If it hasn’t already been made clear by Facebook’s moves to cut off AggregateIQ and Cambridge Analytica from the platform following the data privacy fiasco that exploded last month, there are multiple companies who don’t play by the social network’s rules and abuse its users’ privacy.
But in recent years a batch of surveillance companies, operating in a far more clandestine manner to Cambridge Analytica and its partners, have been infiltrating all kinds of social media platforms. These spytech vendors are offering services not only to co-opt and influence social media groups with sockpuppet accounts, but will even deliver spyware via the fake profiles they create and hone across different platforms. And at least one of those businesses has been caught out shipping to a regime with a dubious human rights record.
Privacy activists are calling for action. “The idea that former spooks are available to buy to infiltrate political groups online is alarming. Imagine how such powers can be used to infiltrate pro-democracy or human rights groups in authoritarian states,” warned Edin Omanovic, head of Privacy International’s State Surveillance project. “Big surveillance companies are only able to do this because they exploit a broader ecosystem. Fundamentally, Facebook and other companies have a responsibility to protect their users.”
One of those surveillance vendors is Area S.p.A., a company which sold network monitoring tools to the Bashar Al-Assad regime in Syria in 2011. It was punished for that shipment in 2014 with a $100,000 fine from the U.S., the country from which it shipped the tech. And in 2016, the firm’s offices were raided by Italian authorities who ordered the seizure of millions in euros as part of an investigation into the possible breach of European law as a result of that same Syrian sale. (In response to questions on that issue, Area simply pointed Forbes to comments made by a deputy minister of the Italian Economic Development Ministry, which an Area spokesperson said showed “the correctness of the company behavior.” Those comments can be read in full, in Italian, here).
As for its social network exploitation, in a brochure obtained by Forbes from last year’s UK Anti-Terror Expo, Area describes its “MCR Virtual Human Intelligence” platform. Think of it as software that helps organize and manage a government agent’s fake profiles across different online spaces. Its aim is “not only to infiltrate agents within virtual communities of interest, but to support psychological operations (psyops) as well.” Those “communities” include “blogs, forums and social networks.”
For anyone wondering what psyops entails, Area goes into more detail in somewhat broken English: “Once acquired the trust of a specific group of interest, for the officer it is possible not only trying [to] identify its real members, but to gather useful information regarding its activities or to influence its choices for his own purposes.”
There’s anotherfeature on offer from Area that allows “the installation of spyware applications when the target communities wish to check our virtual identities.” This suggests that simply visiting a sockpuppet profile of an Area client can lead to malware infection (though keep in mind that surveillance companies are known to oversell and under-deliver).
The company, which also claims to have a base in the U.K., declined to offer more detail on how its social media tech worked. It wasn’t so shy in May last year, when it presented the technology to delegates at a Nato industry forum last June, however.
IPS, another Italian outfit that operates under parent company the Resi Group, has been talking up using social media for propaganda for some time. Over recent years, it’s been presenting at various ISS World Training events (surveillance industry trade shows known colloquially as wire tapper’s balls), where IPS staff have given talks on “how to monitor and influence public sentiment with a platform able to listen, analyze and react through propaganda campaigns on social media,” and “automatic exploitation” of social media. Another talk looks at “encrypted services like Facebook, WhatsApp and Telegram,” exploring “how social media intelligence benefits investigators in a holistic vision.”
Amongst its product set is a suite of tools labelled “Unconventional IP Intelligence.” That includes a service for Virtual HUMINT (virtual human intelligence), the same term used by Area for employing fake identities to gather information. Facebook is named as one of the platforms on which that IPS intelligence is based, alongside Twitter, Instagram, LinkedIn, YouTube, Google+ and Foursquare.
IPS was, in 2017, the focus on an undercover report from Al Jazeera, in which the company’s staff were seen talking about how it might be possible to circumvent sanctions and global export restrictions. The employees believed they were talking to a representative trying to ship surveillance kit to Iran and South Sudan. The company didn’t respond to requests for comment.
It’s highly likely both Area, IPS or anyone using Facebook data for surveillance is breaking the company’s rules. Facebook didn’t provide comment for this article, but pointed to policies that prohibit the exploitation of Facebook-held information for the purpose of online snooping. Mark Zuckerberg’s firm also does not allow accessing or collecting information using automated methods, such as harvesting bots or scrapers.
Not just an Italian job
Italians may have a specialty in surreptitious online businesses, but there are other companies across the globe who’ve offered similar services trying to manipulate social media users. One American firm, Ntrepid, attracted attention in 2011 when it was awarded a contract with United States Central Command (Centcom) for an “online persona management service” that was designed to help the U.S. influence online groups. But according to a Guardian report, Centcom said it was not not targeting American sites, including Facebook and Twitter. And Ntrepid said in an emailed statement it only used social media for marketing, not for intelligence.
The bustling Israeli surveillance scene has turned out some firms trying to sway social media denizens, two of which were snapped up by surveillance and cybersecurity giant Verint in the past year. They include Terrogence, which has previously sold to the U.S. government, and cultivates fake profiles, or what it calls virtual entities, to infiltrate online groups. Its apparent targets, according to its brochures and staff LinkedIn profiles, include terror, political and social groups. This is the same company that has been harvesting Facebook photos as fuel for a large facial recognition service called Face-Int, as detailed by Forbes on Monday.
No doubt there are many other businesses flying under the radar.
The personas of Palantir and HBGary
But the surveillance industry’s use of Facebook and other social media has a long history. Its origins can be traced to at least the turn of the last decade and the work of Aaron Barr, his government contractor HBGary and the Peter Thiel-funded surveillance monolith that is Palantir. (Note that it was a Palantir employee who ended up giving Cambridge Analytica the idea to exploit Facebook data, according to a Guardian report. Also note that Thiel was an early investor in Facebook).
Thanks to an archive of HBGary emails on Wikileaks, it’s easy to see how the world ended up with Cambridge Analytica. In one email from August 2010, between Barr and former Palantir analyst Aaron Zollman, the HBGary CEO talked up his work on developing Facebook personas.
In another email to Zollman from that August, Barr talked about the potential for gathering a vast amount of information from a single Facebook user. “What I have found is there is an immense amount of information peoples [sic] friends lists as well as other social media digital artifacts [sic] can tell us,” he wrote. “I think Palantir would be an awesome tool to present and use for analysis.”
It’s unclear if any product came of those machinations. Palantir cut off ties to HBGary in 2011 after plans on hacking Wikileaks emerged, following a breach at Barr’s firm. But his comments should’ve been a warning. A few years later, a researcher named Aleksandr Kogan created a Facebook app, a kind of personality quiz called thisisyourdigitallife, that signed up 270,000 users. Because they used Facebook Login to access the app, they gave permission to the application developer to gather a large amount of data from their profile. From that 270,000 base, Kogan was able to harvest information on 87 million Facebook users, possibly including their likes and their locations. And it was that dataset that Cambridge Analytica purchased and used to the benefit of the Trump campaign and the Super PACs that supported him.
It’s exactly the kind of data exploitation Barr was on to. “Those people that provide information and have their friends lists exposed provide an incredible social engineering and recon tool,” Barr wrote. It wasn’t until 2015 that Facebook changed its policies on how much data was accessible to apps on its platform. That was too late for millions of its users.