Who makes spin-off money from cyber crime?

OPTA has a new task: Regulating mobile operators from disconnecting and/or charging their customers for unsolicited sms services/subscriptions. According to OPTA chair Chris Fonteijn most mobile operators have already made it known to comply to the new rules. Mobile phone operators made money from these unsolicited subscriptions. Are there other examples out there of what I call perverse incentives to not stop cyber crime? But first the idea behind the new legislation.

The new rules
In short OPTA is tasked with enforcing that mobile operators first check complaints from end users that a sms service subscription truly is unsolicited, before charging or eventually disconnecting the end user (and probably blacklist him or her). If the operators do not comply with this rule, they can be fined up to €450.000,=, per perpetration.

What makes a subscription unsolicited?
Everyone sees these adds: “Get a free ringtone here” or “You’ve received an invitation to date”. People who respond unwillingly were subscribing to a service they never asked for. Often young children were involved. The SMS service sometimes charged tremendous amounts for a single sms and both ways of the communication. As it also tended to be impossible to unsubscribe and no reference to the service provider was made, costs ran up and people complaint to their provider. The provider could claim only to transport the message, which in a strict legal sense is usually true. The provider would also have paid the sms service provider after subtracting their own share. So not always action was taken swiftly to stop the service.

Why do mobile operators need the regulatory incentive?

1. The first answer is simple: they tend to make money on the service they provide. Which is lucrative to keep up. But there is more.
2. They only pass on the messages to sms platforms, behind which are other, sometimes many layered, services. So there is or may be no direct (contractual) relation between mobile companies and the actual service provider.
3. It is a hassle for mobile providers to find out who is behind what service and whether this service is (il)legal.
4. Is it possible for a mobile provider to actually prove an end user’s subscription?
5. It costs them money if they have to investigate and claim already paid money back from a service provider that could be based anywhere in the world.
6. It is the customer who clicks on whatever add, so also a lack of awareness/alertness on his side is involved to.

It does not take an overly imaginative mind to assess that mobile providers will not be happy with this task.

Who else tends to make money from cyber crime?
There are many different parties involved around access to the Internet. Parties that may not even be overly aware of each other’s role. This is a liberalised, so mostly very commercial, environment and a few regional monopolies. Companies in a very competitive environment may not have incentives to deal with crime if this means a loss of revenue. Maybe it is time that a study was made to make all this more transparent.

If you care to scan the Internet, you will find lots of discussions on spam and cyber crime related complaints that are not followed up (until the cops or some other law enforcement agency show(s) up) by companies and institutions. From my own experience as an enforcer and consultant I know that discussions are fierce. There is a world to be gained, but who has exactly which role to play? The role OPTA is now given by law, is only one example of different measures that may be necessary in a much broader sense.

IGF as neutral meeting ground
At the IGF in Vilnius I propagated a workshop with representatives from all parties involved in Nairobi this September, to discuss this:
1. who has what role?;
2. what are perceived, commonly shared concerns?;
3. what could be possible steps forward?;
4. what is imperative to proceed and succeed?
This proved to be a too optimistic venture (at this moment).

How to continue?
By identifying per Internet (related) service what the role of the (service)providers is, it is also possible to enter dialogue. Through discussions on perceived threats, concerns and fears, it is possible to enter discussions in which these are mitigated. E.g. to identify where self-regulation is possible, through assessing together, i.e. government, regulators and industry, where regulation, a government provided clearing house, ruling or incentive is necessary to proceed towards (self-)regulation and a safer Internet. These interactions grow relationships, understanding for each other’s position and trust.

In the end (service) providers also lose money on crime, as they will get involved more and more in investigations, disruption to their services and daily business, possible court cases, perhaps come under attack or get hacked themselves, etc. The revenue from crime is a short lived profit, in the long run this may prove to be the opposite, a loss of revenue. This could be a strong incentive to enter dialogue for the different stakeholders in the Internet chain.

In search of the Silver Bullet
The sought after silver bullet against cyber crime is an amalgamation of different approaches and actions by very different stakeholders. An across the board approach is called for. A study into all the individual stakeholders in, and around, the Internet chain and their respective roles could be a first step towards an in-depth interaction and understanding.

Wout de Natris, De Natris Consult

Leiderdorp, 31 March 2011


About Wout de Natris

As a consultant I specialise in establishing new and different relationships between industry, governments and law enforcement where internet safety and the fight against cyber crime are concerned. This makes me a bridge builder. Hence the blogs name. In this blog I intend to stress the need for interaction, cooperation and exchange of information in order to change the mentioned relationships. On offer: a comprehensive training on all non-technical aspects of spam enforcement and a cyber awareness presentation for companies and institutions
This entry was posted in Botnets, Cyber crime, Cyber education, Cyber security, International cooperation: cross border aspects, International cooperation: IP resources, spam and tagged , , , , , , , . Bookmark the permalink.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )


Connecting to %s