Malware Suggests Search Plays a Major Role in Piracy

Copyright holders have long insisted that search results play a substantial role in driving users toward pirate sites.  Google and piracy advocates have generally countered that search does not drive much traffic to illegal sites because the people who consistently use infringing sites know what they’re doing and will go directly to the content they’re seeking.  This is a reasonable assumption to make about the population of committed infringers out there, but one fact that refutes this premise is the extraordinary volume of malware (a 1-in-3 chance) on infringing sites, because malware isn’t there to catch the experienced visitor—it’s there to catch the unsuspecting individuals who may not even realize they’re using illegal sites when they first visit.

For those who don’t know how it works, it goes like this:  A user is interested in watching Moonlight.  If he types “Moonlight” into Google Search, the second-tier results will be links that read “Watch Moonlight Online for Free,” all of which are directed to infringing sites.  If the user actually types “Watch Moonlight” into the search field, then the first-tier results will be infringing links. And quite often, Google will automatically suggest words that prompt the user toward an infringing site. For instance, if the user logically adds the word “movie” (because moonlight is a word and not just a title), then Google will complete the thought with “online,” which then yields top results with links to “watch moonlight movie online” via an infringing site.

Google and the piracy apologists are almost certainly correct that many avid visitors to infringing sites are fairly sophisticated users; they have VPNs, ad-blockers, security software, etc. to avoid detection and malware.  But if these were the only kind of visitors landing on these sites, then the underground market in malware-based trade would not be nearly so robust as it is.

As described in this 2015 post about a report called Digital Bait, commissioned by Digital Citizens Alliance and conducted by RiskIQ, a sophisticated “crimeware economy” exists on the Darknet, where criminals buy and sell goods and services used exclusively for preying on users. To use a blunt example, if a teenage girl visits an infringing site, she has up to a 30% chance of contracting malware. That malware may be a Remote Access Trojan (RAT), which gives fairly unsophisticated hackers control of her computer, including her webcam.  Then, her IP address may be sold in this black market to people who want to spy on teenage girls in their bedrooms. In many cases, a user doesn’t even have to consume the infringing content in order to infect a device. The promise of “free content” may draw the user into a dead-end malware trap.

If all traffic to pirate sites truly comprised only the knowledgeable users, then the criminals would not have a financial incentive to deploy so much malware on sites that infringe, or promise to infringe, copyrighted content.  The very existence of prevalent malware is an indication that a substantial number of users who have no idea what they’re doing are visiting these sites, which logically leads to the conclusion that search must play a significant role in driving users toward these sites and into the hands of criminals.

Notice that, in this context, we don’t even need to address the subject of copyright infringement, let alone get bogged down in all the tedious rhetoric about free speech.  If Google’s top search results are indeed putting users in harm’s way, this is a consumer protection issue for the Fair Trade Administration and/or State Attorneys General.  And, in fact, Digital Citizens Alliance, after releasing its 2016 report Enabling Malware, began presenting its findings to the AGs.

Yes, it is likely true that once a user—even a fairly unsophisticated teenager—is aware of sites where free content is available, he will probably revisit those sites directly without going through a search engine. But even this kind of anecdotal assumption does not mean the role of search is insignificant, not least because the illegal nature of pirate sites means that they have a tendency to disappear and reappear as authorities in various regions shut them down.  A 2013 study indicated that 19% of the traffic to infringing sites could be directly attributable to search, and if that number were wrong by half, it would still represent billions of visits per year.

Consumers have a right to know the nature of their vulnerabilities when using any product or service, and they have a right to demand that U.S. companies take every reasonable step to mitigate exposure to risk.  To date, Google has refused to take even the obvious step of demoting known infringing sites in their search results, let alone to alter the way in which auto-complete may drive consumers toward these sites.

Google does now feature the legal channels for consuming media, including their own services like YouTube and Google Play, which is a good step but not likely sufficient to protect consumers as hackers become more sophisticated and more ambitious.  In fact, one likely consequence of advertisers becoming more effective at keeping their brands off pirate sites is that the criminals will depend more on the “crimeware economy” to make money through infringing content as a means to deliver malware.

Google is getting a lot of pushback lately—from the EU’s anti-trust decision, from the advertisers, and from the Canadian Supreme Court this week in the Equustek case. (More on that shortly.)  I would not be surprised if the State AGs and other consumer-protection agencies begin to take a more active interest in the relationship between search, piracy, and malware.

DCA Report: Users Demand Some Accountability For Platforms

On December 31, 2016, in a post called The Morning After or Social Media is a Humbug, I wondered whether or not 2017 would be the year when users, advertisers, and even the major web platforms would begin to demand more accountability online and move away from the general belief that a laissez-faire approach to all internet governance was universally beneficial.

After the election, many citizens woke up to the reality of fake news and consequently reaffirmed some faith in traditional journalism with an immediate spike in subscriptions. In March, we saw major brand advertisers threaten to boycott Google if the search and ad giant did not figure out how to keep brand ads away from toxic content like terrorist propaganda videos.  And this morning, Digital Citizens Alliance released a new report, Trouble in Our Digital Midst, indicating that a majority of Americans may be losing trust in the internet as a source of reliable information and as a secure environment.

Building on past studies, like the overall proliferation of malware on pirate sites and trojan horse viruses used to prey on minors, DCA’s 2017 poll comprising 1,240 respondents indicates that approximately 60% of Americans currently favor the web companies taking more responsibility for the manner in which their platforms are used.  Just a few years ago, it seemed that people largely accepted the premise that online platforms should remain neutral on the assumption that it was better to allow a few bad actors to slip through the net than to risk “stifling the speech” of innocent parties. But as the potential toxicity of fake news, malware scams, terrorist propaganda, and major online hacks have become more common and high-profile, that mood appears to be shifting.

In addition to sharing its findings, the DCA compliments major players like Google and Facebook for at least altering their standard response to the ills of bad actors …

“… digital platforms over the last year have shown a new willingness to intervene, impact, or even alter the content on their platforms on issues of national importance. Given that they have opened the door, they must take a fresh and holistic look at all illicit goods, services, content, and behavior on their platforms. The response, ‘we’re just a platform,’ clearly is not the answer in response to the Fake News problem and objectionable content that has brand name advertising imprinted upon it, and it shouldn’t be the answer when it comes to stolen credit cards, counterfeit goods, illicit drugs or pirated movies, TV shows and music, or the violation of our young.” 

This new report notes that 2017 was the first time the Federal Trade Commission issued a consumer warning about the increased likelihood that visiting pirate sites will expose users to malware attacks, leaving them vulnerable to ransom demands, identity theft, and computer slaving that preys on kids by exploiting their webcams and microphones. DCA also reminds readers of the 2015 research by RiskIQ, which found that on the dark web, where hackers pay pirate site owners to distribute malware, that business was over $70 million a year at the time of the study.  “Take a moment to think about that – if hackers are paying content theft websites $70 million to drop malware on their sites that infect visitor computers, how much are they making?” asks the report.

DCA proposes what it calls a “neighborhood watch” approach to address these growing problems with a new mindset.  Primarily, this would involve the major platforms doing a better job of sharing information with one another regarding bad actors the same way retailers and other industry competitors do for the overall health of their markets. “While digital platforms collaborate on policy and technical issues, there is no evidence that they are sharing information about the bad actors themselves. That enables criminals and bad actors to move seamlessly from platform to platform,” the report states.

I’m not surprised to see Google and Facebook change their tune at least a little bit this year.  The threat of boycott by the advertisers who pay the bills was sure to get a response, as would the prospect of shedding users who may become disenchanted with Facebook if it were overwhelmed by fake news, trolls, and psychos who share live video of murder.  The DCA acknowledges the fact that it is a major challenge to weed out hackers, counterfeiters, pirates, and violent extremists from using the internet as a base of operations without harming the free-flow of interaction for the rest of us.  Still, it is at least a step in the right direction if users are indeed beginning to understand that no community–perhaps least of all a virtual one–thrives without reasonable boundaries to protect safety and fair trade.

DCA’s New Report on Enabling Malware

Andrew Orlowski reports at The Register that last week Google quietly suspended its legal action to “muzzle” an investigation by Mississippi Attorney General Hood into whether or not the search giant was abiding by the terms of its 2012, non-prosecutorial settlement with the government over illegal online sales of prescription drugs.  Any explanation of Google’s change in strategy or the future of that investigation are subjects for another day.  But the fact that AG Hood was ultimately not stymied—either by litigation or by a brazen attempt in the State House of Representatives to legislatively tie his hands—is probably good news for American consumers because State Attorneys General “often act as the de facto consumer protection arm in their respective states,” notes a new report published yesterday by Digital Citizens Alliance.

Following up on its December report, which presented a look into the scope of the malware hazard for consumers who visit content-theft sites, DCA and RiskIQ have again collaborated to begin looking at the hosting services that either inadvertently or knowingly support illegal sites, which then endanger consumers.  The hosting services in this regard are particularly relevant because they are not shadowy operators based in hard-to-reach geographies but are legal corporations with offices in the United States.  As such, the news that Google will now look to “cooperate with AG Hood” rather than remain on the offensive comes at a good moment for consumers.  This is because DCA notes that state AGs will be the first authorities who may choose to investigate US-operating hosting services to determine their role in fostering the dissemination of malware.

The December report called Digital Bait revealed the likelihood (about 30% in some cases) that users of content theft sites would infect their devices with malware, and the report also identified the various types of malware being deployed in order to steal information and/or assets from consumers.  Digital Bait also presented a glimpse into the dark web-based economy where criminals engage in transactions like selling the IP addresses of a girl’s computer or even a cybercriminal paying content-theft site owners to deliberately host malware on their sites.  The report contains some eye-opening statistics like the one from the DOJ, which states that 16.2 million American consumers have been victims of identity theft, incurring financial losses of more than $24.7 billion.

The report released yesterday, Enabling Malware, looks at two hosting companies, each of which responded very differently when DCA contacted them with their findings.  The first was CloudFlare, which is “known for its willingness to support, or at least overlook, illicit activities,” the report states.  CloudFlare is a hosting service that is specifically designed to mask the identity of site owners and of the true hosting site of any content, whether the content is legal or not.  The site’s blog reads, “Signing up for CloudFlare is like taking your number out of the phone book, and putting in CloudFlare’s number under your name.”

This type of service can be (and is) used by journalists or bloggers operating in locations with authoritarian governments or other hazards to free speech and reportage.  But it is also a natural hosting choice for content-theft site owners, thus earning the service the nickname “CrimeFlare” among cyber-security experts. DCA contacted CloudFlare with regard to its hosting sites like Putlocker and Animex, both of which were identified in the Digital Bait report as delivering malware to users.  CloudFlare did not respond until a day or two before the release of this new report and wrote the following:

“CloudFlare’s service protects and accelerates websites and applications. Because CloudFlare is not a host, we cannot control or remove customer content from the Internet. CloudFlare leaves the removal of online content to law enforcement agencies and complies with any legal requests made by the authorities. If we believe that one of our customers’ websites is distributing malware, CloudFlare will post an interstitial page that warns site visitors and asks them if they would like to proceed despite the warning. This practice follows established industry norms.”

In other words, CloudFlare is not going to do anything unless authorities make them.

The other hosting service DCA and RiskIQ looked at was HawkHost, whose support includes watchfreemoviesonline.top, which was found to have a 32% malware exposure rate in the research conducted for the Digital Bait report. When DCA contacted HawkHost, the company’s response was very different from CloudFlare’s, stating that the sites identified by DCA would be taken down because they “clearly violate our TOS/AUP,” according to CTO Cody Robertson. Additionally, executives at HawkHost have agreed to meet with DCA to discuss findings linking malware with content theft sites and to look for ways to better protect consumers.  DCA commends HawkHost, stating that they find the company’s response “an encouraging sign.”

DCA and RiskIQ will continue to study the link between content-theft sites and malware, as well as the legal hosting services that operate in the United States, which may be supporting malware-infested sites. These findings will be presented to State Attorneys General, who then have the authority to investigate the extent to which a particular hosting service may or may not be willfully turning a blind eye to illegal enterprise that is directly harming American consumers.  So, as mentioned, beyond any implications regarding the Google investigation itself, last week’s affirmation of AG Hood’s authority in that case is likely a good sign for protecting consumers in general from the chronic I-Didn’t-Know-Defense too-often employed by various OSPs.