Posts

In Two So-Called Fact Checks of Facebook, NYT Forgets Everything It Knows about Indictments

In both this Scott Shane article and this “fact check” of Facebook VP Rob Goldman’s recent tweets on Russian trolls’ use of Facebook (which President Trump then picked up), the NYT has twice forgotten everything it knows about indictments, and in the process failed to properly analyze last week’s Internet Research Agency indictment.

In Shane’s article, he attempts to fact check Goldman using the indictment.

Facebook’s vice president for advertising, Rob Goldman, said on Twitter on Friday, “I have seen all of the Russian ads and I can say very definitively that swaying the election was *NOT* the main goal” — a statement that President Trump retweeted.

But Mr. Mueller’s indictment repeatedly states that the Russian operation was designed not just to provoke division among Americans but also to denigrate Hillary Clinton and support her rivals, mainly Mr. Trump. The hashtags the Russian operation used included #Trump2016, #TrumpTrain, #MAGA and #Hillary4Prison, and one Russian operative was reprimanded for “a low number of posts dedicated to criticizing Hillary Clinton,” the indictment says.

On Twitter, Shane even suggested Goldman hadn’t read the indictment.

Wonder if Rob Goldman has read the indictment. Mueller appears to disagree.

Then, Sheera Frenkel extends the purported fact check.

“I have seen all of the Russian ads and I can say very definitively that swaying the election was *NOT* the main goal.” Tweet #2

Not according to the indictment.

The grand jury indictment secured by Mr. Mueller asserts that the goal of Russian operatives was to influence the 2016 election, particularly by criticizing Hillary Clinton and supporting Mr. Trump and Bernie Sanders, Mrs. Clinton’s chief rival for the Democratic nomination.

The Russians “engaged in operations primarily intended to communicate derogatory information about Hillary Clinton, to denigrate other candidates such as Ted Cruz and Marco Rubio, and to support Bernie Sanders and then-candidate Donald Trump,” the indictment said.

Mr. Goldman later wrote in another tweet that “the Russian campaign was certainly in favor of Trump.”

Neither Shane nor Frenkel considers what I laid out here:

[T]here are hints that Mueller is using this indictment to set up a more important point.

For example, the indictment (perhaps because of Mueller’s mandate) focuses on political activities supporting or opposing one or another 2016 candidate. Even where topics (immigration, Muslim religion, race) are not necessarily tied to the election, they’re presented here as such. Unless Facebook’s public reports are wrong, this is a very different emphasis than what Facebook has said the IRA focused on. Which is to say that Mueller’s team are focusing on a subset of the known IRA trolling, the subset that involves the 2016 contest between Trump and Hillary.

Goldman was addressing all of IRA’s activity on Facebook, which it described this way in September:

  • The vast majority of ads run by these accounts didn’t specifically reference the US presidential election, voting or a particular candidate.
  • Rather, the ads and accounts appeared to focus on amplifying divisive social and political messages across the ideological spectrum — touching on topics from LGBT matters to race issues to immigration to gun rights.
  • About one-quarter of these ads were geographically targeted, and of those, more ran in 2015 than 2016.
  • The behavior displayed by these accounts to amplify divisive messages was consistent with the techniques mentioned in the white paper we released in April about information operations.

Nowhere in the indictment does Mueller describe the scope of what IRA activity his team investigated, though it does describe how “over time” the IRA activity came to focus on the 2016 election.

These groups and pages, which addressed divisive U.S. political and social issues, falsely claimed to be controlled by U.S. activists when, in fact, they were controlled by Defendants. Defendants also used the stolen identities of real U.S. persons to post on ORGANIZATION-controlled social media accounts. Over time, these social media accounts became Defendants’ means to reach significant numbers of Americans for purposes of interfering with the U.S. political system, including the presidential election of 2016.

Indeed, the indictment makes it clear that the universe of IRA activity is larger than the election-related activity, in part by tying two counts of identity theft to crimes that happened after the election, as recently as May 2017.

Eight of the usages of fake credentials described in ¶92 also postdate the election. That’s presumably part of what Goldman was pointing to when he tweeted,

The majority of the Russian ad spend happened AFTER the election. We shared that fact, but very few outlets have covered it because it doesn’t align with the main media narrative of Trump and the election.

Even as NYT, a mainstream media outlet, ignored how Goldman’s invocation of this spending detail and the inclusion of 2017 activities in the indictment are proof that not all of the IRA activities Mueller investigated pertained to the election, it deemed that claim lacking in context.

According to figures published by Facebook last October, 44 percent of the Russian-bought ads were displayed before the 2016 election, while 56 percent were shown afterward. Mr. Goldman asserted that those figures were not published by the “mainstream media” — however, many mainstream news outlets did print those numbers, including CNN, Reuters and The Wall Street Journal.

The point is that there are two universes of IRA Facebook activities: the entire universe, for which Goldman’s claims are generally true, and the activities that Mueller has chosen to focus on, which Shane and Frenkel mistake as the entire universe, and in the process blow their fact checks.

This disjunct continues to the citation of real life events planned using Facebook. Goldman pointed to two May 21, 2016 Houston events, where an Islamophobic event was planned on the same day as a United Muslims event, as the quintessential example of how Russia was trying to pit Americans against each other.

The single best demonstration of Russia’s true motives is the Houston anti-islamic protest. Americans were literally puppeted into the streets by trolls who organized both the sides of protest.

Frenkel doesn’t even get Goldman’s reference correct, in spite of his link to a story on it, and instead apparently takes the citation to be a reference to this passage from the indictment.

By in or around early November 2016, Defendants and their co-conspirators used the ORGANIZATION-controlled “United Muslims of America” social media accounts to post anti-vote messages such as: “American Muslims [are] boycotting elections today, most of the American Muslim voters refuse to vote for Hillary Clinton because she wants to continue the war on Muslims in the middle east and voted yes for invading Iraq.”

From which she concludes,

The protests in Houston in November 2017 were among many rallies organized by Russian operatives through Facebook. While the Houston protest was anti-Islamic, as Mr. Goldman said, he failed to note that the goal in promoting the demonstration was to link Mrs. Clinton’s campaign with a pro-Islamic message.

Again, the indictment is focusing on a particular subset of the IRA activity, whereas Goldman is commenting on the larger universe, arguably to say the indictment understates the threat.

With NYT’s mad, repeated rush to fact check Facebook using an indictment that never claims to be addressing the same universe of IRA activity Goldman was commenting on, they commit some pretty significant analytical errors, errors that extend to their ability to understand what Mueller is doing with the indictment.

I can’t say for certain why Mueller focused on certain kinds of IRA activity, but I can think of three likely possibilities:

  • Since his mandate is to investigate Russian tampering in the 2016 election, he is focusing on that subset of the IRA activity
  • Because it is tied to election law, the conspiracy to defraud the US charge in the indictment depends on activity that violates election law, and much of the IRA Facebook trolling does not
  • The events on which Mueller does focus — notably, twin events at key times in NYC and activities in FL that involve three identified Trump campaign officials — may hint at further crimes or more sophisticated cooperation between the campaign and Russian agents

The last possibility is (as I noted in my earlier post) one of the most intriguing parts of the indictment. But the NYT won’t see it because they’re so busy fact checking claims made about different sets of data.

I get the urge to beat up Facebook. They’ve got a lot to pay for in permitting Russia to abuse their platform. But (I suspect entirely because Trump used Goldman’s tweet to try to exonerate himself) in doing so, NYT has missed Goldman’s larger point, which isn’t an apology at all. Indeed, Goldman was saying that the problem is far bigger than what Mueller lays out in the indictment, and that our continued divisions are a vulnerability Russia continues to exploit.

As Mueller moves forward, we’re likely to see similar kinds of confusion between the specific crimes he addresses in indictments and pleas and the larger toxins that hurt our democracy. So long as we confuse Mueller’s investigation for the larger, still vulnerable whole, we’re never going to do the things as a society we need to prevent this from happening again.

Update: My apologies to Frenkel for misspelling her name originally in this.

Update: On the limits of what is and is not illegal for foreigners to engage in see this Rick Hasen post.

Update: I had an exchange on Twitter with Frenkel about this, and the so-called article has what purports to be a correction.

Because of an editing error, an earlier version of this article misstated the month when protests organized by Russian operatives were held in Houston. It was March 2016, not November 2017.

Except that as corrected (by me, though I got no attribution), the piece compounds its error.

The protests in Houston in May 2016 were among many rallies organized by Russian operatives through Facebook. While the Houston protest was anti-Islamic, as Mr. Goldman said, he failed to note that the goal in promoting the demonstration was to link Mrs. Clinton’s campaign with a pro-Islamic message.

According to the indictment secured by Mr. Mueller, there were many other examples of Russian operatives using Facebook and Instagram to organize pro-Trump rallies. At one protest, the Russian operatives paid for a cage to be built, in which an actress dressed as Mrs. Clinton posed in a prison uniform.

None of the materials or contemporary coverage associated with the anti-Islamic side of the protest associated it with Clinton’s campaign. On the contrary, the protest was about a local Islamic center.

A group calling themselves Heart of Texas called for the rally to protest what they consider “Islamization” of Texas – sparked in part by the recent opening of a privately funded library inside the downtown center. The group had also encouraged followers to bring legal firearms.

Although the Heart of Texas group never showed, about 10 people bearing flags of the United States, Texas and the Confederacy were there. “This is America. We have the right to speak out and protest,” said Ken Reed, who wore a T-shirt emblazoned with the phrase “White Lives Matter.” “We feel Texas, our great state and the United States is being threatened by the influx of Islam.”

Again, I agree that Facebook is a shitty company. But a newspaper doubling down on its errors to attack Facebook’s errors is … doing what it is complaining about.

The Gizmo™: Correlation Doesn’t Equal Adversary Nation

For days, reporters have been mis-using The Gizmo™ (the name I use for the “disinformation dashboard” from the German Marshall Fund, a black box that purports to show “Russian propaganda efforts on Twitter in near-real time”) to claim that Russian-linked accounts are pushing the #ReleaseTheMemo campaign calling for the public release of Devin Nunes’ politicized memo attacking the FBI.

As the effort led by some Republicans to curtail special counsel Robert S. Mueller III’s investigation into the election meddling has heated up, Russian-linked accounts helped amplify a Twitter hashtag calling for the release of a memo the group hopes will help discredit Mueller’s work, according to Hamilton 68, a research firm that tracks the malicious accounts. The #releasethememo hashtag was tweeted by these accounts nearly 4,000 times in the last couple of days, the firm said.

As always with such reporting, the articles don’t provide even the nuance the project’s most responsible contributor, JM Berger, lays out on their methodology page.

  1. Not all content in this network is “created” by Russia. A significant amount—probably a majority—of content is created by third parties and then amplified by the network because it is relevant to Russian messaging themes.
  2. Not all content amplified by this network is pro-Russian. The network frequently mobilizes to criticize or attack individuals or news reports that it wishes to discredit.
  3. Because of the two points above, we emphasize it is NOT CORRECT to describe sites linked by this network as Russian propaganda sites. We are not claiming that content producers linked by this network are Russian propaganda sites. Rather, content linked by this network is RELEVANT to Russian messaging themes.

Such reports certainly don’t consider the validity of drawing conclusions from such analysis that the authors have refused to have vetted by a third party. What does it mean to openly profess to be pro-Russian, for example? Do non-consensus views on Syria or Ukraine count? Does skepticism about Russian involvement in the election count?

And the reports don’t note the serial false positives, such as the time Jim Lankford used The Gizmo™ to claim Russia was stoking tensions around NFL players taking a knee during the anthem. More responsible analysis showed that,

[B]oth #TakeAKnee and #BoycottNFL were genuinely viral movements, generating high volumes of traffic from large numbers of accounts, but both received an additional boost from bots.

The bots which amplified #TakeAKnee were primarily non-political; they appear to be bots for hire, repurposed to amplify specific posts. Of these, the most significant group is that which retweeted @DianneLogic, given its previous use in online harassment campaigns in the context of Russia and the far right. However, the evidence of its prior behavior is suggestive but not conclusive. It cannot be taken as proving Senator Lankford’s claim.

The accounts which amplified #BoycottNFL are a different breed. They are largely cyborgs, rather than bots, posting authored content in between slews of retweets. They are also political, rather than commercial. Their sole purpose appears to be boosting far-right American posts.

In both cases, the bots were functionally anonymous, providing no verifiable information on the identity of the user behind them. There is thus no independent information which would allow us to say definitively whether they were American, linked somehow to Russia, or managed from another country entirely.

In short, in spite of this thing being shown to measure something entirely different from what reporters continue to report — correlated traffic (and that, based on unpublished criteria) rather than causal traffic — nevertheless Russia got credit for a campaign clearly driven by right wing Americans backed by a far more extensive propaganda infrastructure.

And then, even as Twitter started leaking initial analysis saying just that — that Russia wasn’t to blame …

[A] knowledgeable source says that Twitter’s internal analysis has thus far found that authentic American accounts, and not Russian imposters or automated bots, are driving #ReleaseTheMemo. There are no preliminary indications that the Twitter activity either driving the hashtag or engaging with it is either predominantly Russian.

In short, according to this source, who would not speak to The Daily Beast for attribution, the retweets are coming from inside the country.

… Two members of Congress from California, Adam Schiff and Dianne Feinstein, called on two California companies, Twitter and Facebook, to confess further manipulation by Russia.

We understand Facebook and Twitter have developed significant expertise in identifying inauthentic and malicious accounts.  Further, your forensic investigations into Russian government exploitation of your platforms during the 2016 U.S. election have helped expose to the American public the vast extent of Russia’s covert influence efforts. We therefore request that your companies conduct an in-depth forensic examination of this real-time activity on your platforms to determine:

  1. Whether and how many accounts linked to Russian influence operations are involved in this campaign;
  2. The frequency and volume of their postings on this topic; and
  3. How many legitimate Twitter and Facebook account holders have been exposed to this campaign.

Given the urgency of this matter, we ask that you provide a public report to Congress and the American public by January 26, 2018.  In addition, we urge your companies to immediately take necessary steps to expose and deactivate accounts involved in this influence operation that violate your respective user policies.

Nothing in this letter explains why Facebook should have to do this work, as The Gizmo™, the sole piece of evidence Schiff and Feinstein rely on, doesn’t track Facebook.

But even the demand to Twitter was based on yet another misreading of what The Gizmo™ actually measures. And, having never asked The Gizmo™ to explain the methodology behind its serial panics, a Senator representing both Facebook and Twitter demanded that they check its work, rather than vice versa.

If I were a forewoman in a Russian troll factory, there would be no easier way to boost my career prospects than to use a few of my bots to manipulate The Gizmo™’s sloppy methodology to claim credit for an obviously American-generated hoax. “Ivana! Let’s claim the latest Republican propaganda!” Doing so would set off a self-fulfilling prophecy, precisely the kind of thing The Gizmo™’s authors claim to want to prevent, boosting Russia’s ability to sow discord with virtually no effort.

Why Call Alice Donovan a Troll?

The WaPo and CounterPunch have the story of Alice Donovan, a pseudonymous persona the FBI suspected (it’s not clear starting when) of being part of a Russian influence operation. The WaPo makes it clear sources told them about the investigation (though without clearly revealing when FBI identified Donovan or when they learned about the investigation) and leaked the report behind this story (or perhaps it is all one report).

The FBI was tracking Donovan as part of a months-long counterintelligence operation code-named “NorthernNight.” Internal bureau reports described her as a pseudonymous foot soldier in an army of Kremlin-led trolls seeking to undermine America’s democratic institutions.

[snip]

The events surrounding the FBI’s NorthernNight investigation follow a pattern that repeated for years as the Russian threat was building: U.S. intelligence and law enforcement agencies saw some warning signs of Russian meddling in Europe and later in the United States but never fully grasped the breadth of the Kremlin’s ambitions.

CP first learned about it when Adam Entous called about the leaked intelligence report on her.

We received a call on Thursday morning, November 30, from Adam Entous, a national security reporter at the Washington Post. Entous said that he had a weird question to ask about one of our contributors. What did we know about Alice Donovan? It was indeed an odd question. The name was only faintly familiar. Entous said that he was asking because he’d been leaked an FBI document alleging that “Alice Donovan” was a fictitious identity with some relationship to Russia. He described the FBI document as stating that “Donovan” began pitching stories to websites in early 2016. The document cites an article titled “Cyberwarfare: Challenge of Tomorrow.”

And CP reveals they first came to believe that Donovan was fake (and not just a serial plagiarist) when a NYT story listed Donovan’s account among those that Facebook had shut down as fake.

This long story focused on dozens of phony Facebook accounts which the Times claims pushed pro-Russian messages during the election. Buried in the 28th paragraph of the story was the name “Alice Donovan.” Donovan’s Facebook page, the Times said, “pointed to documents from Mr. Soros’s Open Society Foundations that she said showed its pro-American tilt and — in rather formal language for Facebook — describe eventual means and plans of supporting opposition movements, groups or individuals in various countries.’” According to the Times, Facebook had deactivated the Donovan account after it failed a verification protocol.

CP ends by noting that for the entirety of the period when FBI was investigating this pseudonymous persona, they never informed CP.

If the FBI was so worried about the risks posed by Alice Donovan’s false persona, they could have tipped off some of the media outlets she was corresponding with. But in this case they refrained for nearly two years. Perhaps they concluded that Donovan was the hapless and ineffectual persona she appears to be. More likely, they wanted to continue tracking her. But they couldn’t do that without also snooping on American journalists and that represents an icy intrusion on the First Amendment. For a free press to function, journalists need to be free to communicate with whomever they want, without fear that their exchanges are being monitored by federal agencies. A free press needs to be free to make mistakes and learn from them. We did.

It’s an interesting example — and given my prior focus on Facebook’s intelligence apparatus (one reiterated by the revelation that Facebook has been taking down NK infrastructure of its own accord) — one that raises questions about whether FBI identified this persona or FB did.

But I’m wondering why both WaPo and CP are calling the Donovan persona a troll. While it sounds like Donovan’s election related interventions were trollish about Hillary, some of what she published at CP and other outlets clearly supported Russian policy objectives (that CP might legitimately agree with) or — as CP notes — mirrored mainstream reporting on Clinton’s emails.

Donovan served not just to poison debate, as trolls do.

So I’m wondering why people are using that term. I’m wondering, in part, why we should distinguish Donovan’s authorship (or plagiarism) of articles from leaks from foreign intelligence services, which news articles have long relied on, whether Israeli, Saudi, or Russian sources (remember, for example, how presumed Yemeni or Saudi sources have repeatedly revealed details of US or UK double agents). A number of people in DC have laughed with me about the way that Rinat Akhmetshin — a central figure in the June 9, 2016 Trump Tower meeting and as such suspected of doing Russian intelligence bidding — has long regaled mainstream journalists as a source. And I’ve suggested that Scott Balber — an American lawyer working for a Russian oligarch — may be fostering a cover story for the same meeting.

So why is one kind of intelligence disinformation called journalism and another called trolling?

10 Years of emptywheel: Key Non-Surveillance Posts 2016-2017

Happy Birthday to me! To us! To the emptywheel community!

On December 3, 2007, emptywheel first posted as a distinct website. That makes us, me, we, ten today.

To celebrate, over the next few days, the emptywheel team will be sharing some of our favorite work from the last decade. I’ll be doing probably 3 posts featuring some of my most important or — in my opinion — resilient non-surveillance posts, plus a separate post bringing together some of my most important surveillance work. I think everyone else is teeing up their favorites, too.

Putting together these posts has been a remarkable experience to see where we’ve been and the breadth of what we’ve covered, on top of mainstays like surveillance. I’m really proud of the work I’ve done, and proud of the community we’ve maintained over the years.

For years, we’ve done this content ad free, relying on donations and me doing freelance work for others to fund the stuff you read here. I would make far more if I worked for some free-standing outlet, but I wouldn’t be able to do the weedy, iterative work that I do here, which would amount to not being able to do my best work.

If you’ve found this work valuable — if you’d like to ensure it remains available for the next ten years — please consider supporting the site.

2016

Why Doesn’t Dianne Feinstein Want to Prevent Murders Like those Robert Dear Committed?

I’ve written a lot about how the focus on Islamic terrorism, based on a claim it’s foreign, creates gross inequalities for Muslims in this country, and does nothing to address some of our most dangerous mass killers (as the Stephen Paddock massacre in Las Vegas makes all too clear). This post is one of that series. It focuses on how the ill-advised efforts to use the No Fly List to create a list of those who couldn’t own guns would be discriminatory and wouldn’t add much to safety.

“Only Facts Matter:” Jim Comey Is Not the Master Bureaucrat of Integrity His PR Sells Him As

From the periods when Jim Comey was universally revered as a boy scout through those when Democrats blamed him for giving us Trump (through the time Democrats predictably flip flopped on that point), I have consistently pointed to a more complicated story, particularly with regards to surveillance and torture. I think the lesson of Comey isn’t so much he’s a bad person — it’s that he’s human, and no human fits into the Manichean world of good guys and bad guys that he viewed justice through.

NSA and CIA Hacked Enrique Peña Nieto before the 2012 Election

As Americans came to grips with the fact that Russia had hacked Democrats to influence last year’s election, many people forgot that the US does the same. And it’s not even just in the bad old days of Allen Dulles. The Snowden documents revealed that NSA and CIA hacked Enrique Peña Nieto in the weeks before he was elected in 2012. The big difference is we don’t know what our spooks did with that information.

Why Is HPSCI’s Snowden Report So Inexcusably Shitty?

In 2016, HPSCI released its Devin Nunes-led investigation into Edward Snowden’s leaks. It was shitty. Really shitty.

Now that the HPSCI investigation into the Russian hack (which has not been subjected to the same limitations as the Snowden investigation was) has proven to be such a shit show, people should go back and review how shitty this review was (including its reliance on Mike Flynn’s inflammatory claims). There absolutely should have been a review of Snowden’s leaks. But this was worse than useless.

Look Closer to Home: Russian Propaganda Depends on the American Structure of Social Media

As people began to look at the role of fake news in the election, I noted that we can’t separate the propaganda that supported Trump from the concentrated platforms that that propaganda exploited. A year later, that’s a big part of what the Intelligence Committees have concluded.

The Evidence to Prove the Russian Hack

In this post I did a comprehensive review of what we knew last December about the proof Russia was behind the tampering in last year’s election.

Obama’s Response to Russia’s Hack: An Emphasis on America’s More Generalized Vulnerability

Last year, in a speech on the hack, Obama focused more on America’s vulnerability that made it possible for Russia to do so much damage than he did on attacking Putin. I think it’s a really important point, one I’ve returned to a lot in the last year.

The Shadow Brokers: “A Nice Little NSA You’ve Got Here; It’d Be a Shame If…”

In December, I did a review of all the posts Shadow Brokers had done and suggested he was engaged in a kind of hostage taking, threatening to dump more NSA tools unless the government met his demands. I was particularly interested in whether such threats were meant to prevent the US from taking more aggressive measures to retaliate against Russia for the hack.

2017

On “Fake News”

After getting into a bunch of Twitter wars over whether we’re at a unique moment with Fake News, I did this post, which I’ve often returned to.

How Hal Martin Stole 75% of NSA’s Hacking Tools: NSA Failed to Implement Required Security Fixes for Three Years after Snowden

The government apparently is still struggling to figure out how its hacking tools (both NSA and CIA) got stolen. I noted back in January that an IG report from 2016 showed that in the three years after Snowden, the IC hadn’t completed really basic things to make itself more safe from such theft.

The Doxing of Equation Group Hackers Raises Questions about the Legal Role of Nation-State Hackers

One thing Shadow Brokers did that Snowden and WikiLeaks, with its Vault 7 releases, have not is to reveal the identities of NSA’s own hackers. Like DOJ’s prosecution of nation-state hackers, I think this may pose problems for the US’ own hackers.

Reasons Why Dems Have Been Fucking Stupid on the Steele Dossier: a Long Essay

I believe Democrats have been ill-advised to focus their Russia energy on the Steele dossier, not least because there has been so much more useful reporting on the Russia hack that the Steele dossier only makes their case more vulnerable to attack. In any case, I continue to post this link, because I continue to have to explain the dossier’s problems.

Other Key Posts Threads

10 Years of emptywheel: Key Non-Surveillance Posts 2008-2010

10 Years of emptywheel: Key Non-Surveillance Posts 2011-2012

10 Years of emptywheel: Key Non-Surveillance Posts 2013-2015

PureVPN Doesn’t Need to Keep Logs Given How Many Google Keeps

There’s a cyber-stalking case in MA that has a lot of people questioning whether or not VPNs keep serial cyber-stalkers safe from the FBI. In it, Ryan Lin is accused of stalking a former roommate, referred to by the pseudonym Jennifer Smith in the affidavit, as well as conducting some bomb hoaxes and other incidents of stalking (if these accusations are true he’s a total shithole with severe control problems).

Because the affidavit in the case refers to tying Lin’s usage to several VPNs, it has been read to confirm that PureVPN, especially, has been keeping historic logs of users, contrary to their public claims. To be clear: you can never know whether a VPN is honest about keeping logs or not, and simply having a VPN on your computer might provide means of compromise (sort of like an anti-virus), that makes you more vulnerable. But I don’t think the affidavit, by itself (particularly with a great deal of the evidence in the case still hidden), confirms PureVPN is keeping logs. Rather, I think the account matching described in the affidavit says the FBI could have identified which VPNs Lin used via orders to Google, Facebook, and other tech companies, and using that, obtained a pen register on PureVPN collecting prospective traffic. I don’t think what is shown proves that FBI obtained historic logs (though it doesn’t disprove it either).

One thing to understand about this case is that Lin would have been the suspect right from the start, because his stalking started while he still lived with Smith, and intensified right after his roommates got him evicted. Plus, some of his stalking of Smith and others involved his real social media accounts. That means that, at a very early stage in this investigation, FBI would have been able to get all this information from Google and Facebook, which his victims knew he used.

A. The following information about the customers or subscribers of the Account:
1. Names (including subscriber names, user names, and screen names);
2. Addresses (including mailing addresses, residential addresses, business addresses, and e-mail addresses);
3. Local and long distance telephone connection records;
4. Records of session times and durations, and the temporarily assigned network addresses (such as Internet Protocol (“IP”) addresses) associated with those sessions;
5. Length of service (including start date) and types of service utilized;
6. Telephone or instrument numbers (including MAC addresses);
7. Other subscriber numbers or identities (including temporarily assigned network addresses and registration Internet Protocol (“IP”) addresses (including carrier grade natting addresses or ports)); and
8. Means and source of payment for such service (including any credit card or bank account number) and billing records.

B. All records and other information (not including the contents of communications) relating to the Account, including:
1. Records of user activity for each connection made to or from the Account, including log files; messaging logs; the date, time, length, and method of connections; data transfer volume; user names; and source and destination Internet Protocol addresses;
2. Information about each communication sent or received by the Account, including the date and time of the communication, the method of communication, and the source and destination of the communication (such as source and destination email addresses, IP addresses, and telephone numbers);
3. Records of any accounts registered with the same email address, phone number(s), method(s) of payment, or IP address as [] the accounts listed in Part 1; and Records of any accounts that are linked to either of the accounts listed in Part 1 by machine cookies (meaning all Google user IDs that logged into any Google account by the same machine as [] the accounts in Part 1). [my emphasis]

So very early in the investigation (almost certainly 2016), the FBI would have started obtaining every IP address that Lin was using to access Google and Facebook, and any accounts tied to the IP addresses used to log into his known accounts.

Instagram IDs WAN usage

Now consider the different references to VPNs in the affidavit. First, in February 2017, Lin registered a new Instagram account via WAN Security, one of the three VPNs listed.

February 2017: Lin registers Instagram account via WAN Security, also uses it to send email from [email protected] to local police department

That would mean that from the time FBI learned he used WAN to register with Instagram, the FBI would have known he used that service, and probably would have a very good idea which WAN server he logged into by default.

Gmail ties WAN usage to other pseudonymous accounts

Then, FBI tracked April 2017 activity to connect Lin to an anonymous account at a service called Rover that he used to stalk people.

  • April 14, 2017, 14:55:52: Lin’s Gmail address accessed from IP address tied to WANSecurity server
  • April 14, 2017, 15:06:27: “Ashley Plano,” using [email protected], accessed Rover via same WANSecurity server
  • April 17, 2017, 21:54:25: “Ashley Plano” accesses Rover via Secure Internet server
  • April 17, 2017, 23:19:12: Lin’s Gmail address accessed via same Secure Internet server
  • April 18, 2017, 23:48:28: Lin’s Gmail address accessed via same Secure Internet server
  • April 19, 2017, 00:30:11: Ashley Plano account accessed via same Secure Internet server
  • April 24, 2017 (unspecified times): Lin’s Gmail and [email protected] email account accessed via same Secure Internet server

The WAN Security usage would have been accessible from Lin’s Gmail account (and would have been known since at least February). A subpoena to Rover after reports it was used for stalking would have likewise shown the WAN Security usage and times (assuming their logs are that detailed).

The Secure Internet use would have likewise shown up in his Gmail usage. Matching that to the Rover logs would have been the same process as with the WAN Security usage. And matching Lin’s known Gmail to his (alleged) pseudonymous teleportfx email would have been done by Google itself, matching other accounts accessed by the IP Lin used (though they would have had to weed out the multiple other users of the same Secure Internet server).

In other words, this stuff could have come — and almost certainly did — from 2703(d) order returns available with a relevance standard, probably starting months before this activity.
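The matching described above, sketched as an added example (not taken from the affidavit or from any provider's tooling): accounts are linked when they show up on the same VPN exit IP within a short window, and other users of a shared exit are weeded out by requiring the overlap to repeat on a second exit. The account names, documentation-range IPs, two-hour window and two-exit threshold are assumptions; the records are constructed, with times modeled on the timeline above.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from itertools import combinations

FMT = "%Y-%m-%d %H:%M:%S"

# Constructed access records, as two providers might return them:
# (timestamp, provider, account, source IP). Placeholder names and IPs.
RECORDS = [
    ("2017-04-14 14:55:52", "mail",  "known_user",  "198.51.100.10"),  # exit of VPN A
    ("2017-04-14 15:06:27", "forum", "pseudonym_1", "198.51.100.10"),
    ("2017-04-14 15:20:00", "mail",  "bystander_a", "198.51.100.10"),  # unrelated VPN A user
    ("2017-04-17 21:54:25", "forum", "pseudonym_1", "203.0.113.77"),   # exit of VPN B
    ("2017-04-17 23:19:12", "mail",  "known_user",  "203.0.113.77"),
    ("2017-04-17 23:40:00", "mail",  "bystander_b", "203.0.113.77"),   # unrelated VPN B user
    ("2017-04-18 23:48:28", "mail",  "known_user",  "203.0.113.77"),
    ("2017-04-19 00:30:11", "forum", "pseudonym_1", "203.0.113.77"),
    ("2017-04-20 09:00:00", "mail",  "bystander_a", "192.0.2.5"),
]


def parse(records):
    """Turn timestamp strings into datetimes and sort chronologically."""
    return sorted(
        (datetime.strptime(ts, FMT), prov, acct, ip)
        for ts, prov, acct, ip in records
    )


def co_occurrences(records, window=timedelta(hours=2)):
    """Map each pair of accounts to the set of exit IPs on which both
    were seen within `window` of each other."""
    by_ip = defaultdict(list)
    for ts, _prov, acct, ip in parse(records):
        by_ip[ip].append((ts, acct))

    pairs = defaultdict(set)
    for ip, events in by_ip.items():
        for (t1, a1), (t2, a2) in combinations(events, 2):
            if a1 != a2 and abs(t2 - t1) <= window:
                pairs[frozenset((a1, a2))].add(ip)
    return pairs


def linked_accounts(records, seed, window=timedelta(hours=2), min_exits=2):
    """Accounts that co-occur with `seed` on at least `min_exits` distinct
    exit IPs. A single shared exit is weak evidence, because every customer
    of that VPN server shares it; repetition across exits is much stronger."""
    linked = {}
    for pair, ips in co_occurrences(records, window).items():
        if seed in pair and len(ips) >= min_exits:
            (other,) = pair - {seed}
            linked[other] = sorted(ips)
    return linked


if __name__ == "__main__":
    # One shared exit: the pseudonym plus both bystanders are candidates.
    print(sorted(linked_accounts(RECORDS, "known_user", min_exits=1)))
    # Two shared exits: only the pseudonym follows the known account.
    print(linked_accounts(RECORDS, "known_user"))
```

The same logic is why rotating between VPN providers does not help when one logged-in account is used through all of them: that account becomes the join key across every exit it touches.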

Work computer confirms PureVPN usage, may provide account number

Then there’s this information, tying Lin’s work computer to PureVPN.

July 24, 2017: Lin fired by his unnamed software company employer — he asks, but is denied, to access his work computer to sign out of accounts

August 29, 2017: FBI agents find “Artifacts indicat[ing] that PureVPN, a VPN service that was used repeatedly in the cyberstalking scheme, was installed on the computer.”

What is not mentioned here is whether the “artifact” that showed Lin, like a fucking moron, loaded PureVPN onto his work computer also included him loading his PureVPN account number onto the computer. I think the vagueness here is intentional — both to keep the information from us and from Lin (at least until he signs a protection order). I also think this discussion, while useful for establishing probable cause to search his house, is also a feint. I suspect they already had Lin tied to PureVPN, and probably to a specific account there.

FBI’s not telling when and how they IDed Lin’s PureVPN usage, but Google would have had it

Which leads us to this language, which is the stuff that has everyone wigged out about PureVPN keeping logs.

Further, records from PureVPN show that the same email accounts–Lin’s gmail account and the teleportfx gmail account–were accessed from the same WANSecurity IP address. Significantly, PureVPN was able to determine that their service was accessed by the same customer from two originating IP addresses: the RCN IP address from the home Lin was living in at the time, and the software company where Lin was employed at the time.

[snip]

PureVPN also features prominently in the cyberstalking campaign, and the search of Lin’s workplace computer showed access of PureVPN.

Unlike almost every reference in this affidavit, there’s no date attached to this knowledge. It appears after the work computer language, leaving the impression that the knowledge came after the work computer access. But particularly since FBI alleges Lin used PureVPN for a lot of his stalking, they probably were looking at PureVPN much earlier.

One thing is certain: FBI could have easily IDed a known PureVPN server accessing Lin’s Gmail account and the teleportfx one FBI identified at least as early as April, months before finding PureVPN loaded onto his work computer.

The FBI doesn’t say which victims Lin accessed via PureVPN or when, only that it figured prominently. It does say, however, that PureVPN identified use from both Lin’s home and work addresses.

Most importantly, FBI doesn’t say when they asked PureVPN about all this. Nothing in this affidavit rules out the FBI serving PureVPN with a PRTT to track ongoing usage tied to Lin’s known accounts (rather than historical usage tied to them). Mind you, there’s nothing to rule out historical logs either (as the affidavit also notes, Lin at one point tweeted something indicating knowledge that VPNs will at least keep access information tied to users).

Here’s the thing, though: if you’re using the same Gmail account tied to the same home IP to access three different VPN providers, often on the same day, your VPN usage is going to be identified from Google’s extensive log keeping. It is an open question what the FBI can do with that knowledge once they have it — whether they can only collect prospective information or whether a provider is going to have some useful historical knowledge to share. But the FBI didn’t need historic logs from PureVPN to get to Lin.

Richard Burr’s Tacit Warning to Christopher Steele

I’m just now catching up to Richard Burr and Mark Warner’s press conference on the Russia investigation yesterday. I saw some folks questioning why they did the presser, which surprises me. The answer seems obvious. They did the presser to release and apply pressure from specific areas of the investigation. For example, Burr exonerated those involved in the Mayflower Hotel meetings in April 2016 and further argued that the GOP platform was not changed to let Russia off the hook for Ukraine (I think the latter conclusion, in any case, is correct; I’m less persuaded about the first). Warner used the presser to push for Facebook to release the ads sold to Russia.

A particular instance of this — one that I believe has been misunderstood by those who’ve reported it thus far — pertains to the Steele dossier. Here’s what Burr said about it, working off of prepared remarks (meaning issuing this tacit warning was one purpose of the presser; after 16:00):

As it relates to the Steele dossier: unfortunately the committee has hit a wall. We have on several occasions made attempts to contact Mr. Steele, to meet with Mr. Steele, to include, personally, the Vice Chairman and myself as two individuals, of making that connection. Those offers have gone unaccepted. The committee cannot really decide the credibility of the dossier without understanding things like who paid for it? who are your sources and sub-sources? We’re investigating a very expansive Russian network of interference in US elections. And though we have been incredibly enlightened at our ability to rebuild backwards, the Steele dossier up to a certain date, getting past that point has been somewhat impossible. And I say this because I don’t think we’re going to find any intelligence products that unlock that key to pre-June of ’16. My hope is that Mr. Steele will make a decision to meet with either Mark and I or the committee or both, so that we can hear his side of it, versus for us to depict in our findings what his intent or what his actions were. And I say that to you but I also say that to Chris Steele.

People seem to interpret this to mean SSCI hasn’t been able to corroborate the dossier — a point on which Burr is ambiguous. He references intelligence products that might unlock secrets of the dossier, which might suggest the committee has found intelligence products from later in the process that either confirm or don’t confirm the events in the dossier as produced.

More important, however, is his reference to June 2016. While it seems like Burr might be suggesting the committee has found no evidence on collusion dating to before that date, that would seem to be inconsistent with the committee having received information on Michael Cohen’s discussions of financial dealings from before June (though given Burr’s exoneration of the Mayflower attendees, he may deem the earlier activities to be inconclusive).

So it seems more likely Burr raised the June 2016 date, along with his question about who paid for the report, to suggest he has real questions about whether its findings served as a partisan effort to taint Trump, paid for by a still undisclosed Hillary backer.

If Christopher Steele won’t talk about what intelligence he had on Trump before the time when, in June 2016, he reported on Russia providing kompromat (though not, at that point, hacked emails) on Hillary to Trump’s team, Burr seems to be saying, then it will be far easier to question his motivations and the conclusions of the report. And frankly, given some of the details on the Steele dossier — especially Steele’s briefings to journalists and his claim that the customers for the brief never read it — Burr is right to question that.

In other words, one point of the presser, it seems to me, was for Burr to warn Steele that his dossier will not be treated as a credible piece of work unless and until the committee gets more details about the background to it.

Update: Apparently, Steele responded to Burr’s comments by informing the committee he is willing to meet with Burr and Warner.

Mark Warner’s Inconsistent Social Media Law-Mongering

Remember when, three weeks ago, people were shooting off their baby cannons because two reports kind of sort of claimed that Robert Mueller used a criminal search warrant to obtain details on Facebook’s ad sales to the Internet Research Association? I noted at the time that the logic behind those stories — that Facebook would have needed a warrant (as opposed to a 2703(d) order or a 702 directive) to obtain that information — was faulty. I’ve since become more certain that a D order was used in this case.

But since the stories were so dodgy, I assumed then they weren’t actually reporting about the investigation, but rather pressure on the part of Mark Warner to force Facebook to share the same data with Congress, including leaving (rather than just showing) ads.

And it worked! Last week and this week, Facebook did share those ads, with all the more leaks about them.

Unsurprisingly, Mark Warner is back, now insisting that Facebook should release all those ads that he or someone close to him just weeks ago was suggesting could only be released with a criminal search warrant, but now wants released with neither legal process nor a congressional oversight claim to force it.

I get why he wants that to happen. Even on top of informing the public about what happened in last year’s election, Warner would like to embarrass Facebook into accepting more sweeping regulation of political ads, which is a totally respectable goal.

But I find it amusing that the same people who, weeks ago, were certain that such materials were so private they could only be released with a search warrant are now arguing they should be released with no process whatsoever.

And whatever the beneficial goal here, there’s also the precedent of protection for private data. Do we really want it to be possible for (say) Russia to force Facebook to release all the information on the NGOs that target Russian users? Do we want Jeff Sessions’ DOJ to be able to force Facebook to release the details of those who oppose Trump without legal process?

I don’t expect Warner to be bound by those considerations — he’s trying to win a political battle (and doing a remarkably effective job). But I’d expect those reporting on this story to show some awareness of the claims they made about the sensitivity of this data just weeks ago.

[Photo: Annie Spratt via Unsplash]

The Slow Death of Neoliberalism: Part 1

This is the first of a short series on my long-term project on neoliberalism. The questions I started with were 1. How did neoliberalism become the dominant discourse; 2. Was there an alternative; and 3. How can we move to some other form of discourse.

I started with the premise that the neoliberal project has two prongs, a theory of the person in society and an economic theory.

The person in society is as a rational actor whose only important role is to get a job producing stuff which provides money to buy stuff based solely on a rational calculation of utility. The work part doesn’t apply to people with money. They just rationally concentrate on getting more money. People with no money and no job are subject to discipline by the carceral state. It doesn’t matter why they don’t have jobs. No work, no money, no freedom.

The economic theory is based on neoclassical economics, with its roots in 19th Century morality and the idea that everything can be stated mathematically. The morality is Jeremy Bentham’s utilitarianism, with a strong dose of Calvinism evidenced by the phrase “the lash of hunger”.

My project and my premise are based on reading books which broadly fall into three categories: theory (Foucault, the Frankfurt School, Kuhn, Mirowski), history (Arendt, Veblen, Polanyi), and economics, (Mankiw’s text, Samuelson and Nordhaus’ text, Jevons, Piketty). The plan was that by placing neoliberalism in a broader context, I could get some idea of how it took hold and what were plausible alternatives.

This post discusses theoretical issues. Neoliberalism is a positivist theory.

Positivism is the view that the only authentic knowledge is scientific knowledge, and that such knowledge can only come from positive affirmation of theories through strict scientific method (techniques for investigating phenomena based on gathering observable, empirical and measurable evidence, subject to specific principles of reasoning). The doctrine was developed in the mid-19th Century by the French sociologist and philosopher Auguste Comte (1798 – 1857).

The scientific method is a good way to understand physical phenomena. The key step is eliminating all aspects of the object of study that cannot be measured and accounted for. If you want to know the charge of an electron for some reason, there’s an old experiment for that. In this experiment, that includes measuring the viscosity of air, but it also includes several assumptions that may or may not be accurate; one is that the droplets of oil are spherical.

In the double slit experiment you fire photons at two slits and get interference bands. Some of the photons hit on one of those bands, and others hit others. We don’t know exactly the route that they take between the photon gun and the target, and we can’t predict which band the particle will hit. There is only statistical prediction. So, there are limits to what we can know in the positivist sense. That’s true of math too for other reasons; see Gödel’s Theorems.

One difficulty with positivism is what constitutes a proof in non-physical sciences. Obviously we can’t separate things analogously to the way we isolate photons. And we don’t have a way to repeat experiments and we can’t be sure we understand all the relevant considerations or their magnitude at any point in time, and anyway, people change, societies change and context is controlling.

Besides positivism, neoliberalism is centered on utilitarianism. We can see this in the writings of the inventor of marginal utility, William Stanley Jevons, as I note here. We also see it in Pareto Efficiency. These ideas, and positivism generally, are very useful in rationalizing the production of goods and services.

According to the Frankfurt School the theory that positivism provides the only authentic truth is central to the Enlightenment. Ideas and theories that cannot be proved according to the requirements of positivism cannot be taken seriously. The drive to extreme positivism leads us to ignore concepts like love, social cooperation, justice, morals and all intellectual concepts because they cannot be measured and are inconsistent over time and across societies. As an example, Keynes says that “animal spirits” lead development and stock markets. How do we measure animal spirits? Positivism tells us to find a formula to replace those concepts. Eventually it leads us to focus all our energy and attention on production for profit because that is tangible.

Critical theory rejects another underlying assumption of positivism, the absolute separation of subject and object. In order to study something, it must be segregated from other things. When one person studies another, the investigator must treat the other person as an object. If the object changes, we have to assume that the changes are measurable and predictable. In the same way, when the ruler deals with the subject, the kings treat citizens as objects, and employers treat employees as objects.

To put this in our time, Facebook algorithms treat users as objects and the company sets out to draw a picture of the not-exactly-human user so as to exploit it for profit. Facebook also allows others to use its tools to exploit for profit or for other purposes.

Every society has a system for deciding what goods and services it will produce and a system for dividing up the goods and services it produces. These systems cannot be addressed easily in a positivist framework because there is no way to predict outcomes with any certainty, and because we don’t have a scientific way to assess the quality of the current system, let alone a new arrangement. For that reason, the Frankfurt School claims that positivism reinforces the status quo, and cements it for the benefit of the current group of elites.

The effect of this extreme positivism is to reduce or eliminate imagination by focusing people’s attention on the immediate present. The emphasis on work means that people have less time and energy to think about societal issues.

This all seems terribly arid. Or boring, your choice. But it describes our putrid politics. Lambert Strether analyzed the Sanders/Klobuchar vs. Graham/Cassidy debate at Naked Capitalism; I highly recommend it. Here’s Amy Klobuchar, fn omitted:

KLOBUCHAR: [Y]ou can have things available to you like treatment, right, but if it’s too expensive, is it really available to you? And if you see a Ferrari in a car lot, well, it’s available to you, but you can’t really buy it. And that is the problem if the prices skyrocket.

So it’s doing something immediately to stabilize these prices, but then in the long term making sure we can make health care more affordable. Bernie has one idea; I have some others. And we can talk about them later.

As Lambert Strether shows, Sanders can talk about both now, while Klobuchar can’t, and it’s because she can’t imagine that kind of change as a real possibility. She can’t formulate a radically different vision of society. And that’s the problem facing the whole Democratic Party and especially its last presidential candidate.

Facebook Anonymously Admits It IDed Guccifer 2.0 in Real Time

The headline of this story focuses on how Obama, in the weeks after the election, nine days before the White House declared the election “free and fair from a cybersecurity perspective,” begged Mark Zuckerberg to take the threat of fake news seriously.

Now huddled in a private room on the sidelines of a meeting of world leaders in Lima, Peru, two months before Trump’s inauguration, Obama made a personal appeal to Zuckerberg to take the threat of fake news and political disinformation seriously. Unless Facebook and the government did more to address the threat, Obama warned, it would only get worse in the next presidential race.

But 26 paragraphs later, WaPo reveals a detail that should totally change the spin of the article: in June, Facebook not only detected APT 28’s involvement in the operation (which I heard at the time), but also informed the FBI about it (which, along with the further details, I didn’t).

It turned out that Facebook, without realizing it, had stumbled into the Russian operation as it was getting underway in June 2016.

At the time, cybersecurity experts at the company were tracking a Russian hacker group known as APT28, or Fancy Bear, which U.S. intelligence officials considered an arm of the Russian military intelligence service, the GRU, according to people familiar with Facebook’s activities.

Members of the Russian hacker group were best known for stealing military plans and data from political targets, so the security experts assumed that they were planning some sort of espionage operation — not a far-reaching disinformation campaign designed to shape the outcome of the U.S. presidential race.

Facebook executives shared with the FBI their suspicions that a Russian espionage operation was in the works, a person familiar with the matter said. An FBI spokesperson had no immediate comment.

Soon thereafter, Facebook’s cyber experts found evidence that members of APT28 were setting up a series of shadowy accounts — including a persona known as Guccifer 2.0 and a Facebook page called DCLeaks — to promote stolen emails and other documents during the presidential race. Facebook officials once again contacted the FBI to share what they had seen.

Like the U.S. government, Facebook didn’t foresee the wave of disinformation that was coming and the political pressure that followed. The company then grappled with a series of hard choices designed to shore up its own systems without impinging on free discourse for its users around the world. [my emphasis]

But the story doesn’t provide the details you would expect from such disclosures.

For example, where did Facebook see Guccifer 2.0? Did Guccifer 2.0 try to set up a Facebook account? Or, as sounds more likely given the description, did he/they use Facebook as a signup for the WordPress site?

More significantly, what did Facebook do with the DC Leaks account, described explicitly?

It seems Facebook identified, and — at least in the DC Leaks case — shut down an APT 28 attempt to use its infrastructure. And it told FBI about it, at a time when the DNC was withholding its server from the FBI.

This puts this passage from Facebook’s April report, which I’ve pointed to repeatedly, in very different context.

Facebook is not in a position to make definitive attribution to the actors sponsoring this activity. It is important to emphasize that this example case comprises only a subset of overall activities tracked and addressed by our organization during this time period; however our data does not contradict the attribution provided by the U.S. Director of National Intelligence in the report dated January 6, 2017.

In other words, Facebook had reached this conclusion back in June 2016, and told FBI about it, twice.

And then what happened?

Again, I’m sympathetic to the urge to blame Facebook for this election. But this article describes Facebook’s heavy-handed efforts to serve as a wing of the government to police terrorist content, without revealing that sometimes Facebook has erred in censoring content that shouldn’t have been. Then, it reveals Facebook reported Guccifer 2.0 and DC Leaks to FBI, twice, with no further description of what FBI did with those leads.

Yet from all that, it headlines Facebook’s insufficient efforts to track down other abuses of the platform.

I’m not sure what the answer is. But it sounds like Facebook was more forthcoming with the FBI about APT 28’s efforts than the DNC was.

Amid Promises to Share Ads with Congress, Some Other Interesting Promises

DC is atwitter with Facebook’s announcement that it can, after all, voluntarily share the same information it shared with Robert Mueller with Congress. As part of that announcement, it released a statement from their General Counsel, a Q&A addressing some of the questions that had been generating bad PR, and some promises of additional things Facebook will do to support democracy from Mark Zuckerberg.

I’m most interested in two details in Zuck’s statement. For example, this paragraph says Facebook will continue to look at what happened closely.

 We will continue our investigation into what happened on Facebook in this election. We may find more, and if we do, we will continue to work with the government. We are looking into foreign actors, including additional Russian groups and other former Soviet states, as well as organizations like the campaigns, to further our understanding of how they used our tools. These investigations will take some time, but we will continue our thorough review. [my emphasis]

While the frenzy responding to this announcement has focused on Russian ads, Zuck just revealed that Facebook is also looking at what the campaigns did.

That would permit Facebook to look for any apparently similar activity from campaigns and Russian actors, as we have reason to believe there was. It also might suggest Facebook is reviewing to see whether Republican dark marketing served to suppress turnout, and if so in coordination with what other actors.

I’d really love to have this information, but note that it is a substantially different thing for Facebook to review Russian actions and for Facebook to review Democratic or Republican actions.

Then there’s the promise to work even more closely with other tech companies.

We will increase sharing of threat information with other tech and security companies. We already share information on bad actors on the internet through programs like ThreatExchange, and now we’re exploring ways we can share more information about anyone attempting to interfere with elections. It is important that tech companies collaborate on this because it’s almost certain that any actor trying to misuse Facebook will also be trying to abuse other internet platforms too.

I think I’m okay with this (and they’re legally permitted to do this in any case). But given my newfound obsession with the fact that with any of these global tech companies, you’re dealing with intelligence resources that might rival nation-state intelligence, I’m interested in Facebook’s efforts to expand the sharing.

Facebook, by itself, may not rival the NSA. But when you put together Facebook, Microsoft, Google, Twitter, and others, then you’re beginning to talk really powerful intelligence capabilities.

It’s good, I suppose, that that much technical power is going to hunt down Russians. But it might be worth pausing to imagine what else they might cooperate to hunt down.