Illegal trading of personal data difficult to control
Minh Hoang, a businessman in Hanoi, is tired of spam calls and messages that come both day and night.
The spam calls and texts include ads for real estate projects, life insurance products, offers for credit cards, bank loans, bonds, fake degrees and certificates, online gambling, and recently cryptocurrencies.
Hoang called the mobile service operator's switchboard to report the spam calls and messages, but after that he received even more spam messages and calls.
“The network operator lets their customers deal with spam messages and calls themselves. They said that they use AI technology to control and block spam, but in fact subscribers receive dozens of spam calls and messages each day," said Hoang.
Hoang's case is common. He and many others have to download apps from Google Play or Apple app store to block spam and messages.
According to statistics from the Department of Information Security of the Ministry of Information and Communications, the total number of subscribers who made spam calls and who were blocked from July 2020 to March 2021 was 128,970. In March 2021, 17,276 subscribers were blocked for this reason.
The act of buying and selling personal data in Vietnam is in two forms. Businesses that provide services that collect personal data of customers allow third parties to access the data, and the third parties transfer and trade the data. Or, businesses actively collect personal information of customers to have personal data to sell.
Personal data is offered for sale online on many sites such as databox, databoxviet, laydata, laydata, khodata, databox, fff, cokhach, and vltoolkit. The data packages for sale relate to many areas, with details about account balance, financial capacity or position and income.
The price is also surprisingly cheap, ranging from VND600,000-VND800,000/information of 1,000 people, or VND500,000-VND1 million for 1,000 phone numbers. In addition, there is a form of automatic fee collection from VND5,000-VND15,000 per download of personal data files.
After a preliminary check, the Ministry of Public Security discovered more than 60 organizations and individuals involved in illegal trading and use of personal information and data in cyberspace, including companies providing technology solutions, real estate brokers, banking officers, government agencies, and people who have access to e-government systems in education, healthcare, securities, hospitals.
In addition, some service companies sell software to collect personal information, which is hidden in sales websites. When users visit these websites, businesses will collect in-depth personal information.
It is dangerous that criminals conduct unauthorized collection of personal information by using malicious code, and software with spying features to steal personal data.
Some cases have been reported: files containing the data of 163,666,400 Zing ID accounts of VNG Company; more than 5 million emails and tens of thousands of payment card information such as visas, credit cards... allegedly belonging to The Gioi Di Dong and Dien May Xanh... were posted online.
Most recently, on May 13, 2021, a hacker offered to sell the personal information authentication (KYC) data of nearly 10,000 Vietnamese people.
On May 18, 2021, the police broke up a large-scale data collection, appropriation, and trading ring with data illegally collected, appropriated, traded and used of nearly 1,300 GB, containing billions of data about individuals and organizations nationwide.
This shows the lack of responsibility and loose management of some organizations with personal information and data about customers.
New policies needed to protect online personal data
In Vietnam, sellers and buyers of personal data are often not afraid of the law as they think that in the online environment such transactions are difficult to detect, especially when they are done in closed groups and on websites with servers based abroad, or via social networks.
The Constitution and the 2015 Civil Code both have provisions on protection, secrecy and inviolability for "private life, personal secrets, family secrets" and "letters, telephones, telegrams and other forms of personal electronic information".
According to the Penal Code, violators can be imprisoned for up to 7 years for "illegally releasing or using information on computer and telecommunications networks". In addition, depending on the severity of the violation, the violator will be fined VND40 million to VND70 million.
The draft Decree on Personal Data Protection compiled by the Ministry of Public Security has yet to be issued. Notably, Article 22 of the draft decree stipulates administrative penalties for violations of regulations on the handling of personal data, ranging from fines of VND50 million to VND80 million.
However, there should be additional penalties for individuals, businesses and organizations that commit violations in the management, security, and use of personal data.
Violators should be banned from working in specialized areas for a certain period of time, or their professional license should be revoked, because the profit from selling data is often higher than the fine.
The National Cyber Security Center (NCSC) recommends that each individual, in order not to be taken advantage of by criminals or become a victim of phishing attacks, should be equipped with knowledge to avoid fraudulent situations.
NCSC also recommends that users should ensure the safety of online accounts such as bank accounts, e-wallets, email, and Facebook, especially accounts with online payments.
According to cybersecurity experts, the protection of user data is a matter that requires coordination from many sides, and preventing data leakage requires efforts from the affected users themselves. Citizens must know how to react when personal information is stolen which will help users prevent cybercriminals from exploiting information in the future.
As soon as suspicious access to the account is detected, users should immediately contact the service provider to waive responsibility when something goes wrong. In this case, when personal data unexpectedly becomes publicly available, users can avoid long-term consequences after personal information is stolen by monitoring their financial activities because this is still an area of interest for cybercriminals.
Protecting personal data as well as strictly dealing with violations of organizations and individuals infringing on privacy rights or illegally buying and selling personal information pose urgent legal issues. It is a must to improve the legal system immediately as Vietnam's regulations on personal data trading are not keeping up with developments in the world. The social and technological landscape is changing rapidly.
Organizations and businesses that manage personal data must constantly upgrade their technology and security systems as well as comply with the State's regulations related to personal data protection.
Lawyer Le Minh Toan (Le Minh Law Company)
Personal information such as identity cards, selfie images and others of 9,667 people are being posted and offered for sale on the Internet for $9,000.
The move by Vietnam's Ministry of Public Security is essential as it is the personal information protection that shows respect for the right of each person.