Social giants must do more to stop intelligence 'scraping'
by Paul Smith
The former National Cyber Security Adviser and leading privacy experts have rounded on social media platforms including Facebook, Twitter and LinkedIn for failing to do enough to prevent mass intelligence gathering about influential Australian citizens by Chinese operatives, as the tech giants defended their efforts.
Former head of the Australian Cyber Security Centre Alastair MacGibbon, who was the most senior cyber adviser to Malcolm Turnbull as prime minister and is now chief strategy officer at the country's largest security services company CyberCX, said revelations in The Australian Financial Review on Monday were significant in showing how US-based tech platforms were being weaponised by China to sow dissent in the West.
The report detailed how a Chinese military contractor, Zhenhua Data, was able to pull together profiles of more than 35,000 Australians it believed to be influential, with plans to use the knowledge to cause civil unrest in the West via social media posts.
While most of the data gleaned by Zhenhua comes from publicly available posts, the process of "scraping" the relevant posts from among millions on the sites is supposedly against the terms of use on the platforms.
"Global tech companies that have had their genesis in the West have taken a view for a long time that they are somehow above any form of geopolitical partisan politics, in the sense like they are Nirvana," Mr MacGibbon said.
"They have thumbed their nose at actually protecting the very societies that grew them, that fuelled them and gave them their extraordinary strength.
"Of course they can do more to prevent scraping, they have just never seen it as core to their business. But I believe that it's an obligation upon their part to get smarter and better at preventing the data that's in their systems from being misused."
Mr MacGibbon said China was seeking to disrupt Western democracies in the same way as Russia in the 2016 US presidential election, and observed that Facebook in particular had been dragged kicking and screaming into recognising its responsibilities to protect the fabric of society.
He said high-profile Australians such as Atlassian founder Mike Cannon-Brookes were entitled in a democracy to express their views on social media without being compromised, but platforms were not doing enough to enable that.
He said Twitter and Facebook still routinely accepted advertising dollars from scammers, who used the images and reputations of high-profile figures to promote phoney products, and had created an environment where operations such as Zhenhua could thrive.
"If the Financial Review was taking ad space from criminals, you wouldn't last long, but these sites allow criminals to use other people's brands and information to peddle crime to unsuspecting people. They need to do more on things like that, like they need to do more to prevent scraping, there's no doubt," Mr MacGibbon said.
"Mike Cannon-Brookes should have a profile. I mean, he's entitled to have one ... But individuals need to make sure that they understand how the information they're giving, which is sometimes innocuous, can be used against them and against society more broadly.
"He has strong views that can run counter to the establishment and you could see why a country like China or Russia or North Korea, who don't have our interests at heart, could try to be quite divisive, and misuse Cannon-Brookes as a vehicle. He is now in a situation where he needs to be able to make sure that when his views are being misused that he jumps in very quickly and says 'Actually, that's not me.'"
Bans for Zhenhua
A Facebook spokesperson said the scraping of public data off its pages by Zhenhua was against its policies, and it was now banned from accessing the platform.
"Even public data shouldn't be collected in this way. We have banned Zhenhua Data Technology from our platform and sent a cease and desist letter ordering them to stop," the spokesperson said.
A spokesperson for Microsoft-owned LinkedIn said it would also take action after the stories of Chinese scraping emerged.
The spokesperson said LinkedIn was committed to keeping its platform safe, trusted and professional, and to keeping its members' information safe and secure.
"We do not permit the use of any software that scrapes or copies information from LinkedIn under our user agreement ... We have technical measures and defences in place to protect against the use of any such tools on our platform and are constantly working to improve them," the spokesperson said.
"If any violation of our user agreement is uncovered or reported, we investigate and take necessary steps to protect our members' information."
Twitter declined to comment on the actions of the Chinese company, or discuss what it does to try to prevent people from scraping data from public profiles, or whether there was more it should do to prevent intelligence gathering.
A spokesperson sent a generic statement saying it had rules in place to address users' privacy.
"Twitter takes privacy seriously, and we expect everyone using Twitter content and the Twitter API to do the same. Any use of the Twitter developer platform, Twitter API, or Twitter content in a manner that is inconsistent with peoples' reasonable expectations of privacy may be subject to enforcement action, which can include suspension and termination of API and Twitter Content access," the statement said.
Australian Information and Privacy Commissioner Angelene Falk said the scraping of personal information on a large scale from social media sites, and subsequent matching and combining of different data sets, raised privacy concerns.
The Office of the Australian Information Commissioner and the UK's Information Commissioner's Office are investigating the personal information handling practices of controversial tech company Clearview AI, focusing on the company's use of "scraped" data and biometrics of individuals.
Ms Falk suggested social media platforms were failing in their responsibilities under the Privacy Act to prevent the misuse of their users' information.
"If a social media company covered by Australian privacy law discloses personal information for a purpose other than the primary purpose of collection, it may only do so with consent unless an exception applies," Ms Falk said.
"It must also take reasonable steps to protect the personal information it holds from unauthorised access, modification or disclosure ... Social media companies should implement measures to detect unauthorised web scraping and take steps to enforce non-compliance with their policies."
Chris Cooper, executive director of Responsible Technology Australia, an activist group seeking to rein in the excesses of big tech, said regulation might be needed to ensure the tech platforms took the threat of China's misinformation seriously.
"We need to rein in the weapons these bad actors are using in their disinformation campaigns. To date we haven't seen the social media platforms particularly exercised about how malicious actors are weaponising their technology to run vast disinformation campaigns," he said.
"Facebook, Google and their ilk see no difference between legitimate and harmful content – to them it's just advertising revenue. So we need greater oversight and regulation over how disinformation is monetised, so that platforms are discouraged from it."
He said Australians needed better data rights to restrict access to the ammunition for bad online actors, meaning the ubiquitous surveillance and the selling of insights to personal data on every user, including young people, must end.
"The detailed character profiles bad actors create from scraped personal data is the ammunition used in co-ordinated disinformation campaigns," Mr Cooper said.
"While we can't prevent foreign or domestic forces from trying to manipulate our society, we can restrict their access to the social media platforms that they weaponise to sow division and undermine Australian democracy."
Vice-chairman of the Australian Privacy Foundation Roger Clarke said successive governments had permitted ever wider access to personal data held by both governments and corporations, so he viewed it as no surprise the personal-dossier industry was now vastly larger than when it was primarily the business of credit agencies and consumer databases.
"The abuses that social media operators have been permitted to perpetrate have added massively to the pool," he said.