Undercover agents target cybersecurity watchdog
By RAPHAEL SATTER
AP Cybersecurity Writer
Saturday, January 26
NEW YORK (AP) — The researchers who reported that Israeli software was used to spy on Washington Post journalist Jamal Khashoggi’s inner circle before his gruesome death are being targeted in turn by international undercover operatives, The Associated Press has found.
Twice in the past two months, men masquerading as socially conscious investors have lured members of the Citizen Lab internet watchdog group to meetings at luxury hotels to quiz them for hours about their work exposing Israeli surveillance and the details of their personal lives. In both cases, the researchers believe they were secretly recorded.
Citizen Lab Director Ron Deibert described the stunts as “a new low.”
“We condemn these sinister, underhanded activities in the strongest possible terms,” he said in a statement Friday. “Such a deceitful attack on an academic group like the Citizen Lab is an attack on academic freedom everywhere.”
Who these operatives are working for remains a riddle, but their tactics recall those of private investigators who assume elaborate false identities to gather intelligence or compromising material on critics of powerful figures in government or business.
Citizen Lab, based out of the Munk School of Global Affairs at the University of Toronto, has for years played a leading role in exposing state-backed hackers operating in places as far afield as Tibet, Ethiopia and Syria. Lately the group has drawn attention for its repeated exposés of an Israeli surveillance software vendor called the NSO Group, a firm whose wares have been used by governments to target journalists in Mexico, opposition figures in Panama and human rights activists in the Middle East.
In October, Citizen Lab reported that an iPhone belonging to one of Khashoggi’s confidantes had been infected by the NSO’s signature spy software only months before Khashoggi’s grisly murder. The friend, Saudi dissident Omar Abdulaziz, would later claim that the hacking had exposed Khashoggi’s private criticisms of the Saudi royal family to the Arab kingdom’s spies and thus “played a major role” in his death.
In a statement, NSO denied having anything to do with the undercover operations targeting Citizen Lab, “either directly or indirectly” and said it had neither hired nor asked anyone to hire private investigators to pursue the Canadian organization. “Any suggestion to the contrary is factually incorrect and nothing more than baseless speculation,” NSO said.
NSO has long denied that its software was used to target Khashoggi, although it has refused to comment when asked whether it has sold its software to the Saudi government more generally.
The first message reached Bahr Abdul Razzak, a Syrian refugee who works as a Citizen Lab researcher, Dec. 6, when a man calling himself Gary Bowman got in touch via LinkedIn. The man described himself as a South African financial technology executive based in Madrid.
“I came across your profile and think that the work you’ve done helping Syrian refugees and your extensive technical background could be a great fit for our new initiative,” Bowman wrote.
Abdul Razzak said he thought the proposal was a bit odd, but he eventually agreed to meet the man at Toronto’s swanky Shangri-La Hotel on the morning of Dec. 18.
The conversation got weird very quickly, Abdul Razzak said.
Instead of talking about refugees, Abdul Razzak said, Bowman grilled him about his work for Citizen Lab and its investigations into the use of NSO’s software. Abdul Razzak said Bowman appeared to be reading off cue cards, asking him if he was earning enough money and throwing out pointed questions about Israel, the war in Syria and Abdul Razzak’s religiosity.
“Do you pray?” Abdul Razzak recalled Bowman asking. “Why do you write only about NSO?” “Do you write about it because it’s an Israeli company?” “Do you hate Israel?”
Abdul Razzak said he emerged from the meeting feeling shaken. He alerted his Citizen Lab colleagues, who quickly determined that the breakfast get-together had been a ruse. Bowman’s supposed Madrid-based company, FlameTech, had no web presence beyond a LinkedIn page, a handful of social media profiles and an entry in the business information platform Crunchbase. A reverse image search revealed that the profile picture of the man listed as FlameTech’s chief executive, Mauricio Alonso, was a stock photograph.
“My immediate gut feeling was: ‘This is a fake,’” said John Scott-Railton, one of Abdul Razzak’s colleagues.
Scott-Railton flagged the incident to the AP, which confirmed that FlameTech was a digital facade.
Searches of the Orbis database of corporate records, which has data on some 300 million global companies, turned up no evidence of a Spanish firm called FlameTech or Flame Tech or any company anywhere in the world matching its description. Similarly, the AP found no record of FlameTech in Madrid’s official registry or of a Gary Bowman in the city’s telephone listings. An Orbis search for Alonso, the supposed chief executive, also drew a blank. When an AP reporter visited Madrid’s Crystal Tower high-rise, where FlameTech claimed to have 250 sq. meters (2,700 sq. feet) of office space, he could find no trace of the firm and calls to the number listed on its website went unanswered.
The AP was about to publish a story about the curious company when, on Jan. 9, Scott-Railton received an intriguing message of his own.
This time the contact came not from Bowman of FlameTech but from someone who identified himself as Michel Lambert, a director at the Paris-based agricultural technology firm CPW-Consulting.
Lambert had done his homework. In his introductory email, he referred to Scott-Railton’s early doctoral research on kite aerial photography — a mapping technique using kite-mounted cameras — and said he was “quite impressed.”
“We have a few projects and clients coming up that could significantly benefit from implementing Kite Aerial Photography,” he said.
Like FlameTech, CPW-Consulting was a fiction. Searches of Orbis and the French commercial court registry Infogreffe turned up no trace of the supposedly Paris-based company or indeed of any Paris-based company bearing the acronym CPW. And when the AP visited CPW’s alleged office there was no evidence of the company; the address was home to a mainly residential apartment building. Residents and the building’s caretaker said they had never heard of the firm.
Whoever dreamed up CPW had taken steps to ensure the illusion survived a casual web search, but even those efforts didn’t bear much scrutiny. The company had issued a help wanted ad, for example, seeking a digital mapping specialist for their Paris office, but Scott-Railton discovered that the language had been lifted almost word-for-word from an ad from an unrelated company seeking a mapping specialist in London. A blog post touted CPW as a major player in Africa, but an examination of the author’s profile suggests the article was the only one the blogger had ever written.
When Lambert suggested an in-person meeting in New York during a Jan. 19 phone call, Scott-Railton felt certain that Lambert was trying to set him up.
But Scott-Railton agreed to the meeting. He planned to lay a trap of his own.
Anyone watching Scott-Railton and Lambert laughing over wagyu beef and lobster bisque at the Peninsula Hotel’s upscale restaurant on Thursday afternoon might have mistaken the pair for friends.
In fact, the lunch was Spy vs. Spy. Scott-Railton had spent the night before trying to hide a homemade camera in his tie, he later told AP, eventually settling for a GoPro action camera and several recording devices hidden about his person. On the table, Lambert had placed a large pen in which Scott-Railton said he spotted a tiny camera lens peeking out from an opening in the top.
Lambert didn’t seem to be alone. At the beginning of the meal, a man sat behind him, holding up his phone as if to take pictures and then abruptly left the restaurant, having eaten nothing. Later, two or three men materialized at the bar and appeared to be monitoring proceedings.
Scott-Railton wasn’t alone either. A few tables away, two Associated Press journalists were making small talk as they waited for a signal from Scott-Railton, who had invited the reporters to observe the lunch from nearby and then interview Lambert near the end of the meal.
The conversation began with a discussion of kites, gossip about African politicians, and a detour through Scott-Railton’s family background. But Lambert, just like Bowman, eventually steered the talk to Citizen Lab and NSO.
“Work drama? Tell me, I like drama!” Lambert said at one point, according to Scott-Railton’s recording of the conversation. “Is there a big competition between the people inside Citizen Lab?” he asked later.
Like Bowman, Lambert appeared to be working off cue cards and occasionally made awkward conversational gambits. At one point he repeated a racist French expression, insisting it wasn’t offensive. He also asked Scott-Railton questions about the Holocaust, anti-Semitism and whether he grew up with any Jewish friends. At another point he asked whether there might not be a “racist element” to Citizen Lab’s interest in Israeli spyware.
After dessert arrived, the AP reporters approached Lambert at his table and asked him why his company didn’t seem to exist.
He seemed to stiffen.
“I know what I’m doing,” Lambert said, as he put his files — and his pen — into a bag. Then he stood up, bumped into a chair and walked off, saying “Ciao” and waving his hand, before returning because he had neglected to pay the bill.
As he paced around the restaurant waiting for the check, Lambert refused to answer questions about who he worked for or why no trace of his firm could be found.
“I don’t have to give you any explanation,” he said. He eventually retreated to a back room and closed the door.
Who Lambert and Bowman really are isn’t clear. Neither man returned emails, LinkedIn messages or phone calls. And despite their keen focus on NSO, the AP has found no evidence of any link to the Israeli spyware merchant, which is adamant that it wasn’t involved.
The kind of aggressive investigative tactics used by the mystery men who targeted Citizen Lab have come under fire in the wake of the Harvey Weinstein sexual abuse scandal. Black Cube, an Israeli private investigation firm, apologized after The New Yorker and other media outlets revealed that the company’s operatives had used subterfuge and dirty tricks to help the Hollywood mogul suppress allegations of rape and sexual assault.
Scott-Railton and Abdul Razzak said they didn’t want to speculate about who was involved. But both said they believed they were being steered toward making controversial comments that could be used to blacken Citizen Lab’s reputation.
“It could be they wanted me to say, ‘Yes, I hate Israel,’ or ‘Yes, Citizen Lab is against NSO because it’s Israeli,’” said Abdul Razzak.
Scott-Railton said the elaborate, multinational operation was gratifying, in a way.
“People were paid to fly to a city to sit you down to an expensive meal and try to convince you to say bad things about your work, your colleagues and your employer,” he said.
“That means that your work is important.”
Lori Hinnant and Nicholas Garriga in Paris, Aritz Parra in Madrid, Josef Federman in Jerusalem and Joseph Frederick in New York contributed to this report.
Emails and a transcript relating to the undercover operatives: https://www.documentcloud.org/search/projectid:42174-Citizen-Lab-Undercover-Op
Raphael Satter can be reached at: http://raphaelsatter.com
Memos: Facebook allowed ‘friendly fraud’ to profit from kids
By MICHAEL LIEDTKE
AP Technology Writer
Saturday, January 26
SAN FRANCISCO (AP) — Facebook allowed children to rack up huge bills on digital games while the company rejected recommendations for addressing what it dubbed “friendly fraud,” according to newly released court documents.
The internal Facebook memos and other records were unsealed late Thursday to comply with a judge’s order in a federal court case settled in 2016.
The lawsuit, filed in San Jose, California, centered on allegations that Facebook knowingly milked teenagers by permitting them to spend hundreds of dollars buying additional features on games such as “Angry Birds” and “Barn Buddy” without their parents’ consent.
The documents show Facebook considered measures to reduce the chances of kids running up charges on parents’ credit cards without their knowledge. But the company didn’t adopt them for fear of undercutting the revenue growth that helps boost the company’s stock price — and its employees’ compensation.
The internal debate about how to address the recurring problem of kids spending big bucks behind their parents’ backs occurred between 2010 and 2014 — a period that included Facebook’s stock market debut in 2012. After going public at $38 per share, Facebook’s stock plummeted by 50 percent, intensifying the pressure on CEO Mark Zuckerberg and his management team to bring in more revenue.
None of the unsealed records, however, directly tie Facebook’s tolerance of “friendly fraud” to concerns about its slumping stock price during parts of 2012 and 2013.
A Facebook statement didn’t address its rejection of the recommendations. Instead, it said the company has offered refunds and changed its practices.
“We routinely examine our own practices, and in 2016 agreed to update our terms and provide dedicated resources for refund requests related to purchases made by minors on Facebook,” the Menlo Park, California, company said in a statement Friday.
Facebook isn’t the only prominent technology company that has been skewered for profiting from game-loving children who don’t always understand how much of their parents’ money they are spending while playing games in apps or websites.
Apple agreed to issue $32.5 million in refunds for allowing kids to make in-app purchases without parental consent as part of a 2014 settlement with the Federal Trade Commission. That same year, Google settled a similar case for $19 million with the same agency. In 2017, Amazon resolved another case involving up to $70 million in potential refunds owed for kids’ unauthorized spending on games.
But none of those companies had their dirty laundry aired quite like Facebook is now in a case that it thought it had closed a few years ago. The unflattering documents are emerging after the nonprofit Center for Investigative Reporting sought their release and U.S. District Judge Beth Freeman granted it.
To make matters worse for Facebook, the documents are coming out at a time when it is trying to repair the damage done to its reputation over the past 10 months from a scandal involving the data-mining firm Cambridge Analytica, and other debacles.
Facebook released the “friendly fraud” documents just as the Wall Street Journal was publishing an op-ed piece by Zuckerberg defending the company’s integrity and business principles.
But some of the information unsealed in the court case painted a picture of a predatory company.
In a 2013 discussion between two of the company’s employees, a 15-year-old Facebook user who had spent about $6,500 playing games is described as a “whale” — a term that gambling casinos use to describe people who make them a lot of money. The company decided to refuse a refund request from the teenager’s parents.
The documents also disclosed that some Facebook employees had proposed requiring minors and people over 90 years old to provide the first six digits of the credit card account before allowing a purchase, as a way to reduce unauthorized spending. But Facebook management decided against requiring that additional information because it might also discourage users outside those age ranges from spending.
In our Wi-Fi world, the internet still depends on undersea cables
Updated January 25, 2019 4.36pm EST
Author: Nicole Starosielski, Assistant Professor of Media, Culture and Communication, New York University
Disclosure statement: Nicole Starosielski does not work for, consult, own shares in or receive funding from any company or organization that would benefit from this article, and has disclosed no relevant affiliations beyond their academic appointment.
Recently a digital blackout in Tonga — caused by the severing of the country’s only undersea cable — generated widespread recognition of the submerged systems our connected world depends upon.
Not many people realize that undersea cables transport nearly 100 percent of transoceanic data traffic. These lines are laid on the very bottom of the ocean floor. They’re about as thick as a garden hose and carry the world’s internet, phone calls and even TV transmissions between continents at the speed of light. A single cable can carry tens of terabits of information per second.
While researching my book “The Undersea Network,” I realized that the cables we all rely on to send everything from email to banking information across the seas remain largely unregulated and undefended. Although they are laid by only a few companies – including the American company SubCom and the French company Alcatel-Lucent – and often funneled along narrow paths, the ocean’s vastness has often provided them protection. When one is broken, as the Tonga cable was this week, data traffic comes to a halt.
Far from wireless
The fact that we route internet traffic through the ocean – amidst deep-sea creatures and hydrothermal vents – runs counter to most people’s imaginings of the internet. Didn’t we develop satellites and Wi-Fi to transmit signals through the air? Haven’t we moved to the cloud? Undersea cable systems sound like a thing of the past.
The reality is that the cloud is actually under the ocean. Even though they might seem behind the times, fiber optic cables are actually state-of-the-art global communications technologies. Since they use light to encode information and remain unfettered by weather, cables carry data faster and cheaper than satellites. They crisscross the continents too – a message from New York to California also travels by fiber optic cable. These systems are not going to be replaced by aerial communications anytime soon.
A vulnerable system?
The biggest problem with cable systems is not technological – it’s human. Because they run underground, underwater and between telephone poles, cable systems populate the same spaces people do. As a result, they’re accidentally broken all the time. Local construction projects dig up terrestrial lines. Boaters drop anchors on cables. And submarines can pinpoint systems under the sea.
Most media coverage about these systems has been dominated by the question of vulnerability. Are global communications networks really at risk of disruption? What would happen if these cables were cut? Should we all be worrying about a digital blackout – whether caused by accident or terrorists?
The answer to this is not black and white. Any individual cable is always at risk, but likely far more so from boaters and fishermen than any saboteur. Over history, the single largest cause of disruption has been people unintentionally dropping anchors and nets. The International Cable Protection Committee has been working for years to prevent such breaks.
As a result, cables today are covered in steel armor and buried beneath the seafloor at their shore-ends, where the human threat is most concentrated. This provides some level of protection. In the deep sea, the ocean’s inaccessibility largely safeguards cables – they need only to be covered with a thin polyethylene sheath. It’s not that it’s much more difficult to sever cables in the deep ocean, it’s just that the primary forms of interference are less likely to happen. The sea is so big and the cables are so narrow, the probability isn’t that high that you’d run across one.
Sabotage has actually been rare in the history of undersea cables. There are certainly occurrences (though none recently), but these are disproportionately publicized. The World War I German raid of the Fanning Island cable station in the Pacific Ocean gets a lot of attention. And there was speculation about sabotage in the cable disruptions outside Alexandria, Egypt in 2008, which cut 70 percent of the country’s internet, affecting millions. Yet you hear little about the regular faults that occur, on average, about 200 times each year.
Redundancy provides some protection
The fact is it’s incredibly difficult to monitor these lines. Cable companies have been trying to do so for more than a century, since the first telegraph lines were laid in the 1800s. But the ocean is too vast and the lines simply too long. It would be impossible to stop every vessel that came anywhere near critical communications cables. Nations would need to create extremely long, “no-go” zones across the ocean, which itself would profoundly disrupt the economy. Even then, the cables could still be at risk from undersea landslides.
There are only several hundred cable systems that transport almost all transoceanic traffic around the world. And these often run through narrow pressure points where small disruptions can have massive impacts. Since each cable can carry an extraordinary amount of information, it’s not uncommon for an entire country to rely on only a handful of systems. In many places, like Tonga, it takes only a single cable cut to take out large swathes of the internet. If the right cables were disrupted at the right time, it could disrupt global internet traffic for weeks or even months.
The thing that protects global information traffic is the fact that there’s some redundancy built into the system. Since there is more cable capacity than there is traffic, when there is a break, information is automatically rerouted along other cables. Because there are many systems linking to the United States, and a lot of internet infrastructure is located here, a single cable outage is unlikely to cause any noticeable effect for Americans.
Any single cable line has been and will continue to be susceptible to disruption. And the only way around this is to build a more diverse system. But as things are, even though individual companies each look out for their own network, there is no economic incentive or supervisory body to ensure the global system as a whole is resilient. If there’s a vulnerability to worry about, this is it.
This is an updated version of an article originally published on Nov. 3, 2015.