At a glance.
- Twitter verified accounts hijacked, suspended.
- TikTok's censorship regime.
- US policy toward hostile information operations seems to have grown more assertive.
- Russian influence operations in the last UK general election.
- The surprising spread (and unsurprising appeal) of conspiracy misinformation.
- Academic paper mills, the replication crisis, and mis- or disinformation.
Twitter's blue checks get blue penciled.
Twitter sustained a major hack late yesterday afternoon, around 5:30 US Eastern Daylight Time. The incident embarrassed the company with takeovers of high-profile, verified accounts. The attack seems to have involved extensive and effective social engineering, perhaps, according to Motherboard, a bribed insider. The Wall Street Journal and others list Bill Gates, Kanye West, Joe Biden, Barack Obama, Elon Musk, Uber, and Apple Inc. among the owners of affected, blue-checked accounts. Reuters reports that Twitter took the "extraordinary" step of suspending many verified accounts until it could get a handle on the problem.
The incident's extent and preparation seem disproportionate to its ostensible objective, a hackneyed, grubby Bitcoin advance fee scam in which an impersonator offers to return the mark's donation many times over. The wallet set up to receive donations accumulated about $100,000, but that sum probably doesn't represent the actual take, given the common criminal practice of salting their wallets with their own funds, the better to lend plausibility to the whole greasy imposture.
But this seems like a mean return on investment: it doesn't make a lot of sense as crime. And some observers are speculating that the incident could represent misdirection. Maybe the hackers are after people’s direct messages, or account details. It seems unlikely that all of the high-profile Twitter accounts used in the nominal Bitcoin scam are actually generally run by the individuals they belong to (as opposed to assistants or publicists), and it seems even more unlikely that any DMs would prove to be particularly revealing. But other accounts could have been quietly accessed, and the whole episode does introduce a further degree of caution and mistrust with respect to what Internet users see promulgated in social media.
It may also have been a demonstration, intended to show that social media aren’t the undisruptable channels of communication we might complacently take them to be, especially given the increasingly imposing role they’ve come to play in political campaigns and even emergency communications. The Telegraph notes with decently restrained alarm that one of the accounts taken offline was a National Weather Service feed that provides emergency tornado warnings. And, of course, there were tornadoes in Illinois during the outage.
TikTok, privacy, free speech, and content moderation.
At the end of last week there was an interesting volte-face at Amazon. The cloud and e-commerce giant told its employees last Friday morning to delete TikTok, but then withdrew the order as an "error," the Wall Street Journal reports. The first email that went out said, “Due to security risks, the TikTok app is no longer permitted on mobile devices that access Amazon email. If you have TikTok on your device, you must remove it by 10-Jul to retain mobile access to Amazon email. At this time, using TikTok from your Amazon laptop browser is allowed.”
In what appeared to be a striking corporate about-face, the company later that day said it was in fact just a simple mistake. “This morning’s email to some of our employees was sent in error,” an Amazon representative said later Friday. “There is no change to our policies right now with regard to TikTok.” There was no further comment.
Whatever was going on over at Amazon, TikTok has come in for criticism for its security and privacy, some well-founded, some spurious, and others a simple consequence of the company’s Chinese ownership and what that entails for its relationship with the Chinese government. The US Department of Defense has told service members to avoid using the app, but Amazon’s apparent ban was apparently just a mistake.
The Telegraph has a long and interesting exclusive on TikTok’s sister company, Douyin, which operates within China. Douyin has apparently been using facial recognition software to monitor users’ apparent ages, perhaps to identify foreigners using the platform, and assigning “safety ratings” that score users for “upholding public order and good customs.” These practices service from the corporate parent both Douyin and TikTok share, ByteDance.
TikTok has already been banned in India, and is facing close scrutiny of its implications for privacy and security in both the UK and the US. The company gave what the Telegraph characterized as evasive answers to questions about whether it followed the same policies as Douyin ("TikTok takes the safety of our younger users seriously,” and so on) but TikTok did say, "TikTok has never provided user data to the Chinese government, nor would we if asked to do so."
Douyin's approach to content moderation will strike most as indefensible. It's harder to articulate principled, viewpoint-neutral (which is to say classically liberal) grounds on which it's different from the content moderation currently being urged on Facebook, and to some (limping) extent practiced by Twitter.
US responses to information operations and cyberattacks.
Two US policies came to light (or returned to light) over the past week.
US President Trump said, in an interview the Washington Post published late Friday, that he had authorized a US Cyber Command response to Russian interference in the 2018 midterm elections. The Post had reported on the cyber operation in February 2019, sourcing the story to unnamed US officials, but this is the first time the President has claimed direct involvement. The attack knocked the Internet Research Agency offline in a demonstration intended, it was said at the time, to show the Russian government that cyber operations, particularly influence operations, would not be "cost-free." The New York Times says the 2018 operation was intended as both a deterrent and a realistic test of US capabilities against an actual adversary. Thus there was signalling (we know who you are and what you're up to), interdiction of a hostile influence campaign, and a direct imposition of costs.
The second and in many ways more interesting story comes from an anonymously sourced piece in Yahoo that a 2018 Presidential finding authorized the US Central Intelligence Agency to conduct offensive cyber operations against a range of foreign targets. Russia, Iran, China, and North Korea figured prominently on the target list, according to unnamed former US Government officials. The activities authorized extended beyond intelligence collection to include actively disruptive measures and influence operations. The finding was sufficiently broad to encompass organizations credibly believed to be acting on behalf of or in cooperation with hostile intelligence services.
The active measures the CIA was authorized to take included actions against financial institutions, kinetic effects against infrastructure, and “hack and dump” operations in which documents are taken and posted when and where they could be expected to influence opinion. The people speaking on background for the story told the reporters that Langley had been to some extent divided on the advisability of offensive cyber operations, but that the CIA had sought such authority for years, going back at least two Administrations. They had expected both Presidents Bush and Obama to sign a relevant finding, but neither did. They had not expected such a finding from President Trump and were pleased when it was signed. Or more than pleased: “People were doing backflips in the hallways,” one of the unnamed former officials told Yahoo’s reporters.
Former CIA general counsel Robert Eatinger, who did speak on the record, had no knowledge of the 2018 finding, but he did confirm that there had for some time been two camps at Langley: those who saw restraint in cyberspace as prudent and valuable, and others who sought authority for more offensive cyber operations.
Yahoo says that neither the CIA nor the National Security Council responded to their questions.
Independently of either report, the Council on Foreign Relations this Monday published an essay that outlined a variety of traditional ripostes to Russian influence operations that might contribute to election security.
Russian influence operations and Britain's 2019 election: lies' bodyguard of truth.
The UK's Foreign Secretary informed Parliament today that Russian operators targeted the 2019 elections, seeking to influence voters through illicitly obtained "sensitive Government documents relating to the UK-US Free Trade Agreement." The campaign staged the material through Reddit. It was a leak-and-dump campaign, with amplification through multiple channels. UK officials did not see a comprehensive, intensive influence effort, but they did observe what they take to be nonetheless a clear attempt by Russian actors to shape voting. There is also no sense in the Foreign Secretary's statement that the documents were faked or otherwise bogus, but they were leaked, dumped, and amplified in ways calculated to influence public opinion.
The spread and tenacity of misinformation.
QAnon, that American source of much tenuously grounded, predominantly right-wing conspiracy theory, seems to have legs. Foreign Policy reports that QAnon is finding an audience in Canada, and, even more surprisingly, in Iran. Iranian dissident groups, one called "Restart" in particular, have found much to like in QAnon's worldview. Particularly the sense that worldview communicates that President Trump is aligned with them against the mullahs, and that the mullahs have been permitted to have their way so long because of the passive or active connivance of what QAnon would call the "deep state," the enduring American mandarin class. In Canada there's a fringe audience for the view that Prime Minister Trudeau is conspiring with the north-of-the-border version of the deep state to transform the country into a communist dictatorship.
Does the replication crisis count as misinformation, disinformation, bad science, or a smashing of privilege?
We're asking for a friend. Seriously, though, the ongoing "replication crisis" in which peer-reviewed scientific publications report results that other investigators increasingly prove unable to replicate is difficult to assess. It's affected behavioral sciences more than physical sciences, although it's been seen even there as well. Diagnoses vary: pressure to publish, lack of interest in publishing negative results, fundamental disciplinary confusion have all been cited as possible causes. But here's one interesting development: the Wall Street Journal reports that one-hundred-twenty-one papers published in international peer-reviewed biomedical journals over the last four years appear to have been whacked out of what appears to be a "paper mill" in China. The reasons for the fraud (if fraud it is) are unclear, but seem probably to involve an unpleasant artifact of the academic market as opposed to a centrally directed program of disinformation.