CAN I HAVE YOUR MOBILE NUMBER,SIR? – The Billion Dollar Industry Of Privacy Hacks Uncovered

August 2016- An Experiment With My Mobile Privacy – Refusal Conundrum

“Can I have your number, Sir” asks the petite looking lady at the reception at a restaurant as My friend and I, request a table for two. It seems like a regular question to her, one which in common knowledge, she might ask anyone and everyone who walks through the door. And most would just be done with it. You see, number is just a number. Maybe they needed for booking a table? Wait. Let me just ask you this straight up. What do they need it for? To send you regular updates about the offers and any other product launches, straight to your inbox. That much everyone knows. But what happens when I don’t want any updates from them? Coming back to the scenario I was in with my friend, as the lady asked me my number, this is what I could manage…

“What for?” I asked her as politely as I could. It’s not that I can’t stand pretty looking girls acting as if they have no mind of their own, albeit with a stupid smile plastered on their face, and incoherent English blurted out from their mouths, but I can’t stand stupidity, in general.

“To book a table, Sir..” she said managing to smile meekly at my curious deviation from the standard routing.

“I don’t have a mobile..” I said. Rather I lied. I had a mobile, the number of which, only five people on this planet knew. And I aspired to keep it that way.

“Ma’am…?” she asked my Trans friend. She was enjoying my unnerving act upon the poor receptionist, way too much to oblige. She shook her head sideways.

“Oh…hmm..” she excused herself for a moment and went inside to talk to the manager. The manager spoke animatedly to her, and then she came out with a certain disdain on her face.

“This way, Sir…” she led us in. While she had us sit at a centrally situated table, I spoke to her again.

“Can I have your number, ma’am.,” I said. Oh, don’t be mad at me. I wasn’t being rude. I was just driving home a point. And you know me. I like doing that. The question, of course, startled her. She didn’t even have the courtesy to ask me what for? I was asking her number just so I could send her my articles to read.

“No, Sir.,” she said and stormed off never to appear again over the course of our dinner. We had a good dinner, and I had a great drive to work this thing out. And by thing, I mean the way our privacy is conveniently syphoned off. Remove the setup of the restaurant and table booking, and play this scenario again. The lady asked me for my number. I denied. So what drives us to give away our numbers so easily? The bigger question that stuck with me that night after we reached home, was why the whole business of asking for numbers actually exists? Loyalty points, reward points, OTPs, Lucky Draw contests, Bookings, and more. If everyone is doing it, it must be a greatly rewarding business. Raw data was somehow translating into usable intelligence for someone somewhere. And the price of our privacy was great. Why am I making such a big fuss about sharing your number with random individuals or organizations? Allow me to elaborate. What does your data mean? And before we get into this, let me make one point very clear. No hotel, restaurant can disallow your admission on the basis of whether you provided your number or whether you gave them feedback either online or offline. Privacy is your choice. And the deep web black-market thrives on your information. You see, it’s not just about sending you updates or offers. It’s many folds more.

January 2017 – The Price Of Privacy – Our Talks With Jason Lyne, Team Leader – DataHorse – DeepWeb Portal

In my pursuit to understand the occurrence of Data Theft, and an overall purpose of understanding DeepWeb technologies, I came across a HexPortfolio by name, Halo56321. Assisted by my friend, who specializes in portfolio recognition and DeepWeb circuit building, I came to realise that the Hex, belonged to one team leader, or Marshall as they are referred to in the realm, of a group called DataHorse, a Belgium based team of Data analysts, who like five thousand other groups, specialized in provisioning Data, at an organizational and individual level to interested parties. Now the interested parties could range from simple hackers trying to infuse some private level phishing scams or credit card purchases, to organisations modelling their products or stock manipulation, or even the Governments to ensure an election win or exude sectoral power. Of course, someone who is aware of the DataTheft ergo DataPrivacy compromises, or the recent Facebook debacles, or who keenly follows technological developments across the world, would know that privacy has its own cause and effect. And definitely, it’s own price. The question of what price do we pay for our privacy? Is often heard in loud rumours across the board. The issue here of course, is notwithstanding the privacy leaks, I was intrigued into the data theft which was happening at a subliminal level of the human psyche. The data we were willingly giving out, should have a small price tag attached to it, yes? And so, this was my point of conversation with HexPortfolio Halo56321, when I finally established a bridge with him after a week of requesting. The following are the excerpts of our conversations…

What as per your understanding is the ‘value’ of privacy? We speak of the ‘price’ of privacy, but what exactly is the price, quantified and specified? And how does mobile privacy come into play?

Most people, analysts or graphers or statisticians, would tell you that Value of Privacy can be denoted as the amount of business an organization or firm stands to make by one quantum or measurable unit of data when converted into conversion. It’s true. But it’s not all that there is to it, you know. Behavioural sciences would speak of ‘loss of freedom to choose’ as the true cost of Value of Privacy. But that becomes redundant because there is no price for freedom. However, at a meta level, both the definitions of Value of Privacy, hold true. But they are not complete. I have been a part of DataPrivacy and Encryption business for almost around 20 years.

Initially, the Value of Privacy was a simpler term to understand. You see, back in the late 90’s, when perhaps only about 14% of the world’s population had access to any form of online means, mostly via Pirated Windows copies, or Linux, the term would just mean that someone could achieve access to your system. That’s all. And because there was no data available, or at least it was a collection of Bytes, no one really cared. The problem started when Online servers and network dependent OS’s much like Windows NT came into the picture. People were amazed by the internet, the websites, chat rooms, and so on. Then the Privacy cost meant someone using your credit card credentials to access products or subscriptions. All that any hacker or intruder would do, was deep dig your cookies and access your card information. That’s where the first definition comes to play.

By late 2008, the Internet exploded with new products and services. Suddenly, the internet offers not just e-commerce information, but purchase capabilities. And Google came into the picture. The online world was no longer about chat rooms and hidden profiles. The online world became a conglomerate of virtual lives. The keyword here is ‘lives’. Internet started replicating lives. Now that’s where the value of privacy underwent a drastic change in its understanding. The web technologies became human technologies. Internet of Things came about, and interconnectivity became the word of the day.

And so now in 2017, Data Privacy Loss meant in addition to ‘commerce syphoning’ and ‘loss of freedom’ became a more terrifying reality of ‘life replication’. Technology could now start to ‘replicate’ your life better than yourself. I can today ‘make you’ to be your true representation in the online world without you knowing. To me, that is the Value of Privacy. The absolute substitution of a personality. And I’m not talking about Social Media hacking, fake profiles, or tweets, none of that childish nonsense. The web world has gone beyond that.

Today the DeepMind technologies, funded by companies like ABC or Microsoft or Facebook no less, are intruding into your behavioural patterns, decision-making processes, online cognizance, and much more.

Coming to the second part of the question, what’s this got to do with mobile privacy. Simple explanation, the web is mobile based today, and thereby the above explanation can be directly carried through to the mobile platforms plane. However, as I said, gone are the days when telecom giants and data-crunching agencies loved getting your mobile numbers. Back then they would go out on a limb to get your numbers so that they could ‘push out’ SMS’s or Text’s about new products and services. Of course there was a thriving black market for this ‘numbers’ data, which were sold to the highest bidder, usually startup companies, fraudsters, banks and financial institutions, and other interested parties to reach out to an exponentially large number. The people data was readily available. And in one shot, they could promote their service across all of the urban population.

By 2009, a strange thing happened which disrupted the course of these so-called ‘database sales’. People started changing numbers by the day. Dual-Sim Mobiles flooded the market, and it became the in-thing. People started having two SIMS and would let one of their numbers die. I remember right after Tata Docomo came about, some seven months later, huge chunks of numbers in the black-market turned inactive and redundant. The prices dropped for the ‘packages’ (packages of numbers were sold as 10,000 numbers for Rs.7500, 25,000 numbers for Rs.15,000and so on). No one wanted to buy packages which were ripe with useless data. Now this business, actually prompted the telecom companies to come up with a proposal. Suffice to say it was hurting every company. A stream of their revenue had been cut-off. They came up with a solution called Mobile Number Portability.

MNP? One would say that this facility is a form of freedom, wouldn’t you say? You get to choose which network you want to activate without losing your number?

Yes, I do agree that for the most part, the facility itself looks as a form of freedom. But we need to understand why it was implemented, you know. In India, MNP (Mobile Number Portability) is what we call as ‘Donor-Led’. In US and Europe (again black market demand-supply equilibrium being a major factor) the mobile number portability is ‘Recipient-led’. Let me explain on it to make my point. In the US, if I am not satisfied with a network, let us AT&T, I can drop a text to any other network, for example, Vodafone and simply transfer my number to their network. The whole thing takes about 2 to 3 hours. This is called ‘Recipient led’. In India, the telecom industry wants you in a deadlock. Hence, they will force you to tell them if you are ‘porting’. Here if I am not satisfied with a network, say Uninor, and I want to change to say Airtel, then I have to tell Uninor and wait for them to ‘allow’ me to change. Where is the freedom of choice in that? It is a redundant practice, as Uninor now has, not hours, but days, 7 to 10 days precisely, to keep bugging me to stay. That undermines the whole purpose of choice. And true and fair competitive market is practically distorted. That’s all happening before our eyes. But when you want to do an MNP, there are larger things at play behind the scenes.

Imagine this. Numbers are individualistic data. A quantum of a person’s identity. Each quantum there-by in the black market or as it is now referred to as DeepWeb post-Snowden revelations is equivalent to stock. Like shares in the stock exchanges. Every telecom industry has its own representative ‘stock’ in the DeepWeb. The Telecom firm which has the highest numbers of the user base trades at the highest level. It creates demand and drives the scales of pricing of the aforementioned ‘packages’. A deviance comes when ‘interested parties’ observe transference data. You see, a government regulation, like KYC or a union facility, like MNP, puts the market into a ‘transference chaos’. Everyone is now unsure. So to maintain balance, specifically talking about MNP here, a buffer time is given to the representative stocks in the black market, to ‘offload’. In other words, you could say it’s like insider trading within the DeepWeb.

The packages are reshuffled to exclude those who are in ‘MNP period’ and uploaded back into the system. These MNP numbers, are collated into separate groups and given to the transferee network stock. On the onset, the number gets ported to a new network in 7 days. In the background, the user data is also transferred. That takes 7 days. So yeah, you think you are free. But actually, you aren’t. The DeepWeb representation ensures that. And that’s why 7 days, and not 2 or 3 hours for MNP. On the side note, the MNP’s have a value of their own calculated based on ‘duration of usage of the number, enrollment of the number in different services, and finally the recharge balance available’. Ever wondered why your recharge doesn’t carry over to the new network, with the MNP. Well, it’s sold with your data, and the ‘stock’ free fall is somewhat recovered.

For our readers, could you perhaps elaborate on the concepts of Mobile Identity, Enrollment Values and GeoTags, which we tend to hear a lot these days when one visits the DeepWeb?

They are pretty self-explanatory. Usually, GeoTags are called PinTags, to avoid confusion. You see, GeoTagsContra is also called GeoTags in normal parlance. Anyway, yes, the three terms are interconnected as you can understand. Continuing the discussion above, we now know that every data has its value in the market, either actively or inactively. Even dead data has its own analytical value, though the monetary value becomes zero. Coming back, Mobile Identity is simply put, ‘what-where-how’ usage of your mobile number.

The Three covenants can be explained as – What do you use your mobile number for? Where do you use your mobile number more often? How do you use your mobile number to do what you want? Similar sounding, these three covenants differ subtly. ‘What’ refers to your technical usage patterns – including Calls, Messages, Identities, Subscription services, Logins and OTPs, Surveys etc. ‘Where’ do you use it refers to locations – usage at home, office, restaurants, movie theatres, day or night times, summer or winter etc. ‘How’ do you use it is mainly towards behavioural patterns – how often do you call a number, how long do you talk, how well you receive an advertisement, how often do you click on the link etc.

These three in combination, constitute a person’s mobile identity. And like signature or finger print, the mobile identity of a person is truly unique. Although it has its own deviances. You see, factors like a lack of signal, will mostly prompt a set of individuals to stick to a pattern of calling or using their mobiles. Or in periods like emergencies or chaos or as was evidenced in Istanbul or Syria, the calling patterns are definitive and predictable. That apart, you understand the concept of Mobile Identity, yes? All things constant, each Mobile Identity is unique and reliable. However, it becomes highly unique and totally reliable when you couple Mobile Identity of a person with the individuals EV’s ie., Enrollment Values.

To understand EV’s one needs to extrapolate the Mobile Identity onto a plane of Behavior. In the ethical hacking field, EV’s are often called as “the comfort zones”. This include ‘what kind?’ imperatives. Simply put, an individual’s EV is calculated by the level of comfort he or she has in choice making. The choice could range from, a range of services offered, a range of subscriptions offered, a range of places on offer, a range of divulgence at offer etc. For example, a simple behavior in understanding, how comfortable are you in giving your mobile number, becomes a EV number. Say, you walk into a bar, and you are asked for a feedback in which there’s an entry for a mobile number. The choice you make there, becomes your EV.

According to a report prepared by Fredericks-Marsh in 2015, people are comfortable to give their numbers at places where there is food. And less likely to give their number if there’s alcohol served. Again, a higher number of users would prefer typing their number in a tab, than speak it out loud lest someone else should here it. That is your EV.

And an individual’s EV and Mobile Identity becomes a strong unique combination, which is hard to replicate, but highly valuable data for any interested party. Then comes the PinTags, which is self-explanatory. Till now, we know how a mobile user uses his mobile, for how long he uses it, and where he uses it, in addition to the choice he makes in giving out his information in a non-coercive manner. Theoretically, we have a pattern set for someone.

The question is how often does an individual repeat that pattern. Pattern become habits, and habits become a culture, as we know. So for every time, a pattern is repeated, a pin is dropped, counting it. To simply put, let us say, a person named Kim, uses her phone at an average of 3 hours per day at her home, and 4 hours at her office, and uses it to call her mom, and call her clients respectively in these times. This is her mobile identity. She is ok giving her number at restaurants but not ok giving her mobiles to online magazine subscriptions. This is her EV. Now, we need to ensure that it is not just a one-off act, but a repetitive action. A habit. Does she do it every year? Has her pattern changed. If yes, by how much. What’s the deviance and why. That becomes her PinTags or GeoTags. By extension, GeoTags Contra is the phenomenon of anticipating an individual to break his or her pattern. An anticipation of deviance is called GeoTags Contra in the online black market. Suffice to say, there are parties interested who want someone like Kim to follow the routine. And there are an equal number of parties, who want her to break the routine. As I said, every bit of data is highly valuable.

We understand that there is a certain codification to the data and its ever evolving, but when I see a normal mobile user, these things don’t really affect them. Yes, push notifications and messages are always there, much like cookies in a browser, but as it were we don’t really mind. So as a Data engineer, where do you see the mobile privacy truly affecting lives?

Nowhere and everywhere. Yes. That’s what we could define the privacy syphoning as. There’s no effect and there’s immense undeniable effect. It’s like an aeroplane moving at such great speed and such altitude, that it seems like it’s not even moving. Or time, when you don’t feel like anything is happening but something is always happening. What I mean to say is, the Data theft, resulting in Data sale, to Data utilization to Data influence happens so quickly and so smoothly that you hardly find any effect or repercussion. But gazillions of volumes of data is exchanged, bought and sold every second. That it is very common.

For an end user of course, in our case the mobile user, it all seems like some push notifications. Yeah, that’s the basic thing. Now, that’s just one of thousand more things ‘interested parties’ do. The classic example, Facebook’s breach to understand Voter trends during the Trump campaign. With trends, as we discussed earlier, come habits. And when so much is at stake, habits and cultures influence nations and continents. Following a simple data, let’s say something like, how many people actually follow a tag like, NoVote, gives you enough information to decide your speech campaigns. In the same manner, mobile identity and the combinations of Enrollment Values, give you unique data about a set culture information. With that information, I have a million investment decisions to make.

For example, in Berlin, there is a café called Kromikel where students go everyday to hangout. That much was known by everyone. At that point, mobile networks recognized this habit and started advertising their products to these students, simply because they were there everyday. They hoped that with youth connect, there would be a high number of conversions. As it so happened, a German based telecom company, was reeling for profits and was on the verge of business closure. The main complaint of the people using this network, let’s say ABC network, was that their network quality was poor in the urban Berlin. To reengineer their network towers and send strong networks they needed a budget which went above 300 Million Dollars. In a smart move, they experimented with an idea that they’d just increase their strength near this particular café, Kromikel. This would cost them only 10 Million Dollars. Obviously, the people who used the ABC network would be happy at that café at that point of time. But given the facts, they would be still be too less in number to actually effect anything financially. They needed more information. The network representatives, then scourged through the DeepWeb for solutions. They couldn’t find much in terms of service packages, products or technology. The solution however came to them through behavioral patterns. Kromikel was a café which attracted the young, who loved to use new technology. And so, ABC Network bought Kromikel café. And installed ‘signal booster’ devices, which looked no bigger than a PC Mouse, across the whole shop, quite visibly so. It was strange, new and something unheard of. These ‘signal boosters’ basically did nothing but jammed the signals. They were in fact ‘signal jammers’ which were cutting out any other network signals in the café over a radius of 200 meters. And they just installed a little stall outside the café, to sell these devices. Over the next fortnight, these ‘signal boosters’ so called, were installed across the city in thousands of homes. It dropped down other signals and ensured that only ABC’s network had some signal, even if it wasn’t a strong one. But this wasn’t the short game. ABC’s had a long strategy in mind with this move. Now that people were voluntarily purchasing these devices, not just for enhancing ABC’s network, but also it was a new piece of technology, other networks suddenly saw a demand for these machines and complaints kept piling up on their lack of service. In the next quarter, ABC’s stocks rose up, and it went onto actually install new towers eventually. This changed the face of a nation’s economy. All they did, was to observe the purchase patterns of a specified sample, their affiliation to all things new and so on.

Like this, there are several examples in India as well, where information from DeepWeb was utilized to control the lives of people. The classic example, Votes rigging. If I were a politician, the mobile identity of a person would become an undeniable asset for my victory. Let’s say I want to win at a particular area, and I know my sample set of people, I just have to know what do they do, where do they live and hang out, how much time do they spend on any particular item either online or offline. And then I filter out the people I am sure will vote for me, and purchase their numbers. Send them offers to a particular hotel, or observe their EV’s and send them agenda prepositions which affect them interpersonally. And I have their vote. And if the area, for example, has 10,000 people, I could get their mobile numbers for Rs.15,000 to Rs.20,000. And along with their patterns for Rs.1,00,000. Good money. Good results.

In our discussion earlier, you mentioned something interesting called ‘replicating lives’. In understanding how people behave I don’t see where the concept of replication comes. Yes, undeniable influence to choice or selection comes, but duplication is a different thing altogether.

One thing that every analyst will tell you is that people are predictable. Their patterns will eventually differ. Hence the term Entropy. The factors which make changes could be in millions. The things you see, the things you hear, analyse, study, collect and collate, everything. As per a Philadelphia study ‘Cumulative Sciences Of Mind And Its Human’ by Dr Jaquez Kollar, an individual’s singular decision is influenced by anywhere between 45 to 172 individual factors, which he terms as ‘thought strands’. They combine to form an opinion, or a choice, and in a favorable or otherwise ‘stimuli’ they become actions.

Every turn we take while on the drive home, every puck we shoot at play, every movie we stream, every new app we download, is influenced by minimum 45 thought strands, of which about 5 or 6 strands are ‘direct and active’ and rest all are ‘indirect influences’.

But what has all this got to do with the mobile DeepWeb market?

After 2015, analysts and collectors identified a new problem emerging in data being collected and collated. Mobile users started deviating from patterns. Even millions and zillions of calculations about behaviours started falling apart, because people started taking their own free will in not adhering to anything specific.

When the analysts or programmers or system developers couldn’t predict what they did anymore, they came up with a plan to do something which would ensure it. The best way of predicting a behavior, is to infuse it. That’s where the concept of ‘replicating lives’ came about in the late 2016. The idea was simple. The programmers collected and collated the data that you had and started reinforcing the same back to you. They forced you to stick to a pattern. Does it sound outlandish? Well, the simplest of examples based on a concept of ‘Sync Data’. Ever used it? Directly or indirectly? Yes. You change a device, your data is available again. You change your mobile, the whole data is migrated including your habits. The concept of ‘starting afresh’ or ‘new experience’ was slowly removed.

Account syncing enables, platforms like Google, Microsoft or Facebook to record where you went, and encouraged you to visit that again. ‘Memories on this day’ feature, ‘Places you’ve been to’, ‘Auto Album creation of past photos’ ‘You were watching this on Netflix’ ‘Your YouTube Autoplay’s’ etc.., were programmed to tell you to stick to a pattern.

When we talk about the mobiles platform, of course, you are familiar with App sync, backup and restore. You login to your new phone with your Gmail account, and everything that was in your old phone is downloaded. Nothing is lost. Nothing is new as well. In the DeepWeb, this ensures that the mobile users EV remains the same and active. In turn, the patterns and behavior are standardized and are made relevant. And the mobile identity remains the same as long as the person uses any kind of mobile.

In this scenario then, where do we see a resolution to it. What can one do to remain uninfluenced by the patterns and as you said behaviors from being exploited? What are the measures to be taken, so that we can use mobile phones with a certain degree of freedom of choice?

The simple answer is nothing.

(To Be Continued…)