Your Privacy Is Gone and MLB Just Proved It

It’s been four years since we published LinkedIn Is Not a Video Game.

And now along comes a guest blogger, Matt Thompson, to reinforce the basic principles with an updated spin.

First, the official disclaimer from Matt: “These are my personal views and are not associated with my employer or any group I am affiliated with”.

Ready?  Here we go…

Hackers have been using social engineering for a long time and it appears as MLB took a page out of their book. Social media platforms like LinkedIn and Facebook allow other people to see into your life and in many cases your associates’ lives as well. These types of investigations are going to become a part of normal everyday life in the future.

Info on the MLB investigation – http://es.pn/1cbNyFV

facebook-scam-graphicWhy Should You Care?

The methodology used in these types of investigations can be carried out by almost anyone. It requires a lot of man hours but that’s about it. Companies or individuals can carry out these types of data mining activities as you being the target. It all starts with people not managing privacy or blindly accepting friend requests from strangers. You may think your social media is private but it really isn’t.

I am not stating MLB used these tactics but rather this is how I can see a simple hypothetical scenario like this being played out.

Step 1 – Targets Identified

cross-hairsThe investigative team has a group of people of interest associated with case. They believe they are all interconnected somehow and they know more unidentified people are probably out there. Think about any criminal investigation portrayed on TV. The team is starring at a giant board filled with photos of potential suspects with lines connecting them.

Step 2 – Establish an Event

Assuming the team has a particular event they want to pin on the pool of suspects. Let’s say an alleged steroid clinic received a shipment and the team wants to establish who comes into contact with clinic shortly after. The team could begin crawling social media looking for activity around that time frame in that area. Now not everyone’s social media is open to the public so that poses a small problem.

kevin_bacon_300x400Step 3 – The Kevin Bacon Theory

This is where 6 degrees of separation theory comes into play that was made popular with the 6 Degrees of Kevin Bacon game. Basically, the concept is that any two people on Earth are six or fewer acquaintance links apart. Social media makes this concept easy to document and track.

The team can now being trying to access the social circle through requests to group. In my model I assume social engineering is used by reaching out to multiple people in a methodical fashion. Slowly the circle of friends begins to take shape and every accepted request accelerates the process. Investigators now have data (photos, check-ins, tweets, etc. ) on a number of people’s activities that they can use to paint a timeline.

Step 4 – Crowd Sourcing

To this point the team has a pretty good picture of whom, where and when but still might have some gaps. The highest profile suspects probably haven’t allowed the team directly into their circle but because everyone else has the target’s activities maybe leaked. Sifting through the data provided by the group and the general public the team can has that window.

detectiveSay for instance the team wants to establish that two people went to the same venue at the same time. Let’s assume that one is a professional athlete and one is an everyday person with confirmed connections to the clinic. They know of the venue because the team has access to data that places one of the two at that location (maybe an Instagram photo). To place the high profile target on-site as well the team just needs to scan all social media activity in that given time frame at that location. In most cases hundreds of tweets, posts and check-ins would provide a plethora of raw data. Investigators may get lucky and there’s a post directly stating the celebrity is at that location if not the team would need to crawl through all the photos looking for the target. Now it’s not a crime to be in the same place as someone else that is linked to an alleged event but the team will now begin looking for a pattern of coincidental meetings and that in turn establishes evidence.

Step 4.5 – The Rabbit Hole

I labeled this step 4.5 because this really in reference to step 4. Remember when I spoke about the investigators tapping into the general public looking for social media activity around that time frame? This is where programs like this can take a nasty turn and begin to involve people like you and me. Let’s same the targeted venue is a club on a certain date and time. The team finds a photo of your group of friends on twitter; which by the way have nothing to do with the investigation. A simple photo now provides a stepping stone for the team. Everyone in the photo now becomes a target and the team tries to gain access to your group of friends in hopes someone snapped a photo or mentioned one of the main targets. Duplicate that process over and over until all possible options are exhausted. If someone was there the team probably knows about it now.

Step 5 – The Closer

kira-2
Layers upon layers of humor here.

So what does all this data mean to the suspects? The team can begin to map out non-coincidental meetings and communications by establishing patterns over time. Someone in the chain is going to mess up or willing provides the team with concrete evidence of wrong doing. It’s through association that the other people of interest are implicated. The team just needs to add a little narration to the story using both confirmed and circumstantial evidence. Since the hypothetical team and event are not being prosecuted in a court of law circumstantial evidence and hearsay play a much bigger role in a conviction.

Step 5 talks a lot about circumstantial evidence playing a much bigger role in non-criminal investigations. Many of the situations in which these tactics could be used would be for private reasons such as a background check or cyber stalking.

Get to the Point

So why did I go through this whole thing? I did it to show how your privacy is gone whether or not you wanted it to be. You could delete every electronic account you have but through your associates your privacy will still be compromised on some level. That doesn’t mean you’re helpless but it does mean you should be more cautious about who has access to your data. People often don’t treat social media with the respect it deserves. I can’t count the number of times I’ve seen people be connected to someone that they don’t know or would never associate with in a non-internet way. Those connections seem too insignificant so they get ignored but we’re at a point where they are not so insignificant anymore.

Everyone is connected by 6 degrees of separation. I am just spending a little more time making sure the people closest to 1 are the people I really want there.

That’s all for this time.  Chime in below with your thoughts, and go read something else: https://itinthed.com/read/ or listen to past IT in the D podcast episodes: http://www.ITinTheD.com/listen/ to get some more helpful advice.