Last Week in Tech Law and Policy, Vol. 16: The Art of Deception: a Gift or a Curse?

(by Annie Tooley, Colorado Law 2L)

Following on last week’s post, another dark cloud continues to loom over the Internet: malware. Malware is somewhat two-faced.  On one side, hackers use malware to gain access to personal information.  On the other side, the government uses malware to track down criminals and terrorists.  But what happens when the line separating the two starts to blur?  This post will explore the “good” and “bad” sides of deceptive delivery of malware.

Malvertisements: The Marriage of Malware and Advertisements

Users of a growing number of big-name websites are falling victim to poisoned advertisements, or malvertisements: more than 260 percent more than last year. The New York Times reported a huge hit at the beginning of August, when hackers used Yahoo’s ad network to compromise advertisements and send infected code to computers running outdated versions of Adobe Flash:

The scheme, which Yahoo shut down on Monday, worked like this: A group of hackers bought ads across the Internet giant’s sports, news and finance sites. When a computer — in this case, one running Windows — visited a Yahoo site, it downloaded malware code.
From there, the malware hunted for an out-of-date version of Adobe Flash, which it could use to commandeer the computer — either holding it for ransom until the hackers were paid off or discreetly directing its browser to websites that paid the hackers for traffic.

Additionally, The Register released a six-page report (Intro, The pitch, Fire sale, Mad men, “…” – That’s what big ad networks say about malvertising, and Crisis Meeting) thoroughly explaining the severity of this increasing threat and how big-name websites and their ad networks are turning a blind eye:

The biggest-name news websites and web properties have been hosed: The New York Times, Reuters, Yahoo!, and Bloomberg are just a few. Yahoo! and Google’s fragile ad networks have also seen their news and YouTube assets popped.
“Their (ad networks) defence is that ‘this is a one percent problem and I don’t want to design for it, 99 percent is good enough’,” says Spiezle. “But one percent last year was over 15 billion impressions.” The Online Trust Alliance formed the Advertising and Content Integrity Working Group to bring in the advertising players to help address the malvertising scourge, but it lacks interest from the big players., the online dating site Plenty of Fish, Telstra, and the Huffington Post have also come under attack.

Fake News Stories Created by the FBI

Relatedly, the FBI is under attack for behavior that raises both eyebrows and questions about whether its use of deception to track criminals has gone too far.  An Ars Technica report highlights the issue:

The Associated Press filed a lawsuit (PDF) this morning, demanding the FBI hand over information about its use of fake news stories. The case stems from a 2007 incident regarding a bomb threat at a school. The FBI created a fake news story with an Associated Press byline, then e-mailed it to a suspect to plant malware on his computer.
The FBI e-mailed the fake news story via a link to a suspect’s MySpace account. The e-mail was made to look like it came from The Seattle Times. When the suspect clicked on the link, FBI software revealed his location and IP address to agents working the case. A juvenile suspect was arrested on June 14, 2007.

In a New York Times op-ed, FBI Director James Comey responded on behalf of the FBI and said that “[w]e do use deception at times to catch crooks, but we are acting responsibly and legally.” Comey also admitted that in addition to the fake news story, an “undercover officer also portrayed himself as an employee of The Associated Press.”

General Counsel for The Associated Press, Karen Kaiser, stressed that the FBI “both misappropriated the trusted name of The Associated Press and created a situation where our credibility could have been undermined on a large scale.”

In light of this dialogue about malware and deception, security and privacy questions remain unanswered. Will hackers ever be completely put to rest, or will they forever find new mediums to distribute malicious software? Has the FBI stretched too far, or is this mode of deception acceptable because it targets suspected criminals?