(not an April Fool's post, despite the date)
Richard A. Clarke, former counter-terrorism czar for both the Clinton and Bush administrations, had some strong words about the US Chamber of Commerce's aborted plans for discrediting its critics, which included spying on families, using malware to steal information, faking documents to embarrass its liberal opponents, and creating and using 'sock puppet' personas to infiltrate their targets.*
Clarke said of the US Chamber's plans to hack, impersonate, spy upon and steal from its perceived opponents:
"I think it’s a violation of 10USC. I think it’s a felony, and I think they should go to jail. You call them a large trade association, I call them a large political action group that took foreign money in the last election. But be that as it may, if you in the United States, if any American citizen anywhere in the world, because this is an extraterritorial law, so don’t think you can go to Bermuda and do it, if any American citizen anywhere in the world engages in unauthorized penetration, or identity theft, accessing a number through identity theft purposes, that’s a felony and if the Chamber of Commerce wants to try that, that’s fine with me because the FBI will be on their doorstep in a matter of hours."
(Although spokesmen for the US Chamber deny that it was planning anything of the kind, leaked memos say otherwise, including this December memo from Berico Technologies to the law firm Hunton & Williams that provides a status report on the work that Team Themis (Berico, Palantir and HBGary Federal) was doing for the US Chamber, and this January memo that discusses pricing quotes and preparation for their project presentation to the US Chamber. So it's pretty clear that whatever the US Chamber says, it's attempting to slam the barn door after the horses aren't just out but are playing tag in the field.)
However, what Clarke asserts as illegal for any US citizen apparently is not so for the US government. It might be unethical, intrusive and deceptive, but not illegal.
One of HBGary's other projects, as revealed in the memos, was a bid for a contract with the US Government to supply software that would let the government manage an army of sock puppets, which could be used to impersonate people online. Each person could manipulate up to ten sock puppets. The RFP also sought a secure virtual private network to supply randomly selected IP addresses; static IP address management, so that each sock puppet could be managed by more than one person and present a believable identity; and servers to support the system. According to the RFP, the software was to be used at MacDill Air Force Base in Florida; Kabul, Afghanistan; and Baghdad. But that doesn't mean the sock puppets would be restricted to those areas -- they could be in computers all over the world.
It's recently been revealed that the U.S. government contracted HBGary Federal for the development of software which could create multiple fake social media profiles to manipulate and sway public opinion on controversial issues by promoting propaganda. It could also be used as surveillance to find public opinions with points of view the powers-that-be didn't like. It could then potentially have their "fake" people run smear campaigns against those "real" people. As disturbing as this is, it's not really new for U.S. intelligence or private intelligence firms to do the dirty work behind closed doors....
And, from Rawstory.com:
Ultimately, and perhaps in part because of the timing of the email release, HBGary did not receive the contract; instead it went to Anonymizer, a company acquired in 2008 by intelligence contractor Abraxas Corporation, because they had existing persona management software and abilities.
In the continuing saga of data security firm HBGary, a new caveat has come to light: not only did they plot to help destroy secrets outlet WikiLeaks and discredit progressive bloggers, they also crafted detailed proposals for software that manages online "personas," allowing a single human to assume the identities of as many fake people as they'd like....
In another document unearthed by "Anonymous," one of HBGary's employees also mentioned gaming geolocation services to make it appear as though selected fake persons were at actual events.
"There are a variety of social media tricks we can use to add a level of realness to all fictitious personas," it said.
The Guardian UK has been following this:
The US government's plan to use technology to create and manage fake identities for social interaction with terrorists is as appalling as it is amusing. It's appalling that in this era of greater transparency and accountability brought on by the internet, the US of all countries would try to systematise sock puppetry. It's appallingly stupid, for there's little doubt that the fakes will be unmasked. The net result of that will be the diminution, not the enhancement, of American credibility.
But the effort is amusing as well, for there is absolutely no need to spend millions of dollars to create fake identities online. Any child or troll can do it for free. Millions do. If the government insists on paying, it can use salesforce.com to monitor and join in chats. There is no shortage of social management tools marketers are using to find and mollify or drown out complainers. There's no shortage of social-media gurus, either....
Hell, if the government wants to spread information around the world without being detected, why doesn't it just use WikiLeaks? Oh, that's right. Secretary of State Hillary Clinton called WikiLeaks disclosures "not just an attack on America [but an] attack on the international community". The leaks, she said, "tear at the fabric" of government.
Yes, indeed, they tore at the fabric of the Tunisian government and helped launch the revolts in the Middle East and a wave of freedom – and, we hope, democracy – across borders. The movement of liberation we are witnessing came not from war and weapons or spying and subterfuge but from a force more powerful: transparency; openness; honesty.
And, in another article in the Guardian:
The project has been likened by web experts to China's attempts to control and restrict free speech on the internet. Critics are likely to complain that it will allow the US military to create a false consensus in online conversations, crowd out unwelcome opinions and smother commentaries or reports that do not correspond with its own objectives.
The discovery that the US military is developing false online personalities – known to users of social media as "sock puppets" – could also encourage other governments, private companies and non-government organisations to do the same.
The Centcom contract stipulates that each fake online persona must have a convincing background, history and supporting details, and that up to 50 US-based controllers should be able to operate false identities from their workstations "without fear of being discovered by sophisticated adversaries".
Centcom spokesman Commander Bill Speaks said: "The technology supports classified blogging activities on foreign-language websites to enable Centcom to counter violent extremist and enemy propaganda outside the US."
He said none of the interventions would be in English, as it would be unlawful to "address US audiences" with such technology, and any English-language use of social media by Centcom was always clearly attributed. The languages in which the interventions are conducted include Arabic, Farsi, Urdu and Pashto.
Centcom said it was not targeting any US-based web sites, in English or any other language, and specifically said it was not targeting Facebook or Twitter....
The sock puppet management software is part of Operation Earnest Voice, which US Central Command hopes will “counter extremist ideology and propaganda, and to ensure that credible voices in the region are heard,” according to a statement by Gen. Petraeus.
I'm not reassured by the statements that the sock puppet software will be used only in foreign languages and in dealing with web sites or social networks originating outside the US. The Internet is international; Americans look at sites originating outside the US every day. Also, the uses to which the sock puppets might be put include more than just surveillance on a social networking site, intrusive as that may be. They could act as a military-controlled virtual flash mob imitating a specific political party within a foreign country in order to destabilize its politics, or as a gang of trolls to shout down legitimate individual voices of protest whose message may call for freedom and democracy in countries where the US is too closely aligned with the repressive government.
Don't get me wrong -- there are legitimate reasons for police (as a branch of government) to use Facebook and similar sites, such as for community policing, to track cases of harassment and bullying, and to catch sex offenders soliciting children online. And police are already dealing with online impersonation cases, such as a man impersonating a firefighter, and, in Canada, a sock puppet impersonating a popular hockey player and making offensive comments.
But online undercover work by ordinary police is not the same as a government pursuing public policy ends by manipulating online personas. There's also no guarantee that these sock puppets will be entirely mythical persons as opposed to impersonations of real people. Thinking ahead, it's possible to envision a virtual debate of slanders, which the real people couldn't control and wouldn't participate in, to destroy both debaters in favor of a third party; or the overthrow of a people's rebellion by sock puppets impersonating their oppressors.
USCentcom may do exactly what it says it will with the software -- but there's no way for us to know that. There are no visible checks and balances here. And, since the ability to put government-based sock puppets into social networks now exists, it's always possible that someone will do it here, sooner or later. We have another election coming up in less than two years, and dirty political tricks are commonplace in American elections, much as I wish they weren't.
From The Tech Herald:
It’s been widely reported that terrorists are aware that their online movements are monitored. They actively post false information within their ranks to ferret out impostors. With this software, it would appear that the U.S. wants to take part in this game too. Yet, it isn’t clear what this propaganda push will accomplish in the long term, other than government approved comment spam.
On the other side of this coin, the persona management software of the scale discussed recently is as dangerous as it is powerful. Aaron Barr is still taking a public beating over his research and ideas, but it is important to remember he is well versed in social media and intelligence gathering.
At the same time, he cannot be the only one with the idea to collect and sell information, to anyone with cash in-hand, simply by using social networks. Moreover, his idea to develop personas to further information collection cannot be seen as a unique idea either.
But sales is only part of it, this technology can be used to promote. It can be used to advance an idea or grassroots movement. The government could use this strategy sure, but there is more value to the private sector when it comes to this type of use. Viral promotion can be used to leverage a brand, or it can be used to pass agendas.... This alone should make everyone cautious. The concept isn’t new or original, but it isn’t something that was publicly discussed until recently.
The only way to prevent this technology from being abused is to enact tough laws that protect the privacy of anyone online. Adding to that is a need for social awareness, as in be sure you know what personal information exists about you online and know who it is you are associating with. Both options are far easier to write down than they are to accomplish sadly.
Both Anonymous and US Rep. Hank Johnson (D-GA) are concerned as well:
Interestingly, [Johnson] seems aligned with Anonymous in wanting to get to the bottom of some information that came out of the HBGary emails that showed that U.S. Central Command - the Pentagon group running the wars in Iraq and Afghanistan - put out a bid for software that can create and manage multiple social network personalities. Central command says it's to counter violent extremist ideology and enemy propaganda and will be used in Iraq and Afghanistan.
But both Anonymous and Johnson are worried what uses the software might be put to. Anonymous has launched what it calls Operation Metal Gear to investigate what the software does and why it's being developed. "We believe that Metal Gear [the Anonymous code name for the software] involves an army of fake cyber personalities immersed in social networking websites for the purposes of manipulating the mass population via influence, crawling information from major online communities (such as Facebook), and identifying anonymous personalities via correlating stored information from multiple sources to establish connections between separate online accounts, using this information to arrest dissidents and activists who work anonymously."
Since Anonymous claims responsibility for helping disrupt government Web sites in Egypt and other countries to lend support to uprisings, it falls into the category of those who might be arrested.
Johnson makes a connection between the plans to discredit individuals and organizations and the Metal Gear software for which Central Command put out the bid. "When those contractors using that kind of technology, developed pursuant to government contract and utilizing American taxpayer dollars, then turn the tools into domestic surveillance and marketing to business organizations, with the goal of discrediting and disrupting and actually destroying organizations that disagree with their clients, doing that domestically is like turning spying tools on the very people who paid for them," Johnson says to forbes.com.
"You should not use tools developed to get at foreign terrorist agents on American citizens who are choosing to exercise their First Amendment rights."