The Washington Post
The Cybersecurity 202

A newsletter briefing on cybersecurity news and policy.

The FBI is spending millions on social media tracking software

Good morning! See any interesting contracting records? Send them my way: aaron.schaffer@washpost.com.

Below: Lawmakers blast a reported review of a major U.S. cyber policy, and crypto scams are multiplying. 

A new FBI contract is raising surveillance concerns

Social media users seemed to foreshadow the Jan. 6 attack on the U.S. Capitol — and the FBI apparently missed it. 

Now, the FBI is doubling down on tracking social media posts, spending millions of dollars on thousands of licenses to powerful social media monitoring technology that privacy and civil liberties advocates say raise serious concerns.

The FBI has contracted for 5,000 licenses to use Babel X, software made by Babel Street that lets users search social media sites within a geographic area and by other parameters.

The contract began March 30 and is worth as much as $27 million. The FBI has already agreed to pay an IT vendor around $5 million for the first year of the contract, procurement records indicate. The contract has not previously been reported.

The Justice Department has previously had Babel X in its arsenal, contracting records show. But the new contract appears to be by far the most the agency has ever shelled out for the software, and is one of the largest contracts for the software by a civilian agency, experts said.

  • “It's both per-year the biggest I'm aware of in terms of obligation, and it's also the fact that it's a five-year contract,” said Jack Poulson, who runs the research advocacy group Tech Inquiry. “So if you combine those two things, it's the biggest Babel Street contract I'm aware of.”

And while it’s not clear what exactly the contract entails, contracting documents provide a blueprint for the FBI’s aspirations for the technology. Babel Street and IT vendor Panamerica Computers didn’t respond to requests for comment about the terms of the contract.

“The FBI uses social media tools to search publicly available information pertinent to predicated investigations in order to identify and respond to threats of violence, acts of terrorism, and potential federal violations within the scope of the FBI’s mission,” the FBI said in a statement after this story was first published.

Political fallout

Social media monitoring is still controversial on Capitol Hill, where the contract could be scrutinized by lawmakers in both parties. Some Democrats are anxious about creeping government surveillance, while Republicans have focused on the idea that the government could be monitoring political speech.

Rep. Jim Jordan (Ohio), top Republican on the House Judiciary Committee, told The Cybersecurity 202 that he’s calling for a briefing by the FBI on the issue. 

  • Jordan said he has “real concerns based on the [FBI’s] history and based on the fact that we don’t know how they’re using it and who they’re going after,” noting that he’d like FBI Director Christopher A. Wray to testify before the committee so he can get answers about the contract, NSO Group’s Pegasus spyware and other issues.

The FBI’s asks

The FBI awarded the contract for 5,000 Babel X licenses after telling contractors it wanted software to “gather information” from “Twitter, Facebook, Instagram, YouTube, LinkedIn, Deep/Dark Web, VK and Telegram.”

  • Also on the list: The FBI listed a slew of “preferable” — but not required — platforms, including 8Kun, Discord, Gab, Parler, Reddit, Snapchat, TikTok and Weibo.
  • Inclusion of conservative-preferred social media networks Gab and Parler on that list could also draw Republican attention on Capitol Hill.

In contracting documents, the FBI estimates that its 5,000 licensees will run around 20,000 keyword searches every month, though it cautioned that that’s “merely an estimate.” (For context, the FBI last year got funding for around 36,000 employees — including around 13,000 special agents and 3,000 intelligence analysts.)

In its contracting documents, the FBI reiterates that it only wants access to publicly available information, “meaning no logins or court orders are required to access them.” Tools searching for such information “provide critical information without being intrusive because the data they return is publicly available,” the FBI said in a document.

Surveillance practices

At first glance, the FBI seems to have a point: Why would it be a privacy violation to analyze and probe information that anyone can see?

But: the FBI will be looking at a vast amount of data as part of the contract, with contracting documents asking for searches and translation abilities in at least seven foreign languages, along with geofencing and even analyzing emotions and sentiments to “be able to determine likely attitudes of the targets.” It also added other features, like emoji searches, “predictive analytics” and bot detection, as being optional but desired.

“Five-thousand licenses for social media monitoring in real time means that thousands of FBI agents will be looking for key words and topics on an ongoing basis with social media surveillance targeting at least eight languages,” said Greg Nojeim, a senior counsel and co-director at the Center for Democracy and Technology’s Security and Surveillance Project. “The risk of misinterpretation is high. So is the risk that an FBI agent who misinterpreted what you said on social media will come knocking on your door.”

“It turns out that people dismissed as paranoid because they thought Big Brother was watching everything they say on social media were not paranoid after all,” Nojeim said.

The efficacy of features that claim to analyze online sentiments is also unclear. “There is little evidence that sentiment analysis which is part of the project is at all accurate,” said Faiza Patel, who co-directs the Brennan Center for Justice’s Liberty and National Security Program.

Concerns

Matt Cagle, a staff attorney at the ACLU of Northern California, said social media surveillance raises civil liberties concerns even if the surveillance is focused on public posts and profiles.

  • “The First Amendment protects online speech, period,” he said. “People should not have to exercise their free speech behind privacy settings in order to avoid being surveilled.”
  • The FBI’s guidelines are “so lax that they permit this social media surveillance even in ‘assessments’ when the FBI lacks the scintilla of evidence of crime that it needs to open a preliminary investigation,” Nojeim said.

The FBI says its “intent is to analyze past events,” although it also wants to continuously run “persistent,” automated searches as often as every eight minutes, the documents show. In the documents, the FBI said a “predictive analytics” feature — to “point toward possible actions of a subject or group” — would be “desirable.”

That’s also cause for concern, Cagle said.

“The government also wants the ability to predict the future based on social media posts — not only is this impossible, in all likelihood it will risk further bias and harm against the same people that the government has historically mislabeled as suspicious, including movement leaders, immigrants and members of religious and ethnic minorities,” he said.

The keys

Lawmakers say Biden shouldn’t mess with policy that gives the Pentagon cyber authorities

The sharply worded letter comes as the White House is reportedly looking into changing the Trump-era policy, which gave the U.S. military the ability to launch some cyber operations without approval from the White House.

In the letter, which was obtained by The Cybersecurity 202, Sen. Angus King (I-Maine) and Rep. Mike Gallagher (R-Wis.) argue that any attempt to change the policy “signals to our adversaries a lack of credible willingness to use offensive cyber capabilities which undermines the credibility of our deterrent.” The National Security Council did not respond to a request for comment on the letter.

Other cybersecurity experts have also weighed in on potential changes to the policy. They disagree on the level of involvement the White House should have in deciding to launch cyber operations, CyberScoop’s Suzanne Smalley reports.

Law enforcement agencies have been slow to investigate cryptocurrency scams

Some victims are organizing themselves after not hearing back from law enforcement agencies about a crypto scam that appears to have snatched more than 5,000 people’s money, Jeremy B. Merrill and Steven Zeitchik report.

“Scams are rapidly multiplying in the lightly regulated province of crypto, experts say, each boosted wallet and disappeared dollar underscoring just how mainstream the thievery has become,” they write. “The Federal Trade Commission estimates that Americans lost $750 million to crypto scams in 2021, and the number could rise this year.”

Social responsibility NGO endorses Meta’s encryption push

The report gives Facebook parent Meta ammunition in its fight to extend end-to-end encryption on its platforms, Joseph Menn reports. When messages are encrypted “end-to-end,” it means they’re indecipherable to everyone except the sender and recipient — including police with a valid warrant. Law enforcement agencies say encryption limits their ability to access important evidence and detect online crimes.

Meta paid for Business for Social Responsibility’s work, but the group has a reputation for independence in its reports. Facebook released the report and its response late Monday after The Post reported on it.

Government scan

State cyber leaders aim for more scrutiny of cloud vendors (StateScoop)

Global cyberspace

German police shut down $1.3 billion illegal darknet firm (Bloomberg)

Top EU court says phone data cannot be held 'indiscriminately' (Reuters)

A ‘bug’ that leaves the data of ultra-Orthodox people exposed has devastating results (Haaretz)

Cyber insecurity

Email marketing giant Mailchimp has confirmed a data breach (TechCrunch)

FIN7 hackers evolve toolset, work with multiple ransomware gangs (Bleeping Computer)

Privacy patch

TikTok’s parent, ByteDance, made fake accounts with content scraped from Instagram and Snapchat, former employees say (BuzzFeed News)

Securing the ballot

Michigan GOP roils as Trump injects 2020 grievances into midterms (Matthew Brown)

On the move

  • Jake Williams has joined SCYTHE as its director of cyberthreat intelligence. Williams previously worked at the National Security Agency and was president of Rendition Infosec.

Daybook

  • Alex Bornyakov, Ukraine’s deputy minister of digital transformation, speaks at a Washington Post Live event on Tuesday at 9 a.m.
  • Gen. Paul Nakasone, who leads U.S. Cyber Command and the National Security Agency, testifies before the Senate Armed Services Committee on Tuesday at 9:30 a.m.
  • The House Homeland Security Committee holds a hearing on securing critical sectors from Russian cyberattacks on Tuesday at 10 a.m.
  • U.S. Naval Seafloor Cable Protection Office Director Catherine Creese and NTIA senior policy adviser Maureen Russell discuss securing Asia’s subsea cables at a Center for Strategic and International Studies event on Tuesday at 1 p.m.
  • The U.S. Election Assistance Commission holds a meeting and vote on Voluntary Voting System Guidelines Lifecycle Policy 1.0 on Tuesday at 2:30 p.m.
  • Rep. Darren Soto (D-Fla.), who co-chairs the Congressional Blockchain Caucus, discusses blockchain security at a Washington Post Live event on Tuesday at 3 p.m.
  • Former president Barack Obama; former Cybersecurity and Infrastructure Security Agency director Chris Krebs; and Reps. Lauren Underwood (D-Ill.) and Adam Kinzinger (R-Ill.) speak at a disinformation conference hosted by the University of Chicago and the Atlantic from Wednesday through Friday.
  • Eric Goldstein, the Cybersecurity and Infrastructure Security Agency’s executive assistant director for cybersecurity, and deputy national cyber director Rob Knake testify before a House Homeland Security Committee panel on Wednesday at 10 a.m.
  • Defense Advanced Research Projects Agency Director Stefanie Tompkins, Defense Innovation Unit Director Michael Brown and Undersecretary of Defense Heidi Shyu testify before a Senate Armed Services Committee panel on Wednesday at 2:30 p.m.

Secure log off

Thanks for reading. See you tomorrow.
