DECEPTION IN CYBERSPACE
Bill Hutchinson and Mat Warren
We live in a world of illusion. Our senses are limited
and our brain interprets our imperfect sensory inputs
in ways based on our education, intelligence, cultural
background, and our immediate surroundings, past experiences,
mood, and a multitude of other factors. We deceive
ourselves every day of the year. However, this article
is about how others deliberately deceive us, sometimes
using the very limitations mentioned before. It will
concentrate on deception in cyberspace but the principles
are relevant in many situations and using many media;
most of which are not hi-tech.
Manipulating data to produce outcomes desired by the manipulator
has been routinely practiced since the dawn of history.
From a soldier's camouflage suit to the company brochure
skilfully crafted by corporate spin-doctors, individuals
and organisations choose data (signals) to send out
into the world, which suits the image they want to
be portrayed. Documents and photographic images
have been faked to alter history for many years. However,
the advent of digital data has made manipulation of
images, text, sounds, and even smells much easier.
Innovations in the creation of perceptual peripherals
have made the impact of manipulated data reach a profound
level.
Principles of Deception
For our purposes, deception is defined as the deliberate
alteration of data or a situation's context to promote
a desired outcome. Therefore, it does not include
self-delusion, or a person's natural tendency to use
mental models to interpret things in an individual
way. The definition places emphasis on a second party
being involved, where that person or organisation
is consciously trying to create deception.
The word 'deception' tends to imply a negative motive.
For instance, the following words were derived from
the Thesaurus of the MS Word package used to create
this document: illusion, sham, stratagem, hoax, cheat,
lie, delude, trick, betray, swindle, hoodwink, defraud,
con, dupe, and mislead. Many of these words indicate
an action and/or a negative motive. However, it is
the motive which ultimately decides the ethics of
a situation where a deception is used.
However, to really understand deception, it is necessary to
define the words: 'data', 'information', and 'knowledge'.
There are many definitions of these terms but for
our purposes, the best is derived from Boisot. He
developed a model where data is defined as
the attribute of a 'thing' such as, its colour, shape,
or its value. Whereas, knowledge is an attribute
of an 'agent' (usually this means a human, although
it can be argued that intelligent machines can have
knowledge). Knowledge is a product of experiences,
education, age, gender, culture, and many of the other
factors that make up individuals. He further argues
that humans derive information by using their
knowledge to select appropriate data provided to them
to construct it. Thus, human information is a product
of the data supplied to a human plus their interpretation
of it in a particular context. These definitions imply
that information is personal. No information is 'true',
just an interpretation. We might agree on the 'truth'
about something simple such as the colour of a carpet,
but be at odds about the 'truth' of the causes of
the Gulf War despite limited knowledge of all the
data, and propaganda (data trying to mould the context
of 'facts').
To execute a deception, one or more of these elements
(data, knowledge, or context) must be manipulated.
This can be achieved by controlling the data available
to a human by depriving, adding, deleting, or modifying
its contents, or arranging the time and place it is
delivered (if ever). It is a bit trickier but the
context in which the data is interpreted can be manipulated.
Changing the knowledge base is also possible but is
usually long term and is best left to the great socialising
factors: family, religion, the mass media, peers,
and the education system. Give me the boy until he
is seven...and I'll show you the man!
Thus, to deceive, data can be manipulated to allow the 'targeted'
person(s) only to have access to the subset of data
which will provide the best perceived outcomes for
the deceiver. The data is then interpreted using mental
models (knowledge), which can be affected directly
by other activities such as propaganda and perception
management (such as advertising campaigns). This is
usually a long-term process. However, the context
within which the mental models make the human decide
an outcome can also be influenced by enhancing/decreasing
environmental signals. Of course, the ultimate aim
is to alter behaviour. Thus, just changing thought
patterns may not be enough; changing behaviour is
more difficult.
Deception can be classified into two types:
- Hiding the real;
- Showing the false.
Of course, 'showing the false' involves 'hiding the real'
but not the other way around. 'Hiding' can further
be divided into 'Masking', 'Repackaging', and 'Dazzling'.
'Showing' can be divided into 'Mimicking', 'Inventing',
and 'Decoying'.
Masking occurs when something blends into the background.
This is typical of camouflage. Repackaging occurs
when something is perceived to be something else.
Dazzling occurs when the target knows you are there
but is confused by the overwhelming signals that are sent out.
An octopus squirting ink at a predator momentarily
confuses the attacker. This can be used to escape
or as a diversion to allow an attacker to strike from
a different point (a feint).
Mimicking (spoofing) involves the display of something which
looks like something else. It is similar to masking
but no attempt to hide is made, just to hide the
reality of what is there. Inventing creates a new
reality. Thus a colourful reef fish with a large spot
at its rear creates the impression to an attacker
that its eye is much further back than it is. When
it attacks, the predator makes for the 'wrong end'
of the fish, giving it an ability to dart forward and
escape. Most fashion clothing, uniforms, and make-up
are designed to create a 'new, world reality'. Decoying
openly shows something which it is not. For example,
dummy tanks were used successfully by the Serbs in the
recent Balkans' conflict to confuse attack aircraft.
A successful deception needs planning. The deceiver
needs to know why, what, who, when, and how. There
must be an objective, a target and a story to tell.
The desired outcomes must be known, as should be the
reasons for doing it in the first place. The type
of data (environmental, machine, or direct digital)
will determine the easiest and most effective method
at any given time. This process is ongoing. Situations
are dynamic, and so the methods used must be as well.
Of course, there are two sides to a deception: the deceiver
and the deceived. Individuals and organisations should
have vibrant processes to ensure the integrity of
the data received, processed, stored, and used. There
should also be an awareness of the ability of others
to manipulate perceptions. As such, the humans using
the data should interpret them in the context chosen
by themselves or the organisation they represent.
The sources of data should always be established and
verified.
Deception on the World Wide Web
The digital nature of Web sites and their almost universal
accessibility make them prone to attack. Some examples
of the types of deception listed above can be illustrated.
However, it should be noted that a really successful
deception is one that is unrecognised. Therefore,
the examples below are not truly successful deceptions
but do serve to illustrate the point. Many of them
are obvious and might cause embarrassment but not
deception. Subtle attacks are far more destructive.
The changing of a person's photographic image, or
the insertion of small pieces of text are techniques
that may go undetected until the damage has been caused.
For instance, one can only speculate about the damage
that could be caused by inserting the word 'not' into
an employment advertisement stating 'Applications
from women especially welcome'.
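The subtle insertion described above is the kind of change that an integrity check on published content is meant to catch. The following is an added example, not part of the original article: it seals the approved wording with an HMAC and reports word-level differences in the copy actually served. The key, function names and sample strings are constructed for illustration.

```python
import difflib
import hashlib
import hmac

# Constructed key for the demo; in practice it is kept off the web server.
BASELINE_KEY = b"demo-key-not-for-production"

def normalise(text):
    """Collapse whitespace so re-wrapping alone does not raise an alert."""
    return " ".join(text.split())

def seal(text, key=BASELINE_KEY):
    """Return an HMAC-SHA256 tag over the approved wording."""
    data = normalise(text).encode("utf-8")
    return hmac.new(key, data, hashlib.sha256).hexdigest()

def word_changes(approved, served):
    """List (operation, approved_words, served_words) for every edit."""
    a, b = normalise(approved).split(), normalise(served).split()
    matcher = difflib.SequenceMatcher(a=a, b=b, autojunk=False)
    return [(op, " ".join(a[i1:i2]), " ".join(b[j1:j2]))
            for op, i1, i2, j1, j2 in matcher.get_opcodes() if op != "equal"]

def check_page(approved, tag, served, key=BASELINE_KEY):
    """Verify the baseline itself first, then compare the served copy to it."""
    if not hmac.compare_digest(seal(approved, key), tag):
        # The stored baseline no longer matches its tag: it cannot be trusted.
        return {"status": "baseline-untrusted", "changes": []}
    if hmac.compare_digest(seal(served, key), tag):
        return {"status": "ok", "changes": []}
    return {"status": "tampered", "changes": word_changes(approved, served)}

# Constructed sample content based on the article's advertisement example.
APPROVED = "Applications from women especially welcome."
SERVED = "Applications from women not especially welcome."
REWRAPPED = "Applications from women\n   especially welcome."

if __name__ == "__main__":
    tag = seal(APPROVED)
    print(check_page(APPROVED, tag, SERVED))     # one-word insertion is reported
    print(check_page(APPROVED, tag, REWRAPPED))  # layout-only change passes
```

Sealing the baseline matters as much as the comparison: a check against a baseline the attacker can also edit verifies nothing.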
The concept of repackaging can be practiced on the Web.
Here the user is fooled into believing that something
is what it is not. There are numerous sites that purport
to be what they are not. A Kurdish Liberation Movement
site will appear authentic but really hold messages
and images that further the cause of the nation state
of Turkey. Many terrorist groups use innocuous sites
for passing messages to their membership. Many deceptions
on the Web camouflage their real intent. A common
way to spread a computer virus is to have an attachment
to an e-mail message, apparently with desirable contents,
which is just an unwanted or maybe destructive program.
Propaganda and disinformation have always been a part of making
a point. The contemporary term is 'perception management'
and, as Web sites become the 'faces' of organisations
to the world, more care will be needed to ensure that
the data and its presentation on these sites give
the desired image. Also, it is important that part
of the corporate database shown does not allow its
image to be tarnished or its secrets revealed.
Dazzling is meant to provide data overload to the victim. The
target's resources are thus used up in coping with
the attack rather than its normal operating activities.
Much obvious and malicious hacking is of this type.
Its intent is to embarrass and interrupt operations.
'Spamming' is one way to give this effect. Dazzling
is also used as a feint to distract targets from the
real attack. Therefore, an attacker might flood a
site with emails, or obvious denial of service attacks,
but be really trying to implant a rogue piece of code
while the system administrators are busy coping with
the dazzling attacks.
Deception on the Web can be divided into passive and active.
Many sites contain images that are there to invoke
emotional responses to further the cause of their
creators. As it is easy to set up a site, the contents
of all but a few should be treated with caution. Victims
of a particular illness might desperately search for
data on their condition. Charlatans abound and their
motives for doing what they do might be financial
or just plain 'loopy'. We can be whatever we want
to be at our Web site, or on a chat line. Computer
Cams might add to our sense that what we are seeing
is authentic, but we are easily fooled. On the Internet,
emails are broadcast to people stating that a general's
son is about to be executed in La la Land. Money will
save his life but must be sent within the next week.
It is amazing how many people actually send money.
The authors have knowledge of an intelligent, mature
individual who replied to one of these requests. He
ended up getting threatening phone calls and an apparent
debt of a quarter of a million dollars. It took a
visit to the police and a change of telephone number
to rid this person of unwelcome attention. It is also
of no surprise that the most effective way into a
computer system is not technical wizardry but 'social
engineering': the manipulation of others by convincing
them that you are authentic, either in person or on
the telephone.
The means of deception in cyberspace are numerous; the
table below lists some of the more common types.
| Deception | Description |
| Honeypots/Honeynets | Apparently authentic web sites but really sites to trap hackers/crackers. Used to analyse attack strategies used by hackers. |
| Propaganda | Sites used to espouse certain political or religious beliefs. They are often apparent, but many present 'facts' which can lead to deception occurring. |
| Spamming | Flooding a target site with data. This might just be a nuisance, or a distraction for another attack. |
| Spoofing | Messages appear to be derived from one source but are from another. Used to give credibility to an e-mail message, or to obtain network privileges. |
| Viruses | Malicious programs that pretend to be something else, by embedding themselves into innocuous code. |
| Steganography | The art of hiding one message within another. For instance, an image file might contain a message; whilst the image might be displayed, the hidden message goes undetected. |
| Virtual reality | The combination of software and I/O devices designed to create a whole perception not necessarily based on the physical world. |
| Encryption | Encoding a message to make it unintelligible to those who do not have the key. |
| Lying | Sending deliberately false data (e.g. market information) to create an effect. |
Beyond the Present
In the early 1990s, when the French philosopher Jean
Baudrillard wrote a series of articles called 'The
Gulf War Did Not Take Place', he did not mean that
the events of that conflict did not occur, but that
the reality of the situation had been changed by the
media. The perception that what happened in the Gulf
was a 'real war' was controlled by the data and context
set by the media and fed to the consumer. The implication
is that our senses relating the 'real' world to our
brains are no longer the primary determinant of perception.
The development of wireless technologies and their associated
software and wearable hardware has brought the spectre
of the true human machine. A mobile set of gadgets
could allow you to accentuate your senses (Marks,
2000; Gershenfeld, 1999; Kurzweil, 1999). Some examples
are:
- Infra-red/star light vision;
- Ability to 'smell' other humans in your vicinity;
- Face recognition software that could identify the person
  standing in front of you then display their name and details
  either visually or by voice;
- The ability to find out where you are, and call up a
  map to be displayed on your retina;
- The ability to send real-time movie images of your own
  situation, and so on.
Who could resist these extra abilities? The applications
for these technologies are enormous. Yet so is the
ability to deceive. As humans become almost totally
dependent on digital data for their personal operational
lives, the consequences of deception increase exponentially.
Yet, the implications of contemporary technological development
take digital data into another realm. At one level,
the ability to create a virtual world where you can
have a conversation with someone in Sydney whilst
you are in Prague, and at the same time touch and
feel that person in the bubble of a virtual world,
can stretch the abilities of those who deceive but
also provide enormous potential.
An even higher level of dependence is the creation of
the true human-machine - the cyborg. The physical
merging of mind and machine lifts the data processed
by our brains from photons, volatile chemicals, and
pressure to pure digital data. In the UK, a married
couple have implanted microchips directly into their
nervous systems (under the arm) to be able to 'feel'
their respective 'feelings'. Digital data now totally
replaces 'natural' inputs; this is truly the digital
person. Some of the consequences of this digital world
where many humans are networked and receive purely
digital data into their nervous systems are easy to
imagine. Feeding 'false' or manipulated data into
a system such as this would have enormous implications.
Ironically, in a networked world, the digital enhancement
of the individual would make each one vulnerable to
being turned into the clone (in terms of behaviour)
of everyone around. Whilst the previous argument sounds
more like science fiction, many of the principles
are not. In this case, digital data is your world.
The development of wireless technologies has created a
new, distance free world. The data stored is a part
of you. Recently, an IRA member was convicted
because his mobile telephone logs showed him to be
at certain places at certain times. The US government
now insists that all mobile telephones must be able
to be located to a few metres. Hence, your very position
is always known, or is it? Here the mobile telephone
became that person. It can be reversed: if you want
an alibi, give someone else your telephone and go to
some other place. 'You' are then not where you really
are. The mobile phone (the 'other' you) is somewhere
else.
Conclusion
Deception is a part of life, and the Internet/World Wide Web
are just new tools for its practice. The flexibility
of digital data is one of its great benefits, yet
this very flexibility makes the alteration of data
so easy.
Security can be defined as the function that ensures the survivability
of an organisation or individual, and it is within
this role that deception should be studied. Knowledge
of the methods of deception is essential to protect
your or your organisation's interests. The authors
carried out a survey of Australian information technology
managers to determine perceptions of threats to their
organisations. Interestingly, 66% thought there was
no threat of attack from competitors. This complacency
might be reflective of high ethical behaviour in business
or a dangerous ignorance of the risks involved.
On the other side of the coin, deception is also a part
of strategy. Howard states that force is the strategy
of the strong, and deception the strategy of the weak.
In this case, the Internet has opened up the world
to potential, 'weak' attackers. However, the use of
deception as a tool in individual and organisational
survival should also not be overlooked.
In a world where surveillance is the order of the day
and is entrenched in all facets of life, deception
may be the only way to escape the watchful eyes of
those who wish to control. Devices watch citizens
at work and at play. The locations of people, both
in real time and historically, can be determined by
their mobile telephone records. Financial, tax, medical,
insurance, social security, purchase records...any
number of personal data can be integrated and processed.
In this insidious world of data collection, the most
effective response might just be another massive deception.
May the force of truth be with you!
See Brugioni, D.A. (1999) Photo Fakery: The History
and Techniques of Photographic Deception and Manipulation,
Brasseys Inc., Dulles, Virginia for an excellent and
personal account of the photographic trickery used
in the Cold War.
See Turk, M., Robinson, G. eds (2000) The Intuitive
Beauty of Computer-Human Interaction, Communications
of the ACM, 43, 3 for an explanation of the hardware
and software that is not only perceptive (can recognise
its environment) but perceptual (can enhance a human's
world by increasing the sensory data available).
See Boisot, M.H. (1998) Knowledge Assets. Oxford
University Press, Oxford.
A concise definition is given in the unusual and extremely
useful text Bowyer Bell, J. (1991) Cheating and
Deception, Transaction Publishers, New Brunswick.
This article uses these models. This text is a must
for those who want a basic understanding of the theory
of deception.
See: Gershenfeld, N. (1999) When Machines Start
to Think, Hodder and Stoughton, London; Kurzweil,
R. (1999) The Coming Merging of Mind and Machine, Scientific
American Presents, 10, 3:56-61; and Marks, P.
(2000) Your Everything, New Scientist, 168, 2261:42-46.
See Davenport, G. (2000) Your Own Virtual Storyworld,
Scientific American, 283, 5:61-64.
See Hutchinson, W.E., Warren, M.J. (1999). Attacking
the Attackers: Attitudes of Australian IT Managers
to retaliation against Hackers, Proceedings of
ACIS (Australasian Conference on Information
Systems) 99, December, Wellington, New Zealand.
Howard, M. (1990) Strategic Deception in the Second
World War, W.W.Norton and Company, London.