Tag: piracy

Pass the TikTok Legislation. And then…

TikTok legislation

“At what point then is the approach of danger to be expected? I answer, if it ever reach us, it must spring up amongst us. It cannot come from abroad. If destruction be our lot, we must ourselves be its author and finisher. As a nation of freemen, we must live through all time, or die by suicide.” – Abraham Lincoln, The Lyceum Address, 1838 –

Lincoln’s famous observation that only Americans can truly destroy America speaks to the fragility of the Republic, which the founders knew could only endure so long as the people generally keep faith with certain core principles. Watching those principles assaulted by a far-right populism, which has presently swallowed the Republican Party, it is natural to read Lincoln as prophetic, and it is hard to imagine any foreign influence being more dangerous. On the other hand, when Lincoln said, “It cannot come from abroad,” he could hardly have imagined a time when 170 million young Americans would carry a pocket surveillance device loaded with software under the control of a foreign adversary.

Following the 362-55 vote by the House to force TikTok to divest itself of all ties to the Chinese Communist Party (CCP), opinions about the bill question both its necessity and viability—though not with good reason. Although rashly described as a “ban,” the effect of H.R. 7521 would force a sale of the platform by parent company ByteDance to an owner without ties to the CCP. To that end, I agree with independent musician Blake Morgan. who endorses the TikTok legislation, both as a national security and anti-piracy measure. In an editorial for IP Watchdog, Morgan writes:

The vast majority of music on TikTok generates virtually no revenue for the musicians who made it, and even more music on the platform is completely unlicensed (stolen), copied (stolen via AI), or pirated (stolen). Simply put, TikTok is trying to build a music-based business without paying music makers fair value for the music. That’s why Universal Music Group has already pulled out of TikTok. That’s why the National Music Publishers’ Association has already announced it won’t renew its license with the company. So, TikTok poses “a clear and present danger” to American music, too.

The music piracy alone is reason to force the platform to operate within the reach of U.S. law, but with regard to the national security threat, it is notable that unless one is in the intelligence community, or a Member of Congress receiving a security briefing, we are left to rely upon one of those core principles, which have been eroded by social media in general:  trust. I do not endorse the Whatabouist’s view that just because TikTok is not alone in causing havoc that this legislation is moot, but the story does highlight those hazards of social media that make it difficult to convince many Americans that TikTok is a threat of any kind.

Joseph V. Amodio, writing for Tanium, states that TikTok is distinguishable from other platforms thus:

TikTok stands out in its power to manipulate: While videos from any app can go viral, TikTok’s infection ability is unique, given the practice of “heating,”  where TikTok staff can supercharge distribution of hand-picked videos. This has huge implications for fair competition and free trade. Just imagine how they can siphon profits by amplifying your competitors’ posts or cooling down your own viral campaigns.

Whether the goal of data manipulation is to pull the levers on enterprise, as Amodio indicates, or to influence young voters on policy matters, how does one convince nearly 200 million 18 – 29-year-olds that said manipulation is both occurring and should be seen as an attack? If an act of cyberwarfare entails hacking the Pentagon or shutting down part of the power grid, enough Americans can probably recognize such events as attacks in a traditional sense. Likewise, the prospect of malicious software injected into millions of mobile devices might be understood as a threat.

But what if the weapon is an insidious propaganda tool used to manipulate the opinions of millions of citizens? Who is going to be trusted to identify that as a sustained attack on the United States? Some portion of the TikTok demographic will not believe that China (or Russia) is an adversary in the first place, which is arguably evidence itself of social media’s power to influence.

Even if the delivery platform is owned by Meta serving “ads” purchased by foreign operatives with the same objective to sow discord, no individual wants to believe he’s being manipulated. More complexly, even if one tries to apply critical thinking, the effort itself is often countered by teams of data manipulators flooding the zone—i.e. the illusion of more “information” tilting bias in one direction or another. This was true before parties like China and Russia upped their cyber game and before they could add artificial intelligence to the toolset.

As a practical example at the heart of the TikTok story, how does the moderate, who would rather not hyper-politicize national security, take the contemporary Republican seriously in his professed opposition to TikTok’s capacity to “manipulate” Americans? For instance, Rep. Ralph Norman of South Carolina writes, “…if you’ve spent 5 minutes exploring TikTok, you should have recognized the addictive nature of this platform. It is designed for one purpose: to control your attention. Their algorithm quickly figures out what kind of videos you’re likely to watch, and then feed you similar videos to keep you fixated.”

Fine. But one could swap “TikTok for “Trump” and make the same general argument, including that his self-interested rhetoric about NATO, disrespect for the Constitution, etc. all comprise a threat to national security. What would Lincoln say to his legacy party about this tangled interplay between foreign and domestic forces, both hostile to American interests, and both weaponizing disinformation through addictive and manipulative platforms?

In this context, it is important to note that Trumpism is a symptom of populism—a trend that is no less prevalent on the left than on the right, perhaps especially among 18 – 29-year-olds. The difference, for the moment, is that the left has not found its own cult-like figure, who might also undermine core principles, albeit in a different style than Trump. The rise in populism in the U.S. and other democracies is a direct result of social media’s nature to factionalize hearts and minds, which is precisely what a foreign adversary wants to achieve. TikTok may be a shrewdly named time-bomb delivered to over half the U.S. population and, as such, should be diffused. But assuming that task can be accomplished, the existential question remains as to whether we can quarantine the most virulent effects of all social platforms or “die by suicide.”

DCA Reports High Incidence of Credit Card Fraud on Pirate Sites

Digital Citizens Alliance (DCA) released a new report yesterday with the eye-popping statistic that 72% of Americans who subscribe to pirate media sites experience incidences of credit card fraud compared to 18% prevalence of credit card fraud among those who do not subscribe to pirate sites. These data are based on a survey of 2,030 Americans, of which 1 in 3 reported watching some pirated content in the last year, and 1 in 10 reported subscribing to a pirate streaming service. The report titled Giving Pirate Site Operators Credit states …

… piracy was once primarily a headache for content creators, users of these sites now face significant risks. Piracy subscription services make an estimated $1 billion a year providing services to at least nine million U.S. households.

DCA’s findings indicate that around 6.5 million Americans who choose to access movies, TV shows, and games in this black market, have been targeted for credit card fraud as a direct result of their subscriptions. And although I say the stat is “eye-popping,” given the environment we’re talking about, perhaps the real surprise is that the rate of unauthorized credit card charges in this network isn’t closer to 100%. After all, it’s one thing when hackers steal credit card data from legit retailers et al., but subscribing to a pirate site is cutting out the middleman and giving credit card info directly to a network of hackers.

The shift to high-quality streaming a little over ten years ago created an opportunity for pirates to launch new platforms offering low-price subscriptions to “everything” because, of course, none of the material they’re streaming is legally obtained but is stored on pirate servers around the world. Just as other DCA reports have shown that among the hidden costs of this all-you-can-eat offer is a high probability of infection with life-altering malware, the likelihood of unauthorized charges to a credit card is apparently even greater. “Combined with our previous research highlighting the risks associated with free piracy apps and services, the situation becomes even clearer. The pursuit of pirated content is an inherently risky behavior that threatens the devices, wallets, and privacy of consumers,” says DCA executive director Tom Galvin in a press release accompanying the new study.

DCA Research Subscriptions Trigger Fraud Within Eleven Days

Prior to conducting its survey of American consumers, DCA researchers subscribed to 20 pirate sites using a new credit card obtained for the experiment. In less than two weeks, the fraudulent charges began to appear from China, Singapore, Hong Kong, and Lithuania, and within three-months, DCA’s card was targeted with $1,495 in executed and attempted unauthorized transactions. The largest attempted transaction was $850, which was stopped by fraud protection, and the largest approved charge was $244.78. Given the implied cost to credit card services to provide protection against such transactions, DCA’s first recommended remedy—that the payment processors terminate relationships with known pirate sites—seems like a no-brainer.

DCA also recommends that the Federal Trade Commission “take piracy more seriously” and prioritize warning Americans about the risks associated with pirate sites; it recommends more consumer protection group outreach on this issue; and it recommends that law enforcement more aggressively investigate pirate site operators, now armed with the 2020 amendment to the U.S. Copyright Act which elevated large-scale piracy by means of streaming from a misdemeanor to a felony. “Given that the piracy ecosystem is now a $2 billion industry, the Department of Justice should use that authority to target piracy operators,” the report states.

Personally, I would be curious to know something about the thinking of 9 million Americans who want cheap media streaming so badly that they’re willing to tolerate the high risk of credit card fraud and/or a dangerous malware attack. Of course, to DCA’s point, perhaps the majority of these subscribers don’t know how risky accessing these sites can be.

Photo source by: Wichayada57844

DCA Releases New Report on Piracy Sites and Malware

Apropos my recent response to the EFF’s standard policy of shrugging at online piracy, I want to highlight one paragraph from the post to which I replied. Katherine Trendacosta wrote:

From the fever-pitch moral panic of the early 2000s, discussions about “piracy” disappeared from pop culture for about a decade. It’s come back, both from the side explaining why and the side that wants everyone punished.

Aside from the statement being inaccurate—discussions about piracy have persisted (often quite heatedly) every year since the Napster days—I cite the quote here because its sarcasm derives from that common fallacy which asserts that Piracy is a victimless crime. No it is not.

If one wants to cling to the rationale that because certain artists are wealthy, piracy is therefore harmless to creators, fine. Whatever. But the fact that EFF and other “digital rights” groups so consistently echo the alleged “harmlessness” of piracy suggests that they’re not terribly concerned about the broader security threats posed by this $2billion/year, global, criminal enterprise.

In a new report published yesterday, Digital Citizens Alliance tells us that the 500 pirate sites studied in its latest research—there are thousands of pirate sites—earn at least $121 million per year just by hosting “malvertising” (i.e., ads designed to deliver malware). Entitled, Unholy Triangle, the report was produced in collaboration with brand safety organization White Bullet and cyber security firm Unit 221B. It describes a symbiotic relationship between malvertisers and pirate sites—two sides of the triangle—and the various ways these parties profit by endangering visitors to pirate platforms—the third side of the triangle.

Highlights from the Report

Researchers found that among the sites studied, 8 in 10 were littered with ads specifically created to entice clicks that will instantly download malware to a device or network. One out of every six visits to pirate sites, the report says, will encounter an attempted malware attack. The most popular type of bug is ransomware, but the researchers also found trojan horses and other malware used to obtain personal or financial information and/or to take control of devices. Of that $121 million annual revenue the pirate sites acquire from serving malvertising, the report states that more than half ($68.3 million) came from U.S. visits.

Among the most compelling, albeit ironic, details revealed by the report is that the majority of ads used to trigger responses are based on fear—specifically, fear of malware! It seems that because many pirate site visitors know they are exploring illegal and sketchy platforms, they are more susceptible to pop-up and pop-under ads warning them that their devices may be infected, or that they should make changes to their devices to ensure their security or anonymity.

A visitor clicks that ad offering to protect her device, immediately downloads malware, and within minutes,[1] her files are locked up, and she will soon receive a ransom demand promising to release those files for $800 to $1,000—in crypto, of course. Even people who pay these ransom demands report that, at best, they get about 65% of their data back, and there is no reason to assume that the hacker(s), who this report indicates are mostly located in Russia, will restore any data once they’re paid.

Ad Intermediaries Facilitate Sketchy Ads

DCA notes the success of initiatives like the Trustworthy Accountability Group (TAG), which launched in 2015 to extricate the legitimate advertising industry from the piracy business. But, the report describes certain advertising intermediaries that seem to straddle the legal and illegal trade. For instance, researchers focused on intermediary RichAds, which the report describes as follows:

RichAds is an advertising company that touts its ability to capture new quality leads from premium sources through its productive ads. The company is listed as being based in Cyprus, with many of its employees listing Belarusian universities as their alma maters on LinkedIn. It promises to deliver the best traffic and claims, on its LinkedIn page, that “We block any bot or other fraudulent traffic.”

Researchers sent the ad shown here for approval and received a “no problem” message from RichAds. This was hardly surprising because, looking a bit further, it appears that this intermediary is not just turning a blind eye to malware campaigns but is promoting its services to facilitate malvertising on pirate sites. “In the case study [used to promote itself], RichAds highlights how the customer relied upon the company to generate and place ads that ‘warned’ users that a virus was detected on their devices and they needed to update their antivirus software,” the report states.

National Security Implications

With operators in countries like Russia and Belarus—and with more than half the malvertising revenue (measured in this report) being generated by American visits to pirate sites—questions about national security come to mind. No, I am not saying that some teenager in Indiana illegally streams Stranger Things, and the power grid shuts down—and neither is DCA. But with more telecommuting and connections between critical enterprise databases to personal networks, the vulnerabilities to the former have increased, and enterprises are big fish for ransomware hackers.

Whether there is any crossover between the private malvertising industry and state-directed hacking aimed at the U.S. is a matter of speculation, but as the DCA report puts it:

Russia, China, Iran, and North Korea make up half of [all ransomware attacks]. As their primary target is the United States, it’s a safe assumption that the motivations go beyond financial to geo-political with national security implications. Those concerns have some states reconsidering the protocols for dealing with an attack on government operations.

Hardly Victimless

Clearly, even if one does not give a RAT’s butt about creators’ works being illegally distributed, piracy is not a victimless crime. On the contrary, a substantial and growing revenue stream for the pirate site operators is, in fact, a trade in victims. Whether it’s slaving personal computers, identity theft, or delivering ransomware to a pharmaceutical company, malware is big business, and piracy sites continue to be an excellent super-spreader.

After about ten years of reading DCA’s reports, this recent one comes closest to at least implying that media piracy can be a vector for malware attacks on something larger than personal computers. Assuming that’s not an exaggeration, the “digital rights” groups may need to drop the false narrative that mitigating piracy comes at the cost of online “freedom.” Site blocking, technical measures, and other means to interdict the piracy trade become very different conversations, if we are indeed talking about critical supply chains and not just “Hollywood.”

[1] The report cites Paul Watters, who “found it typically takes just 42 seconds for an “advanced persistent threat” such as malware to infect a Windows device and 78 seconds to infect an Android device.”