Zlatan’s Dispute is the Tip of the Iceberg: On the Cusp of Identity Theft on Steroids

Blockchain enables an irrefutable and readily ascertainable ownership verification – either an authorized use appears as a transaction on the ledger or not.

Zlatan Ibrahimovic has openly disputed the use of his name, image, likeness (NIL), aka image rights, in the electronic game industry. The legal challenge for athletes and celebrities, as well as institutional brands, centers on who owns what data rights.

Ownership of data, on an equivalent level as property ownership, is a topic I have written about here.  Yet, the data ownership controversy for a celebrity or a valuable brand is but one small facet of a far darker dilemma:  the specter of limitless and infinitesimal misappropriation of Digital Identity.  That is, a sort of identity theft at scale – including a scaled theft of corporate or brand identity (i.e., not just losses to human privacy).  Let’s call this threat Digital Identity Theft.  What is it? 



For context, consider that: 

  1. Hacking schemes already commonly create ephemeral, authentic-looking sites that mimic legitimate sites to trick users into trusting them. Sometimes alternatively called typosquatting or homograph domains, this attack often utilizes Internationalized Domain Names (IDN) – such as substituting the Latin letter ‘a’ (U+0061) with the visually identical Cyrillic letter ‘а’ (U+0430), as described in this article. Once a visitor believes the visited site is authentic, various fraudulent schemes can be carried out.
  2. The proliferation of Top Level Domains (TLD) – with new TLDs emerging continuously – provides further opportunity for new look-alike sites to misappropriate legitimate brands for fraudulent schemes.
  3. Where things get unhindered and destabilized is with blockchain domain registrations. Whereas ICANN and the Domain Name Registrars require a registration process, which ostensibly enables some potential oversight and enforcement against abuse, the decentralized and distributed blockchain architecture enables bad actors to escape detection much more efficiently. The cybercriminals have already figured this out – this article highlights the bulletproof advantages of blockchain domains for botnet command and control. As the article puts it: “the blockchain is considered ‘uncensorable’ and ‘tamper-proof,’ because it doesn’t have any overarching authority or managerial entity.”
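A brand-monitoring check for the homograph substitution described in item 1, as an added example (not code from this article or from Sports-ISAO). It goes slightly beyond the text by also decoding punycode (`xn--`) labels; the watchlist domain, the small confusables table, and all function names are assumptions made for illustration.

```python
import unicodedata

# Constructed subset of Cyrillic/Greek letters that render like Latin ones;
# a real monitor would load the full Unicode confusables table (assumption).
CONFUSABLES = {
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",
    "\u0441": "c", "\u0443": "y", "\u0445": "x", "\u0456": "i",
    "\u03bf": "o", "\u03b1": "a",
}

def to_unicode(domain):
    """Decode punycode (xn--) labels so the real characters are visible."""
    labels = []
    for label in domain.lower().rstrip(".").split("."):
        if label.startswith("xn--"):
            try:
                label = label[4:].encode("ascii").decode("punycode")
            except UnicodeError:
                pass  # malformed punycode: keep the raw label
        labels.append(label)
    return ".".join(labels)

def scripts(label):
    """Scripts of the letters in a label, taken from Unicode character names."""
    return {unicodedata.name(ch, "UNKNOWN").split()[0]
            for ch in label if ch.isalpha()}

def skeleton(domain):
    """Fold known look-alike characters to their Latin counterparts."""
    return "".join(CONFUSABLES.get(ch, ch) for ch in domain)

def classify(candidate, brands):
    """Return (verdict, matched_brand) for one observed domain."""
    uni = to_unicode(candidate)
    if uni in brands:
        return ("legitimate", uni)
    folded = skeleton(uni)
    if folded in brands:
        return ("homograph", folded)
    if any(len(scripts(label)) > 1 for label in uni.split(".")):
        return ("mixed-script", None)
    return ("unrelated", None)

if __name__ == "__main__":
    watchlist = {"example.com"}  # constructed brand domain
    puny = "xn--" + "ex\u0430mple".encode("punycode").decode("ascii") + ".com"
    for d in ["example.com", "ex\u0430mple.com", puny]:  # constructed samples
        print(d, classify(d, watchlist))
```

A "mixed-script" verdict flags a label that combines scripts even when it matches no watched brand, which is useful for triage of newly observed domains.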

Without Data Ownership, it’s a Game of Whack-a-Mole

Blockchain domains create a destabilizing environment for brand protection through infinitesimal scaling and detection obstacles. Let’s just stick with NIL or brand knockoff threats. Attackers can create a near-endless supply of ephemeral look-alike sites which mimic the target’s site or NIL, and point traffic there via social media or find other schemes to rip off someone’s NIL rights. Here’s an article for illustration of unauthorized intellectual property offered for sale as an NFT (fortunately, takedown authorities can be used to have NFTs removed from the marketplace).

Blockchain domains can be exploited for malicious objectives in ways that harm celebrities and valuable brands. Cybercriminals can spin up multiple fraudulent domains, and deactivate them at will, at a tempo that a) makes detection extremely difficult, and b) renders enforcement into a game of whack-a-mole. As quickly as a scheme is taken down, a replacement scheme pops up.

Sports-ISAO Efforts in Monitoring for NIL and Brand Abuse

Sports-ISAO just completed its 4th Olympic Games cyber threats monitoring effort during Beijing 2022. Although threat report production is ongoing, an observation worth noting here is that Sports-ISAO once again detected rampant ad fraud attacks. Moreover, the ad fraud involved domain abuse strategies along the lines of the typosquatting and alternating active site dynamics noted above.

Additionally, Sports-ISAO previously engaged in elite athlete and valuable brand monitoring in support of an England International football star, as well as a top club in the Premier League in England.  The monitoring, which included social media abuse and cyberattack scans, revealed a high volume of typosquatting and other brand exploitation schemes. 

Finally, Sports-ISAO modelled sport-focused ad fraud samples and determined that sport is a highly lucrative and heavily targeted industry for various cybercrime schemes.  Because of the high dollar sponsorships, broadcast revenues, fan engagement, and advertising spend, sport represents a target rich environment for threat actors.

Combating the Threats with Data Ownership and Infringement Monitoring 

As this writing posits, brand owners – both individual athletes and corporate entities – should pursue a Digital Identity strategy. Ownership of property enables a more efficient enforcement strategy under property law (i.e., for infringements), as well as the ability to pursue online takedowns of infringing content. Secondly, the data owner must protect its ownership through monitoring. Athletes and brands in sport have a special need for these protections given the tendency of cyberattacks to target the sector.

As the article above also points out, ownership of brand assets on the blockchain is particularly important.  Its distributed ledger technology and smart contracts provide a mechanism for efficient enforcement.  That is, blockchain enables an irrefutable and readily ascertainable ownership verification – either an authorized use appears as a transaction on the ledger or not.  If not appearing on the ledger, then ipso facto it is an unauthorized use.  

Web3 is Coming – Own Your Data!  

Identity Theft in Web2.0 was bad – it will be far worse in Web3.  Identity Theft in a Web2.0 world had limits; whereas a theft of one’s Digital Identity in a Web3 environment is exponentially worse because of an incalculable quantity of imposter or knockoff uses.  Ownership of one’s Digital Identity – Digital Identity Sovereignty™ –  requires individuals and entities to take a stand, to stake a claim of ownership of their data.  And, to monitor for misuse. 

Finally, laws must be improved around data ownership.