After I published the analysis regarding the mirage of cryptocurrencies, I received an irresistible invitation: an IT consultant offered to give me a demonstration, in front of the laptop, of the connection between cryptocurrencies and the black market. The exercise turned into a three-hour discussion on cybersecurity, and ended with unexpected conclusions about identity theft for political purposes.
I was in my first year of college, and in about my third year of using the computer I had in front of me, when my father sent me a message he’d received from a colleague: “If you receive an e-mail from an unknown source, with an attachment with a weird extension, don’t open it. It’s a trojan virus that infects your computer without your knowledge.” It seemed pretty serious, so during my next computer class, I asked the professor what he could tell us about these viruses.
Very persuasively, he told us “not to be afraid of any trojan. Anything that breaks on a computer can be repaired.” This motto—which I still believe in today, only differently worded—helped me enormously to accelerate my pace of learning to work on the computer, because it encouraged me to treat the computer not as a magical object, but as a sum of logical operations. All I had to do was calculate my actions.
I am tempted to look nostalgically at that time when I was convinced that I had nothing to lose by doing whatever I could think of on my computer, as long as I did not venture into “social” spaces with questionable legality. Social media didn’t exist, Google hadn’t even created Gmail yet, and big data was just an elitist hypothesis that hadn’t yet reached my ears. At the same time, hundreds of miles away from me, a young man seeking financial emancipation caused huge losses to people who, unlike me, used the computer for something other than school essays, video games, and occasional access to IRC. The method he had chosen was carding—stealing credit card numbers.
That was a time when most users would receive only about one e-mail a week and would usually show too little suspicion towards an e-mail which asked them to enter their card details to pay a tax. So the young man managed very easily to obtain card numbers, which he then used for shopping on international websites. Together with a few friends, he developed a small network through which the products would reach Romania, being delivered right at the gate of the high school where they studied. They sold these goods for money that allowed them an extravagant lifestyle that their peers only saw in movies.
The scheme worked for a while and our young man quietly took care of his “job” at the institute where his mother worked, because the organization was privileged with broadband internet access, while the majority of the population was only able to access the internet via dial-up.
One day, however, because he forgot to take a step in the security ritual by which he hid his actions, he got himself tracked down by the police. Face to face with the despair of his mother—who was forced to use her professional influence so he could escape the legal punishment his friends in the network had failed to escape—he switched camps. He says that since then, he has still had circumstances—some extremely pressing—in which he was tempted to “borrow” money at other people’s expense, but he decided not to do so.
Instead, he chose to use everything he had learned since 1995, when he received his first computer, working in the field of security risk assessment. He has had and still has several profitable businesses in the IT field. He likes to say that he grew up with the internet in Romania and that, due to the fact that he has always been a self-taught technician, there is no innovation in IT that he can’t understand if he puts his mind to it. I could say that his self-characterization resembles the motto of my computer science professor. But at this point in our history today, the teacher’s optimism is unfortunately no longer well-placed. The stakes have simply become too high.
Let the demonstration begin!
We are in a crowded mall in Bucharest and we connect to the darknet, that network inhabited mostly by traffickers of all kinds and their customers.
The whole demonstration takes place on a temporary virtual machine, which we access remotely, on a laptop connected to the internet by phone. My source explains to me that many of the public wi-fi connections in malls, airports, restaurants and hotels are vulnerable to “man in the middle” attacks (i.e. through an intermediary who, during the connection, can clone the user’s data). Although I sense that most users access the black market in the darknet through much simpler avenues (like this journalist from The Guardian), my source tends to be more cautious.
We enter Tor, an open source browser that works on the principle of anonymizing users. Tor (an acronym of The Onion Router) was created by the United States Naval Research Laboratory and is still funded by the US State Department. Tor sites are called “services” and do not have the usual lightweb suffixes (.com, .org, etc.), but usually use the .onion suffix. Due to the way it is built, the browser directs traffic through several servers and encrypts each of these “stops”.
For example, it displays us as connected from Germany. This not only allows users to remain completely anonymous, even to network administrators, but also provides access to the network even in countries where it has been censored. For example, the activists who participated in the “Arab Spring” are thought to have made full use of the communication options available through Tor.
Therefore, the legal users of the browser include the military, police officers, journalists, dissidents or regular users who want to keep the confidentiality of their internet traffic. But in addition to these, Tor also hosts a large segment of users who visit sites that are hidden from regular search engines, which sell illicit products (drugs and medicines, small military accessories, malware, child pornography and even people). In order to understand the roots of this principle of anonymization, however, we need to dig even deeper into history, to the libertarian past of the darknet. But first, let us understand what we are talking about when we refer to the “darknet”.
Darknet/darkweb vs deepweb
Although many use the terms deepweb and darknet/darkweb interchangeably, they represent different things. Deepweb describes sites/web pages that are not indexed by public search engines, but that can be accessed by the owners of a direct link/subscription through regular web browsers (some press journals, for example, do not allow indexing of articles that can be accessed by users only on a subscription basis).
Darknet and darkweb are parallel networks, which use the Internet, but are accessible only through dedicated browsers (such as Tor), and only after applying special settings/authorizations of the computer. The difference between darknet and darkweb is that the first refers to resources such as social networks, forums, gaming servers, while the second does not include any communication channel, only sites.
Darknet, explains political science and international relations professor Henry Farrell, is “a product of debates among technology-obsessed libertarians in the 1990s. These radicals hoped to combine cryptography and the internet into a universal solvent that would corrupt the bonds of government tyranny. New currencies, based on recent cryptographic advances, would undermine traditional fiat money, seizing the cash nexus from the grasp of the state.
‘Mix networks’, where everyone’s identity was hidden by multiple layers of encryption, would allow people to talk and engage in economic exchange without the government being able to see.”
What I saw in a darknet store
Today, seemingly far from the eyes of the government, the darknet trades products like the ones I could see with my own eyes, being sold on the White House Market service, a trading site only available in the darknet (now closed), where transactions were carried out based only on Monero, an anonymized cryptocurrency.
I saw packages with large quantities of medicines that can normally only be obtained with a prescription from a specialist (I saw a pack of 4,000 Clonazepam pills, an addictive tranquilizer, at a higher concentration than available in pharmacies, being sold for $10,000); slimming drugs that were previously withdrawn from the market; passports, driving licenses, false identity documents; bulletproof vests; active card numbers and, most interestingly, cloned identities.
A bank card with a few hundred dollars on it can cost as little as $10. The price is sometimes 24 times lower than the maximum card limit because, in addition to the price, the buyer also assumes the risk of paying for that card with their own freedom if caught. But the prices of footprints are much more variable.
Along with my source, I browsed through a few profiles for sale. There were identities that included Gmail, Facebook, Netflix accounts, and accounts on various clothing stores, but also passwords to banking services, trading sites, and savings accounts. The price for such a digital footprint differs depending on the variety of information it provides. The most expensive are the “fullz” identities (from full credentials, complete data). I saw footprints that cost a few dollars and others that cost over a hundred dollars, and this only in one “store”.
Comparitech surveyed the price lists available in almost 50 markets (stores) on the darknet and found that the most expensive complete identities belong to residents of Japan, the United Arab Emirates, and various European Union countries. On average, a footprint costs about $25. According to the same report, prices for card numbers range widely: from 11 cents to almost $1,000. In the United States alone, $712 billion in identity theft was reported in 2020.
All this identity trafficking, my source tells me, is paid for predominantly with cryptocurrencies. With the advantage of being much less transparent than fiat currencies, some of which are even highly anonymized (very complex operations are needed to nominally identify the source/recipient of a payment), virtual currencies are, therefore, an accessory of an infrastructure “bigger than we intuited. An accessory of a huge device, yes. This is the reason why their normalization is sought, their acceptance on a large scale, their consideration as the currency of the future with which we will be able to go and buy anything, anywhere…”
One of the things Professor Henry Farrell noticed when analysing the story of the famous Silk Road, a now-defunct darknet service, is that it followed an old pattern, originally identified by the philosopher Thomas Hobbes. The systems that are born outside of the law, as quasi mafia revolts against the organization of the state, end up becoming bureaucratized and become themselves miniature states, internally dominated by the same distrust shown to those outside the system.
Therefore, perhaps the most important lesson to be learned from all this discussion of the darknet as a paradise of confidentiality, and cryptocurrencies as a safe alternative to fiat currencies, would be to exercise sound caution over systemic reconstructions that promise, more obviously or not, futures that are merely utopian ideas.
But, from here on, the stakes my source is discussing are even higher
Source: Identity theft is the simplest and most common method of stealing data. There are several levels: you can steal a certain element or, more complex, steal the person altogether. You, at the moment, this year, are represented in society by a digital footprint. If I am able to copy your entire footprint, I become you. And you lose any advantage you have.
AK: But how do you do that? One’s digital identity is fragmented in so many directions…
S: Beginner hackers try to steal items; for example, to steal your credit card and buy things with your money, to steal your Facebook account and sell it to others, or to steal your Spotify account and sell it to someone else, etc. A black hat (who is hacking with malicious intentions) steals thousands of identities and forms cohorts.
When someone does this, we are already talking about collective manipulation, maybe even global manipulation, which can reach the level of “history steering” (history steering, as a concept, belongs to the theory of political targeting mechanisms, but my source uses it in the sense of manipulating)—that is, to take a certain cohort of people and, without them knowing, to push them in a direction that you want.
There can be no comparison between the effects produced by a young person who buys cards to be able to move away from home, and the effects produced by politicians with serious funding, who buy clusters of psychological profiles obtained and alienated without consent, in order to use them in micro-targeting election campaigns. The Cambridge Analytica scandal is the best-known example of this practice. In 2010, data belonging to 87 million Facebook users was collected without their consent (stolen) by a British political consulting company, transformed into psychological profiles of users and sold for a fee in the presidential campaigns of Ted Cruz and Donald Trump, in 2016.
In 2018, Cambridge Analytica was disbanded, but former employees of the company later set up their own consulting firms. And Cambridge Analytica was just the company that caused a global scandal; it is not the only one that has resorted to micro-targeting for electoral purposes.
The practice of micro-targeting existed before Cambridge Analytica, and did not necessarily resort to illicit means of obtaining data. But what is this micro-targeting really? According to the AntiFake.ro project, which brings together Romanian experts in the field of communication and misinformation, “Micro-targeting uses our personal data to create very precise psychological profiles and to personalize advertising messages according to those profiles. For a decade already, marketing studies have confirmed that people are several hundred times more willing to click on an ad that addresses their specific profile.”
In other words, micro-targeting involves the massive collection of data, through technical means, using the footprint of internet users (i.e. all those actions of ours on social media, such as posts, likes, clicks, shares and images), which say something about us, about our preferences, concerns, moods and inclinations.
All this, corroborated by statisticians, can create a psychological portrait of that user. In election campaigns (as well as in advertising) knowing the preferences of the electorate is essential in order to ensure the match between the political message/appeal (to vote for/adhere to a certain policy) and the characteristics of the target audience. The stake is, of course, the direction of behaviour (voting, in the case of elections; buying behaviour in the case of advertising campaigns).
My source, a volunteer in the red-team of a recent candidate in the Romanian presidential election, explained to me that the biggest disadvantage of the fact that mass manipulation techniques are advancing with technology is the gap in knowledge and power between those being manipulated and those who have the capacity (technical and financial) to manipulate. Because the former are not educated about propaganda strategies, they easily become victims.
Even when obtained legally, these psychological profiles derived from our online activity can end up being used for propaganda purposes or in promoting ideologies contrary to our best interests. It was through micro-targeting that African-American citizens were easily given the false message that their votes do not matter, which generated a low turnout and representation of this cohort (read here the Bloomberg investigation that uncovered the strategy).
S: Everyone tries to ensure their cohort-targeting posts have as high a reach as possible. It’s what the Russians are doing now—and doing it very well (see investigations into Russian interference in the US elections, the pro-Brexit campaign, the European Parliament elections, etc.)—that is, manipulating crowds. You take a very large segment of the population and take it in a certain direction. If that segment of people is well chosen and targeted, it will bring with it a second natural cohort (of those converted by the first). This is what is called a “state sponsored attack.”
S: That’s why there is such a high stake put on you as a person. Because you represent a small number in a very large number. You are a footprint in a world that is extremely easy to manipulate.
AK: But shouldn’t it be the other way around? I mean, shouldn’t I matter less precisely because I’m just a small digit in a very large number?
S: No, because if everyone were considered small, the cohort could no longer be formed. We are all unimportant, but together we form the majority. No one is critical, but we are all important in a certain direction.
AK: At this point, what could an ordinary person do to minimize their digital footprint so that it is as manipulation-proof as possible?
S: I honestly don’t know. I don’t think anything can be done. What could there be? Moving into the woods? Have you ever walked into a store? You’re in their system. Face recognition (identification by facial features), right? [For example] on the street. Are you walking around Paris? [You see] a large banner: “This city is video-surveilled.” If you are willing to always walk with a hood, pay only in cash and not wear any device with radio transmission, not even a Nokia 3310, then yes, you can say that you raise some difficulties to the system.
But the moment you carry a device with you that personalizes your ads based on what you’ve talked about in the last 60 minutes and you’re in a mall full of cameras that will probably have face recognition in 5 years, or in a store that, probably in 5-10 years, will have an AI that analyzes your purchases in the last 6 months and optimizes your shopping experience based on the transactions on your credit card…
You are a number. A number that, without your will, will be pushed right or left by consultants. Like me. Depending on what I think is ethical, from my point of view. Maybe my ethics are wrong. It’s great for me, but maybe it’s bad in itself. I don’t have the ability to do my own assessment. And that’s not good at all. Because, the moment you depend on the good intentions of a single John Doe, the world becomes a very dangerous place.
Coda
The time when a Trojan virus could, at most, erase my tiny collection of digital photos or prevent me from opening my computer without first having to reinstall its operating system (the two most serious cybersecurity risks I faced during college) is long gone. Today, not only have we digitized 99% of our photos and have no backup (neither digital nor printed), but, more importantly, we have become accustomed to storing extremely sensitive data on our computers, data which, once obtained and exploited by ill-intended individuals, would cause us significant damage.
Having our email hacked may affect our professional credibility. We could easily lose money if we have the habit of ticking the option to store card data for subsequent purchases in our favorite online stores. We may need to block cards, or even accounts, and open new ones. We may wake up in debt for transactions that we did not make. And this can affect our financial history, which can make it difficult for us to obtain a loan. The losses are incalculable if the files captured by the hackers include sensitive documents or compromising photos. All this can affect us mentally more than we realise at first glance.
But probably the most difficult to calculate is the societal loss resulting from the proliferation of propaganda messages, as a result of the hijacking of our digital footprints. As my source said, it is probably too late to set out to practice a kind of digital asceticism. But, unlike the pessimism that sees us doomed to the condition of manipulable numbers, we can embrace the educated optimism in which we recognize our vulnerability, without being intimidated by it, and in which we protect ourselves through the only antivirus whose coverage never expires: continuous learning.