I framed it as exploitation. it is. but I stopped at the harvesting.
UnitBuilds didn't stop there. over a series of comments, he walked through what happens after the 30ドル — and it's worse than anything I'd written.
the part the verification step doesn't tell you
when you complete a biometric check — face the camera, look left, look right — you're not just proving you're human. legally, you're authorizing.
not authorizing this one transaction. authorizing the account. anything done with it, by anyone, from that point forward, is yours. that's not a loophole. that's the definition of authentication.
as UnitBuilds put it:
"they can contest in court, but they won't win, by law they can't win, because the very definition of the authentication is that you, as yourself, fully authorize yourself and anyone else by proxy, to use your account to do with, for whatever purposes, assuming full responsibility for it."
the person who took the 30ドル didn't sign up to be liable for whatever happens next. but the law doesn't have a category for "deceived into authorizing." it has a category for "authorized." and once you're in that category, you're not fighting the bill. you're fighting jailtime.
what "fighting jailtime" actually looks like
UnitBuilds laid out the scenarios plainly:
a bad actor uses the harvested identity to rack up charges, commit fraud, or worse. the account holder — the person who took the 30ドル — has no idea any of this happened. months later, maybe years later, they get a job offer overseas. they travel. at the border, there's a warrant. for a crime committed using their face, on the other side of the planet, by someone they've never met.
or the company affected sues. the debt is structured for someone earning a developer's salary in a wealthy country. the person actually liable is earning 100ドル a month.
"imagine that, an entire month's pay gone, on a single ai subscription they never even knew existed, from a bank account they never made. and they don't have the finances to actually fight it in court."
that's UnitBuilds describing namibia specifically — people working full contracts, 8 to 5, for 100ドル a month. not informal work. not gig work. contracted employment. wiped out by a bill that was never theirs, with no path to contest it, because contesting it costs more than the bill itself.
the version where you don't even get the 30ドル
the scenario above assumes someone got paid. UnitBuilds described a worse one: phishing.
a fake overseas job offer. "all you have to do is submit your id and do the facial verification, and send the code that's sms'd to you." it looks exactly like a routine hiring process. and then:
"that's the last you ever hear of them."
no payment. no awareness that you were ever part of a supply chain. just a verification step that felt normal, and a liability that surfaces however long it takes for someone to misuse it.
this isn't new, it's just wearing new clothes
UnitBuilds has watched this pattern before ai existed. bank impersonation calls — spoofed numbers, confident voices, "confirm your account details" — targeting pensioners who grew up trusting that a call from the bank was actually the bank.
"life-savings gone from pensioners, who have no means of earning it back or fighting the bank for it. some had to choose between food on the table and paying their wifi, losing access to communication with everyone they know, for the sake of not going hungry, because someone scammed them out of 50 years worth of hard work."
whatsapp cloning works the same way — impersonate a relative, get the verification code, clone the account, spread it to the entire contact list, harvest more identities, repeat.
the throughline, in his words:
"it's a system built on accountability, not morality, and the legal system is there to defend the dollar not the person."
in namibia, you go to prison longer for poaching a cow than for murder.
the part that has nothing to do with biometrics
then UnitBuilds introduced something I hadn't considered at all: hardware identity theft.
two forms. the first is shadow proxy networks — malware that quietly routes traffic through your residential gateway, so someone else's activity travels under your ip, your network, your name.
the second is newer and stranger. you buy a windows 11 laptop. secure boot signs the hardware to your microsoft account the moment you log in. from that point, you're the authorized owner of that device — and liable for whatever it does — until you go through the process of manually removing it from your account's device list. format it, sell it, give it away: none of that breaks the link. the new owner is using hardware that's still, in microsoft's records, yours.
"a small little detail they don't tell you when they say it's 'for your data security.'"
the mechanism is identical to the biometric one. ownership and liability bound to an identity that doesn't update when the physical reality changes. the gap between who actually controls something and who's legally responsible for it is where all of this lives — bodies, devices, accounts, doesn't matter. the structure repeats.
the sentence underneath all of it
a developer going by self-correcting systems read the original piece and named the pattern precisely:
"a control that can't see its own downstream doesn't stop the harm, it relocates it."
that's what every layer of this is. kyc doesn't stop fraud — it relocates the verification burden onto someone with no stake in the outcome. secure boot doesn't stop hardware theft — it relocates ownership liability onto whoever's account it happened to be signed into. every fix moves the cost. none of them eliminate it. they just choose, by design or by accident, who absorbs it.
the people who absorb it are consistently the people least equipped to refuse, least equipped to understand what they're agreeing to, and least equipped to fight it once it lands.
UnitBuilds runs Halo Cybersecurity adjacent work and built NMCP, a rust-based mcp implementation. everything quoted here, he gave permission to use directly — his words, not mine, paraphrased into something smaller than what he actually said.
most of what's true in this piece, he wrote first, out loud, in a comment thread.
AI helped me research, structure, and edit this piece. The arguments, the examples, and the opinions are mine and UnitBuilds'. So is whatever's wrong with them.