or defamatory, and is harming some individual.
This is akin to a toll concessionaire who charges the public a toll for using a highway and yet disavows responsibility or liability in the event an accident occurs because the highway has a pothole, is poorly lit, or a person is robbed on the highway.
Worse still there are cases where members of the public are forced to use these digital highways by being put to great inconvenience if they do not use it, or are discriminated against if they wish to use “other roads” such as attempting to make payments in a non-digital legal tender (cash) form.
It is therefore not surprising that countries all over the world have realised that there must be a radical change in approach towards digitalisation and cybersecurity in order for governments to carry out their primary obligation to protect their citizens from threats domestic and foreign. The present moves by Singapore and the European Union to start the conversation to shift legal liability, financial responsibility and accountability onto those who profit the most from digitalisation are moves intended to protect the public from the harm being caused.
There are essentially four requirements to commit an online scam. Each of these elements needs to be dealt with individually and separately as part of a multi-layered defensive strategy.
These elements are:
- Anonymity;
- Access to a telecommunications network;
- Access to an account or payment system; and
- Targeting.
In this article I will deal specifically with the issue of anonymity, as it relates to cybercrimes and online harm in general.
Nearly all persons intending to commit a crime or engage in causing online harm do not wish to get caught and therefore want to remain anonymous. They strive to disguise and mask their identity, and committing online crimes gives them ample opportunity to do so.
You can defame someone and avoid being sued because the victim does not know who you are and is unable to find out.
You can “spoof” (mask) someone else’s phone number, or WhatsApp profile picture, to make it appear that you are someone other than who you really are. The bottom line is they do it because they know that you are unable to identify who they are, and therefore there must be a radical change in approach in ensuring that anyone who accesses a network facility must be able to be identified whenever they are online, more so when a crime has been committed.
This will enable the victim to take legal action in addition to the government prosecuting them under the law. To do this, the government must ensure that as a policy, no anonymous digital communication is to be allowed and anybody who communicates with another person must disclose their identity, which must be reasonably authenticated by the service provider that authorises the person who uses the service.
If such a communication takes place and the service provider cannot confirm the identity with reasonable diligence, they must be held financially liable to compensate any victim and liable to penalties.
The following methods should be discussed with stakeholders and considered to reduce the element of anonymity being used to avoid legal responsibility.
1. All social media, OTT platforms and digital service providers whether creating or hosting content, must be registered/licensed and subject to the relevant Malaysian laws governing those who provide network services.
2. All persons who access or use a network facility must be registered with strong proof of identity and the network service provider providing the network facility service or online platform must be made legally responsible for ensuring the same. Eg, the process of registration of SIM cards or registration for OTT Platform services must be improved with sufficient documentation to prove identity, of which the legal liability is strictly on the service provider.
3. Substantial fines must be imposed and made enforceable globally including against the IP rights of the service provider or OTT platform where there are serious breaches in relation to identification. Such fines should be based on a per centum of global revenue in serious cases.
4. No digital unsolicited communication without identification of the actual sender should be allowed on any platform or service.
5. All persons who receive unsolicited communications are entitled to immediately obtain from the service provider the identity of the actual person who sent the communication. As such the technology should be modified to allow this.
6. All service providers, including e-commerce platforms, must adopt a strict “know your customer” policy, and legal liability to compensate will be imposed on those platforms in the event of fraud conducted by an anonymous seller who was able to remain anonymous because of the failure of the platform to have strong identity verification procedures.
7. A central registry must be created so that deregistered phone numbers or roaming numbers are kept to enable effective anti-scam and anti-spam measures to be implemented, which should be mandatory.
8. All platforms that host fake news or defamatory material will be held liable in the event they fail to provide the identity of the party which posted the defamatory material to the person defamed and who intends to seek legal redress.
While freedom of speech is to be cherished, there must be accountability for the exercise of that right. Where that freedom is used to commit a scam, a fraud, to defame some person or to commit a crime, accountability and justice can only be obtained if the perpetrator is not allowed to hide behind the veil of anonymity.
The duty to verify identity in relation to a digital service must fall upon the entity providing the digital service.
DEREK FERNANDEZ
The views expressed in the above article are the personal views of the writer.