by Marc Goodman
To avoid the pain and ridicule, Amanda switched schools and moved to a different town. Sadly for her, the persecution continued. Her stalker followed her activities online and created a fresh Facebook page to advise her new teachers and classmates of her topless video. At the new school, the bullying in class got so bad that a group of girls attacked her on the playground, punching her and pushing her into a muddy ditch. Adding insult to injury, the perpetrators even posted a video of their attack on YouTube. Amanda went home that afternoon and drank from a gallon of bleach in an effort to bring all her pain and suffering to an end. She was rushed by ambulance to a hospital, where her stomach was pumped. Though Amanda survived, the harassment continued. On her Facebook page, other students posted photographs of Clorox containers and encouraged her to “try harder next time.” In response, on September 7, 2012, Todd posted a nine-minute YouTube video detailing her struggle with bullying and self-harm. In the deeply emotional video, Amanda shared her experiences of being bullied, while powerfully moving music played in the background. Shortly thereafter, the pain became too much for Amanda to bear, and she committed suicide at the age of fifteen.
Amanda’s video went viral after her death and was viewed millions of times. Some police thought that Amanda could have been a victim of “cappers,” a disturbing trend in which gangs of online pedophiles revel in coercing kids into stripping on camera and recording them. Worse, the pedophiles then use the videos to blackmail teens into performing more explicit sex acts online and in person. The tragedy of the Amanda Todd affair is multifold. A young girl innocently leaks data about herself online and is stalked on social media and in the real world, leading to her death. But tragic though it may be, this is not an isolated occurrence, and the speed at which the trend is growing is disturbing. Big data bring with them big risks, and even information innocuously shared by an adult can be used by pedophiles.
In 2011, police in Melbourne, Australia, uncovered a number of child molesters targeting lonely single mothers with young daughters by trawling their online profiles and searching references to their children. The goal of the pedophiles was to work their way into the home, usually using a false name and pretense, in an effort to begin a relationship with the child’s mother. Once invited into the home and welcomed there, the pedophile would use his time alone to ultimately target the single mom’s young daughters. Criminals and predators play by different rules and are happy to use all our data as fodder for a wide variety of unwanted consequences.
Haters Gonna Hate
Your social media profile may also make you vulnerable to another type of attack—a hate crime—one in which bigots, racists, and homophobes target individuals online based on their race, religion, creed, color, gender, or sexual orientation. Such incidents have taken place on Facebook, Instagram, ICQ, Twitter, and numerous other social media services. Facebook was accused of hosting so much violent hate speech that CNN ran a story titled “Facebook/Hatebook?” to document the phenomenon.
Online data allow criminals to locate victims based on the attacker’s individual biases. In one case, an assailant in Texas targeted a gay man whom he met on the social media platform MeetMe.com. After arranging a rendezvous with the victim, the attacker kidnapped him, beat him unconscious, bound his wrists, and threw him into the trunk of his car before dumping him on the roadway. Brice Johnson of Fort Worth was charged in the attack and upon his arrest said he just wanted to teach the gay man a lesson but admitted “the joke may have gone too far.”
As horrific as the Texas incident was, the volume of hate crimes involving social media in the United States pales in comparison to that in Russia, with thousands of attacks credited to an emerging neo-Nazi youth movement in the country. In a one-hour documentary produced for the U.K.’s Channel 4, reporters documented over fifteen hundred kidnappings in which bands of vigilantes hunted young gay men on the streets and online. The victims, mostly teenagers, are kidnapped, assaulted, and terrorized during their abductions, which are often boldly filmed. The attackers fear no retribution from complicit police in the country and thus have posted videos of their brutal attacks on both Facebook and Instagram in an effort to further humiliate those injured. Despite the volumes of documentary evidence posted online in hundreds of cases, no arrests or prosecutions have ever occurred, even when the victims were murdered or left permanently disabled—an odd incongruity given the ability of Russian police to systemically monitor all Internet activity in the country across all social media channels.
Burglary 2.0
Have you ever casually posted on Facebook that you were going on vacation? A strikingly large percentage of people will talk about their future travel plans online, mentioning how much they are looking forward to their trip to Disney World or their weekend beach getaway. What they don’t realize, however, is that criminals are perfectly capable of scraping these data off the Internet and using them for their own purposes (think Goodman’s law: the more data you produce and store, the more organized crime is happy to consume).
In the old days, if a burglar wanted to target a particular home, he would traditionally look for the telltale signs that the residents were away on vacation—a pile of newspapers in front of the house or a porch light that remained off at night. But even burglars have modernized their tools and are increasingly using technology to find their targets and property to steal. Welcome to the world of burglary 2.0. These criminals are increasingly searching your postings on Facebook, Google+, and Twitter and using the data you leak there for lead generation purposes, just as would any other good salesman or prospector. To highlight this threat, a group of Dutch computer developers concerned by our oversharing created a Web site called PleaseRobMe.com. There they aggregated locational data from people’s tweets and Foursquare check-ins and created a searchable database of the information collected. The result: would-be burglars could check by postal code and see who was away and for how long and was thus suitable for burglary. It’s criminal target selection at the click of a mouse.
The threat is not purely hypothetical: real-world burglars are indeed monitoring social data. One such example was uncovered in 2010 when a group of local criminals in Nashua, New Hampshire, turned to Facebook to determine when victims were away from their homes. Nashua police discovered that this crime ring checked Facebook updates of their victims before carrying out more than fifty break-ins and stealing nearly $200,000 in property during their burglary spree. These are not your grandfather’s burglars, and criminals are rapidly adapting to technologies that help them commit more crime. According to a 2011 study of convicted burglars in the U.K., 78 percent of them admitted monitoring Facebook, Twitter, and Foursquare before pinpointing a specific home to rob. They also admitted using tools such as Google’s Street View to scope out the property beforehand and plan escape routes when fleeing from the scene of the crime. The results highlight the ways in which criminals can use the data we are leaking against us.
Another way in which burglars are targeting you is via the locational data embedded in the files you’ve posted online. As noted previously, these so-called metadata are silently implanted and hidden in the photographs, videos, and status updates you share with others via your mobile devices and reveal the date and time the photograph was taken, the serial number of the phone or camera, and, most important, the longitude and latitude (GPS coordinates) of where the picture was snapped. The metadata containing this information, though not immediately obvious when watching a video or viewing a picture, lie there readily accessible by anybody who knows how to download a simple browser plug-in to access them. With any one of hundreds of free tools, suddenly your photographs come to life and magically appear on a Google Map that allows anybody to zoom in on the precise location where the picture was taken. Such is the miracle of cyber casing—using hidden geo-locational data to plan one’s crimes.
Those very same metadata are contained in millions of photographs posted to sale and auction sites such as Craigslist and eBay.
For example, a photograph of a diamond ring or an iPad posted on Craigslist might have embedded with it the precise location of your home where the photograph was taken. This information allows tech-savvy thieves to use Craigslist as nothing more than a shopping catalog for goods soon to be stolen.
When Keri McMullen and Kurt Pendleton of New Albany, Indiana, decided to sell their plasma TV and stereo system, they posted photographs of the items online. A few days later, the couple mentioned on Facebook they would be attending a concert in nearby Louisville that Saturday night. That’s all the information that thieves needed to burglarize the home containing the electronic goods they were seeking. The burglars knew they could take their time because the couple would be at the concert for hours. In the end, the couple were robbed of their flat-screen television, two laptops, a stereo rack and all its components, and a high-end 35 mm digital camera. This is but one of several ways in which criminals too are engaging in e-commerce, cyber casing your home from the inside with the data you are leaking.
Targeted Scams and Targeted Killings
Another way in which criminals take advantage of your online vacation postings and travel status updates is by scamming your grandparents. Yes, criminals monitor your social media and watch you post your vacation photographs online in real time. Once you’ve done so, con artists analyze your social networks looking for elderly relatives, usually grandparents, whom they notify of your “unfortunate accident.” The scam goes something like this: “Hello, Grandma? Yes, I have some terrible news. Your grandson Peter was involved in a terrible accident in Barbados. The hospital won’t accept his American insurance and refuses to treat him until we put down $10,000 for the surgery. If you don’t help, Grandma, he may not make it.” How do criminals get away with this? Because we help them, though unwittingly, through the information we share in the new world of big data. Facebook tells the world—including organized crime—exactly who our grandparents are and how to find good old aunt Margaret to pressure her: “It’s looking really bad … Peter has gone into a coma … Please send the funds immediately!” Hundreds of victims have been defrauded by the scam, and millions of dollars have been sent via Western Union and MoneyGram as a result.
While Internet scammers monitoring your social media accounts may cost you a few thousand dollars, when narcos follow you on Twitter, it may cost you your life. Drug cartels implement a wide variety of sophisticated counterintelligence programs to collect data from social media platforms, blogs, and government tip lines as a means of exposing potential threats.
Comments made online that are perceived to be unfavorable to the cartels are dealt with swiftly. In September 2011, just across the Texas border in Nuevo Laredo, Mexico, residents on their way to work awoke to find two bodies strung up by their arms and legs, hanging in the air from a pedestrian overpass. The victims, a man and a woman in their twenties, had been badly tortured, and the female was fully disemboweled. Above the dangling bodies read an ominous warning on a large posted sign: “This will happen to all the internet snitches … Be warned, we’ve got our eye on you. Signed, Z,” a reference to the Zetas, one of Mexico’s largest and most violent drug cartels. These cartels are equally savvy with their social media campaigns, uploading photographs and videos of themselves on Facebook and Twitter in the act of decapitating their victims with chain saws and machetes.
Meanwhile, terrorists not only leverage social media for operational purposes, as we saw in Mumbai, but also tweet in real time to drive public opinion and cause more fear among their targets. During the September 2013 assault on the Westgate shopping mall in Nairobi, Kenya, members of the al-Shabab group who carried out the attack live tweeted their slaughter from inside the shopping center. The Somali-based terrorists murdered sixty-three innocent civilians and wounded nearly two hundred more. The group even posted photographs on Twitpic of the carnage inside the Westgate and accused the Kenyan government itself of destroying the shopping center, using the hashtag #Westgate.
Counterintelligence Implications of Leaked Government Data
Organized crime and narcotics organizations are using social media to gather intelligence on government and law enforcement officials. For example, when two Maricopa County, Arizona, sheriff’s deputies pulled over a vehicle in 2010 for DUI, a search of the vehicle uncovered a variety of data CDs, including one with the names, photographs, and Facebook profiles of nearly thirty patrol and undercover officers. Non-state actors and hacktivist groups such as Anonymous and LulzSec also go after the social data leaked by government officials.
In a 2012 incident, the hacktivist group LulzSec demonstrated its power to even go after the FBI. Because the hacktivist organization had begun to tap the personal e-mail addresses of individual police officers, especially those working the cyber-crime beat, they were able to intercept an e-mail message notification of a conference call taking place between the FBI, Scotland Yard, and several other global police agencies. The topic of the call? A discussion of “the on-going investigations related to Anonymous, LulzSec, Antisec and other associated splinter groups.” Once in possession of the e-mail, the hacktivists merely used the dial-in information and access code to silently participate in the call. As the world’s premier law enforcement organizations discussed the case against Anonymous and LulzSec, there the hackers sat on the line listening to police unknowingly brief them on the status of the investigation. The call was even recorded by LulzSec, which then posted it to YouTube, greatly embarrassing the police authorities involved and undermining their investigation.
So No Online Profile Is Better, Right?
Not necessarily. Given all the risks from posting social data online, it may seem as if not participating in Facebook or LinkedIn would be the obvious solution. But a social media boycott brings its own challenges. If you don’t own and control your own online persona, it’s extremely easy for a criminal to aggregate the known public information about you and create a social media profile for you and use it for a wide variety of criminal activity, ranging from identity theft to espionage. Indeed, there are many such examples of this occurring, particularly for high-profile individuals. For instance, in late 2010, an organized crime group commandeered the identity of the secretary-general of Interpol, Ron Noble, and created a Facebook Web page for him. The criminals took his official photograph from Interpol’s own Web site and extracted data from his official biography to build out his fake Facebook profile. The organized crime group began friending other senior law enforcement officials around the world in the persona of Noble and posed operational questions of them via the social media service. In particular, criminals posing as Noble tried to gather intelligence regarding Operation Infra-red, an Interpol global undercover operation to locate and arrest high-priority international fugitives. It is unclear how many fell for the ruse and how much data is shared, but dozens of the world’s most senior police officials accepted the purported friend requests.
The Spy Who Liked Me
Industrial espionage too has found a powerful ally in social networks. In the second chapter of this book, we learned about the Massachusetts windturbine firm AMSC, which lost nearly a billion dollars of valuation after its computer source code was stolen via a Chinese espionage operation. What wasn’t explained, however, is how the attack was carried out.
When the Chinese officials decided to purloin the source code on behalf of Sinovel, a state-owned company whose wind turbines were supplied by AMSC, a simple check of LinkedIn would have provided their agents with access to the roster of employees working at the Massachusetts firm. Once the Chinese had completed a review of all employees and their positions, a list was generated highlighting those targets likely to have best access to AMSC’s highly prized source code. One such person identified was a Serbian engineer working for AMSC’s office in Austria by the name of Dejan Karabasevic.
The Chinese began monitoring Karabasevic across a variety of social media sites such as LinkedIn, Facebook, and Twitter. They learned he was going t
hrough a nasty divorce and had recently been demoted at work—the exact types of vulnerabilities any modern intelligence agency looks for when targeting potential recruits. Through his various postings, the Chinese were able to re-create Karabasevic’s “pattern of life”—plotting on a map his favorite coffee shops, gyms, and restaurants, his home and office, his travel times, and his daily routines. They also learned that he had a penchant for Asian women. Armed with all of this information, the Chinese began their recruitment process.
Chinese handlers approached Karabasevic and offered him a “consulting” opportunity to work with them. In the end, they were readily able to persuade Karabasevic to provide the source code (secret sauce) that allowed Sinovel to build its own wind turbines without AMSC. Most important for Karabasevic, his Chinese handlers established an office in Beijing for him and promised “all the human contact he could want … in particular with female co-workers.” After the theft occurred, hundreds of Skype chats and e-mail messages were uncovered between Karabasevic and his Chinese handlers. In one note Karabasevic wrote, “All girls need money. I need girls. Sinovel needs me.” To allay his financial concerns, meet his companionship needs, and bolster Sinovel’s bottom line, the Chinese offered Karabasevic $1.7 million for the source code. The economics of the deal were fascinating and instructive: Karabasevic receives $1.7 million; AMSC loses a billion dollars in valuation and intellectual property, which Sinovel captures by purportedly selling pirated AMSC products around the world. A great return on investment for Sinovel and for those unencumbered by the moral implications of such dealings.