Tales from Stasiland: The Internet Vigilantes
Champions of liberal democracy were quick to celebrate the information revolution. Authoritarian societies thrive on isolation, secrecy, and manipulation of information, they reminded us, but the global technology revolution will frustrate plans to control the free flow of information.
In fact, of course, things are far more complex. On the one hand, networking technologies like Twitter helped fuel the Green Revolution in Iran, and recent stories out of Saudi Arabia and the United Arab Emirates demonstrate how technology can challenge even wealthy and sophisticated authoritarian states. On the other hand, modern information and networking technologies can easily be used just the way George Orwell envisioned they would be: to spy on people almost effortlessly, in ways that can hardly be detected. Congress has laid down clear restrictions on the government’s ability to collect data, but what if viligantes were to collect the data and then just spontaneously share it with the intelligence community?
Consider the Internet organization called Project Vigilant, which appears to have played a role in identifying the transmissions to WikiLeaks of the documents now known as the Afghan War Diary. Robert McMillan at Computerworld reports on the curious remarks delivered at a public conference by Chet Uber, who claims that he convinced hacker Adrian Lamo to denounce Bradley Manning to the intelligence establishment.
“I used my connections to make sure that the three-letter agencies knew about it,” said Uber, who directs Project Vigilant, a volunteer-run effort to dig up intelligence on “bad actors,” such as terrorists and drug cartels. Lamo has worked as a volunteer with the group since 2009, providing “adversary characterization,” which helps its members understand the different types of computer intruders that they may be dealing with.
Evidently the “bad actors” that Project Vigilant targets include not just terrorists and drug cartels but also government whistleblowers seeking to expose some potentially embarrassing conduct of the nation’s intelligence community.
What is Project Vigilant? Its website provides no meaningful information, operating instead as a sort of piece of flypaper trying to collect information from others. In an article at Forbes, Andy Greenberg states that the organization is run by Mr. Uber and is based in Ft. Pierce, Florida. It “monitors the traffic of 12 regional Internet service providers,” he writes, passing the information it collects on to “government agencies.” In an interview with Greenberg, Uber makes clear that he “pressured” Lamo to turn Manning into the federal authorities, apparently telling him that he faced criminal culpability unless he did so. That legal advice is certainly incompetent, but then, Uber was probably just passing on the message that his friends at the three-letter agencies asked him to pass along.
The San Francisco Examiner recently looked into this organization, which has been operating in relative obscurity for a decade, and finds that its membership consists largely of government contractors:
Many of them are very recognizable names in technology circles, yet their public profiles, posted for all to see on sites such as LinkedIn, Facebook and even their own webpages, omit any reference to Project Vigilant. As one source explained, “These are known names in the industry, but they have stayed under the radar to help their law enforcement clients.”
Take Mark Rasch, Project Vigilant’s General Counsel. Rasch has been a guest on numerous TV programs, including the PBS program “Charlie Rose,” and is frequently quoted in the press on a variety of Internet crime matters. For over 9 years, Rasch led the Department of Justice computer crime unit. He’s been associated with Project Vigilant for approximately 18 months. “It’s an exciting concept,” said Rasch. “We are using our unique talents to collect information about threats and vulnerabilities, but we will not do things that violate the law.” Chet Uber, the group’s current director, is a founding member of InfraGard (a partnership between the FBI and the private sector) and a longtime participant in AFCEA (Armed Forces Communications and Electronics Association). He is considered by many to be one of the country’s leading experts in “attack attribution,” the complex ways in which computer code and the people behind it who create malicious attacks on the Internet can be tracked and identified. He’s frustrated by what he sees as a lack of security awareness on the part of computer users as the Internet has grown. “We wish people would quit leaking private matters because it’s making the country vulnerable,” said Uber.
One of Uber’s top lieutenants is Kevin Manson, who serves as Project Vigilant’s liaison with state and federal law enforcement groups. Manson recently retired after many years as the Senior Instructor at the Federal Law Enforcement Training Center, under the Department of Homeland Security. He also is a co-founder of Cybercop, a web portal used for the confidential exchange of information between groups such as Project Vigilant and authorities within the U.S. government.
Why would a group of intelligence community contractors with tight connections to the intelligence community be out there sifting through various ISPs to prepare reports to be turned over to the government? Glenn Greenwald speculates that this is an elaborate effort to overcome limitations on government snooping:
There are serious obstacles that impede the Government’s ability to create these electronic dossiers themselves. It requires both huge resources and expertise. Various statutes enacted in the mid-1970s — such as the Privacy Act of 1974 — impose transparency requirements and other forms of accountability on programs whereby the Government collects data on citizens. And the fact that much of the data about you ends up in the hands of private corporations can create further obstacles, because the tools which the Government has to compel private companies to turn over this information is limited (the fact that the FBI is sometimes unable to obtain your “transactional” Internet data without a court order — i.e., whom you email, who emails you, what Google searches you enter, and what websites you visit –is what has caused the Obama administration to demand that Congress amend the Patriot Act to vest them with the power to obtain all of that with no judicial supervision).
But the emergence of a private market that sells this data to the Government (or, in the case of Project Vigilance, is funded in order to hand it over voluntarily) has eliminated those obstacles. As a result, the Government is able to circumvent the legal and logistical restrictions on maintaining vast dossiers on citizens, and is doing exactly that. While advertisers really only care about your online profile (IP address) in order to assess what you do and who you are, the Government wants your online activities linked to your actual name and other identifying information. As Calabrese put it: “it’s becoming incredibly easy for these companies to link your IP information to who you really are, by, for example, tracing it to your Facebook page or other footprints you leave with your identifying information.” As but one example, The Washington Post recently began automatically linking any visitors — without their knowledge or consent — to their logged-in Facebook page. The information turned over to the Government is now easily linkable — and usually linked — to the citizens’ actual identity.
This analysis seems astute. It makes sense to view Project Vigilant as an extension of the national-security state, crafted with plausible “private sector” autonomy to overcome pesky legal restrictions. So remember: next time you get a prompt from Facebook or Linked-In for more information about yourself, Project Vigilant may be there eagerly watching what you type in. If you decide to blow the whistle on some serious misconduct by a government official by sending a message to your congressman or your local newspaper, they may be monitoring that closely too.