Mexican standoff
By Dave Birch posted Apr 20 2011 at 6:45 PMAt last year's conference on The Macroeconomics of Mobile Money held at Columbia University in April 2010, Carol van Cleef (a partner at Paton Boggs LLP in Washington) gave a presentation on the "Opportunities and Dangers of E-Payments", in which she noted that the Mumbai terrorists used mobile phones and "showed themselves to be part of the mobile phone generation" (as, I imagine, they showed themselves to be part of the mass transit generation and the automatic weapons generation). She notes that the attackers were using their own phones (so the IMEIs could be tracked, making the life of law enforcement easier) and that they had purchased more than 37 SIMs in different names using false identification (so the compulsory SIM registration was shown to be pointless -- although some of the SIM card sellers were arrested). She also says that the most critical tool for drug traffickers in Canada is the prepaid phone (I'm sure she's wrong: I'll bet it's either cash or cars).
I remember thinking when I read this at the time that this continued law enforcement focus on the prepaid phone and the prepaid card, both of which are critical tools for financial inclusion, would end up with restrictions on both that would make no difference to criminals but would make life much harder for the financially excluded, because of the strong link between identity and money.
Why do I think that? Well it is just not clear to me that demanding strong proof of identity for prepaid products will help. In Mexico there is a national registry for prepaid phones and all purchasers are recorded and fingerprinted, the operators keep calls logs, texts and voice mail for a year (in a database only accessible with a court order -- or by criminals, I'd wager). All prepaid phones not in the registry were supposed to be turned off this month, although a quick round of googling and searching couldn't tell me whether this is actually happening or not. As I wrote a couple of weeks ago, in the context of the Mexican government's reward scheme for people who call in reports of money laundering:
Good luck to anyone who decides to report in person, or by telephone. SIM registration is mandatory in Mexico, which means that the money launderers will find you before the police do
[From Reputation does not depend on “real” identity]
If we focus on phones, for a moment, is it reasonable to assume that demanding identity in the purchase of phones (prepaid or otherwise) will do anything to reduce crime (or will it simply shift the crime to acquiring identities and actually raise the criminal premium on those identities?).
Eight men and one woman have been arrested on suspicion of conspiracy to defraud... calling expensive premium-rate numbers owned by the fraudsters that charge up to £10 a minute... O2 had a total of £1.2m stolen through premium phone lines throughout July, with police claiming that a West African gang bought the phones from high street stores using false identities.
[From British police arrest iPhone scam gang | News | TechRadar UK]
Like many similar scams, this isn't a mobile fraud or a payment fraud or any other kind of fraud: it's basic identity fraud, yet again. To some extent, therefore, one has to be a tiny bit unsympathetic to O2. Clearly, if they make everyone jump through hoops to get an iPhone then they won't sell very many of them. On the other hand, allowing people to take out contracts without really proving who they are or (and this is the commercial arrangement that is lacking) providing an identity that is underwritten by someone who will take liability for it being wrong, means accepting risk. Remember, it's not the mobile operators, handset manufacturers or criminals who pay for the police raids, the court system, the prison time: it's us, the taxpayer. So the distribution of risks is not aligned with the distribution of liabilities, as is so often the case in the world of identity fraud. This isn't a UK-only problem. It is very clear that in countries without secure national identity registers (ie, almost all countries), requiring mobile operators to determine the identity of subscribers (contract or prepaid) will solve nothing. This does not, by the way, mean that it is impossible to catch criminals. Far from it.
Deputy District Attorney Mena Guirguis said that after Manunga and her former boyfriend stopped dating in 2008, she took out a pre-paid cell phone in his sister-in-law's name, and started sending the threatening text messages to her regular cell phone... Her scheme was uncovered when the victims went to the phone store, talked with the salesman and learned that Manunga had bought the pre-paid phone under the sister-in-law's name, Guirguis said.
They reported that information to a Costa Mesa police detective, but by then a third arrest warrant had been issued for the sister-in-law. During a follow-up investigation, the detective discovered that most of the threatening text messages were sent when the pre-paid cell phone was in close proximity to Manjunga's home or work.
[From Woman jailed for making threats – to herself | sister, law, manunga - News - The Orange County Register]
What this story shows is that actual police work is helped by the perps using mobile phones, even if you don't know the identity of the person using the phone, because phones mean tracking and tracing and location. We read today that iPhones keep a complete record of everywhere they've been...
Apple iPhone users’ movements are being tracked and stored without their knowledge in a file that could easily be accessed by a snooping employer or jealous spouse, security researchers have found.
[From Apple iPhone tracks users' location in hidden file - Telegraph]
Surely it would be better to have criminals running around with iPhones, sending money to each other using mobile networks and generally becoming data points in the internet of things than to set rigorous, quite pointless identity barriers to keep them hidden.
Comments