In 2012, Technology Review reported on a technique that it described as "Star Trek-style cloaking," which involved using deactivated Facebook accounts; accounts activated only briefly, to gain intelligence on a target.
I first began to suspect that this was possible when I received a friendship request from an account which completely mirrored that of a real friend. At first I thought he had unfriended and refriended me, so I added him without much thought. Then a day later my real friend warned on his newsfeed that someone had created a clone account, to delete the new "person." One day is more than enough to acquire a person's entire picture gallery, to gain intelligence about a targets' friends, movements, most frequented establishments, etc.
Realizing what a huge security flaw cloned accounts represented, I began to ask around. My friend Mortimer [not real name,] who works for a US government agency which I'd rather not name, confirmed that the Department of Homeland Security routinely works with private companies that, operating without the constitutional constraints which bind the hands of sworn government agents, mine data in ways that would make even former NSA head General Keith Alexander cringe.
The US federal government is, for example, forbidden by the Firearms Owners' Protection Act of 1986 from building a registry linking certain weapons to their owners. This law, however, does nothing to prevent a private entity from building such a registry, as was the case with the National Rifle Association, which in 2013 was criticized for having the "largest privately held database of current, former, and prospective gun
owners... well beyond its estimated 3 million members."
According to Buzzfeed, the NRA built this database "through years of acquiring gun permit registration lists from state and
county offices, gathering names of new owners from the thousands of gun
safety classes taught by NRA-certified instructors and by buying lists
of attendees of gun shows, subscribers to gun magazines, and more."
Mortimer informed me that access to these private databases is indirect, preferably involving informants employed by the companies conducting the digital espionage, but at times with companies created with direct government assistance. This disconnect allows the US government to maintain a stance of deniability in regards to activities that would be deemed unlawful if carried out by government agents. Further adding to the legal disconnect is the fact that many companies engaging in mass datamining usually do so in a jurisdiction where it makes it difficult for an intended target to file legal grievances.
Most worryingly, the "Five Eyes Alliance" between the United States, the United Kingdom, New Zealand, Canada, and Australia -- a data-sharing agreement forged by the allies after World War II -- allows these countries to freely exchange data on one another's citizens. In a 2013 article -- Is The Five Eyes Alliance Conspiring to Spy on You? -- The Atlantic reported that Britain "has secretly gained access to the network of cables which carry the world's phone calls and internet
traffic and has started to process vast streams of sensitive personal
information which it is sharing with its American partner, the National
Security Agency."
The numerous intelligence agencies which make up the Five Eyes alliance operate a laundry list of private companies on foreign soil, all with the objective of collecting information on other nations' citizens which is then indirectly passed back to a requesting nation's intelligence agency -- with the method of acquisition redacted to protect the front companies.
Using information provided by Mortimer, we were able to establish that a company somewhere in Eastern Europe specializes in creating cloned facebook profiles. These cloned profiles are used to fool people into accepting a friend request, before quickly going dormant. Another, more complex method involves briefly gaining access to a person's facebook account, and quickly sending a friend request to the spy account. A record of having accepted the account is erased, the cloned account goes dormant, and a target would never even realize that every few months a "friend" reactives his account and steals pictures, posts, and the activity log.
To test if I had any cloaked accounts tracking me, I purchased a keffiyeh and took a fake trip to the United Arab Emirates. I went dormant on facebook for a couple of days and then posted pictures of myself allegedly in the UAE, using some of my girlfriend's old pictures and videos from when she visited last year.
There is a possibility that someone who directly works for a foreign government/front company reported this information, as I had nearly 1,000 facebook friends, many of them in law enforcement, but I'm almost certain that it was a cloaked account due to the nature of the reporting.
Suffice it to say, information about my trip to the United Arab Emirates made its way to a company in New Zealand, information which was later made available after a routine request. Upon learning that I was under surveillance by a cloaked facebook account, I immediately began the painstaking task of unfriending all of the accounts on my friends list.
When I was finished, there were 4 accounts, just as expected. I couldn't easily delete these four accounts, and the odds of me being able to spot them while logged in are extremely low.
Though facebook reported that the cloaking flaw was fixed in 2012, it still remains very difficult to notice what essentially amounts to a tiny discrepancy in the number of active accounts versus the number of inactive accounts.
When it comes to gathering intelligence on researchers who use Wikileaks, it seems that there truly are no boundaries. Every digital decision may involve an espionage trap on the indirect behalf of the Fives Eyes Alliance, even something as innocuous as accepting a friend request.
Installing Marauders Map, an app that tracks if a person has unfriended you or deactivated their account, is the only way to make sure that you don't have cloaked spies checking in on you.
[Countries have been changed to protect sources.]
