Image: Cathryn Virginia/Motherboard
The guide also explains how to avoid detection by Facebook.
Blackdot Solutions, a startup based in Cambridge, UK, offers a product called Videris. On its official website, Videris appears to be just like any other open source intelligence (OSINT) collections tool. But in a user manual obtained by Motherboard, Blackdot offers step-by-step instructions to customers on how to mine data from Facebook and LinkedIn profiles that have certain privacy settings turned on. The idea is to create sock puppet Facebook accounts to befriend targets and mine their data, which is usually not available publicly on the internet.
“The surface part of the program was typical but I noticed the use of fake social media accounts and did not think that aligned with company values,” a person who saw a demo of Videris, and asked to remain anonymous because they were not allowed to speak to the press, told Motherboard. “The fake accounts were against social media platform policy and used algorithms to unravel private networks, which seemed like an invasion of privacy.”
Companies all over the world, including giants like Amazon, are increasingly employing intelligence analysts who can monitor their own workers, as well as prospective employees, to find data on their pasts and internet activities. Companies like Blackdot have stepped in to offer products to make those processes easier.
“In 2015 Blackdot started selling Videris as a standalone product to government clients, where it proved instantly transformational,” the company says on its official website. “Since 2016 we have wound down our risk agency activities and focused solely on our software, expanding to other sectors. Videris quickly gained a reputation for being the best open source investigations software available, and gained customers across the government, banking, corporate and professional services sectors.”
Do you work at Blackdot Solutions? Have you ever used its product Videris? We’d love to hear from you. Using a non-work phone or computer, you can contact Lorenzo Franceschi-Bicchierai securely on Signal at +1 917 257 1382, on Wickr at lorenzofb, OTR chat at [email protected], or email [email protected].
Adam Lawrance-Owen, Blackdot’s head of product, said in an email that “a core principle of Videris as a product, and a fundamental ethical and business principle for our company, is that the user can access publicly available, open source information only. Videris cannot be used to go behind privacy settings, as your email suggests. None of our customers use, or could use, Videris for such a purpose.”
When we showed Lawrance-Owen the relevant pages of the user manual, he said that he had “not seen this document before and it certainly isn’t our user manual.” We then shared the whole document, and Lawrance-Owen said that he could not “really comment on the document you attach, except to tell you that, while it references our functionality, it isn’t our standard user guide. I wasn’t aware of this document and it also appears to be 2 years old.”
“Videris does not and cannot break privacy settings,” he added, while never denying that the company may help customers create fake accounts to get around those privacy settings, as the manual makes clear.
In the user manual, dated September 2018, Blackdot details how Videris can be used to scrape the internet for information about a certain person or company. Videris then organizes the data in easy-to-understand charts and graphs, according to the manual.
If the target of the investigation has a Facebook profile where they protect information, such as their friends list, with their privacy settings, Blackdot suggests customers “recreate” the list by adding “seed” Facebook profiles to Videris. This process, according to the manual, consists of extracting the names of friends by analyzing their interactions with the target, such as likes on pictures.
The manual also suggests creating fake accounts to mine data, and includes detailed step-by-step instructions, such as creating a new Gmail account, linking it to a new phone number, and using a proxy server—all solutions to prevent Facebook and LinkedIn from spotting the fake accounts and banning them.
“After intense periods of data collection, certain data providers have been known to restrict the access of online accounts used by Videris. Videris automatically detects restrictions and disables affected accounts, removing them from use,” the manual warns.
After creating the fake account, the manual also suggests users should “break-in the account by randomly browsing and searching for 5-10 minutes.”
For LinkedIn, the manual suggests using a “non specific job title” like consultant and “a common and uninteresting company name and a broad industry (e.g. ‘Human Resources’).”
Just like with Facebook, the manual suggests that users “break-in” the fake account by spending a few minutes using the site, searching for profiles and “browsing around LinkedIn to reduce the chance of the LinkedIn account being blocked at a later stage.”