Black Code: Inside the Battle for Cyberspace (17 page)

While the bill’s explicit details were ominous enough, a revelation that emerged almost by accident during the public debate was even more troubling. In making the case for the powers outlined in the proposed law, its backers accidentally let slip that Bill C-30 would legislate warrantless informal sharing of information
that was already going on between telecom companies and law enforcement and intelligence agencies
.
From documents released under federal access to information laws, University of Victoria doctoral
student and Internet privacy expert Christopher Parsons found that in 2010 the RCMP contacted ISPs for user name and address information more than 28,000 times without a warrant, with the ISPs complying nearly 95 percent of the time. Although meant to be a consolation to the bill’s critics, the revelation instead confirmed their worst fears: Canadian telecommunications companies and ISPs were already sharing data with law enforcement and intelligence agencies outside of judicial review! The bill would simply legislate that existing practice into law. “Other requests,” it seems, have been the norm in Canada for some time.

As I ponder these issues, I think of Public Safety Canada’s “Building Resilience Against Terrorism, Canada’s Counter-terrorism Strategy,” released in February 2012. This document warns of “extremism” and the possibility of “low-level violence by domestic issue-based groups” and appears to open the door to the surveillance of legitimate non-governmental advocacy organizations. The strategy also details the need to monitor “vulnerable individuals” who may be drawn into politically motivated violence. I wonder what such a policy could lead to when government agencies are empowered to access personal data from private companies. Where are the protections against abuse, the checks against politically motivated witch hunts?

The downloading of lawful access responsibilities to the private sector almost certainly will be reinforced by the opening up of new markets for the commercial exploitation of data. As companies are forced to surveil/police their networks and data, products and services are emerging that enable them to do so more effectively and efficiently. The American privacy researcher Chris Soghoian has studied how new policing responsibilities are affecting corporate behaviour, and how some companies derive revenues from charging fees for “lawful access.” He notes that the volume of requests received by one U.S.–based wireless carrier,
Sprint, grew so large that its 110-member electronic surveillance team could not keep up. As a result, Sprint automated the process by developing an interface that gives government agents direct access to users’ data: George Orwell’s
1984
in one fell swoop. Of course, Sprint charges a fee for this access, a fee that law enforcement agencies from the police to the FBI are more than willing to pay. In 2011, the Sprint direct-access interface was used by law enforcement agents more than 8 million times!

•  •  •

While the securitization of
cyberspace manifests itself in new laws and informal practices, part of the growing surge of “other requests” has to do with the incentives facing companies that own and operate cyberspace: when pressed with content take-down requests, the companies often opt for the cheap and easy solution rather than demanding due process, risking expensive legal battles, or getting expelled from lucrative markets. There are, of course, legitimate reasons for companies to comply with local laws and with law enforcement and intelligence agencies in the countries in which they operate. But increasingly such co-operation takes place in countries that do not have, or are watering down, legal checks and balances over cyber security. Also, many of these countries have a much broader notion of what constitutes a security threat, and too often human rights activists, political opposition groups, and free-speech advocates are included. In short, complying with “local law” can mean colluding with some very nasty regimes.

The trend towards “other requests” in cyberspace policing is a disturbing descent into the world of black code. We live in an era of unprecedented access to information, and many political parties campaign on platforms of transparency and openness. And yet, at the same time, we are gradually shifting the policing of cyberspace
to a dark world largely free from public accountability and independent oversight. In entrusting more and more information to third parties, we are signing away legal protections that should be guaranteed by those who have access to our data. Perversely, in liberal democratic countries we are lowering the standards around basic rights to privacy just as the centre of cyberspace gravity is shifting to less democratic parts of the world.

Underpinning this state intrusion (with self-interested or directed corporate backing) is a bald-faced public relations campaign that says essentially this: “If you’ve got nothing to hide, you’ve got nothing to worry about.” While it is abundantly clear that a generation raised on and through social media is extraordinarily lax about personal privacy; that, indeed, seems to make a point of “going public” as often as possible; that has shelved the secretly written diary stored in a personal lock-box for “Look at me!” Facebook exposure, it is also true that I don’t have a single friend, or know a single person of any age, who doesn’t have secrets that they want and need to keep to themselves. (Indeed, I wouldn’t trust any other such person; it is what makes them individual and interesting.) And yet, this campaign has been and continues to be extraordinarily successful. Like bystanders refusing to get involved when they witness that a crime is afoot, we have collectively stood by as cyberspace has been, and continues to be, compromised.

Long ago, the Canadian prime minister Pierre Elliott Trudeau may have insisted that “the state has no business in the bedrooms of the nation,” but the same does not hold true for privacy online. Today, our private chats are considered fair game, our need for online anonymity voided in the interests of “national security” and control over cyberspace. And so, we have the growing norm of “other requests,” a phenomenon that clearly illustrates why it is so important to lift the lid on cyberspace, to ask who controls the domain and what are they doing with our data? What happens to
our email after we hear the
woosh
of it leaving our screens? Is it shared with anyone without our consent? Under what circumstances? Many of the companies that own and operate the complex services and infrastructure of cyberspace reassure us that their services are secure and that our data remains confidential, but the devil is in the details, in those lengthy end-user licence agreements we agree to before using our BlackBerry, iPhone, or Gmail accounts. Take, for example, the Internet Services Privacy Policy of Rogers Yahoo! (my own ISP), which states the following: “Personal information collected for the Internet Service may be stored and processed in Canada, the United States or other countries and may be subject to the legal jurisdiction of these countries.” Other countries? Really? My data can be processed in another country and subject to its laws? Which countries? Whose laws?

In the universe of “other requests,” one can only guess.

“I own them!”
Nart Villeneuve said triumphantly.

“What do you mean, you own them?” I asked.

“Their entire database. The mother ship. Victims, referrals, revenues, cellphone numbers. Everything!”

“How?”

“Even bad guys have to back up their data.”

There is a 1960s episode of
Star Trek
in which the main characters, Captain Kirk and Spock, are confronted by their evil doppelgängers, physically identical to them in every way. Fifty years later, Facebook, the world’s largest social networking community, has been confronted by just such a doppelgänger: Koobface.

The Citizen Lab tracked the gang behind Koobface for months in 2010, watching their every move. Villeneuve was in it for the challenge of solving the puzzle, the thrill of the hunt. Our wider motivation, however, was to better understand cyber crime, and how crime, espionage, and warfare might be blurring together over and through cyberspace. Koobface was well known among the exclusive (and often contentious) club of technogeeks who study the malicious underworld of cyberspace. The Villeneuves of the world had been following it since the mid-2000s, when Koobface emerged as a menace to the growing social networking community that it so openly mocked and exploited. But no one had detailed knowledge of how Koobface worked or who the perpetrators
behind its vast reach were. Was it a well-organized crime syndicate? A few bored teenagers? Something else, perhaps more nefarious? Whatever the truth, Koobface was trolling across the world of social networking like a giant digital amoeba, consuming and spitting out unsuspecting victims. In 2010, the Russian security company Kaspersky Lab estimated that Koobface controlled nearly 800,000 computers worldwide, each belonging to users lured into its trap.

Becoming ensnared happens easily. Koobface sends a link over Facebook from a “friend” (who has already been infected) that says something outrageous or provocative, something like “OMG! Have you see this naked video of you?” Who wouldn’t follow that link? Or maybe another funny video of dancing kittens. Who wouldn’t enjoy such a thing? But for the hapless recipient, that one curious click leads into an abyss of viruses and trojan horses, and straight into Koobface’s grasp.

Koobface makes its money through pay-per-click and pay-per-install schemes. (“Pay-per-click” refers to a model whereby webmasters display third-party advertisements on their websites and earn income whenever Internet users click on these advertisement links. “Pay-per-install” refers to a model whereby the software of one company is promoted by a third party who is paid every time a user installs the software. Both are legitimate, but they have also been widely exploited by online criminals.) Once its malicious software is installed on a user’s computer their Internet requests and website visits are redirected without their consent or knowledge to sites that pay Koobface for each visit. Some of these websites are themselves honeypots for yet more cyber crime, such as for phony antivirus software that promises to clean up your computer’s hard drive by eliminating viruses and malignant files. Those initially victimized by Koobface are thus served up to other criminal entrepreneurs posing as good guys who promise to fix computer problems, but who, in fact, only make them worse. A cut of
the revenue from the sale of fake antivirus products is then given to Koobface. Joint ventures, strategic alliances, globally distributed production chains, “value-added” services, robust customer management databases, and multiple (and complementary) revenue streams: Koobface is one sophisticated post-industrial operation.

•  •  •

Just the same
, even the most meticulous criminals generally make mistakes. Our investigation really started with the discovery that Koobface backed up its entire database each and every day on a “zipped,” or compressed, file, and that they did so on an Internet-connected computer without any password protection. It was left wide open, there for the taking, a mistake that laid bare the entire operation from the inside out.

Downloading and opening the compressed file gave us almost complete access to Koobface’s operating infrastructure: how it worked (down to the finest detail), where the fraud was occurring, the worldwide locations of the compromised computers they had commandeered, and their revenue streams. We felt like voyeurs peeking through a window – with Koobface having no idea we were watching – justified in doing so given the lawless intent of those under our surveillance. Such privileged access gave us insight into the complexity and ingenuity of one of the world’s leading cyber-crime outfits, and a richer understanding of the hidden swamps of cyberspace.

A major hurdle Koobface had to overcome was the precautions Facebook had in place to prevent fake “friends” using their trusted network. Each new Facebook account requires a real person to fill out a “CAPTCHA” – clusters of wavy, sometimes illegible letters and numbers. (CAPTCHA is an acronym for Completely Automated Public Turing Test to Tell Computers and Humans Apart.) As a
standard security precaution, Facebook requires a human being to visually identify the CAPTCHAS and reproduce them in a field in order to create a new account.

To get around the CAPTCHA problem, Koobface engaged in what the cyber crime expert Marc Goodman calls “crime-sourcing,” the outsourcing of all or part of a criminal act to a crowd of witting and unwitting individuals. With thousands of infected computers at its disposal, Koobface created a transnational assembly line of co-opted workers – the hapless computer owners themselves -who manually filled out the CAPTCHAS. It engineered a system through which a fake emergency pop-up window appeared on the screens of users throughout the world along with a box with the familiar Windows brand name and colour scheme carrying a startling warning: “Type the characters you see in the picture below. Time before shutdown 02:29, 02:28, 02:27, 02:26 …”

Faced with such a panic-inducing moment, most users complied simply to avoid the risk of having their computers crash and their work destroyed. And so, every day, by the thousands, in commandeered computers as far afield as Thailand, Canada, Mexico, China, and India, fake CAPTCHAS were entered, information fed through the Internet to the Koobface database, and from there to the legitimate Facebook account creation field, all properly sorted and organized in real time, with the account management system maintained by Koobface engineers. Problem solved.

Once the fraudulent Facebook accounts were created, Koobface encountered another hurdle: how would the enterprise accumulate “friends,” the necessary conduit for revenue? Only the most careless people would accept a friend invitation on Facebook from just anyone, so Koobface created a system that automatically culled through and recycled accounts they had compromised, taking bits and pieces of people’s identities to create Frankenstein-like friends. One person’s images would be combined with another’s birthday
and status information, and these were combined with the “likes” and “dislikes,” places of birth, and employment histories of other people. Combined in this way, that friend request from a vaguely familiar person might just be someone you knew from high school.
The name seems a little off, but I recognize that face from somewhere … Sure, why not? Accept
.