Blog

About the post: Images and videos are generative AI-created. Prompt: A somber-looking teenage boy in a jail-like cage embedded within motherboard-like circuitry, photorealistic. Tools: Midjourney, Luma.

The Role of Remote Biometric IDV in Combating Sextortion

TERRY BRENNER, LLM

In recent years, sextortion has emerged as a serious and growing threat, particularly to teenagers and other vulnerable members of society. This alarming trend has been linked to numerous tragedies, including several instances of self-harm and suicide.

As digital platforms continue to be exploited by malicious actors, it is necessary for a change of approach by the gatekeepers of social platforms and an attitude shift towards effective solutions to help protect vulnerable individuals from falling victim to these schemes.

The scale of the problem

Sextortion occurs when a person is tricked into sending explicit images (or revealing their sexual/gender orientation) online and then coerced into paying a ransom to prevent that information from being publicly released. According to US crime figures, reported cases more than doubled last year, reaching a staggering 26,700 incidents.

The true number of victims is likely much higher due to underreporting. The devastating impact of these crimes is evident in the heartbreaking story of Jordan, a 17-year-old who took his own life after being targeted by Nigeria-based sextortionists on Instagram.

How sextortion schemes operate

The modus operandi of these criminals typically involves creating fake profiles on social media platforms, often posing as attractive peers to gain the trust of their targets. They then manipulate victims into sharing explicit images, which are subsequently used as leverage for blackmail. 

The speed and efficiency with which these scams operate are shocking—in Jordan’s case, less than six hours elapsed between initial contact and his tragic decision.

Soft on enforcement

Social media platforms, including dating apps, are a rich source of targets for this activity. A key reason is that they are not creating strong enough “safe zones” for their users. These platforms use “ID Lite” when vetting who enters their community. 

There are a number of reasons for this approach:

1) Pushing user numbers: The platforms perceive that asking users to present their ID document during account creation or before engaging in private conversations may “create friction” in the customer journey. This in turn may lead to customer drop-off in signing on for the service, or usage thereof. Lower user numbers equals lower company value, which is based on membership subscriptions and/or advertising dollars (since more users equals more eyeballs for advertisers).

The truth in this concern is based on the narrative that the platform lays before its users. If a verification is preceded by a reference to the harm that may be permitted by an open door to the kingdom, users may be more inclined to accept the stricter standards—because it will protect them, too. Genuine users may be even more attracted to a community where access management and privacy protection is prioritized and better actualized.

2) Cost control: Effective biometric ID verification costs more than a penny. Different verification methods (to assess the credibility of a user entering the platform) have different costs and security benefits. Facial recognition, above all other biometric modalities, is substantially harder to fake than traditional methods like email verification, but it does price out higher.

A coherent and effective facial biometric verification process involves two steps: (1) the presentation of an ID document, and (2) the user taking a selfie. Step 1 should include ID document fraud analysis to ensure that the presented document is real, live, and present rather than a copy stolen from the dark web or a synthetically generated ID. Many solutions simply load an ID document with zero regard if that document is genuine or falsified—cheaper but not effective.

Step 2 should include a liveness test to make sure the presenting user is live and present. Many companies opt for passive liveness, which is the “Liveness Lite” option. Again, it’s cheaper but much less robust than the active liveness testing alternative. It is surprising, but sadly true, that many ID verification tools using passive liveness or weak active liveness still fall over when an imposter presents a photo of the genuine user from a mobile screen or lightly shakes a paper printout of a face.

A social media platform can lower its customer acquisition cost by a dime or two with a weaker verification tool and flash its bold check mark that, yes, this is a validated user. The cost savings of a flimsy ID verification solution somehow rises in importance above the cost of a mind—or a life.

3) Regulators don’t require a stricter approach: While our local representatives have the best of intentions to protect their communities, there is a prioritization on what issues to raise in the legislature. It took years for online children’s privacy concerns to gain enough public outcry for legislators across the US to hoist that flag. And when they did, they rolled out a series of state legislation that was no match for the social media unified front to push it down under appeal.

As for the bills that did get to the governor’s desk for signature, the draftsmen found a fix by settling on a “reasonable verification” standard that feeds right back into the “ID Lite”-type solutions mentioned above, which do not solve for the critical problems at hand. They provide a rationalization for social media companies to adopt the fuzzy and inaccurate ID tools mentioned above, while the criminals continue creating fake profiles and targeting vulnerable individuals. 

The potential of biometric IDV

Biometric IDV, done right, is not “ID Lite.” It could play a crucial role in creating a hygienic dating network and significantly reduce the ability of scammers to create and operate fake accounts.

In addition to the benefit of enhanced user verification and real-time authentication of users, other benefits include:

  • Age verification: Biometric data could be used to more accurately verify a user’s age, helping to protect minors from potential predators and ensuring age-appropriate interactions.
  • Cross-platform verification: A standardized biometric IDV system could be implemented across multiple platforms, making it more difficult for scammers to simply move to a different app when caught.

The impact on sextortion crime

Implementing such measures could create significant barriers for sextortion criminals. The Nigerian Cyber Crime Centre director, Uche Ifeanyi Henry, noted that many criminals are already moving from Nigeria to neighboring countries due to increased law enforcement activity. Adding robust IDV measures will further disrupt their operations.

It’s important to acknowledge that no single solution can completely eradicate the problem of sextortion. A comprehensive approach involving education, law enforcement cooperation, and technological solutions is necessary. 

Jenn Buta, mother of Jordan and now a prominent campaigner against sextortion, emphasizes the importance of raising awareness about the dangers and providing support to potential victims.

Balancing security and privacy

While remote biometric IDV shows promise in preventing sextortion, its implementation would need to be carefully considered to address privacy concerns and ensure the security of sensitive biometric data. Striking the right balance between security and user privacy is critical for widespread adoption.

Thoughtful tech includes privacy management tools and, importantly, options for redacting and purging personal data as efficiently as possible so that the social media platform is not a constant honeypot for different methods of cyber extortion.

United in facing the threat

The fight against sextortion requires a collaborative effort from technology companies, law enforcement agencies, educators, and communities. And most seriously from the networks that allow the predators to roam among their users. 

The wait-for-the-rules approach is short-sighted. Perhaps we should ask senior management that blocks a higher standard of verification: if it was your child on the receiving end of the high-risk communication, what would you do differently?

About the post:
Images and videos are generative AI-created. Prompt: A somber-looking teenage boy in a jail-like cage embedded within motherboard-like circuitry, photorealistic. Tools: Midjourney, Luma.

About the author:
Terry Brenner is the Head of Legal, Risk, and Compliance for IDVerse Americas. He oversees the company’s foray into this market, heeding to the sensitivities around data protection, inclusivity, biometrics, and privacy. With over two decades of legal experience, Brenner has served in a variety of roles across a diverse range of sectors.

x Powerful Protection for WordPress, from Shield Security
This Site Is Protected By
Shield Security