Anyone with a presence online leaves a digital footprint wherever they go – fragments of information about their personal lives, their occupation, their likes and dislikes. These pieces of data may seem fairly innocuous on their own, but when combined they build a detailed picture of the individual behind them. So detailed that it can be used for nefarious purposes, should it fall into the wrong hands.

The widely reported scandal involving the now-defunct Cambridge Analytica saw data from millions of people’s Facebook accounts accessed without explicit permission. It was a clear demonstration of the value and power of people’s data. Extrapolating Facebook likes and other public-domain affiliations and associations allows for precision-targeted political advertising campaigns. Targeted advertising is, of course, the lifeblood of many digital businesses. But now researchers working with NATO have shown just how powerful such information could be in the wrong hands, and how inexpensive it is for malicious agents to use it.

In its report, Responding to Cognitive Security Challenges, the NATO Strategic Communications Centre of Excellence details an experiment it ran to trick serving members of the armed forces. While the authors won’t say which country’s armed forces, they are at least clear about what they were trying to achieve.

- Could they gather information about a planned NATO exercise?

- What information regarding individual service personnel could they acquire?

- Was it possible to directly influence people's actions and behaviour?

Setting the bait

The experiment involved setting up fake accounts on Facebook (also known as sock puppet accounts), designing pages to attract attention and lure people in, setting up closed/secret Facebook groups, and using targeted advertising. The premise was simple – the fake accounts, pages and groups all purported to be from, or affiliated to, members of the armed forces. This was part of the lure that got actual service personnel to accept friend requests, join groups, like pages and share information in conversation.

The practice of pretending to be someone else in order to fool someone online is known as catfishing. As a term used in this context, it came to prominence in the 2010 movie Catfish, a pseudo-documentary about the online relationship between a young man and a young woman. However, the woman’s account was a work of fiction; her mother was the person behind it, and the profile photo belonged to a family friend. The whole thing had been a deception.

While most organizations have strict policies regarding security, the armed forces are steeped in it – from support staff to frontline troops and across all ranks. Even so, soldiers preparing for a NATO military exercise shared details about it with the people behind the false accounts, which demonstrates the ease with which malicious actors or state agents could obtain sensitive information. One of the chief tactics they used to draw unsuspecting people into their web of carefully constructed deception was targeted advertising, which cost just $60 to deploy across Facebook.

The NATO research team broadened their search for personal data by taking in other social media platforms and apps. Through this they were able to identify specific personnel who were married but also using online dating apps – information sensitive enough to be used against an individual as leverage, convincing them to share sensitive details or even, as was the case in the research project, abandon their posts while on duty.

The World Economic Forum’s most recent Global Risks Report details concerns regarding the ongoing threat of data fraud, cyber-attacks and other tech-based vulnerabilities. Around two-thirds of respondents to the 2019 survey said they “expect the risks associated with fake news and identity theft to increase” this year, while three-fifths said the same about loss of privacy.