The Internet's Secret Police Come Out Of The Shadows

As everyday users become aware of cyber crime and a mounting cyber war, companies such as Twitter, Facebook, and Google are opening up about their private security forces.

There’s an invisible war happening on the Internet, and with the exception of a few recent, high-profile cases, you've only noticed one side’s victories.

Mostly, you're sucked into it when your password gets stolen, an ad you click sells you counterfeit goods, or your malware-infected friend emails you a link to an Eastern European fake Cialis store. But you almost never think of this stuff when it's not happening to you.

Last year, Google shut down 224 million ads promoting sketchy goods or websites. Pinterest recently purged so many spam bots that follower counts fell across the network. And despite being cited as access points for phishing and other hacker attacks, Facebook prevents bad guys from accessing 600,000 accounts using stolen passwords every day.

Dedicating significant resources to protecting online products is the modern cost of doing business for large Internet companies. Only recently, however, have they started to really talk about it.

"When I first started talking to people about this a year ago," says David Baker, who as the director of engineering for advertising overseas ad security, "a lot of the questions were, ‘okay, Google is finally doing something about this’…I had to explain to them that, no, we’ve been working in this space for many years, pretty much as long as Google has had advertising." In 2009, for instance, Baker's team shut down a group of sites that were selling digital cameras at prices that looked good—until a follow-up call suggested customers also buy batteries and other accessories that should have already been included. More recently, it caught scammers in China who were posting ads for used cars they didn’t own and then filling orders by stealing them.

Baker, who has long blond hair and a jovial demeanor, doesn't look like the character a movie director might cast as an engineer. A request he made about 18 months ago similarly swung outside the stereotype. He wanted to talk to people. More specifically, he wanted to talk about Google's ad security work. "I could see her initial reaction was one of apprehension," he says of the first Google PR person he talked with about the idea. "Here’s this long-haired hippie freak engineer who wants to talk about all these nasty things on the Internet."

But soon, Baker says, she got more excited about the idea than he was. Google had discussed its ad security efforts before, but last year it started publishing stats about the bad ads it blocked. The search giant wasn’t alone in raising the profile of its ad security efforts. AOL, Facebook, Google, and Twitter, along with the Interactive Advertising Bureau, launched the Ads Integrity Alliance in 2012 with goals to share information about bad ads and a very public launch.

Other security teams across the Internet's most popular services say they've noticed a similar shift, if not as formal of one. "In the security world I think, it used to be that companies were afraid to acknowledge that anything bad ever happened," says Joe Sullivan, who oversees about 200 employees as Facebook's chief security officer. "But when it comes to security on the Internet, I think we all understand the reality now is that every legitimate site on the Internet is under constant attack."

Even President Barack Obama acknowledged that a new cyber war could be much more than a government problem. Shortly after it was revealed that the Wall Street Journal, New York Times, and other prominent news organizations had been hacked, and shortly before a report showed a secretive unit of the Chinese military was believed to be involved in stealing data from U.S. organizations, President Obama signed an executive order that would allow intelligence about cyber warfare to be shared with private companies.

Sullivan's team at Facebook handles everything from subpoenas to malware. In December, it worked with the FBI to shut down a botnet that had infected 11 million computers, a portion of which belonged to Facebook users. But when I bring up this incident, what I assume to be an achievement, to Sullivan, e-crimes manager Mat Henley and Internet threat researcher Mark Hammel, there’s no boasting. "Ideally, none [of our efforts would be public], Sullivan explains later. "The goal is, we don’t like when we’re in clean up mode.… We prevent the problems from happening."

He chalks up some increasing visibility of his security team to simply being proactive. Cases where Facebook reaches out to law enforcement, like the botnet case, are more likely to be publicized. "You have to find a balance," he says. "You have to build really strong walls. But you want to set up an environment where people don’t try to crawl over the walls."

Del Harvey, Twitter's director of trust and safety, says Internet companies as a whole have been started to be more open about their natural limitations. If someone is sending harassing messages online and says they're going to show up in person, for instance, users should get law enforcement involved. "Even if we suspend their account, that is not going to stop their car," she says. "If they are driving to your house, it’s not like, 'Oooh, engine shut off. They must have killed my Facebook.' It doesn’t work that way. And not acknowledging that reality is absolutely doing users a disservice." She's also taken to noting at industry conferences the fact that—with fake email addresses, disposable phone numbers, and proxy servers—no user can be permanently blocked.

Sullivan may have noticed a widespread understanding that malicious behavior exists everywhere on the web, but to Baker, who works only with ads, there's still a long way to go before talking about online mischief—blocked or otherwise—doesn't come as a shock to most people. "I don’t think that enough people are aware of the stress that exists on the entire Internet, beyond Google," he says. "I don’t think there is a broad common recognition that you need to protect yourself from threats."

The reality, however, is that sites like Google, Facebook, Twitter and others couldn’t exist without their mischief patrol teams. Facebook's security team just laughs when I bring up their hypothetical nonexistence. "We would have been overrun by spam," Twitter's Harvey says.

[Image: Flickr user David Goehring]