AlphaBay shut down: don’t let your personal data end up on an illegal marketplace!
Rédigé par Caroline MARTIN-FORISSIER
-
18 July 2017One of the most famous on-line marketplace for illegal goods, AphaBay, shut down abruptly last week. According to news media like the Wall Street Journal, this site was shut down following law-enforcement action. Even if the real reasons are not completely clear, it's an opportunity to draw attention on the various privacy issues associated with these kinds of online platforms.
From a zero-footprint to a risk-mitigation logic
Nicolas Christin, a Carnegie Mellon University researcher, presented the economic trends of the illicit retail industry on the internet during the International Conference of Data Economics held in Paris in June 2017. According to him, illegal marketplaces are hotbeds not only for weapons and drugs, but also for personal data trafficking (credit cards numbers, passwords...).
Before the internet era, the quantitative study of such a secret world was extremely complicated, because the main preoccupation of those actors was to leave as few tracks as possible. With the advent of the internet and sites like Silk Road, Alpha Bay, Agora, and a large number of sites whose names can be found in the study of Soska and Christin, the zero-footprint principle faded in order to leave room for a risk-mitigation principle. On the internet, customers want to know how qualitative the product they intend to buy is in order to “mitigate the risks related to such a sensitive transaction”. Consequently, illegal marketplaces display the volume and date of each vendor’s sales, and on some websites, the first and last letter of the buyer’s pseudo is also shown. The feedback system for vendors aims at attracting customers by introducing and strengthening trust in the transaction, just like Amazon and standard marketplaces promote trust within their own systems. According to Christin, it appears that the need for risk-mitigation surpasses the requirement to remain completely anonymous; therefore such sites provide relevant and useful data on cybercrime. The volume of sales gives researchers the opportunity to estimate the size of the industry, and for example, to demonstrate that there is just a small number of vendors who qualify as “big-fishes”, or that each time a site is taken down, a new one replaces it, and that therefore site closure is not a solution to cyber criminality. Privacy policies are generally easy to access as it is in their interest to explain how they deal with privacy. Privacy policies would indeed aim at reassuring buyers with respect to their privacy concerns and would thus contribute to user engagement in a transaction.
How to prevent the resale of your personal data on such sites…
Financial or health data have historically been the target of cybercriminals; and this trend is slowly extending to all types of personal data. Illicit marketplaces are platforms where such data can be easily sold by cybercriminals, once they have obtained them from websites where they were legally processed. However, their release can have terrible consequences on individual’s life, as the Ashley Madison data breach of 2015 has shown. How can dissemination of such data be limited? To combat the illegal sale of data on these sites, it is first important that individuals adopt good practices and raise awareness on privacy enhancing technologies (such as private browsing, better configuration of devices, encryption of sensitive data, the use of a VPN…)
While it is clear that not all will adopt the right practices, the legislator has also created provisions that will help to contain data breaches more efficiently and thus limit the risk of having personal data disclosed on the dark net. Articles 33 and 34 of the GDPR provide that the data controller must notify the data subject and the supervisory authority of certain personal data breaches. This provision entails transparency regarding the personal data breach in order to limit the impact of the breach, by helping individuals to adopt appropriate measures.