A research group affiliated with NATO conducted an interesting study recently. Acting on behalf of the military, the NATO StratCom Center of Excellence red-teamed military personnel in an effort to see if the study could answer three questions:
- What can we find out about a military exercise just from open source data?
- What can we find out about the participants from open source data?
- And, can we use all this data to influence the participants’ behaviors against their given orders?
The answer to all three of the questions was yes.
While the experiment was conducted on Facebook, merely not having a Facebook page isn’t enough to keep you safe. From the report:
We have reached a point where it is no longer possible to have a complete overview of the data we use and generate. The number of data points available on any one individual cannot be counted, as they are created and re-created non-stop. Public government data, social media data, and commercial data, together with data aggregated and inferred from these records, create enormous amounts of data with unimaginable scope. This does not mean that comprehensive data is available about every individual, but it does mean that ad targeting is gradually becoming more and more precise, creating unprecedented possibilities for the use and abuse of data.
Oh, and that’s not all. In case you were shrugging about the idea of targeted ads, here’s some more information to chew on:
Although many know that their online presence leaves many digital traces, far fewer are aware that by using various combinations of data (such as calls, SMS, Bluetooth, and app usage) researchers have been able to predict users’ ‘Big Five’ personality traits (openness, conscientiousness, extraversion, agreeableness, neuroticism) to model personality/psychopathology. Indeed, knowledge of any four apps installed on a person’s smartphone has proven enough to identify 95% of users in a given data set.
As we discuss in the Anti-Infiltration Class, being able to understand someone’s motivating factors and see how their need for validation manifests gives you a perfect avenue of approach for manipulation. So what if you don’t have a Facebook or Twitter account? What about the following list of data sources?
- Pinterest account
- Browser favorites or bookmarks
- Websites visited
- Books purchased online or elsewhere
- Any purchases made with a debit card, credit card, or online method such as PayPal
- Grocery store loyalty/discount card
- Money-saving apps like Ibotta, Checkout 51, etc. (which basically pay you for copies of your grocery receipts)
The list goes on for infinity. Nearly every single thing you do in the course of a day offers data, and there’s a way to collect it. In many cases people offer that data freely, or agree to be paid for it. What’s the big deal, though? You’ll hear people say it doesn’t matter if the government or third-party companies want to know the intimate details of your life because you’re so boring. Here’s just a sampling of how all that data can affect you.
- Prevent a person from securing a loan
- Keep them from getting a security clearance
- Cause a company to make poor decisions
- Create conditions and even vulnerabilities
- Steer public opinion about an individual, belief, or movement
- Steer the decision-making process of the individual themselves
- Discover and exploit existing vulnerabilities
- Affect or even end employment
You see, no matter who you are, you aren’t boring. Not to the data machines. You’re a product; every scrap of information you have or are or will become is still valuable. You may think, for instance, “so what if they know what games I play on my phone or computer?” but in reality, those games show a great deal about you. What kinds of games do you like? How fast can you complete them? Are you a word puzzle fanatic? Do you prefer brain teasers? Are you the kind of person who wants the mindless entertainment? What about the simulation games: are you demonstrating an aptitude for specific skill sets?
There’s another tidbit to this report that should give you pause if you’re one of those people who has “separate” areas for your friends, family, and public face. If you think that someone cannot figure out who your employer is from your social media account, you’re incorrect. If you think that you can have a specific persona for the public and another for your friends on social media simply by controlling the post privacy settings, you’re also incorrect.
The privacy features and settings of social media platforms cannot be trusted not to leak information to other layers of the social media platform.
The researchers were able to map out entire units simply by knowing the name of one member.
What makes the NATO study so fascinating isn’t the conclusion of how your data can be used; that’s all old news if you even remotely pay attention. It’s that military personnel, who theoretically know better, are so easily manipulated.
Our experiment showed that, at the current level of information security, an adversary is able to collect a significant amount of personal data on soldiers participating in a military exercise, and that this data can be used to target messages with precision, successfully influencing members of the target audience to carry out desired behaviors.
How much easier is it to get information from Joe Public?