Are Social Media Platforms Engaging In Legal Cyberwarfare?
How does cyber attribution function in a world where private companies are increasingly engaging in the kinds of activities once relegated to the exclusive domain of the nation state? From tracking dissidents’ physical and virtual movements in real-time to building rich interest and behavioral profiles to nudge nonconforming users towards desired behaviors to removing speech they disagree with, social media companies are increasingly associated with the outcomes once reserved for government cyber attacks. What does this profound shift in the cyber landscape portend for how we attribute and understand cyber action in the coming years, especially as these companies conduct these activities entirely within the scope of and with the protection of the law?
Facebook made headlines earlier this year for its mass physical surveillance program whereby it repurposes the cell phones of selected users into real-time location tracking beacons, allowing Facebook to see their geographic location and alerting the company if they approach a Facebook facility. The company states it uses the technology only to track those users it deems a “threat” but notably stopped short of denying having used the technology to track journalists who have written negative stories about it and lawmakers contemplating regulation that might impact its profits.
In this regard Facebook is in good company, with many repressive regimes around the world turning to cellular providers and app makers to provide them with real-time location tracking of those they deem to be “threats” to the state, such as those promoting democratic ideals.
In many cases countries leverage cyber action to compromise users’ devices or the networks they connect to in order to load spyware onto their devices or harvest location streams from their telecommunications providers.
In Facebook’s case, it merely repurposed its existing app that users have voluntarily loaded onto their phones, turning their own device into a tracking beacon without their knowledge or permission.
Countries frequently engage in cyber activities to gather intelligence on adversaries and friends alike, compiling rich, detailed profiles of their interests and behaviors in order to nudge them towards specific behaviors or actions. In many cases these compromises seek to harvest data from those individuals’ social media accounts in an acknowledgement of just how much information we share online.
Facebook, of course, has no need to engage in cyber activity to track us. We voluntarily conduct our communications activities within its walled garden and when we venture outside to the open Web, an ever-growing fraction of the sites we visit voluntarily allow Facebook or its partners to install tracking software on their sites that allows the company to continue surveilling us from afar.
What about censorship? The use of DDoS attacks to silence dissenting voices has long been a critical tool in the repressive nation state playbook.
Facebook engages in identical behavior, deleting posts and deactivating entire accounts with the flip of a digital switch, silencing every voice that falls afoul of its ever-changing rules of acceptable speech. Even a US Senator’s call for increased regulation of Facebook was not immune to being silenced due to Facebook disagreeing with how it referenced its logo.
When we think of cyber attribution and response, we typically think of companies as victims and states or criminal organizations as the perpetrators.
Instead, social media companies are engaging in the very same activities, but lawfully, using their own platforms to conduct the same actions of surveillance, tracking, profiling and silencing.
When a nation state hacks into a foreign cellular company to plant a tracking bug to monitor the real-time location of a high-value target, the attribution process and range of potential responses are understood within the existing context of law enforcement, covert action and diplomacy. When Facebook secretly transforms its mobile app into a real-time tracking beacon running directly on a user’s device and that user had voluntarily installed the app and legally agreed to allow Facebook to do anything it wanted to their phone, the attribution is clear, but the response is far less understood. Under the laws of most countries, Facebook’s actions are not only not considered criminal actions but are in fact actively protected by the law.
If Facebook were to track the real-time location of all US lawmakers through their phones and the phones of their aides, its actions would be entirely legal under US law, yet the end result is no different than if an adversarial state had done so. In fact, nations like China and Russia could simply embed personnel within Facebook to leverage this data to state effect.
How do countries respond in a landscape where the cyber activities are legal but the results are indistinguishable from actions typically associated with state or criminal efforts?
More troubling is that companies themselves are now setting policy for their own needs. Facebook does not track, profile and censor users based on the daily whims of the US Government. It does so based on its own economic needs, meaning a handful of private citizens are setting policy and directing actions that, if conducted by a nation state, would be considered cyber warfare potentially warranting a military response.
Worse, Facebook’s needs may place it in direct conflict with the needs and interests of the United States, making it effectively an adversary.
Putting this all together, as social media platforms increasingly take on the roles of governments, the activities they engage in, from surveillance to profiling to silencing debate, are those traditionally enforced by governments through cyber action. As nations must increasingly grapple with what amounts to lawful private cyber warfare, what will this mean for attribution, deterrence and response in this brave new cyber landscape?