In Review: Bellingcat and the unstoppable Mr Higgins

By John Naughton

Review of We are Bellingcat: An Intelligence Agency for the People, by Eliot Higgins, Bloomsbury, 255pp

On the face of it, this book tells an implausible story. It’s about how an ordinary guy – a bored administrator in Leicester, to be precise – becomes a skilled Internet sleuth solving puzzles and crimes which appear to defeat some of the world’s intelligence agencies. And yet it’s true. Eliot Higgins was indeed a bored administrator, out of a job and looking after his young daughter in 2011 while his wife went out to work. He was an avid watcher of YouTube videos, especially of those emanating from the Syrian civil war, and one day had an epiphany: “If you searched online you could find facts that neither the press nor the experts knew.”

Higgins realised that one reason why mainstream media were ignoring the torrent of material from the war zone that was being uploaded to YouTube and other social media channels was that these outlets were unable to verify or corroborate it. So he started a blog — the Brown Moses blog — and discovered that a smattering of other people had had a similar realisation, which was the seed crystal for the emergence of an online community that converged around news events that had left clues on YouTube, Facebook, Twitter and elsewhere.

This community of sleuths now sails under the flag of Bellingcat, a name taken from the children’s story about the ingenious mice who twig that the key to obtaining early warning of a cat’s approach is to put a bell round its neck. This has led to careless journalists calling members of the community “Bellingcats” — which leads them indignantly to point out that they are the mice, not the predators!

The engaging name belies a formidable little operation which has had a series of impressive scoops. One of the earliest involved confirming Russian involvement in the downing of MH17, the Malaysia Airlines aircraft brought down by a missile when flying over Ukraine. Other impressive scoops included identification of the Russian FSB agents responsible for the Skripal poisonings and finding the FSB operative who tried to assassinate Alexei Navalny, the Russian democratic campaigner and Putin opponent who is now imprisoned — and, reportedly, seriously ill — in a Russian gaol.

‘We are Bellingcat’ is a low-key account of how this remarkable outfit evolved and of the role that Mr Higgins played in its development. The deadpan style reflects the author’s desire to project himself as an ordinary Joe who stumbled on something significant and worked at it in collaboration with others. This level of understatement is admirable but not entirely persuasive for the simple reason that Higgins is no ordinary Joe. After all, one doesn’t make the transition from a bored, low-level administrator to become a Research Fellow at U.C. Berkeley’s Human Rights Center and a member of the International Criminal Court’s Technology Advisory Board without having some exceptional qualities.


One of the most striking things about Bellingcat’s success is that — at least up to this stage — its investigative methodology is (to use a cliché) not rocket science. It’s a combination of determination, stamina, cooperation, Internet-savviness, geolocation (where did something happen?), chronolocation (when did it happen?) and an inexhaustible appetite for social-media-trawling. There is, in other words, a Bellingcat methodology — and any journalist can learn it, provided his or her employer is prepared to provide the time and opportunity to do so. In response, Bellingcat has been running ‘boot camps’ for journalists, first in Germany, Britain and France, with the US hopefully to follow. And the good news is that some mainstream news outlets, including the New York Times, the Wall Street Journal and the BBC, have been setting up journalistic units working in similar ways.

In the heady days of the so-called ‘Arab spring’ there was a lot of excited hype about the way the smartphone had launched a new age of ‘Citizen Journalism’. This was a kind of category error which confused user-generated content badged as ‘witnessing’ with the scepticism, corroboration, verification, etc. that professional journalism requires. So in that sense one could say that the most seminal contribution Bellingcat has made so far is to explore and disseminate the tools needed to convert user-generated content into more credible information — and maybe, sometimes, into the first draft of history.

Mr Higgins makes continuous use of the phrase “open source” to describe information that he and his colleagues find online, when what he really means is that the information — because it is available online — is in the public domain. It is not ‘open source’ in the sense that the term is used in the computer industry, but I guess making that distinction is now a lost cause because mainstream media have re-versioned the phrase.

The great irony of the Bellingcat story is that the business model that finances the ‘free’ services (YouTube, Twitter, Facebook, Reddit, Instagram et al) that are polluting the public sphere and undermining democracy is also what provides Mr Higgins and his colleagues with the raw material from which their methodology extracts so many scoops and revelations. Mr Higgins doesn’t have much time for those of us who are hyper-critical of the tech industry. He sees it as a gift horse whose teeth should not be too carefully examined. And I suppose that, in his position, I might think the same.

Forthcoming in British Journalism Review, vol. 32, No 2, June 2021.

Clubhouse in China shows that even “harmless” apps may put individuals in harm’s way

by Alina Utrata

Up until last week, most people hadn’t heard of the voice chatroom app Clubhouse — popular mostly with LA celebrities and Silicon Valley elites (the venture capital firm Andreessen Horowitz has invested tens of millions of dollars in the platform). The reason the app gave off such an air of exclusivity was that not just anyone could join: new users required an invite from a current user in order to sign up. Clubhouse’s growth has accelerated recently, especially after Elon Musk tweeted about it, with some invites being auctioned off for up to $125. But the recent uptick in user growth has underscored a privacy nightmare that is almost certainly putting Clubhouse users and non-users at risk — and in some cases even putting them in danger.

The problem centers on Clubhouse invites. In order to invite someone onto the platform, you must allow the app access to your contact list. The app then uploads your entire contact list — and lets you know how many Clubhouse users also have your contacts in their phone’s contacts. Because of Clubhouse’s aggressive contact list collection policy (you literally cannot be invited onto the app unless one of your contacts has allowed Clubhouse access to their contacts), the app has the capacity to quickly accumulate a “social graph.”
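The mechanism described above is simple to picture. The sketch below is a hypothetical illustration (the user names and phone numbers are invented, and nothing here reflects Clubhouse’s actual code): once each consenting user’s full address book is uploaded, the service can build a reverse index that counts how many users hold any given number — including numbers belonging to people who never joined the app.

```python
from collections import defaultdict

# Hypothetical data: each user who grants contact access
# uploads their full address book to the service.
uploaded_contacts = {
    "user_a": ["+15550001", "+15550002", "+15550003"],
    "user_b": ["+15550002", "+15550004"],
    "user_c": ["+15550002", "+15550003"],
}

# Reverse index: for every phone number ever seen, which users
# hold it. Note that the owners of these numbers need not be
# on the app at all for the service to learn this.
holders = defaultdict(set)
for user, contacts in uploaded_contacts.items():
    for number in contacts:
        holders[number].add(user)

# How many users know each number:
counts = {number: len(users) for number, users in holders.items()}
print(counts)
```

In this toy example the service learns that three of its users know “+15550002”, whether or not that person has ever signed up — which is exactly the asymmetry the article is describing.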

Some, like Will Oremus, have pointed out that this is a little bit “creepy.” You can suddenly see how many people have your therapist (or drug dealer) in their contact list, revealing networks or connections that were previously invisible. This “invite a friend” practice is also, as Alexander Hanff pointed out, almost certainly illegal under GDPR. By providing your contact list to Clubhouse, you have shared your contacts’ personal information with the company without their consent. And while you may know that a friend shared your phone number with Clubhouse if you received an invite, Clubhouse also knows how many of its users have your phone number in their contacts — whether or not you are on the app at all.

For places where GDPR does not apply, it is unclear whether this type of non-consensual data collection is illegal. As a California resident, I have the right to request that companies delete my personal information under California’s Consumer Privacy Act of 2018 — and I wrote to the company to specifically request that Clubhouse delete my phone number that other users have shared. Clubhouse (or its parent company, Alpha Exploration Co) has 45 days to respond or request a 90-day extension.

While I personally find this type of data collection irritating, it may literally be a matter of life or death for others. Just this week, some articles have triumphantly proclaimed that “Clubhouse cracked the Great Firewall.” Chat rooms entitled “Does Xinjiang have concentration camps?” and “Friends from Tibet and Xinjiang, we want to invite you over for a chat” appeared on the platform, and were supposedly attended by individuals from mainland China (who downloaded the app via VPN, as Clubhouse is not available in China’s Apple app store). Clubhouse has since been shut down by China’s censors.

However, a report by the Stanford Internet Observatory pointed out that there are major security flaws in the Clubhouse app that almost certainly have put Chinese users and non-users of the app at risk. The SIO report found multiple problems with Clubhouse’s security — including lack of encryption for sensitive information; the use of back-end infrastructure software from a company based in Shanghai, which may therefore be legally obligated to share information with the Chinese government; and unclear policies surrounding Clubhouse’s storage and retention of chatroom audio. The report noted that “in at least one instance, SIO observed room metadata being relayed to servers we believe to be hosted in the PRC, and audio to servers managed by Chinese entities and distributed around the world via Anycast. It is also likely possible to connect Clubhouse IDs with user profiles.”

Clubhouse has almost certainly put attendees of those discussions who live in or have connections to mainland China at risk of retaliation from the Chinese government. It may also, by implication, have put non-Clubhouse users at risk, depending on how securely the users’ contact list data was stored. Even individuals who did not join the app or participate in the chatrooms may find themselves implicated if their phone number is found in the contact lists of individuals who are now associated with politically sensitive issues by virtue of participating in the Clubhouse chatrooms. 

This issue extends beyond the China context. As Dr Matt Mahmoudi discussed with me on my most recent podcast episode, data collection can be a death sentence. If individuals who work with undocumented immigrants, for instance, join Clubhouse, the network effects of their combined contact lists can reveal phone numbers and therefore the identity of undocumented individuals — and, if shared with or demanded by ICE, lead to deportations.

In the wake of the Stanford Internet Observatory report, Clubhouse has said that it is reviewing its data protection practices. But the fact remains that this comes only after individuals have already been put at risk by Clubhouse’s poor data practices. These issues were easily predictable and preventable, underscoring the need for a duty of care and risk assessment for even seemingly “harmless” apps. And — as a rule of thumb — the less data collected, the better.

Trust in/distrust of public sector data repositories

Posted by JN

My eye was caught by an ad for a PhD internship in the Social Media Collective, an interesting group of scholars in Microsoft Research’s NYC lab. What’s significant is the background they cite to the project.

Microsoft Research NYC is looking for an advanced PhD student to conduct an original research project on a topic under the rubric of “(dis)trust in public-sector data infrastructures.” MSR internships provide PhD students with an opportunity to work on an independent research project that advances their intellectual development while collaborating with a multi-disciplinary group of scholars. Interns typically relish the networks that they build through this program. This internship will be mentored by danah boyd; the intern will be part of both the NYC lab’s cohort and a member of the Social Media Collective. Applicants for this internship should be interested in conducting original research related to how trust in public-sector data infrastructures is formed and/or destroyed.

Substantive Context: In the United States, federal data infrastructures are under attack. Political interference has threatened the legitimacy of federal agencies and the data infrastructures they protect. Climate science relies on data collected by NOAA, the Department of Energy, NASA, and the Department of Agriculture. Yet, anti-science political rhetoric has restricted funding, undermined hiring, and pushed for the erasure of critical sources of data. And then there was Sharpie-gate. In the midst of a pandemic, policymakers in government and leaders in industry need to trust public health data to make informed decisions. Yet, the CDC has faced such severe attacks on its data infrastructure and organization that non-governmental groups have formed to create shadow sources of data. The census is democracy’s data infrastructure, yet it too has been plagued by political interference.

Data has long been a source of political power and state legitimacy, as well as a tool to argue for specific policies and defend core values. Yet, the history of public-sector data infrastructures is fraught, in no small part because state data has long been used to oppress, colonize, and control. Numbers have politics and politics has numbers.  Anti-colonial and anti-racist movements have long challenged what data the state collects, about whom, and for what purposes. Decades of public policy debates about privacy and power have shaped public-sector data infrastructures. Amidst these efforts to ensure that data is used to ensure equity — and not abuse — there have been a range of adversarial forces who have invested in polluting data for political, financial, or ideological purposes.

The legitimacy of public-sector data infrastructures is socially constructed. It is not driven by either the quality or quantity of data, but how the data — and the institution that uses its credibility to guarantee the data —  is perceived. When data are manipulated or political interests contort the appearance of data, data infrastructures are at risk. As with any type of infrastructure, data infrastructures must be maintained as sociotechnical systems. Data infrastructures are rendered visible when they break, but the cracks in the system should be negotiated long before the system has collapsed.

At the moment, I suspect that this is a problem that’s mostly confined to the US. But the stresses of the pandemic and of alt-right disruption may mean that it’s coming to Europe (and elsewhere) soon.
