Legal Loopholes Allow Scammers to Thrive
(Beijing) — The recent deaths of two students from the same city in Shandong province who fell victim to phone scammers have led to a public outcry over the failure to enforce privacy laws and the lack of oversight of certain telecom services that have allowed con artists to operate.
Xu Yuyu, an impoverished schoolgirl, died of heart failure on Aug. 19, two days after she lost an entire semester's worth of college tuition to a scammer who had pretended to be a local education official. Fraudsters told her to transfer money so that she could access her financial aid. Four days later, another college student from Xu's hometown of Linyi died after falling prey to another con artist who pretended to be a police officer and demanded that the boy repay a bank loan that he had never taken, local media reported.
Calls from tricksters who pretend to be government officials or the police are one of the most common scams in China. On Aug. 29, a lecturer at the prestigious Tsinghua University in Beijing was swindled out of over 17 million yuan ($2.6 million) by fraudsters who pretended to be law enforcement officials.
Phone scams and internet phishing schemes have been on the rise, with nearly 285,000 such cases registered in the first half alone, causing a loss of over 8 billion yuan, data from the Ministry of Public Security showed. Last year, there were 590,000 complaints of telephone and Internet scams that had swindled nearly 22 billion yuan, official data showed. The number of phone scams rose nearly one-third in 2015 compared with the previous year, and Internet fraud more than doubled, it said.
The lack of adequate laws to prevent private information leaks and an earlier legal loophole that allowed telecom operators to sell subscriptions without checking any identification documents have created a safe haven for scammers, experts said.
In the case of 19-year-old Xu Yuyu, she received the scam call within days after applying for financial aid at the local education bureau, raising concerns that her private data may have been leaked. Police have detained six suspects allegedly linked to the scam, but are still investigating how they could have managed to get Xu's information.
Plugging the Leaks
A June survey by the Internet Society of China, a non-government industry association, found that 4 out of 5 Internet users in the country had experienced a private-information leak.
A thriving underground market of information dealers collect all sorts of personal data such as ID numbers and addresses from businesses and even government agencies and then sell it to advertisers and even scammers. This has led to the high number of data leaks, said Wan Renguo, a mobile security expert at the Internet security services company Qihoo360.
Authorities have focused on preventing hacking, but they must step up efforts to crack down on this widespread practice of insiders who have access to huge databases selling client data, Wang said.
An information dealer Caixin contacted online said he can provide all kinds of information, including a list of contacts for university professors, and ID information and phone numbers of elderly citizens, who are the most vulnerable scams. About 2,000 data points could be purchased by anyone for about 100 yuan, and the larger the volume, the cheaper it gets, said the dealer, who wished to remain anonymous.
Under China's criminal law, those who are found guilty of selling personal information face up to seven years in prison. But enforcement is difficult because under current laws, victims have to present evidence themselves to prove how their personal information was leaked and how the losses were incurred, said Zhao Zhanling, a legal adviser at the Internet Society of China.
This is because China lacks a national Data Protection Law similar to that in the European Union.
"Personal information leaks and phone scams were widespread partly due to the absence of a national law," said Long Weiqiu, a law professor at Beihang University in Beijing.
There were about 200 different legal clauses scattered in different laws linked to protecting private data, but legal experts say these rules are vague.
The government has stepped up efforts to address this issue by announcing revisions to both the Consumer Rights Protection Law and the Cyber Security Law — two of the most important pieces of legislation dealing with privacy issues.
On Aug. 5, the State Administration of Industry and Commerce released the latest draft of the Consumer Rights Protection Law for public comment. It specifically prohibits companies from using client data for marketing via electronic messages or telemarketing calls unless consumers have consented to it. It also extends protection to biometric data. The second draft of the Cyber Security Law was also published in July, and is expected to come into effect by the end of the year. That also tightens rules on data collected by smartphones, websites, etc.
But regulators seem to be playing catch-up to con artists who have found new ways to cover their tracks.
Scammers who called Xu Yuyu used a number registered with a mobile virtual network operator called YuanTel in Beijing, two telecom sector employees said.
These virtual network operators offer cheaper voice and video calls and text messaging services using infrastructure leased from other mobile networks, and until recently, subscribers could get a connection without submitting any identification documents.
An investigation by the Internet security unit of Ministry of Industry and Information Technology (MIIT) in July found that over one-third of retailers linked to virtual network operators flouted government rules for real-name registrations.
The big three state-owned telecom operators — China Mobile, China Unicom and China Telecom — turned a blind eye to the questionable operations of some virtual network operators, fearing that strict enforcement of real-name registration rules could erode their bottom lines, said Tu Zipei, an information security specialist, in a commentary published on Caixin.
The government has ordered telecom network operators to collect identification proof from all subscribers by June 30.
But some scammers were now using equipment that can interrupt and tamper with telecom signals, which enables them to alter their caller ID, so that victims believe they were receiving calls from official numbers. They were also using bulk messaging software to send text messages masked as notices from telecom operators, banks and other institutions to thousands of users. These new technologies and equipment makes it much harder to track scammers, said Fu Liang, an independent telecoms industry analyst.
When Liu, a businessman from Hunan, received a call from a man who claimed to be a social security bureau official from a city in far-away Fujian province and said his social security card was used for carry out "an illegal activity," his first hunch was to suspect it was a scammer.
But the caller knew his national identification number, which doubles as his social security ID, and his date of birth, leaving Liu with nagging doubts.
A few minutes later, he got another call from someone who claimed to be a police officer from the same city, who said Liu's social security card and bank account was used to launder money. Liu cut the call and quickly dialed 114 for directory inquiries, and was shocked to learn that the previous call had come from an official phone number registered under Quanzhou city's public security bureau.
Liu said he decided to trust the caller and had transferred 1 million yuan from his personal bank account to "an official account for verification" to prove his innocence. This was in October, and Liu says he hasn't able to trace the caller or his money since.
In Liu's case, scammers had used a widespread technology to spoof their caller ID, several telecom industry experts said.
- MOST POPULAR