Confessions of an Internet Snoop

I was an Internet snoop.

There, I said it.

No, this isn't some former Agency tell-all blog post, sorry. I base the above confession not on my Agency time, or even my law enforcement work. I was a snoop long before that.

I became a snoop because I have a knack for finding just about anything or anyone on the Internet. I've used this line a lot in job interviews. It landed me at a company you may have heard yodeled back in the day. I worked several related, but different, positions at this company, and each one had an element of customer knowledge that would make most people uneasy if they ever knew about it.

The first group I was hired into was looking for someone who was familiar with pirated material and who didn’t shy away from having to review websites or uploaded user content that contained all manner of the sorts of things the Internet was built for transmitting (you know, the bad stuff). I just wanted a job at this place, and didn’t much care what they wanted me to do. The fact that it involved illicit or pirated material was nerdy-cool-guy icing on the cake.

Excuse me, I believe you have my stapler...

My regular work involved identifying and tracking pirated material on our web servers and then working with our production engineers to remove it and create tools to make it harder for the pirates to exploit our servers. It was because of this level of involvement that I became a snoop. And much later, it was this experience that got me into my current lines of work. For better or worse, Internet snooping made my career.

At the turn of the last century most Internet companies did not yet have specific tools or procedures developed for addressing the vast amounts of pirated material being passed around the net. When I started doing this work I didn’t have any custom tools. The only way to identify material I suspected to be in violation of our terms of service was to log into the suspected user account and review the content. This usually involved logging into the "suspect" user's public directory on our server, but if you weren’t careful enough to log out each time, or accidentally went to check your own account (hey, you can’t tell me you worked at an Internet company and didn’t surf the web all day while at work. It’s called multitasking, people!) you could log into their email account or another directory and see personal files or communications. Think of it like accidentally using the master key to a building instead of a designated key to just one office in that building.

It wasn’t until much later when I worked in another office within the same company that I realized this was a huge internal problem. At that time I was doing audits of company employee access to various user database tools. A large company like this amassed quite a valuable user database, full of all sorts of useful info that was not only worth quite a lot to them, or advertisers that paid to pump ads to users over the service, but also quite valuable to outside influences as well. We suspected that certain competitors of ours were sending people to get jobs at our company only to gain access to our user data. At the very least, people were fired for having used their positions within the company to sell user data they had access to, or just spy on people. I also heard hushed rumors that certain criminal groups were doing the same thing.

I don’t doubt it; in fact, I would be surprised if this type of “competitive intelligence” or illegal activity didn’t happen on a regular basis. Internal company security elements were charged with keeping the most egregious cases within a tight circle of related departments, usually legal, HR and some form of operations. This was prior to mandated user notifications for data breaches, so these incidents were brushed under the rug with relative ease.

Recent cases from companies like Apple or even Target really highlight the possibilities here, especially when a breach of company information centers on a new product release or insider threat. My experience, however, was more related to poor employee access control to that sensitive information.

What sort of sensitive information am I talking about here? How about email content? I once accidentally logged into a user account after using a tool to review a suspected pirated file in the user’s website account. I was moving too quickly through various browser windows and went to check my own account without logging out of the tool I was using. The tool would essentially authenticate my session on that user’s account, making it look like that user had logged in from my computer. I could then move around our different properties (products, etc.) logged in as that user. In this case I found myself looking at some kind of odd chat log between two people having an affair when I accidentally logged into a file storage account. I realized all this when I checked my personal storage account and saw all these files I didn’t recognize. I checked the first one and saw the log. This sort of thing happened on a daily basis with all of us doing this work. It's amazing how many people put real information in sign up forms for free services. That fact meant that the user's account details could have most likely been easily verified and linked to the explicit chat logs I had mistakenly discovered. I'm not really the type for blackmail, but the ammo was ripe for the picking nonetheless.

In another occurrence, a former colleague in engineering was watching network traffic on the company servers around 9/11/01 and believes he spotted “chatter” (which much later the 9/11 Commission Report validates) from those involved. Then there were private message boards, some of them with financial info. The possibilities were endless!

This really highlights our growing (or should I say full grown) use of the Internet as an identity storage device. We pump it full of the most intimate details about ourselves (saw that stuff too folks) on a regular basis. All of it being monetized and just looked at by cubicle-dwelling recent college graduates – then there is a crazed uproar when classified information is released (without actual context being provided by a knowledgeable source) about our Intelligence services performing signals intelligence on the backbone of the Internet. The public outcry is coming way too late in my mind. This is evident when you have a chance to work in both areas, as I have. Nothing moves quite as slow as progress in the Federal Government. Logically, if the Intelligence Community is sifting through loads of user traffic, private companies have been doing it for at least a decade prior, and more efficiently. Guaranteed.

I was a snoop long before I was a government snoop. When I became a government snoop I was regulated, professionalized and given a mission. The fact that there is a free flow of our prized user data to commercial entities every second of every day, and not one person up in arms about it is mind-blowing.

In the next installment of this confession I’d like to focus on how corporate collection of bulk user data compares to the Government’s collection of the same. Is it any more acceptable to have a government worker at an intelligence agency write and execute an algorithm on SIGINT collected from an ISP compared to say an engineer sitting in Menlo Park working at Facebook doing the same?

Theodore W. Weaver