stand by for mind control

NATO Group Catfished Soldiers To Prove A Point About Privacy
Issie Lapowski, Wired, Feb 18 2019

The phony facebook pages looked just like the real thing. They were designed to mimic pages that service-members use to connect. One appeared to be geared toward a large-scale military exercise in Europe and was populated by a handful of accounts that appeared to be real service-members. In reality, both the pages and the accounts were created and operated by researchers at NATO Strategic Communications Center of Excellence, a research group that’s affiliated with NATO. They were acting as a “red team” on behalf of the military to test just how much they could influence soldiers’ real-world actions through social media manipulation. Nora Biteniece, a software engineer who helped design the project, told WIRED:

We attempted to answer three questions. The first question is, what can we find out about a military exercise just from open source data. What can we find out about the participants from open source data, and can we use all this data to influence the participants’ behaviors against their given orders.

The researchers discovered that you can find out a lot from open source data, including Facebook profiles and people-search websites. And yes, the data can be used to influence members of the armed forces. The total cost of the scheme? Sixty dollars, suggesting a frighteningly low bar for any malicious actor looking to manipulate people online. StratCom published its findings last week in a new report which Biteniece, her coauthor Sebastian Bay and their fellow StratCom researchers presented Thursday at a HPSCI hearing on social media manipulation. The experiment underscores just how much personal information is free for the taking on social media, and, perhaps even more troubling, exactly how it can be used against even those of us who are the best positioned to resist it. Janis Sarts, director of NATO StratCom:

We’re talking professional soldiers that are supposed to be very prepared. If you compare that to an ordinary citizen … it would be so much easier.

Many of the details about how the operation worked remain classified, including precisely where it took place and which Allied force was involved. The StratCom group ran the drill during an exercise with approval of the military, but service members weren’t aware of what was happening. Over four weeks, the researchers developed fake pages and closed groups on Facebook that looked like they were associated with the military exercise, as well as profiles impersonating service members both real and imagined. To recruit soldiers to the pages, they used targeted Facebook advertising. Those pages then promoted the closed groups the researchers had created. Inside the groups, the researchers used their phony accounts to ask the real service members questions about their battalions and their work. They also used these accounts to “friend” service members. According to the report, Facebook’s Suggested Friends feature proved helpful in surfacing additional targets. The researchers also tracked down service members’ Instagram and Twitter accounts and searched for other information available online, some of which a bad actor might be able to exploit. Biteniece says:

We managed to find quite a lot of data on individual people, which would include sensitive information, like a serviceman having a wife and also being on dating apps.

By the end of the exercise, the researchers identified 150 soldiers, found the locations of several battalions, tracked troop movements, and compelled service members to engage in “undesirable behavior,” including leaving their positions against orders. Sarts says:

Every person has a button. For somebody there’s a financial issue, for somebody it’s a very appealing date, for somebody it’s a family thing. It’s varied, but everybody has a button. The point is, what’s openly available online is sufficient to know what that is.

Members of the military happen to be particularly high-profile targets for scams like catfishing and sextortion. Recently, a group of inmates in South Carolina were busted for allegedly blackmailing 442 service members using fake personas on online dating services. Not only can these tactics hit service members’ wallets, they may also represent a security risk if the victims have access to sensitive information. A Facebook spox said:

We welcome researchers who inform social media and technology companies of their findings in a responsible manner. Social engineering and other scams continue to be a challenge for people using technology worldwide. We encourage people to not accept suspicious requests and to report suspicious messages, which try to trick people into sharing personal and sensitive business information.

Facebook has taken a firm stance against networks of fake pages and accounts designed to manipulate the public, ever since the company discovered a widespread Russian propaganda campaign designed to influence Pindostan’s 2016 Presidential election. Facebook prohibits what it calls “coordinated inauthentic behavior” and has suspended thousands of accounts, pages, and groups engaged in this kind of trickery all around the world. The company has scaled up its safety and security team to 30,000 people over the last year, and it also offers users guidance on dealing with phishing. But the StratCom report shows that Facebook’s efforts to crack down on this activity are having only middling success. Of the three pages the group created, one was shut down within a matter of hours, while the other two were cut off two weeks later after being reported to Facebook. Two out of the five phony profiles they created were never suspended. Neither were the closed groups. And StratCom’s experiment was tiny in comparison to the scams that some bad actors run, using hundreds of accounts, profiles, and pages. Bay says:

We did this to test social media companies’ statements that they’re doing a lot to investigate and protect against malicious activity. Obviously, if it takes two people three weeks to find vulnerabilities within this context, they’re not doing enough.

The researchers suggest some specific changes Facebook could make that would have made their experiment more difficult. For instance, they encourage the company to establish stricter control over its Suggested Friends feature, so it’s not so easy to map out members of a given group. For the military group that OK’d the research, the experiment effectively acted as a drill. But for the rest of us, and certainly for the social media platforms implicated in the report, the researchers hope it will serve as concrete evidence of why a fuzzy concept like privacy matters and what steps can be taken to protect it. Bay says:

We need to put more pressure on social media to address these vulnerabilities that can be used for the detriment of national security for individuals and for society as a whole.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.