Update: This story has been updated with additional context from Blackdot Solutions.
A company that markets an online investigations platform for government agencies, banks, and other businesses says publicly that it's based on open source intelligence. In a leaked user manual obtained by Motherboard shows that the company has previously taught customers how to create fake Facebook and LinkedIn accounts to gather information about people that, depending on how it's used by others, can be protected by their privacy settings on those platforms.
The guide also explains how to avoid detection by Facebook.
Blackdot Solutions, a startup based in Cambridge, UK, offers a product called Videris. On its official website, Blackdot says Videris is an open source intelligence (OSINT) investigation tool that can, among other things "help you to map and understand connections while conducting all of your searches securely." But in a 2018 user manual obtained by Motherboard, Blackdot offers step-by-step instructions to customers on how to mine data from Facebook and LinkedIn profiles. The guide explains how to create sock puppet Facebook accounts , and how to avoid having these detected by Facebook. The manual gives a behind-the-scenes look at how social media monitoring tools, which are increasingly being used by corporations and law enforcement, work from a user's perspective.
Law enforcement in both the United States and the United Kingdom, where Blackdot is based, have a long history of surreptitiously befriending targets and their friends on social media to mine their data and collect evidence. Videris would not give any specifics about what agencies it works with; on its website, the company says it has banking, government, law enforcement, and corporate clients.
It specifically lists investigations by law enforcement against “serious and organized crime, counter proliferation, counter terrorism, counter intelligence, and economic crime” on its list of use cases.
Blackdot repeatedly stressed that Videris has no functionality for befriending targets, and noted that its user agreement says the "customer is responsible for all activities conducted under its and its Users’ use of Videris," and that customers may not use it in a way that is "infringing the intellectual property rights of a third party."
"The surface part of the program was typical but I noticed the use of fake social media accounts and did not think that aligned with company values," a person who saw a demo of Videris, and asked to remain anonymous because they were not allowed to speak to the press, told Motherboard. "The fake accounts were against social media platform policy and used algorithms to unravel private networks, which seemed like an invasion of privacy."
“Videris does not unravel private networks. It can’t do anything that users couldn’t do themselves if they were to log into social networks in the normal way," Adam Lawrance-Owen, Blackdot's head of product, said in an email. "The advantage of our software is twofold. It allows for more effective investigations to help catch fraudsters, money-launderers and terrorists. And it allows those investigations to be carried out in the most secure and discreet way possible, which is absolutely essential when dealing with these sorts of matters.”
Do you work at Blackdot Solutions? Have you ever used its product Videris? We'd love to hear from you. Using a non-work phone or computer, you can contact Lorenzo Franceschi-Bicchierai securely on Signal at +1 917 257 1382, on Wickr at lorenzofb, OTR chat at email@example.com, or email firstname.lastname@example.org.
Lawrance-Owen said in an email that "a core principle of Videris as a product, and a fundamental ethical and business principle for our company, is that the user can access publicly available, open source information only. Videris cannot be used to go behind privacy settings, as your email suggests. None of our customers use, or could use, Videris for such a purpose."
When we showed Lawrance-Owen the relevant pages of the user manual, he said that he "not seen this document before and it certainly isn't our user manual." We then shared the whole document, and Lawrance-Owen said that he could not "really comment on the document you attach, except to tell you that, while it references our functionality, it isn't our standard user guide. I wasn't aware of this document and it also appears to be 2 years old."
"Videris does not and cannot break privacy settings," he added.
In the user manual, dated September 2018, Blackdot details how Videris can be used to scrape the internet for information about a certain person or company. Videris then organizes the data in easy to understand charts and graphs, according to the manual.
In case the target of the investigation has a Facebook profile where they protect information, such as their friends' list, with their privacy settings, Blackdot suggests customers "recreate" an approximation of the list by adding "seed" Facebook profiles to Videris. This process, according to the manual, consists in extracting names of friends and analyzing their public interactions' with the target such as likes in pictures.
The manual also suggests creating fake accounts to mine data, and includes detailed step-by-step instructions, such as creating a new Gmail account, linking it to a new phone number, and using a proxy server—all solutions to prevent Facebook and LinkedIn from spotting the fake accounts and banning them.
"After intense periods of data collection, certain data providers have been known to restrict the access of online accounts used by Videris. Videris automatically detects restrictions and disables affected accounts, removing them from use," the manual warns.
After creating the fake account, the manual also suggests users should "break-in the account by randomly browsing and searching for 5-10 minutes."
For LinkedIn, the manual suggests using a "non specific job title" like consultant and "a common and uninteresting company name and a broad industry (e.g. ‘Human Resources’)."
Just like with Facebook, the manual suggests users to "break-in" the fake account by spending a few minutes using the site, searching for profiles and "browsing around LinkedIn to reduce the chance of the LinkedIn account being blocked at a later stage."