Information collected as we go about our daily lives can be weaponized into influence operations that are harder to detect.
The data we give tech companies when we buy online or like a tweet will soon fuel disinformation campaigns intended to divide Americans or even provoke destructive behavior — and data-privacy legislation isn’t keeping up with the threat, intelligence community veterans, disinformation scholars, and academics warn.
This could bring back the kind of population-scale disinformation campaigns seen during the 2016 presidential election, which led to some reforms by social media giants and aggressive steps by U.S. Cyber Command. The fact that the 2020 election was relatively free of foreign (if not domestic) disinformation may reflect a pause as adversaries shift to subtler manipulation based on personal profiles built up with aggregated data.
As Michal Kosinski and his colleagues argued in this 2013 paper, easily accessible public information such as Facebook Likes “can be used to automatically and accurately predict a range of highly sensitive personal attributes including: sexual orientation, ethnicity, religious and political views, personality traits, intelligence, happiness, use of addictive substances, parental separation, age, and gender.”
It’s the sort of thing that worries Joseph E. Brendler, a civilian consultant who worked with Cyber Command as an Army major general. Brendler discussed his concerns during a Wednesday webinar as part of the AFCEA TechNetCyber conference.
“A dynamic that started with a purely commercial marketplace is producing technologies that can be weaponized and used for the purposes of influencing the people of the United States to do things other than just buy products,” he said. “Activating people who are otherwise just observers to a political phenomenon that’s going on is accomplishing an extreme shift toward greater political activism. Some of that is a good thing. … the extent to which it might produce a violent outcome, it’s a really bad thing. Absent the appropriate forms of regulation, we really have an unregulated arms market here.”
The barely limited collection and aggregation of behavior data from phones, online activities, and even external sensors is no longer just a concern of privacy advocates.
It’s “continuing to raise attention in our community,” said Greg Touhill of cybersecurity consultancy Appgate Federal and a retired Air Force brigadier general.
While national security leaders have struggled—with mixed success—to predict broad social movements based on large volumes of mostly publicly available data, companies have gotten much better at anticipating individual behavior based on data that consumers give away, often without realizing it. A recent paper in Information & Communications Technology Law calls the process digital cloning.
“Digital cloning, regardless of the type, raises issues of consent and privacy violations whenever the data used to create the digital clone are obtained without the informed consent of the owner of the data,” the authors wrote. “The issue only arises when the owner of the data is a human. Data created solely by computers or AI may not raise issues of consent and privacy as long as AI and robots are not deemed to have the same legal rights or philosophical status as persons.”
In essence, if you can create a digital clone of a person, you can much better predict his or her online behavior. That’s a core part of the monetization model of social media companies, but it could become a capability of adversarial states who acquire the same data through third parties. That would enable much more effective disinformation.
A new paper from the Center For European Analysis, or CEPA, also out on Wednesday, observes that while there has been progress against some tactics that adversaries used in 2016, policy responses to the broader threat of micro-targeted disinformation “lag.”
“Social media companies have concentrated on takedowns of inauthentic content,” wrote authors Alina Polyakova and Daniel Fried. “That is a good (and publicly visible) step but does not address deeper issues of content distribution (e.g., micro-targeting), algorithmic bias toward extremes, and lack of transparency. The EU’s own evaluation of the first year of implementation of its Code of Practice concludes that social media companies have not provided independent researchers with data sufficient for them to make independent evaluations of progress against disinformation.”
Polyakova and Fried suggest the U.S. government make several organizational changes to counter foreign disinformation. “While the United States has sometimes acted with strength against purveyors of disinformation, e.g., by indicting IRA-connected individuals, U.S. policy is inconsistent. The U.S. government has no equivalent to the European Commission’s Action Plan Against Disinformation and no corresponding Code of Practice on Disinformation, and there remains no one in the U.S. government in overall charge of disinformation policy; this may reflect the baleful U.S. domestic politics and Trump’s mixed or worse messages on the problem of Russian-origin disinformation.”
But anti-disinformation tools are only part of the answer. The other part is understanding the risks associated with data collection for microtargeting, Georgetown Law professor Marc Groman, a former White House senior advisor for privacy, said on Wednesday’s panel. Neither the government nor the tech industry yet understands the ramifications of aggregate data collection, even when it’s lawful.
“We don’t even have norms around this yet,” Groman said. “What we need is a comprehensive approach to risk” generated by data. What’s needed, he said, is to look at the process of data throughout that whole lifecycle of data governance.