TikTokkers are using a little-known livestreaming feature to falsely represent Israelis and Palestinians—and the company is taking a cut of costly in-app gifts viewers give to participants.

TikTokkers are using a little-known livestreaming feature to cash in on the huge interest in the Israel-Hamas war despite having no links to the crisis. TikTok, meanwhile, is taking up to 50 percent of the earnings.

In the days after Hamas attacked Israel on October 7, TikTok creators have been engaging in “live matches” on the platform where one creator plays the role of Israelis and the other that of Palestinians, while encouraging—and often shouting at—their followers to continue to donate expensive gifts. The side with the most gifts after five minutes wins the battle.

Some of these gifts cost hundreds of dollars each, and several livestreams WIRED observed in recent days have continued for multiple hours without a break. One battle had seen the creator representing Palestinians winning 72 matches in a row.

The creators can cash out their winnings for real currency, but only after TikTok itself has taken a major cut of the earnings.

As the humanitarian crisis in Gaza continues to worsen, social media platforms have been accused of allowing disinformation to fester while platforms including TikTok have been accused of silencing certain viewpoints. Now TikTok appears to be profiting off their users’ fascination with Israel and Palestinians, and allowing creators who may not be from Israel or the Palestinian territories to earn money off the conflict.

WIRED found dozens of examples of creators seeking to cash in on people’s interest in the crisis, but one pair of creators appears to be cashing in more than most.

On multiple days over the course of the past week, a Turkish streamer who claims to represent Palestinians battled a Greek-Georgian streamer who claims to represent Israelis. In case there was any doubt about who each was supposedly representing, each had the flag of their respective adopted sides onscreen during the battles.

In all of the battles WIRED observed, none of the participants appeared to have any link to the entities they claimed to be representing, and none of them suggested they were planning on donating any of the money earned to the people directly impacted by the current crisis.

Battles between influencers online have been a feature of streaming services since at least 2016, particularly in China, though on most other platforms, the participants have to complete tasks or show off a skill in order to win a battle. On TikTok, it’s mostly just screaming.

Live matches, also known as player knockout or PK battles, have been a feature on TikTok since at least 2021, though TikTok does not mention the feature on its own webpage describing how livestreaming works. Despite the feature being available for more than two years, it is not very well known, and to the uninitiated, the TikTok battles may make little sense, with viewer counters, stickers, and never-ending comments crowding the screen while the two creators shout and scream in a bid to get their followers to donate more gifts.

Rather than making any coherent argument about the rights of Israelis or Palestinians during this crisis, the streamers instead shout out their side’s name or scream comments such as: “Like, like, like,” and “Follow me.”

The streams WIRED observed were watched live by thousands of TikTok users. Today, just before this article was published, a push notification showed the streamers were going live once again.

The two streamers did not respond to WIRED’s messages about their battles.

The rise of TikTok live matches related to the Israel-Hamas war was first highlighted by Abbie Richards, a research fellow at the Accelerationism Research Consortium who specializes in tracking misinformation on TikTok. Richards said it was “gross to grift off atrocities.”

“So this is real people, sending real money to TikTokkers to gesture support for the concept of Israel or Palestine,” Richards said in a video posted on Instagram this week. “But do you know who’s really making money off of these? TikTok, because they take roughly half of the money creators make on live. This helps literally no one except these grifters and TikTok. It’s fucking disgusting.”

TikTok did not respond to WIRED’s request for comment.

A lot of TikTok creators use the app’s livestream feature to generate income, with some streamers broadcasting their entire lives on the platform. The “live match” feature is little known on the hugely popular video-sharing app that allows two people to “battle” against each other for five minutes at a time. The winner is the person who gains the most likes and gifts from their followers.

The strange phenomenon means that the TikTokkers participating need to encourage their followers to donate as many gifts as possible in order for them to “win.”

Virtual gifts are purchased with TikTok’s in-app currency, known as coins. The cost of coins vary depending on how many you are buying, but you can buy 70 coins for less than a dollar.

The gifts range from stickers of roses and the TikTok logo, which cost just a couple of coins, up to animations that take over the full screen that cost up to 45,000 coins. Purchasing enough coins to buy the most expensive gifts on TikTok can cost over $500.

After a user donates the gift to a creator during a battle, those gifts are then converted into Diamonds, which creators can then cash out for real currency.

However, the full value of the gift is not transferred to the creator, with TikTok taking a significant slice of each gift donated. The exact amount is unclear, but a BBC investigation last year found creators received just 30 percent of the money donated to them. TikTok at the time said its cut was significantly less than 70 percent but would not specify an exact percentage.

But even small purchases can quickly accumulate. In January, people spent $6 billion in-app on TikTok, according to a report released by Data.ai, a mobile market trends firm

It can be a lucrative business, with some TikTokkers claiming they are making up to $30,000 a month from live matches. Meanwhile, those who are sending the gifts are also reporting that they can easily become addicted, leading to financial and emotional problems.

TikTok Streamers Are Staging ‘Israel vs. Palestine’ Live Matches to Cash In on Virtual Gifts

In the hours following the worst mass shooting in Maine’s history, disinformation about the suspected gunman flooded social media with false claims that he had been arrested.

Following a mass shooting at a bowling alley and restaurant in Lewiston, Maine, yesterday evening that left at least 18 people dead, state police urgently warned residents to “stay inside your home with the doors locked” as they mounted a manhunt for the suspect.

Misinformation about the suspect flooded social media platforms like X (formerly Twitter), Facebook, and TikTok moments after the shooting. On X, verified accounts pushed out bogus claims that the threat had been neutralized and a suspect had been arrested. Police have since identified 40-year-old Robert Card as a “person of interest” in the shooting. While Card remains at large as of 10 am ET this morning, posts featured videos of the supposed arrest that have been viewed hundreds of thousands of times.

A prolific verified X account with almost 300,000 followers was among the first to post the claim that the suspect had been arrested, and while the account subsequently posted an update stating that the suspect was still at large, the original post—which has been seen over 170,000 times—remains active.

The top result for the search term “Robert Card arrested” on X was a post featuring the same video that has been viewed over 1.9 million times, even though it had a Community Note attached making it clear the claims in the post were false.

The same video circulating on X was also being shared on TikTok, where one post had been viewed 80,000 times by this morning.

Another of the main false narratives circulating in the hours after Card was identified was that he had been arrested in 2016 for possessing and disseminating sexually explicit materials. This was also inaccurate: It refers to a different person named Robert Card, who is also 40 years old and from Maine.

Some accounts labeled Card “a far-left lunatic” based on the unverified claim that he voted for former US president Barack Obama. Others wildly tried to link the incident to the current crisis in the Middle East, claiming, without evidence, that Card “was a Hamas supporter.”

While misinformation about the mass shooting proliferated across social media, the problem was acute on X, where owner Elon Musk has incentivized people to post engaging and viral content even if it’s not accurate. As a result, users rushed to be the first to post updates about the shooting despite being blatantly false.

“It’s as if everyone thinks disinformation is a problem, but not for them personally—only for _other_ people,” Caroline Orr, a behavioral scientist and postdoctoral researcher at the University of Maryland who tracks disinformation online, wrote on X, adding: “When 20+ people are murdered in a mass shooting, and the reaction of most people on this website is: ‘How can I use this to push a political agenda?’ or ‘How can I use this to attack XYZ person?’ … that reflects something far more disturbing.”

X, Meta, and TikTok did not immediately respond to WIRED’s request for comment.

At 3 am ET this morning, Lewiston Police Department confirmed on its Facebook page that Card, a certified firearms instructor and a member of the US Army from Bowdoin, Maine, was still on the run. The department said Card “should be considered armed and dangerous” and that members of the public should not approach him.

Law enforcement believes the shooter killed at least 16 people and 13 more at around 7 pm yesterday at the Sparetime Recreation bowling alley and the nearby Schemengees Bar and Grille. Officials said the death toll is expected to rise, with one local city councilor telling CNN that it could be as high as 22.

The incident was the nation’s worst mass shooting this year, according to the Gun Violence Archive.

Card, whose own X profile was filled with conspiracy theories about trans mass shooters and pro-MAGA content, had been committed to a mental health facility for two weeks earlier this year after he reported “hearing voices and threats to shoot up the National Guard Base in Saco, Maine,” according to a police bulletin circulated by law enforcement and reported by AP.

Notably, Card also liked two posts, one from Donald Trump Jr. and another by far-right personality Dinesh D'Souza, about their opposition to gun control.

The rapid unchecked spread of misinformation last night and into this morning mirrored the response earlier this month when Hamas militants attacked Israel on October 7. In the hours and days following the attack and the bombing of Gaza by the Israeli government, X was overrun by disinformation shared by verified users, who rehashed old footage, video game content, and photoshopped images to push partisan narratives.

_Updated at 10:55 am ET, October 26, 2023, to include the latest casualty and wounded figures provided by Maine governor Janet Mills during a press conference this morning._

Maine Mass Shooting Disinformation Floods Social Media as Suspect Remains at Large

A recent breach of authentication giant Okta has impacted nearly 200 of its clients. But repeated incidents and the company’s delayed disclosure have security experts calling foul.

On Friday, October 20, the identity management platform Okta said it suffered an intrusion in its customer support system. As an access and authentication service, a breach of Okta always comes with risks to other organizations, and the company confirmed that “certain Okta customers” were affected. Okta tells WIRED that it notified “around 1 percent” of its 18,400 customers that they were impacted.

The password manager 1Password, an Okta customer, said this week that it had notified the company on September 29 of suspicious activity that ultimately was tied to the support system incident. BeyondTrust, another identity and access management firm and also an Okta customer, said last week that it had similarly flagged concerning behavior in its Okta administrator account and notified the company about the issue on October 2. Internet infrastructure company Cloudflare also said last week that it had detected a similar incident in its Okta systems on October 18 and notified the company as well.

Companies like Okta that provide crucial digital services to a large population of prominent customers are always going to be prime targets for attacks because they can serve as a sort of one-stop shop for hackers looking to compromise numerous organizations. And as tech giants like Microsoft have shown, some of these attacks may well lead to breaches even if the vast majority are blocked. The breach at Okta is particularly concerning because it shares many features with a security incident the company dealt with in 2022, in which attackers compromised a subprocessor that Okta had trusted to do customer support work.

“What I find surprising in this case is that, after the 2022 breach, you'd think Okta would be on high alert for any externally exposed systems or personnel who may be targeted—and yet something has happened again,” says Adam Chester, a senior security consultant at TrustedSec.

The latest incident directly affected Okta's internal customer support service rather than one provided by a third-party partner. In this case, attackers used stolen login credentials to compromise an Okta support account, and then leveraged this access to steal cookies and session tokens used to give customer support providers access to clients' systems for troubleshooting. With these access tokens, attackers could then compromise Okta customer accounts directly.

1Password, BeyondTrust, and Cloudflare all said that they were able to detect and block the intrusions before any of their own customers were affected, but they all highlighted the fact that they had notified Okta about the situation before Okta warned them—in some cases weeks before Okta's public disclosure.

“This is the second time Cloudflare has been impacted by a breach of Okta’s systems,” a group of Cloudflare engineers wrote on Friday. They went on to share a list of recommendations for how Okta can improve its security posture: “Take any report of compromise seriously and act immediately to limit damage. Provide timely, responsible disclosures to your customers when you identify that a breach of your systems has affected them. Require hardware keys to protect all systems, including third-party support providers.”

The Cloudflare engineers added that they view taking protective steps like these as “table stakes” for a company like Okta that provides such crucial security services to so many organizations.

When WIRED asked Okta a series of questions about what steps it is taking to improve customer service defenses in the wake of the two breaches, and why there appears to be a lack of urgency when the company receives reports of potential incidents, the company declined to comment. A spokesperson said it would share more information about these subjects soon.

“I really want to know what technical controls Okta had implemented following the 2022 breach, and why this time will be different,” says Evan Johnson, cofounder of RunReveal, which develops a system visibility and incident detection tool. “My hunch is they did not roll out hardware security keys, or didn’t roll them out for their contractors doing support.”

Jake Williams, a former US National Security Agency hacker and current faculty member at the Institute for Applied Network Security, emphasizes that “the issue is bigger than Okta,” noting that software supply chain attacks and the volume of hacks companies must defend against is significant. “It's unfortunately common for service providers of any size to have trouble believing they are the source of an incident until definitive proof is offered,” he says.

Still, Williams adds, “there's a pattern here with Okta, and it involves outsourced support.” He also notes that one of the remediations Okta suggested to customers in the wake of the recent incident—carefully removing support session tokens that could be compromised from troubleshooting data—is not realistic.

“Okta's suggestion—that somehow the customer must be responsible for stripping session tokens from the files they specifically request for troubleshooting purposes—is absurd,” he says. “That's like handing a knife to a toddler and then blaming the toddler for bleeding.”

Okta's Latest Security Breach Is Haunted by the Ghost of Incidents Past

Inauthentic accounts on X flocked to its owner’s post about Ukrainian president Vlodymr Zelensky, hailing “Comrade Musk” and boosting pro-Russia propaganda.

Since Elon Musk spent $44 billion on Twitter (now X) last year, the billionaire has been determined to wipe out bots and spammy accounts. Things haven’t gone smoothly. Amid the chaos, in recent weeks Russian trolls have jumped on one of Musk’s own posts and used it to push pro-Kremlin messaging, a new analysis shows.

At the start of October, Musk used his platform to mock Ukrainian president Vlodymr Zelensky with a nine-year-old meme. “When it's been five minutes and you haven't asked for a billion dollars in aid,” says the text above the “Trying to Hold a Fart Next to a Cute Girl in Class” meme, which the X owner posted to his 160 million followers. The original image shows a teenage schoolboy visibly agitated while sitting in class next to a girl. Musk’s version swapped in Zelensky’s face. Ukrainians hit back at Musk, accusing him of trolling and posting Russian propaganda.

Now analysis by a volunteer group of researchers who track Russian-language information operations on X says Russian trolls flocked to Musk’s post and news accounts that reported on his meme. “The Zelensky tweet from Musk seems to be the most commented by Kremlin trolls over nearly three months,” says Antibot4Navalny, the anonymous group of volunteers behind the findings.

In the days after the post, around 160 inauthentic accounts pushing pro-Russian messaging sent some 400 posts praising Musk as a “Russian patriot” and photoshopping him into Russian military uniforms, according to the group. They say the main messaging can be summarized, in part, as “Comrade Musk supports Russia.”

Three independent experts, including one former disinformation researcher at Twitter, reviewed the findings from Antibot4Navalny and concluded that the accounts praising Musk and pushing Russian narratives are likely to be part of a coordinated campaign. They say that while there was a small number of accounts pushing the messaging—the post has 93 million views—the targeting may show the accounts testing their messaging and tactics.

The X press office did not respond to WIRED’s request for comment, which included a sample of the accounts identified by the Antibot4Navalny researchers. “Busy now, please check back later,” its automated response says.

The Antibot4Navalny group monitors inauthentic accounts on X, focusing on the Russian language, and it identifies accounts that may not be genuine by analyzing their behavior and the replies they make to media outlets. Data gathered by the researchers shows the accounts replying both to Musk’s original tweet and also those from Russian-language news accounts, such as BBC Russian and DW Russian. The posts are mostly in Russian, but there are also a few in English. “Among troll replies addressing Musk directly, some are using memes or other images which are sometimes a part of the message,” a Antibot4Navalny representative says.

“Russia thanks you for your excellent work, Elon. And answers with memes,” one English language post says. “As usual, Musk is our comrade: like us, he ROFLs at the junkie,” a translated Russian post says. Others praise Musk for telling the “truth” and mocking the Ukrainian president.

One former Twitter disinformation researcher, granted anonymity to allow them to speak freely without fear of retaliation, looked at a sample of the accounts highlighted by Antibot4Navalny. “Most accounts had multiple signs of inauthenticity,” the former staff member says, pointing out that their analysis was done using public-facing data, and only X would be able to make “hard findings” based on technical data available to the company. The former staff member says the accounts had repeated behavior in reposts and “inconsistent or clearly falsified” personal information. “There was a spectrum for how realistically or well chosen an account's profile pic is,” they say, with some profile images being pulled from elsewhere online.

Martin Innes, codirector of the Security Crime and Intelligence Innovation Institute at Cardiff University, who has led international disinformation research, reviewed a sample of the data with colleagues. He also says there are multiple signs that the accounts may not be genuine. “The accounts examined are newly created, in the main during the period of the Ukraine-Russia war, and exhibit behavior designed to target and polarize opinion, and gain popularity through interaction with larger accounts, many of which represent popular media outlets,” Innes says.

Innes and the Cardiff University researchers say the accounts often have low or zero follower numbers, a lack of identifiable personal details, mostly just reply to other accounts’ posts, and produce anti-Ukraine and anti-Zelensky messaging, which mirror wider Russian narratives. Russia has long used social media to impact politics and divide opinions. In September, an EU report concluded that the “reach and influence” of Kremlin-backed accounts on social media had increased in 2023, particularly highlighting X.

“Since the acquisition of Twitter/X by Musk, there have been a series of policy decisions that any expert in the field of misinformation or disinformation would tell you were bad decisions,” the former Twitter staff member says. They point to X removing labels for accounts funded by governments and firing teams working on disinformation. At the same time, Russian propaganda has also focused on influencing African nations.

Kyle Walter, head of research at misinformation- and disinformation-analysis company Logically, says Musk's account has been targeted in the past, in particular with crypto scams. Walter also reviewed the accounts highlighted by Antibot4Navalny and says they appear to be inauthentic. The claims about Musk supporting Russia have “existed for a while,” Walter says. Throughout Russia’s full-scale invasion of Ukraine, which began in February 2022, Musk’s Starlink satellite internet company has provided crucial internet connections to Ukrainian forces for free and has been praised by its politicians. He was criticized last month over a decision not to allow Starlink’s use around Crimea, the Ukrainian peninsula annexed by Russia in 2014.

When it comes to the Musk posts, the Antibot4Navalny researcher says the accounts could have been looking to boost Russian propaganda talking points or to “create an illusion” for those browsing replies to Musk’s tweet that people support the message. Replying to large accounts like Musk’s has the potential to reach a wider audience, the research says.

Logically’s Walter says that it is a critical time for social media platforms as they head toward a slate of elections in 2024—including those in the US, Canada, UK, India, and the European Union. “Bad actors are testing different tactics, testing different capabilities,” Walter says. “You'll often see a lot of these kinds of unsuccessful campaigns where they're not really getting any engagement, not really getting any views on the content, but it's helping them calibrate their kind of broad efforts for future instances.”

Elon Musk Mocked Ukraine, and Russian Trolls Went Wild

Thousands of child abuse images are being created with AI. New images of old victims are appearing, as criminals trade datasets.

A horrific new era of ultrarealistic, AI-generated, child sexual abuse images is now underway, experts warn. Offenders are using downloadable open source generative AI models, which can produce images, to devastating effects. The technology is being used to create hundreds of new images of children who have previously been abused. Offenders are sharing datasets of abuse images that can be used to customize AI models, and they’re starting to sell monthly subscriptions to AI-generated child sexual abuse material (CSAM).

The details of how the technology is being abused are included in a new, wide-ranging report released by the Internet Watch Foundation (IWF), a nonprofit based in the UK that scours and removes abuse content from the web. In June, the IWF said it had found seven URLs on the open web containing suspected AI-made material. Now its investigation into one dark web CSAM forum, providing a snapshot of how AI is being used, has found almost 3,000 AI-generated images that the IWF considers illegal under UK law.

The AI-generated images include the rape of babies and toddlers, famous preteen children being abused, as well as BDSM content featuring teenagers, according to the IWF research. “We’ve seen demands, discussions, and actual examples of child sex abuse material featuring celebrities,” says Dan Sexton, the chief technology officer at the IWF. Sometimes, Sexton says, celebrities are de-aged to look like children. In other instances, adult celebrities are portrayed as those abusing children.

While reports of AI-generated CSAM are still dwarfed by the number of real abuse images and videos found online, Sexton says he is alarmed at the speed of the development and the potential it creates for new kinds of abusive images. The findings are consistent with other groups investigating the spread of CSAM online. In one shared database, investigators around the world have flagged 13,500 AI-generated images of child sexual abuse and exploitation, Lloyd Richardson, the director of information technology at the Canadian Centre for Child Protection, tells WIRED. “That's just the tip of the iceberg,” Richardson says.

A Realistic Nightmare

The current crop of AI image generators—capable of producing compelling art, realistic photographs, and outlandish designs—provide a new kind of creativity and a promise to change art forever. They’ve also been used to create convincing fakes, like Balenciaga Pope and an early version of Donald Trump’s arrest. The systems are trained on huge volumes of existing images, often scraped from the web without permission, and allow images to be created from simple text prompts. Asking for an “elephant wearing a hat” will result in just that.

It’s not a surprise that offenders creating CSAM have adopted image-generation tools. “The way that these images are being generated is, typically, they are using openly available software,” Sexton says. Offenders whom the IWF has seen frequently reference Stable Diffusion, an AI model made available by UK-based firm Stability AI. The company did not respond to WIRED’s request for comment. In the second version of its software, released at the end of last year, the company changed its model to make it harder for people to create CSAM and other nude images.

Sexton says criminals are using older versions of AI models and fine-tuning them to create illegal material of children. This involves feeding a model existing abuse images or photos of people’s faces, allowing the AI to create images of specific individuals. “We’re seeing fine-tuned models which create new imagery of existing victims,” Sexton says. Perpetrators are “exchanging hundreds of new images of existing victims” and making requests about individuals, he says. Some threads on dark web forums share sets of faces of victims, the research says, and one thread was called: “Photo Resources for AI and Deepfaking Specific Girls.”

The AI-Generated Child Abuse Nightmare Is Here

Though often viewed as the “crown jewel” of the US intelligence community, fresh reports of abuse by NSA employees and chaos in the US Congress put the tool's future in jeopardy.

A federal law authorizing a vast amount of the United States military’s foreign intelligence collection is set to expire in two months, pulling the plug on history’s most prolific eavesdropping operation and the primary means by which US spies intercept the private communications of people deemed threatening, or simply interesting, by the US government—the world’s foremost surveillant.

The US National Security Agency (NSA) relies heavily on the statute, Section 702 of the Foreign Intelligence Surveillance Act, when compelling the cooperation of communications giants that oversee huge swaths of the world’s internet traffic, intercepting hundreds of millions of phone calls and email messages each year, and eavesdropping on the personal conversations of targeted foreign individuals and anyone else, including Americans, unfortunate enough to be caught in their orbit.

As of now, members of Congress have introduced exactly zero bills to prevent Section 702 from sunsetting on January 1, 2024, even though many—perhaps a majority—view this intelligence “crown jewel” as fundamental to the national defense; a flawed but fixable law. The Democrats, who control the Senate, are not blameless in stalling the reauthorization, with more than a handful vying to ensure its renewal is contingent on new rules that force the government to get a warrant before weaponizing the data against its own citizens. The internal conflict roiling the Republican Party, many of whose members share in the desire to rein in the government’s domestic surveillance capabilities, is nevertheless the biggest factor forestalling a compromise, particularly following the removal of Kevin McCarthy as House speaker earlier this month.

The US intelligence community is not without blame. A litany of reported errors, ethical violations, and at least some criminal activity bearing the telltale signs of having been swept under the rug have gone a long way in validating the concerns of Section 702’s biggest detractors: Privacy defenders on both sides of the aisle who share common ground with political allies of Donald Trump, a wellspring of animosity when it comes to military and intelligence leaders—officials routinely peppered from the right with allegations of partisanship and other “treasonous things.”

A US report published in September by an independent government privacy watchdog describes a number of new “noncompliant” uses of raw Section 702 data by analysts at the NSA, an agency where military and civilian employees have been caught repeatedly abusing classified intel for personal, and even sexual, reasons. Issued by the Privacy and Civil Liberties Oversight Board (PCLOB), a body effectively commandeered by Congress in 2005 in an effort to help gauge the scope of the explosion in surveillance after 9/11, the report adds to a decade’s worth of documented surveillance abuses.

_The Wall Street Journal_ first reported in 2013 amid the exploding Edward Snowden scandal that NSA staff had been caught on numerous occasions spying on what the paper called “love interests.” The phenomenon is common enough at the agency to receive its own internal designation: “LOVEINT,” a portmanteau of “love” and “intelligence,” abbreviated in the style of actual surveillance disciplines such SIGINT and HUMINT (“signals” and “human” intelligence, respectively.)

Senator Dianne Feinstein, who died who on September 29 at the age of 90, had defended the NSA following the report, referring to the violations as “isolated,” occurring only roughly, she said, once a year. The _Journal_ noted, meanwhile, that nearly all of the known violations had been self-reported, likely by employees fearful of failing a polygraph exam.

The term “LOVEINT” implies a degree of harmlessness, the misguided acts of a hopeless romantic or a jilted lover. Yet it signifies behavior that is by any modern definition equivalent to stalking. That it received this designation at all seemingly suggests that the abuse is constant enough to border on systemic. The watchdog report released last month by the PCLOB notes that, in 2022, one NSA analyst twice conducted queries on people they’d met “through an online dating service,” showing that despite years of procedures developed to protect against such incidents, the temptation to abuse the most expansive surveillance tool in history for personal gain remains too enticing a prospect for some.

“The US government’s incredible surveillance powers are intended to keep Americans safe from global threats, but we’ve seen time and again how officials have misused this authority at the expense of Americans’ civil liberties,” US senator Chuck Grassley, a Republican from Iowa, tells WIRED. “Instead of aiming this tool at terrorists and international criminals, some have put their political rivals and even love interests in the crosshairs.” The intelligence community’s continued access to the 702 data hinges, in part, on its ability to demonstrate that it can cooperate with oversight attempts, Grassley says, and send an “unequivocal message that abuses will be met with steep consequences.”

While any substantive detail about past 702 violations remains obscured by conditions of secrecy, what can be gleaned from unclassified reports about the “consequences” facing NSA staff for stalking is not encouraging. A 2013 letter from the NSA’s then-top internal watchdog, George Ellard, for instance, described years’ worth of abuses that coincide and even predate the existence of Section 702, which Congress passed in 2008 in an effort to legalize the widespread wiretapping of calls already going in and out of the US, as well as immunize telecommunications companies like AT&T, which was revealed early on to be eagerly cooperating with the government’s demands.

Ellard’s letter, combined with more recent abuse disclosures, paints a picture of an agency that discovers surveillance abuses mainly when its employees self-report them, often to avoid trouble during or in advance of a polygraph test. Violators are often on their way out the door, presumably bound for the private sector, or are otherwise given the option to retire rather than face any real consequences for their actions. Numerous civilian employees at the NSA have admitted to wiretapping the phones of romantic partners, yet it's clear that many escaped punishment by quitting the agency before investigations into their conduct were earnestly underway.

In one of the most egregious cases, predating the 702 program by several years, an NSA employee admitted to wiretapping nine phone numbers belonging to women. Like with other offenses, Ellard noted in his letter—made public by Grassley several years ago—that the employee had “resigned before discipline had been proposed.” (Incidentally, Ellard’s decade as the NSA inspector general came to an unceremonious end following allegations that he’d retaliated against an agency whistleblower.)

Only US service members with access to raw 702 data appear to have been held accountable to some degree, almost certainly because they were unable, due to the terms of their service, to walk away from their jobs. A member of a “tactical military unit,” for instance, was demoted and docked one month’s pay after searching the classified database for communications belonging to his wife, while another’s access was cut after the NSA discovered they’d been eavesdropping on random people’s phone calls, purportedly to learn the language the victims were speaking.

Section 702, which last year targeted more than 246,000 “non-US persons,” permits the NSA to collect both text and audio of communications belonging to Americans, even when they are not the target of an investigation or suspected of foreign or criminal ties. These communications are “highly personal and sensitive, capturing exchanges with loved ones, friends, medical providers, academic adviseors, lawyers, or religious leaders,” according to the oversight authorities; capable of providing “great insight into an individual’s whereabouts, both in a given moment and in patterns over time.” While the communications of Americans captured as part of Section 702 surveillance may be subject to “minimization” procedures down the line, they are nevertheless stored in a “raw” or unredacted format and can be viewed with the help of a Google Search-like interface.

It's unclear how many government employees can access Section 702 data, but US lawmakers have offhandedly estimated the figure to be upwards of 10,000 people. This includes many employed by the Federal Bureau of Investigation, where the process of accessing the database remains practically free from judicial review. Under its own procedures, the FBI may conduct searches of the 702 database without probable cause so long as it believes it is “reasonably likely” to retrieve evidence of a crime—the legal equivalent of a hunch. According to a 2016 memorandum authored by the secretive Foreign Intelligence Surveillance Court, the FBI has at times failed to abide by what are already notably loose restrictions on using 702 for the purpose of acquiring communications protected by attorney-client privilege. The FBI's own procedures have long permitted agents to search the 702 database for correspondence between US citizens and their attorneys, as well as disseminate that information internally, provided the target of the search has not been charged with a crime.

While the NSA refers to the communications of Americans captured under Section 702 as having been collected “incidentally”—the statute authorizes only the “targeting” of “non-US persons reasonably believed to be located outside the United States”—it is important to note that the word “incidental” does not mean “by mistake.” It is merely accepted that each year, as a cost of doing business, the NSA will “inevitably” intercept the calls and messages of an unknown but “substantial” number of Americans.

This collection may be best understood as occurring not in error but as collateral surveillance, defended by the government under an ever-expanding list of national security threats: terrorism, first and foremost; then cyberattacks launched by hostile foreign actors; and today, finally, the illicit trafficking of fentanyl from sources in China.

Since the enactment of Section 702 some 15 years ago, US intelligence chiefs have claimed that it would be impossible to provide any clear metrics regarding just how many Americans are “incidentally” eavesdropped on each year. Ironically, it is the sheer amount of surveillance conducted by the NSA that is blamed for obscuring its impact on Americans’ civil liberties. “We do not yet know the scope of incidental collection,” this year’s PCLOB report states. But it should not be understood as “occurring infrequently,” it says, nor as an “inconsequential part of the Section 702 program.”

A Powerful Tool US Spies Misused to Stalk Women Faces Its Potential Demise

An EU government body is pushing a proposal to combat child sexual abuse material that has significant privacy implications. Its lead advocate is making things even messier.

Danny Mekić, an Amsterdam-based PhD researcher, was studying a proposed European law meant to combat child sexual abuse when he came across a rather odd discovery. All of a sudden, he started seeing ads on X, formerly Twitter, that featured young girls and sinister-looking men against a dark background, set to an eerie soundtrack. The advertisements, which displayed stats from a survey about child sexual abuse and online privacy, were paid for by the European Commission.

Mekić thought the videos were unusual for a governmental organization and decided to delve deeper. The survey findings highlighted in the videos suggested that a majority of EU citizens would support the scanning of all their digital communications. Following closer inspection, he discovered that these findings appeared biased and otherwise flawed. The survey results were gathered by misleading the participants, he claims, which in turn may have misled the recipients of the ads; the conclusion that EU citizens were fine with greater surveillance couldn’t be drawn from the survey, and the findings clashed with those of independent polls.

The micro-targeting ad campaign categorized recipients based on religious beliefs and political orientation criteria—all considered sensitive information under EU data protection laws—and also appeared to violate X’s terms of service. Mekić found that the ads were meant to be seen by select targets, such as top ministry officials, while they were concealed from people interested in Julian Assange, Brexit, EU corruption, Eurosceptic politicians (Marine Le Pen, Nigel Farage, Viktor Orban, Giorgia Meloni), the German right-wing populist party AfD, and “anti-Christians.”

Mekić then found out that the ads, which have garnered at least 4 million views, were only displayed in seven EU countries: the Netherlands, Sweden, Belgium, Finland, Slovenia, Portugal, and the Czech Republic.

At first, Mekić could not figure out the country selection, he tells WIRED, until he realized that neither the timing nor the purpose of the campaign was accidental. The Commission’s campaign was launched a day after the EU Council met without securing sufficient support for the proposed legislation Mekić had been studying, and the targeted counties were those that did not support the draft.

The legislation in question is a controversial proposal by the EU Commission known as Chat Control or CSA Regulation (CSAR) that would obligate digital platforms to detect and report any trace of child sexual abuse material on their systems and in their users’ private chats, covering platforms such as Signal, WhatsApp, and other messaging apps. Digital rights activists, privacy regulators, and national governments have strongly criticized the proposal, which the European data protection supervisor (EDSR) Wojciech Wiewiorowski said would amount to “crossing the Rubicon” in terms of mass surveillance of EU citizens.

“I think it is fair to say that this was an attempt to influence public opinion in countries critical of the indiscriminate scanning of all digital communications of all EU citizens and to put pressure on the negotiators of these countries to agree to the legislation,” says Mekić. “If the European Commission, a significant institution in the EU, can engage in targeted disinformation campaigns, it sets a dangerous precedent.”

The Dutch researcher’s find adds to the controversy surrounding the Commission, which has recently come under fire due to allegations that certain AI firms and advocacy groups with significant financial backing have had a notable level of influence over the shaping of CSAR—allegations that lead Commissioner Ylva Johansson countered, asserting that she had committed no wrongdoing. Johansson’s office did not respond to WIRED’s request for comment.

“There’s an inexplicable obsession with this file \[CSAR\] in the Commission. I don’t know where that comes from,” EU lawmaker Sophie in ’t Veld told WIRED after she submitted a priority parliamentary question on the case. “Why are they doing \[the campaign\] while the legislative process is still ongoing?”

As the pressure on the Commission has been mounting, Johansson lashed out against the influential civil rights nonprofit European Digital Rights, one of the strongest critics of the legislation and a defender of end-to-end encryption. She referred to its funding from Apple, suggesting EDRi was laundering the company’s talking points. “Apple was accused of moving encryption keys to China, which critics say could endanger customer data. Yet no one asks if these are strange bedfellows, no one assumes Apple is drafting EDRI’s speaking points,” she noted in a Commission blog on October 13.

Referring to EDRi’s independence and transparent funding processes, senior policy adviser Ella Jakubowska tells WIRED: “Attempts to delegitimize civil society suggest a worrying effort to silence critical voices, in line with broader trends of shrinking civic space. When both the content and the process regarding this law are so troubling, we need to ask how the European Commission allowed it to reach this point.”

Adding to the Commission’s conspicuous ad campaign, Mekić’s discovery came on the same day the European Commission formally sent X a request for information under the Digital Services Act, the sweeping EU digital disinformation law, following indications of “spreading of illegal content and disinformation” on the platform.

“The Commission’s ability to enforce the DSA could be undermined if their own services are willing to flagrantly disregard these rules. Whilst the DSA is supposed to rein in the power of big tech, the CSA Regulation would force digital service providers to become a privatized police force in all our online chats, emails, and messages,” says Jakubowska. “It’s hard to see how these regimes can coexist or more broadly, how the EU can uphold fundamental human rights if it passes a law which could violate the essence of certain rights.”

The votes in the European Parliament and EU Council are still pending. “The Commission seems to forget its own role here: It is not a legislator. It only has the prerogative of proposing legislation,” says in ’t Veld. “It has no business interfering in the internal debate, neither in the Council nor in the European Parliament. The Commission is completely out of bounds here.”

Commenting on the negotiations, the outcome of which remains uncertain, EDRi’s Jakubowska observed that “it is reassuring to see that many lawmakers are alert to just how terrifying it would be for the EU to endorse a proposal that in essence amounts to distributed spyware on everyone’s devices.”

As far as the contested ad campaign is concerned, Wiewiorowski, the European data protection supervisor, initiated a pre-investigation requesting from the Commission “information related to the described use of microtargeted ads,” with a response due by the end of last week. Wiewiorowski’s office declined WIRED’s request to comment on the potential for a formal investigation.

Ironically, Danny Mekić now believes he’s been shadowbanned by X, alongside other journalists, scientists, and researchers who have been critical of CSAR. X did not respond to WIRED’s request for comment.

“I haven’t received any response from X,” Mekić says. “Steps are currently being taken to find out what caused this and whether it was an algorithmic or human decision or whether it was done at the request of so-called trusted flaggers—such as, for example, the European Commission itself, or one of the organizations involved in the CSAR lobby.”

A Controversial Plan to Scan Private Messages for Child Abuse Meets Fresh Scandal

Stefan Thomas lost the password to an encrypted USB drive holding 7,002 bitcoins. One team of hackers believes they can unlock it—if they can get Thomas to let them.

At 9:30 am on a Wednesday in late September, a hacker who asked to be called Tom Smith sent me a nonsensical text message: “query voltage recurrence.”

Those three words were proof of a remarkable feat—and potentially an extremely valuable one. A few days earlier, I had randomly generated those terms, set them as the passphrase on a certain model of encrypted USB thumb drive known as an IronKey S200, and shipped the drive across the country to Smith and his teammates in the Seattle lab of a startup called Unciphered.

Unciphered’s staff in the company’s Seattle lab.

Photograph: Meron Menghistab

Smith had told me that guessing my passphrase might take several days. Guessing it at all, in fact, should have been impossible: IronKeys are designed to permanently erase their contents if someone tries just 10 incorrect password guesses. But Unciphered's hackers had developed a secret IronKey password-cracking technique—one that they've still declined to fully describe to me or anyone else outside their company—that gave them essentially infinite tries. My USB stick had reached Unciphered’s lab on Tuesday, and I was somewhat surprised to see my three-word passphrase texted back to me the very next morning. With the help of a high-performance computer, Smith told me, the process had taken only 200 trillion tries.

Smith’s demonstration was not merely a hacker party trick. He and Unciphered’s team have spent close to eight months developing a capability to crack this specific, decade-old model of IronKey for a very particular reason: They believe that in a vault in a Swiss bank 5,000 miles to the east of their Seattle lab, an IronKey that's just as vulnerable to this cracking technique holds the keys to 7,002 bitcoins, worth close to $235 million at current exchange rates.

For years, Unciphered's hackers and many others in the crypto community have followed the story of a Swiss crypto entrepreneur living in San Francisco named Stefan Thomas, who owns this 2011-era IronKey, and who has lost the password to unlock it and access the nine-figure fortune it contains. Thomas has said in interviews that he's already tried eight incorrect guesses, leaving only two more tries before the IronKey erases the keys stored on it and he loses access to his bitcoins forever.

Screens in Unciphered’s lab show a microscopic image of the layout of the IronKey’s controller chip (left) and a CT scan of the drive.

Photograph: Meron Menghistab

Now, after months of work, Unciphered's hackers believe they can open Thomas' locked treasure chest, and they're ready to use their secret cracking technique to do it. “We were hesitant to reach out to him until we had a full, provable, reliable attack,” says Smith, who asked WIRED not to reveal his real name due to the sensitivities of working with secret hacking techniques and very large sums of cryptocurrency. “Now we’re in that place.”

The only problem: Thomas doesn't seem to want their help.

Earlier this month, not long after performing their USB-decrypting demonstration for me, Unciphered reached out to Thomas through a mutual associate who could vouch for the company’s new IronKey-unlocking abilities and offer assistance. The call didn't even get as far as discussing Unciphered's commission or fee before Thomas politely declined.

Thomas had already made a “handshake deal” with two other cracking teams a year earlier, he explained. In an effort to prevent the two teams from competing, he had offered each a portion of the proceeds if either one could unlock the drive. And he remains committed, even a year later, to giving those teams more time to work on the problem before he brings in anyone else—even though neither of the teams has shown any sign of pulling off the decryption trick that Unciphered has already accomplished.

That has left Unciphered in a strange situation: It holds what is potentially one of the most valuable lockpicking tools in the cryptocurrency world, but with no lock to pick. “We cracked the IronKey,” says Nick Federoff, Unciphered's director of operations. “Now we have to crack Stefan. This is turning out to be the hardest part.”

In an email to WIRED, Thomas confirmed that he had turned down Unciphered's offer to unlock his encrypted fortune. “I have already been working with a different set of experts on the recovery so I'm no longer free to negotiate with someone new,” Thomas wrote. “It's possible that the current team could decide to subcontract Unciphered if they feel that's the best option. We'll have to wait and see.” Thomas declined to be interviewed or to comment further.

A Very Valuable, Worthless USB Stick

In past interviews, Thomas has said that his 7,002 bitcoins were left over from a payment he received for making a video titled “What is Bitcoin?” that published on YouTube in early 2011, when a bitcoin was worth less than a dollar. Later that year, he told WIRED that he'd inadvertently erased two backup copies of the wallet that held those thousands of coins, and then lost the piece of paper with the password to decrypt the third copy, stored on the IronKey. By then, his lost coins were worth close to $140,000. “I spent a week trying to recover it,” he said at the time. “It was pretty painful.”

In the 12 years since, the value of the inaccessible coins on Thomas' IronKey has at times swelled to be worth nearly half a billion dollars, before settling to its current, still-staggering price. In January 2021, as Bitcoin began to approach its peak exchange rate, Thomas described to _The New York Times_ the angst that his long-lost hoard had caused him over the years. “I would just lay in bed and think about it,” he said. “Then I would go to the computer with some new strategy, and it wouldn’t work, and I would be desperate again.”

Around that same time in 2021, a team of cryptographers and white-hat hackers founded Unciphered with the goal of unlocking exactly the sort of vast, frozen funds that many unlucky crypto holders like Thomas have long since given up on. At the time of Unciphered’s official launch, the cryptocurrency tracing firm Chainalysis estimated the total sum of those forgotten wallets across blockchains to be worth $140 billion. Unciphered says it has since successfully helped clients open locked wallets worth “many millions” of dollars—often through novel cryptographic vulnerabilities or software flaws it has discovered in cryptocurrency wallets—though nothing close to the size of Thomas' IronKey stash.

A deconstructed IronKey inside of Unciphered’s laser cutting tool.

Photograph: Meron Menghistab

Only around the beginning of 2023 did Unciphered begin to hunt for potential avenues to unlock Thomas' IronKey prize. Smith says that they quickly started to see hints that the IronKey's manufacturer, which was sold to storage hardware firm iMation in 2011, had left them some potential openings. “We were seeing little bits and pieces,” Smith says. “Like, this looks a little sloppy, or this looks not quite like how someone should be doing things.” (Kingston Storage, which now owns IronKey, didn’t respond to WIRED’s request for comment.)

Even a decade-old IronKey is a daunting target for hackers. The USB stick, whose development was funded in part by the United States Department of Homeland Security, is FIPS-140-2 Level 3 certified, meaning it's tamper-resistant and its encryption is secure enough for use by military and intelligence agencies for classified information. But emboldened by the few hints of security flaws they'd found—and still with no participation from Thomas—Unciphered's founders decided to take on the project of cracking it. “If there is an Everest to attempt, this is it,” Federoff remembers telling the team. The company's founders would eventually pull together a group of around 10 staffers and outside consultants, several of whom had backgrounds at the National Security Agency or other three-letter government agencies. They called it Project Everest.

A $235 Million Treasure Hunt

One of their first moves was to determine the exact model of IronKey that Thomas must have used, based on timing and a process of elimination. Then they bought the entire supply of that decade-plus-old model that they could find available for sale online, eventually amassing hundreds of them in their lab.

To fully reverse engineer the device, Unciphered scanned an IronKey with a CT scanner, then began the elaborate surgery necessary to deconstruct it. Using a precise laser cutting tool, they carved out the Atmel chip that serves as the USB stick's “secure enclave” holding its cryptographic secrets. They bathed that chip in nitric acid to “decap” it, removing the layers of epoxy designed to prevent tampering. They then began to polish down the chip, layer by layer, with an abrasive silica solution and a tiny spinning felt pad, removing a fraction of a micron of material from its surface at a time, taking photos of each layer with either optical microscopes or scanning electron microscopes, and repeating the process until they could build a full 3D model of the processor.

Because the chip's read-only memory, or ROM, is built into the layout of its physical wiring for better efficiency, Unciphered's visual model gave it a head start toward deciphering much of the logic of the IronKey's cryptographic algorithm. But the team went much further, attaching tenth-of-a-millimeter gauge wires to the secure element’s connections to “wiretap” the communications going into and out of it. They even tracked down engineers who had worked on the Atmel chip and another microcontroller in the IronKey that dated back to the 1990s to quiz them for details about the hardware. “It felt very much like a treasure hunt," says Federoff. “You’re following a map that’s faded and coffee-stained, and you know there’s a pot of gold at the end of a rainbow, but you have no idea where that rainbow’s leading.”

That cracking process culminated in July, when Unciphered's team gathered at an Airbnb in San Francisco. They describe standing around a table covered with millions of dollars’ worth of lab equipment when a member of the team read out the contents of a decrypted IronKey for the first time. “What just happened?” Federoff asked the room. “We just summited Everest,” said Unciphered's CEO, Eric Michaud.

Unciphered still won't reveal its full research process, or any details of the technique it ultimately found for cracking the IronKey and defeating its “counter” that limits password guesses. The company argues that the vulnerabilities they discovered are still potentially too dangerous to be made public, given that the model of IronKeys it cracked are too old to be patched with a software update, and some may still store classified information. “If this were to leak somehow, there would be much bigger national security implications than a cryptocurrency wallet,” Federoff says.

The team notes that the final method they developed doesn't require any of the invasive or destructive tactics that they used in their initial research. They've now unlocked 2011-era IronKeys—without destroying them—more than a thousand times, they say, and unlocked three IronKeys in demonstrations for WIRED.

Cryptic Contracts

None of that, however, has gotten them any closer to persuading Stefan Thomas to let them crack _his_ IronKey. Unciphered’s hackers say they learned from the intermediary who contacted Thomas on their behalf that Thomas has already been in touch with two other potential players in the crypto- and hardware-hacking world to help unlock his USB stick: the cybersecurity forensics and investigations firm Naxo, and the independent security researcher Chris Tarnovsky.

Naxo declined WIRED’s request to comment. But Chris Tarnovsky, a renowned chip reverse engineer, confirmed to WIRED that he had a “meet-and-greet” call with Thomas in May of last year. Tarnovsky says that, in the meeting, Thomas had told him that if he could successfully unlock the IronKey, he would be "generous," but didn't specify a fee or commission. Since then, Tarnovsky says that he has done very little work on the project, and that he has essentially been waiting for Thomas to start paying him on a monthly basis for initial research. "I want Stefan to cough up some money up front," says Tarnovsky. “It's a lot of work, and I need to worry about my mortgage and my bills.”

But Tarnovsky says he hasn't heard from Thomas since that first call. “Nothing came out of it,” he says. “It's weird.”

Unciphered’s director of operations Nick Federoff.

Photograph: Meron Menghistab

Unciphered's team remains skeptical about Naxo’s progress and whether it’s any further along than Tarnovsky. There are only a small number of hardware hackers capable of the reverse engineering necessary to crack the IronKey, they argue, and none appear to be working with Naxo. As for Thomas' suggestion that they could subcontract to Naxo or another team working on the project, Unciphered's Federoff says he won't rule it out, but argues it doesn't make sense when Unciphered alone can crack the IronKey. “Based on what we know, we don't see any benefit to anyone in going that route,” Federoff says.

Thomas, meanwhile, seems to display an unusual lack of urgency in unlocking his $235 million, and has offered only vague hints about why he has yet to reveal any progress toward that goal. “When you're dealing with so much money, everything takes forever,” he told the _Thinking Crypto_ podcast in an interview over the summer. “The person you're working with, you need some contract with them, and that contract needs to be rock solid, because if there's some issue with the contract, there's suddenly hundreds of millions of dollars at stake.”

To potentially accelerate that cryptic contract process, Unciphered plans to publish an open letter to Thomas and a video in the coming days designed to persuade—or pressure—Thomas into working with them. But Federoff concedes that it's possible Thomas doesn't actually care about the money: In its piece about his locked coins in 2021, _The New York Times_ wrote that Thomas already had “more riches than he knows what to do with,” thanks to other crypto ventures.

Federoff notes that it's impossible to know for certain what Thomas' IronKey holds. Maybe the keys to the 7,002 bitcoins are held elsewhere, or gone altogether.

He says Unciphered is still hopeful. But the team is also ready to move on if Thomas won't work with them. There are, after all, other locked wallets out there for the company to crack. And the decision of whether and how to unlock this particular USB drive's riches will ultimately fall to its owner alone. “It's incredibly frustrating,” says Federoff. “But when you're dealing with people, that's always the most complex part. Code doesn't change unless you tell it to. Circuitry doesn't either. But humans are incredibly unpredictable creatures.”

They Cracked the Code to a Locked USB Drive Worth $235 Million in Bitcoin. Then It Got Weird

Hamas has threatened to broadcast videos of hostage executions. With the war between Israel and Hamas poised to enter a new phase, are social platforms ready?

For the past decade, social media platforms have struggled to stop the spread of extremist violence livestreamed on their platforms. Now they face a much different problem: This time, they know what’s coming.

In the days after Hamas attacked Israel on October 7, the group’s military wing said it would kill an Israeli hostage every time Israel launched an attack on Gaza. Abu Obeida, a spokesperson for the al-Qassam Brigades, added that these executions would be broadcast “in audio and video.” As of today, Hamas is holding 220 people hostage, according to the Israel Defense Forces.

Amid the October 7 attack, one person livestreamed footage showing Hamas fighters murdering Israeli citizens—a clip of which was later shared by Donald Trump Jr. on X. And in the days after the attack, Hamas hijacked the accounts of those hostages on platforms like Facebook and Instagram to livestream attacks and issue death threats.

In response, tech companies appeared to take things seriously.

Meta launched a “special operations center” to track content on Facebook, Instagram, and Threads. TikTok activated its “command center.” X (formerly Twitter) mobilized its “cross-company leadership group.” YouTube activated its “intelligence desk.” And Reddit tells WIRED its “safety team” is on alert.

But when WIRED asked for specific details about how they are going to prevent bad actors from weaponizing the platforms’ livestreaming capabilities, none of the companies offered any specific details, instead pointing to their general online guidance about livestreaming policies, if they responded at all. For example, Meta directed WIRED to a 2019 blog post from chief information security officer Guy Rosen about how the company was planning to curb the use of its livestream products in the wake of the Christchurch massacre, during which a gunman killed 51 people at a mosque in New Zealand in March of that year.

Despite the press releases indicating all-hands-on-deck attention to the livestreaming problem, industry experts say social media companies are showing a lack of transparency and an unwillingness to take the measures needed to prevent execution videos from spreading on their platforms, such as suspending livestreaming capabilities completely during the Israel-Hamas war.

“Hamas’ threats to execute these people on livestreams is happening because it’s possible for them to broadcast it,” Imran Ahmed, the founder and CEO of Center for Countering Digital Hate, a nonprofit that tracks hate speech on social platforms, tells WIRED. “They’re doing this for the spectacle because it terrorizes us. If we took away their ability to generate that spectacle, would they be doing this? What comes first, the livestream or the execution?”

Ahmed alleges that the companies are failing to implement systems that automatically detect violent extremist content as effectively as they detect some other kinds of content. “If you have a snatch of copyrighted music in your video, their systems will detect it within a microsecond and take it down,” Ahmed says, adding that “the fundamental human rights of the victims of terrorist attacks” should carry as much urgency as the “property rights of music artists and entertainers.”

The lack of details about how social platforms plan to curb the use of livestreams is, in part, because they are concerned about giving away too much information, which may allow Hamas, Palestinian Islamic Jihad (PIJ), and other militant groups or their supporters to circumvent the measures that are in place, an employee of a major platform who was granted anonymity because they are not authorized to speak publicly claimed in a communication with WIRED.

Adam Hadley, founder and executive director of Tech Against Terrorism, a United Nations-affiliated nonprofit that tracks extremist activity online, tells WIRED that while maintaining secrecy around content moderation methods is important during a sensitive and volatile conflict, tech companies should be more transparent about how they work.

“There has to be some degree of caution in terms of sharing the details of how this material is discovered and analyzed,” Hadley says. “But I would hope there are ways of communicating this ethically that don’t tip off terrorists to detection methods, and we would always encourage platforms to be transparent about what they’re doing.”

The social media companies say their dedicated teams are working around the clock right now as they await the launch of Israel’s expected ground assault in Gaza, which Hadley believes could trigger a spate of hostage executions.

And yet, for all of the time, money, and resources these multibillion-dollar companies appear to be putting into tackling this potential crisis, they are still reliant on Tech Against Terrorism, a tiny nonprofit, to alert them when new content from Hamas or PIJ, another paramilitary group based in Gaza, is posted online.

Hadley says his team of 20 typically knows about new terrorist content before any of the big platforms. So far, while tracking verified content from Hamas’ military wing or the PIJ, Hadey says the volume of content on the major social platforms is “very low.”

“Examples that we can find on large platforms of that official content are in the thousands, so not a lot of examples, compared with significantly more on Telegram,” Hadley says. “We are sharing alerts to 60 platforms who have been implicated with \[Hamas\] and PIJ content to date, but very low volumes are present.”

Hamas is banned on Facebook, Instagram, YouTube, and TikTok, so it has typically not used these mainstream platforms to any great extent, though X said earlier this month that it had removed hundreds of Hamas-affiliated accounts. Instead, Hamas prefers to use Telegram.

“Because the use of Telegram is so widespread and simple, we will assume they will continue to do this because terrorists prioritize platforms they can use most easily,” Hadley says, “and why would they bother with anything other than Telegram?”

Meta, X, and YouTube collaborate to share information about what they are seeing on the platforms. Telegram does not take part in such partnerships. While it has blocked some channels in certain jurisdictions, Telegram has typically taken a hands-off approach to content moderation, meaning Hamas and related groups have been mostly free to post whatever content they like on its platform.

Telegram did not respond to WIRED’s questions about how it would deal with execution videos on its platform, nor did X or Twitch. Discord declined to provide an on-the-record comment.

While Hadley sees Telegram as the primary concern, mainstream platforms are still at risk of facilitating the spread of this content. Videos can easily be downloaded from Telegram and reposted on any other platform, which is where the mainstream social media networks face the challenge of stopping them.

When asked to provide more details about their efforts, Meta and TikTok directed WIRED to their policy pages outlining the work they are doing to prevent the spread of these videos. YouTube spokesperson Jack Malon tells WIRED that “our teams are working around the clock to monitor for harmful footage across languages and locales.” A Reddit spokesperson says the company has “dedicated teams with linguistic and subject-matter expertise actively monitoring the conflict and continuing to enforce Reddit’s Content Policy across the site.”

One of the key ways that tech companies try to keep violent extremist content from going viral on their platforms is by using what are known as hashing databases. When content from a terrorist organization is identified, it is “hashed” to create a unique identifier that can then be shared among all companies to automatically prevent that video or image from being reshared elsewhere.

The sharing of these hashes and communication around incidents like the Israel-Hamas war are coordinated by the Global Internet Forum to Counter Terrorism (GIFCT), a small team of experts whose mission is to stop tech platforms from being exploited by violent extremists. The group was founded in 2017 by Facebook, Microsoft, X (then Twitter), and YouTube as a way of centralizing and coordinating the sharing of information. Companies like Dropbox, Amazon, Pinterest, and Zoom also provide funding to the group.

GIFCT did not provide a spokesperson to answer WIRED’s questions, but a statement on the group’s website says it is “providing regular situational awareness across member companies and support in addressing content relating to this conflict that violates their platform policies.”

Even when mainstream platforms have access to a shared database of verified terrorist content and centralized communications with experts who are tracking this content closely, they still have a lot of work to do in order to prevent violent videos from spreading on their platforms.

“This will be a big litmus test for the mainstream platforms,” Hadley says. “We would expect their algorithmic systems to be able to detect the \[Hamas\] logo, for instance, and respond accordingly. So actually, we’re quietly confident that those platforms will be alright to handle it. And I would hope that they’ve been training their algorithms in anticipation of this, based on the very large amounts of existing content from \[Hamas and PIJ\]. But unfortunately, we have no insight into that at all.”

The Hamas Threat of Hostage Execution Videos Looms Large Over Social Media

Plus: IT workers secretly funnel money to North Korea, a court in the US upholds keyword search warrants, and WhatsApp gets a passwordless upgrade on Android

With the Israel-Hamas war intensifying by the day, many people are desperate for accurate information about the conflict. Getting it has proven difficult. This has been most apparent on Elon Musk’s X, formerly Twitter, where insiders say even the company’s primary fact-checking tool, Community Notes, has been a source of disinformation and is at risk of coordinated manipulation.

Case in point: An explosion at a hospital in Gaza on Tuesday was followed by a wave of mis- and disinformation around the cause. In the hours following the explosion, Hamas blamed Israel, Israel blamed militants in Gaza, mainstream media outlets repeated both sides’ claims without confirmation either way, and people posing as open source intelligence experts rushed out dubious analyses. The result was a toxic mix of information that made it harder than ever to know what’s real.

On Thursday, the United States Department of the Treasury proposed plans to treat foreign-based cryptocurrency “mixers”—services that obscure who owns which specific coins—as suspected money laundering operations, citing as justification crypto donations to Hamas and the Palestinian Islamic Jihad, a Gaza-based militant group with ties to Hamas that Israel blamed for the hospital explosion. While these types of entities do use mixers, experts say they do so far less than criminal groups linked to North Korea and Russia—likely the real targets of the Treasury’s proposed crackdown.

In Myanmar, where a military junta has been in power for two years, people who speak out against deadly air strikes on social media are being systematically doxed on pro-junta Telegram channels. Some were later tracked down and arrested.

Finally, the online ecosystem of AI-generated deepfake pornography is quickly spiraling out of control. The number of websites specializing in and hosting these faked, nonconsensual images and videos has greatly increased in recent years. With the rise of generative AI tools, creating these images is quick and dangerously easy. And finding them is trivial, researchers say. All you have to do is a quick Google or Bing search, and this invasive content is a click away.

That’s not all. Each week, we round up the security and privacy stories we didn’t cover in-depth ourselves. Click the headlines to read the full stories, and stay safe out there.

The recent theft of user data from genetics testing giant 23andMe may be more expansive than previously thought. On October 6, the company confirmed a trove of user data had been stolen from its website, including names, years of birth, and general descriptions of genetic data. The data related to hundreds of thousands of users of Chinese descent and primarily targeted Ashkenazi Jews. This week, a hacker claiming to have stolen the data posted millions of more records for sale on the platform BreachForums, TechCrunch reports. This time, the hacker claimed, the records pertained to people from the United Kingdom, including “the wealthiest people living in the US and Western Europe on this list.” A 23andMe spokesperson tells The Verge that the company is “currently reviewing the data to determine if it is legitimate.”

According to 23andMe, its systems were not breached. Instead, it said, the data theft was likely due to people reusing passwords on their 23andMe accounts that were exposed in past breaches and then used to access their accounts. If you need some motivation to stop recycling passwords, this is it.

The US Department of Justice on Wednesday said it had uncovered a vast network of IT workers who were collecting paychecks from US-based companies then sending that money to North Korea. The freelance IT workers are accused of sending millions of dollars to Pyongyang, which used the funds to help build its ballistic missile program. While the workers allegedly pretended to live and work in the US, the DOJ says they often lived in China and Russia and took steps to obscure their real identities. According to an FBI official involved in the case, it’s “more than likely” that any freelance IT worker a US company hired was part of the plot.

Searching online may have just gotten a little bit more dangerous. On Monday, a Colorado Supreme Court upheld police use of a so-called keyword search warrant. Using this type of warrant, law enforcement demands companies like Google hand over the identities of anyone who searched for specific information. This is the opposite of how traditional search warrants work, where cops identify a suspect and then use search warrants to obtain information about them.

Keyword search warrants have long been criticized as “fishing expeditions” that violate the US Constitution’s Fourth Amendment rights against unreasonable searches and seizures, because it potentially hands police information about innocent people who searched for a specific term but were not involved in any related crime.

Source

Wired