We are committing to draft a cross-industry schema for hiring-risk signal sharing and to convene the partners for it. We want those partners to help us govern it.
The same threat actors target many victims. Public prosecution exhibits show foreign IT-worker operatives applying to dozens of companies with the same identity package; the laptop-farm IP ranges identified in 2025 federal raids served operatives placed at multiple Fortune 500 firms simultaneously. Today, when one organization detects and rejects a fraudulent applicant, that signal does not reach the next organization the same applicant approaches.
This is the same coordination problem that threat-intelligence sharing solved for malware fifteen years ago. It has the same solution shape, and Census Networks is committing to draft it, convene the partners, and contribute to it.
The extension reuses existing patterns where the analogy holds and adds new object types where it does not. The first-pass indicator types we are proposing:
IP and CIDR ranges, ASN observations, residential-proxy exit-node fingerprints, with provenance and decay metadata.
Privacy-preserving hashes of identity tuples observed in confirmed fraud, designed so two members can independently observe a hash collision without either disclosing the underlying identity.
Model-detected anomaly fingerprints associated with specific face-swap toolchains, as opposed to raw biometric data.
Institutions and employer entities observed in confirmed fraudulent claims, with confidence and decay metadata, gated on a quorum of independent member observations.
Irreversible aggregate features describing the shape of behavioral mismatches observed in confirmed fraud, with differential-privacy noise added at aggregation.
Known facilitator playbooks, interview-rehearsal artifacts, intermediary-network topologies, in shared narrative form.
Three primitives anchor that commitment.
No raw PII crosses tenant boundaries.
The question "is this token in any other member's confirmed-fraud set?" is answered probabilistically, with a bounded false-positive rate, without revealing who reported it.
Members compute joint distributions without any one member observing the others' raw counts.
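An added example, not part of the original proposal or of any Census Networks reference code: one way the hashed-identifier and Bloom-filter membership primitives could fit together. The shared HMAC key, the tuple fields (name, email, phone), the normalization rules and the sizing parameters are all assumptions made for illustration.

```python
import hashlib
import hmac
import math
import unicodedata

# Assumption: a key provisioned to members out of band; constructed value.
CONSORTIUM_KEY = b"constructed-demo-key-not-for-production"

def identity_token(name, email, phone, key=CONSORTIUM_KEY):
    """Normalize an identity tuple and return its keyed hash (no raw PII leaves the member)."""
    norm_name = " ".join(unicodedata.normalize("NFKC", name).casefold().split())
    norm_email = email.strip().casefold()
    norm_phone = "".join(ch for ch in phone if ch.isdigit())
    # Unit separator keeps ("ab", "c") and ("a", "bc") from colliding.
    material = "\x1f".join((norm_name, norm_email, norm_phone)).encode("utf-8")
    return hmac.new(key, material, hashlib.sha256).digest()

class BloomFilter:
    """Membership set holding tokens only; the bit array carries no reporter identity."""
    def __init__(self, capacity, fp_rate):
        # Standard sizing: m = -n ln p / (ln 2)^2, k = (m / n) ln 2
        self.m = math.ceil(-capacity * math.log(fp_rate) / math.log(2) ** 2)
        self.k = max(1, round(self.m / capacity * math.log(2)))
        self.bits = bytearray((self.m + 7) // 8)

    def _positions(self, token):
        # Double hashing: derive k indexes from two 64-bit halves of one digest.
        d = hashlib.sha256(token).digest()
        h1 = int.from_bytes(d[:8], "big")
        h2 = int.from_bytes(d[8:16], "big") | 1
        return [(h1 + i * h2) % self.m for i in range(self.k)]

    def add(self, token):
        for p in self._positions(token):
            self.bits[p // 8] |= 1 << (p % 8)

    def __contains__(self, token):
        return all(self.bits[p // 8] >> (p % 8) & 1 for p in self._positions(token))

def measured_fp_rate(bf, trials=20000):
    """Probe tokens that were never inserted; the hit fraction estimates the FP rate."""
    hits = sum(identity_token(f"probe {i}", f"p{i}@example.invalid", str(i)) in bf
               for i in range(trials))
    return hits / trials

# Constructed sample: a confirmed-fraud set of 1000 tokens sized for a 1% FP bound.
shared = BloomFilter(capacity=1000, fp_rate=0.01)
for i in range(1000):
    shared.add(identity_token(f"Fraud Person {i}", f"fp{i}@example.invalid", f"+1 555 01{i:04d}"))
```

A keyed hash over low-entropy fields can be enumerated by anyone who holds the key, so key custody and field choice determine how much privacy the token actually gives.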
Open to security vendors, enterprise employers, and trusted industry associations who maintain a designated security and legal point of contact. New members admitted by quorum of existing members.
Indicators submitted with provenance, confidence, and decay; promotion from "reported" to "confirmed" requires a member's own confirmed-fraud incident or a quorum of members independently observing the same indicator.
A standing review panel, rotating across member companies, handles disputes about indicator validity and removal requests from candidates who believe they have been incorrectly listed.
Sharing under the cybersecurity-information-sharing safe-harbor analogues established by CISA 2015 and equivalent provisions, with member counsel jointly drafting the operational agreement.
Open under a permissive license, with a reference data model and example STIX/TAXII bindings.
Security vendors, enterprise employers, and policy bodies. Quarterly meetings, rotating chair, public minutes.
Hashed-identifier construction, Bloom-filter membership API, and MPC aggregation, all under an OSI-approved license.
Subject to customer consent and the curation rules above.
Sign on to the working group, or read the full proposal in the whitepaper (Section 6).