Are You Safe Online?

How secure is the internet?
22 August 2019
Presented by Adam Murphy
Production by Adam Murphy.


The image shows a hooded person hacking a laptop.


This week: How does the internet affect us? What does it mean for our security, our wallets, and ourselves. We're taking a deep dive into the world of all things cyber...

In this episode

The image shows a laptop with an open padlock.

How secure is your computer?
Adrian Winckles, Anglia Ruskin University

Today, with computers in our pockets, most of us spend a good deal of time. But when something is everywhere, we can forget how it might be affecting us, how it might be changing us, how it might be unsafe. So Adam took a trip, with an old laptop, down to visit Adrian Winckles at Anglia Ruskin University, to brush up on his cybersecurity 101...

Adrian - Malware stands for malicious software, and really is any software that has not been intended to be installed on your computer that has a malicious intent.

Adam - That is Adrian Winckles from Anglia Ruskin University.

Adrian - By malicious intent, it could be a virus, something that infects the computer. It could be a what we call a backdoor that lets someone take over remote control of your computer. Things like Ransomware, is a branch of malware. But the idea it’s effectively a form of extortion in fact, is that more correct term. All your firewalls will generally be encrypted, made turn to gobbledegook, and you'll be held to ransom for you to pay a portion of a bitcoin to get the password to return your files to their normal state.

Adam - How easily can it happen though. Surely it's got to put in the work right?

Adrian - It can happen without you knowing. Essentially if you go on to particular websites that maybe you haven't vetted, you may be a victim of drive by malware just by visiting the website. You get some malicious code installed into your browser and whilst the malicious code might not do anything directly, it will download other more malicious malware that may install a Trojan backdoor, may install ransomware, or may install some sort of spyware that's looking at what you're doing.

Adam - How easy is it to have something like spyware on your computer and not know?

Adrian - Very easy. Unless there's something that indicates to you that there's a performance problem in your computer or your getting spurious emails sent out on your behalf. You might not know. Or suddenly if you've got unauthorised credit card transactions they might be telltale signs that something may be lurking on one of your computing devices. But unless you see something like that you might never know.

Adam - But that's all right. If I notice the website is a bit dodgy I can just smash the back button on my browser. It'll take me right back to safety. Won’t it?

Adrian - Once you've visited a website usually the malicious code's been installed. Unless you've got something to protect you just going back and deleting it won't change anything.

Adam - Oh right. Let's change the subject. USBs. It can't be that bad to just plug in a USB. Sure we've all done it. Just grabbed a friend’s or stuck one in the work computer. How dangerous can that be.

Adrian - That can be very dangerous. So there's a form of USB that I know called a rubber ducky. Which is essentially, it can be a storage device but it also has a form of malware on it that makes the computer think it's a wireless keyboard. So it will actually then act as a key logger and log everything you type in, while that device is connected. It could open up applications or do all kinds of things, and download that device and it'll be taken away afterwards. But USBs are a common form of technique to get access to computing devices because someone picks up a USB. What’s the first thing they do with it? Plug it in. Or “Who does it belong to?” A common technique for example, if I was acting in an unethical capacity and wanted to get access to someone's network, if I wanted to target for example a particular firm, I could get a branded USB with that firm's logo. I could install malware, a remote Trojan to get remote access, and if I dropped a handful around the most expensive cars within that corporation's carpark, the likelihood at some point somebody would pick one up saying “Oh it's one of our USBs, I'll plug it in and someone will plug it in”, and of course as soon as you plug it in, no one's had to break a firewall. No one's had to go direct anyone to a website. You've now got a backdoor into one of the chief executive's office and they're targeted just by general human nature trying to be helpful. That's how easy it is. It's a form of social engineering

Adam - But my passwords are safe aren't they?

Adrian - People still go for secretpassword123, their spouse’s name, the eldest child's name, the dog's name. Plus adding some characters. The trouble is, people tend to use the same password over and over again for multiple websites, for multiple accounts, online banking. The National Cyber Security Centre's advice nowadays is to have complex passwords to use things like password managers to manage them for you so you have unique passwords.

A padlock imposed over a screen of computer code

The state of cybercrime
Ross Anderson, University of Cambridge

We need to keep ourseves safe. But who are we keeping ourselves from? Cybercrime is unsurprisingly, crime that occurs online. But what does it look like, and what’s the state of it at the moment? Adam Murphy met with Ross Anderson, Professor of Security Engineering at Cambridge University, who took him through the shifting world of cybercrime...

Ross - There were big changes in crime about 10 to 20 years ago but over the past decade, patterns of cybercrime have been remarkably stable. We did a big survey in 2011 and another survey in 2018, whose results came out this year, and we were surprised to find that the patterns were stable despite the fact that we've had a complete change in technology since the early 2010s. We're now all using phones rather than laptops to go online. Everything's become social and companies are keeping the data in the cloud, rather than on servers in their company premises. Yet the patterns of crime are the same and that's basically telling us that crime isn't so much about technology, it's about the broader stuff; the environment, the incentives, it's what the police are prepared to investigate, and the CPS is prepared to prosecute.

Adam - What does cybercrime look like? Is it just digital versions of analogue crimes?

Ross - Well there are three types of crime that you can think about that are analogue crimes that haven't changed very much at all, like tax fraud. That's technically cyber crime because you feel your tax return online and that's basically unchanged. Then there are crimes that we used to have in the analogue world which have changed the nature radically as we've gone online, such as card fraud. Fraud against people's bank accounts and credit cards used to involve things like shoulder-surfing people at ATMs or fishing credit card carbons out of bins in restaurants. Now it's mostly stuff that's done online. And the third type of online crime you get is the pure cyber crime. Things like ransomware, for example. And underpinning all this is cyber criminal infrastructure, or the botnet, made up of thousands or even millions of infected computers which send out the spam which hosts dodgy concent and so on and so forth.

Adam - Are there trends though? Even if it's remained constant, how has cyber crime changed over the years.

Ross - There's a number of changes in the ecosystem. The first is that card crime overall has about doubled in the past eight years. But the total volume and value of card payments has more than doubled, it's almost tripled. What's happening is that the card payment system is growing as the online component grows and it's also becoming more efficient. So that's a good thing. What we also see is that particularly cyber crimes have dropped away. Seven or eight years ago, you got an awful lot of spam that was trying to sell Viagra. Now Viagra is out of patent, you just buy it in the chemists so there's not a big deal anymore and so you don't get that kind of stuff. And similarly, there's not a lot of people trying to sell pirated software or movies or music because nowadays everyone just downloads music and movies and software tends to be in the cloud and free anyway.

What has replaced them are crimes involving bitcoin, for example, with dodgy Bitcoin exchanges where you're invited to take part in some scheme or another, or invest in a new coin, or invest in some high yield investment plan. And what then typically happens is that the scammers just take your money and vanish with it.

Adam - With all this cybercrime you'd imagine there'd be a lot of emphasis on enforcement. Well…

Ross - The shocking thing is this. Despite the fact that half of all acquisitive crime is now online, the total number of police officers who are involved in fighting cyber crime in Britain is somewhere between 200 and 300. That's out of a total police force of 120,000 officers. So it's given essentially no priority at all despite the fact that it's half the total.

Adam - So what can we do?

Ross - Basically it comes down to being out and arresting people. You see the typical online scam is a bit like the typical burglary. There may very well be no usable evidence but if you look closely, then in a significant minority of cases there will be some. The burglar may have picked up a paper hankie from your kitchen and blown his nose or he may have cut himself from the window as he went in or whatever. And with modern DNA and fingerprinting techniques then you've got them. Similarly, people who do online crimes are very often poor at their operational security and they leave traces back to their real names, and their real email addresses and so on. Simply because, up to now, they've been able to operate with impunity. They didn't have to learn to be careful.

Now the problem is that many police forces will say “it's not our policy to investigate frauds under £10,000”. Right? And this very rapidly becomes known to the crooks that you can go and steal an awful lot of money, in thousands pound helpings from some particular neighborhood. And the police will never get off their butts to chase you. So what's really needed here is for police enforcement to be randomised. If the police say they're always going to investigate fraud over £10,000, then if somebody starts from £900 then the police should roll some dice and investigate that crime with probability 9 percent.

And that means if anybody goes out and rips off a whole lot of students for deposits for nonexistent flats from 900 potentials, student after student, dozens, hundreds every year, then eventually the number will come up and they'll get chased. That is the way to do it.

A bank vault door, bathed in a purple light

11:49 - Cybercrime tactics

What sorts of things do cyber-criminals get up to?

Cybercrime tactics
Alice Hutchings, University of Cambridge

What tactics do criminals use to scam people online, and is there anything we can do about it? Adam Murphy spoke to Alice Hutchings from the Department of Computer Sciences in the University of Cambridge, who went through just a few of the tactics used, starting with something that feels a little familiar...

Alice - Okay. So a DDoS attack is a term which refers to denial-of-service attack which refers to kind of overwhelming resources to a site or a service to make it inaccessible to other people.

Adam - A “Denial of Service” attack, is a common way of taking down websites. It does this by flooding a server with so many requests for a certain web page that it just cannot deal with it. Imagine if every time you tried to speak at a party, everyone around you just started yelling questions at you at the same time.

Alice - There's a number of reasons why this would happen. So it's a technique that's used for revenge, so if you have a grudge against somebody, and there's been a number of police stations that have been targeted with denial-of-service attacks for example. It could be for extortion, so if there's an event coming up you could threaten to take down somebody’s website and demonstrate your capabilities beforehand in order to get them to pay money to stop their site been attacked at an important time. Also we see a large volume of attacks against home Internet connections and these tend to be very short attacks and we believe they're used for taking down opponents in online games.

Adam - To me that feels like the old school stereotypical mafia tactics. It's a nice web site you've got here… shame if something happened to it. Alice's specialities also include another old school tactic: fraud, but with a cyber twist.

Alice - One area I’ve been looking at recently is airline ticketing fraud. So the sale of genuine tickets, genuine airline tickets, that have been obtained fraudulently, say with compromised credit cards or with a compromised frequent flyer account. And then these are traded online either to people who don't realise they've been victimised or to complicit travelers and they're using them to commit other types of criminal activity.

Adam - And how common is that? Because that seems relatively new in terms of internet things.

Alice - I mean in terms of the global travel trade, there's you know, many many people traveling by plane every day but there's probably a couple of hundred people who are traveling on a ticket that has been obtained fraudulently.

Adam - Asking someone how to just “fix crime” isn't very helpful. So what can we do for these denial-of-service attacks?

Alice - So what we've been doing recently is trying to evaluate some of the different interventions that police have been using to try and stop denial-of-service attacks or at least a particular type of denial-of-service attack which is caused by denial-of-service-for-hire. So there's what's called a booter service which allows users to open accounts on there and then it lowers the barrier of entry where there's very little technical expertise required in order to carry out an attack. Police have developed different intervention strategies to try and deal with it. Some of these include prosecuting the operators of the booter services, they've also been influential in having some of the marketing of these taken off some of the forums that allow these to be advertised.

Adam - They've also been messaging people, letting them know that what they're about to do is illegal. And that has had an impact on cutting it down.

Alice - And we've actually found that these have various levels of success, and all of them have resulted in a reduction in attacks, although the level of attacks is increasing over time. There have been dips following these different interventions.

Adam - As Ross told us cybercrime has remained pretty constant. So how does that stack up with the overall crime rate?

Alice - For the last several decades now, criminologists are being quite excited because it's been a big crime drop, crime has been going down quite steadily. What's really interesting though is if you start looking at some of the figures here. One place we can start looking at is the victim survey for England and Wales. This is an annual household survey and they ask very standardised questions about the type of crime that they've experienced over time. And this is where we get indicators of things like the crime drop because we're not just looking at reported crime. You find that questions aren't added very often to the crime survey, but they did actually add some questions in 2016, and they ask questions now about fraud and computer misuse. And what's really interesting is that in 2016 the crime rate from the victimization survey actually doubled. People started to realise that crime hasn't necessarily started going down, it's been going online, we just weren't capturing it in the data. Most people weren't sure where to report crime to, how do you report that you've received malware on your computer for example. I mean, the nature of the crime has changed so maybe there’s less violent crime online. There’s a hypothesis that things like online drug markets actually reduce the level of violence because most of the violence that's associated with the drug trade is to do with kind of interpersonal conflict. And so if you put it online, that can kind of disappear as well. And so in some cases it might be reducing levels of crime as well.

A padlock, superimposed over a map of the world, with binary code written across it.

Patching up our cybersecurity
Adrian Winckles, Anglia Rusking University

Most of us probably aren’t as secure online as we’d like. But hope is not lost. Even the weakest security can be shored up and patched together! Adam Murphy went back to Adrian Winckles, who had some much needed advice about keeping ourselves secure...

Adrian - Follow the general advice. Make sure that you have antivirus, firewalls, anti-spyware, all the usual tools you’d expect. Whilst they might become less effective, they still offer a level of protection. But also always be suspicious. Think about the websites that you’re visiting. Websites can harbour drive-by download code, they can redirect you to phishing sites, and these sort of things. So always examine, look at the address bar, make sure there's a green padlock obviously for making sure your data is encrypted.

Also be suspicious of what you receive as well. Everyone at some point will be a target of either a generic or a spear phishing-type attack to try and get you to visit websites, to get either login credentials or financial details to basically scam you. So always be suspicious of what you receive, look at, “is it a genuine link?” If you are suspicious of someone, “that's not the usual response that I get from someone that I know,” be prepared to ring them up, contact them separately before you follow out the instructions on that email. Knowing that your bank shouldn't contact you to immediately log in. Always use other forms of communication if you can. Look at the spelling, the English. Does it look like a genuine email? Sometimes it's difficult to tell, sometimes there are little tell tales. But if in doubt seek some sort of a confirmation that it's another form of a way of doing things.

Adam - And the advice for USBs is: don't plug in ones if you're not completely sure of where they came from.

Adrian - Many, many organisations will ban the use of USBs within the organisation because of data going out or data being left. You can get secure USBs. Know where a USB has come from. Or you can get the ones that have a high level of encryption on them, so if you lose them somebody can't get the data off them anyway.

Adam - There are sites that can tell you if your data has been breached from any website or leak. We did it in the office and most of us had been. So chances are you have too. So what do you do if you know your information has been compromised?

Adrian - If you found it’s been breached, obviously change your login credentials. If you can change your username do that, but certainly change the password. It comes back to what I said before: don't use the same password on each system. So if it's just one system that's compromised, it's only accessed that's system, it’s not multiple systems. Find out if you can what data has been exposed. And so if you need to make changes to necessary credit cards or other personal details then do so.

Adam - And these days there's more than one way to secure any given login you use.

Adrian - Two-factor and multiple-factor authentication, whereby it's a bit of something you know, something you have, something that’s part of you. So whether it be a username-password plus a code on a phone, or it’s biometric data, they are intrinsically more secure - not infallible - but definitely easier to protect.

Adam - And one last thing to think about. Pretty much everyone I've spoken to while making this who isn't a computer pro gives themselves administrator privileges on their own computer. It's convenient, you don't need a password to install something. But is it a good idea?

Adrian - No. Because if someone gets the login credentials and can remotely access, because most computer systems have a form of remote access, whether it be remote desktop, whether it be Skype-type sessions or one of those sort of things. You shouldn't use privileged accounts for genuine user access.

A wooden mallet about to smash an egg in a teacup

21:51 - How fragile is the internet?

Is the internet as robust as we'd like to think?

How fragile is the internet?
Vasileios Giotsas, Lancaster University

With everything on the cloud, transmitted through transient beams of wi-fi from one device to another, the internet can often feel like an ethereal, intanglible thing. But, of course, it’s not: it's cables and servers and a lot of infrastructure. And maybe that infrastructure itself isn’t as solid as we like to think. Adam Murphy spoke to Vasileios Giotsas, from Lancaster University, about the Internet's weak spots...

Vasileios - So the internet can be really fragile. It has been designed to withstand a nuclear disaster. But when it was designed it was assumed that everyone who is connected on the internet, would not have any interest in harming the internet. So everybody is automatically trusted. Which makes it very susceptible to poisoning, from bogus or intentionally erroneous information. And when this information is propagated in the core of the Internet it can cause widespread disruptions that are very hard to mitigate.

Adam - So how can the internet malfunction?

Vasileios - So the internet, think of it as a really large and complex road network. Right. And traffic can take many different paths, and it needs a G.P.S. systems, a navigation system, and this navigation system is called the routing protocol. So the routing protocol is the protocol that decides how traffic would travel from your computer, to let's say the BBC website, or to the Lancaster University website. Right? Now, if this information is accurate then everything works as expected. If this information for any reason becomes poisoned, then traffic can go through unpredictable ways. It can never reach its destination. And this can cascade to many different destinations. And at the end you have millions of users being unable to access their desired destinations or services. So essentially what happens is that the Internet has this routing system, this navigation system, that is really sensitive to any sort of small change. These small changes, if they are either intentionally or unintentionally wrong can cause the whole network to crumble.

Adam - And this isn't just a hypothetical. Whenever there are large outages of several websites this problem is often to blame. In July 2019 this happened to one company, CloudFlare, and the outage took out 10 percent of all web traffic in the U.K. It happens to Google. It happens to Facebook. So why haven't we fixed it?

Vasileios - The ownership of the internet infrastructure is distributed across tens of thousands of organisations. Imagine the internet as a network of individual networks, right? So if any of these individual networks decides to deploy new technology, the other networks have no obligation to follow suit. So all the security solutions that exist out there, it is important to have a global cooperation between all of these organisations. Now these organisations essentially are competitors. So the internet is based on cooperation and competition at the same time.

So they try to cooperate as little as possible, only as much as required in order to achieve end to end usability, and deploying any new protocol, deploying any new technological solution incurs some sort of risk both operational, and also financial. It has overheads, it requires manpower. And basically there are very few organisations that are willing today to take this risk. And as a result, if these security solutions are not deployed by everyone, they are meaningless.

Imagining a building for instance, that has 100 doors and you decide to lock just a couple of them, it's still insecure. It boils down to incentives, how we incentivise these different organisations to deploy the security protocols, how we incentivise them to cooperate and to take security into consideration.

Adam - What can we do then?

Vasileios - Well the solutions are quite simple. And essentially they are cryptographic solutions. Now the problem is that the routing protocol, that today operates in the tens of thousands of backbone routers, and these others are you know very large industrial machines not the routers we have at home, and changing the protocols in these routers requires to switch them off, you know, do the setup of the new protocols, test them and so on. So they require the downtime that most operators cannot afford. Imagine the problem like you are flying a plane, and at some point you have to change the engines of the plane while in mid-flight, you cannot land the plane, change the engines, and then continue the journey. You cannot switch off the Internet and just update the protocol and then, you know, start it back again. That’s the problem really, how to change the engines of the Internet in mid-flight.

So essentially the solutions are simple, we know them. How to develop them, and they have been discussed in many different operational and research venues. They have been agreed upon, there are standards but, you know, deploying these protocols requires this level of cooperation and coordination that is almost hard to imagine. How to do it without having an entity that would enforce these changes.

An infographic showing different smart devices, all connected to a cloud

The insecure Internet of Things
Ken Munro, Pen Test Partners

The internet is everywhere. No longer just on our phones, on our computers, the internet has expanded. Smart watches, smart tvs, smart appliances all can connect to the internet. There are even smart toys, smart shoes, smart hair staighteners. This collection is called the Internet of Things. It’s basically anything that isn’t a computer than can get online. But like all emergent techonologies, it’s got its problems. Adam Murphy spoke to Ken Munro from PenTest Partners to see how safe - or unsafe - it can get...

Ken - I've spent the last five years with my colleagues looking at Internet of Things and it's pretty bad. We've seen some horrible things happen, so we've seen people spied on through their home security cameras, we've seen bits of the internet taken down with botnets made up of compromised IoT devices. And we've also seen the start of ransomware on smart things, so maybe things like holding your thermostat to ransom so you can’t turn the heating on.

Adam - So what kinds of things has Ken broken into?

Ken - There's been some really unpleasant examples. We've seen some devices.. one was a kids’ toy called My Friend Cayla that anyone nearby, say 30-40-50 meters, could spy and listen to you and your kids in your house. And even worse, anyone could talk to your child through an innocent doll. That's pretty horrible.

Adam - But surely tech for grown ups isn't subject to this. Surely we wouldn't trade security for convenience. What could he possibly find that would do that?

Ken - The Wi-Fi enabled kettle.

Adam - Ah.

Ken - The idea was that you could connect to the kettle using an app on your phone and you could boil the water remotely. Which is great. So the idea being you wake up in the morning, roll over out of bed, press a button on the app, and by the time you get to the kitchen, you've got a kettle of boiling water, saving you maybe 30 seconds, I don’t know. So they could then join your Wi-Fi network and if you hadn't changed the administrator password on your Wi-Fi router they could intercept all the traffic you had. And that's quite nasty. So you could intercept your social media, might be able to intercept your banking. Your whole online life is now theirs. Just because you wanted to boil your water in your kettle from your bedroom.

Adam - But there were more nefarious things as well, including a pair of smart hair straighteners.

Ken - Now the reason I looked at these is because I was trying to see if there was a way that we could get the Internet of Things to set fire to stuff. Problem is, there wasn't any Bluetooth security, so we could turn the temperature up remotely and we could also tell them not to turn off as quickly as you thought. And after doing some research speaking to a fire service, they suggested that nearly 650,000 house fires are caused by hair straighteners being left on. That was quite sobering really.

Adam - And if ordinary hair straightness can cause that many fires, what could happen if people could hack into smart ones? With that in mind, is the Internet of Things all bad?

Ken - Now, don't get me wrong, I do think there's there's good use for Internet of Things. For example, in assisted living for the elderly, so they can live independently longer. I think in medical technology there's some really good smart technology that can diagnose diseases better and help us live longer. But do I really need a Wi-Fi kettle? Is it really important to me? I don’t know.

Adam - How do you tell a good device from a bad device then?

Ken - Everyone asks me this and I have to say, hand on heart, I can't tell you. But by and large, the bigger, better known brands are better at dealing with vulnerabilities when they're found. The problem is, it’s the smaller brands aren't so well-known, they're probably a first product to market, a startup, and if something's found, they'll run out of money by recalling or repairing a product. So by and large, I’d say err towards the bigger, better known brands because they're more able to fix the problems. But if you were into a shop to ask me which product better than the other, I couldn't tell you.

Adam - How does a good hacker, also known as a white hat hacker, go about doing this ethically?

Ken - What we don't do is we don't go and find vulnerabilities and tell the world immediately because that wouldn't be fair. It wouldn't be fair on us the consumer to all of sudden have someone hack our stuff. So what we do is we report it privately to the manufacturer. We tell them about it, we tell them what's wrong. All for free. Don't charge them a penny. Tell them what we think they should do and then ideally what they do is they fix it, they send us an update saying ‘look think this fixes it’, we check it and then they update their customers and then they tell the market. But what often happens is we get stonewalled. A lot of manufacturers don't take kindly to people telling them the stuff that’s wrong with their products. They try to ignore us. And that's when things get really awkward for us because we've got people buying the product, we've got people using the product that we know is insecure. So at what point do people need to understand there's a problem, that they need to seriously reconsider whether they use the product? And that's often when we’ll go and ask for help from journalists or sometimes government agencies that can help us make these companies listen. Because last we want to happen is for people to be hacked. We want them to be safe. We're the good guys out there, right?

Adam - And what should us ordinary people do?

Ken - Make sure your app is completely up to date. Make sure you got the latest updates and make sure the app is able to update the product as well. Sometimes you get what are called “firmware updates” in the app, the phone then pushes those updates through to the smart product to keep it secure.

Adam - And what are Ken's final words on the Internet of Things?

Ken - Do you actually need to connect your fridge to the internet? Where's the benefit from being able to tweet from your refrigerator? So do ask if you actually need this thing or is it just a gadget that you want to have a play with and you'll probably forget about in six months time. That's really really important. If you don't need it, don't pay the extra for it. You do also have the option of not connecting things. A lot of smart TV is like to be connected to the internet but you can not do that. You can not connect your washing machine to the Internet. That's kind of a good thing to do. Yes, even if it does come with connectivity, ask yourself if you really need to hook it up. Because that way you're breaking the link between the hacker and your stuff. That's a really good spot.

A statue of a trolls head in grass

Why do trolls troll?
Claire Hardaker, Lancaster University

It’s not just our bank accounts or our computers that we risk. Being online so often, it can get into your head. It’s not uncommon for people to start the day looking through social media, which can often feel like beaming hellfire directly into your cortex. What can that do to us? Now we’ve talked about scam artists, and cybercrime, and people who do cruel things for the purpose of gaining something. But what about those who are just cruel, ostensibly for no reason? We call them internet trolls. People who just hurl abuse. But trolling has changed in recent years. It used to be a troll was someone who posted a link to one thing, only to have it redirect to Never Gonna Give You Up by Rick Astley. These days it’s abuse and threats, or political leanings. So what’s going on? Why do this, and what strategies are there in dealing with them? Adam Murphy spoke to Claire Hardaker, a linguist at Lancaster University, and she talked about all the ways one person can troll another...

Claire - There are actually a very wide variety of different kinds of trolling behaviour. So you have people who will just nitpick and criticise, and find little faults, and niggle, and they just continually needle away. They're never really overtly aggressive, they're just really irritating. You then have the people who do the 'whatabouting', so they go off... like you're talking about Donald Trump and politics, and they keep saying, “yes but what about Hillary? What about her emails?” And they just always continually go off-topic.

You have people who introduce incredibly shocking, taboo subjects; so you're talking about something quite anodyne and they'll bring in something really extreme and quite horrific. You have people who will post advice that's dangerous - so someone will say, "my computer is doing such a thing," and they'll say, “get a big magnet and wave it near your computer and that should help fix the problem.”

You have people who are just flat out aggressive, they’ll just swear at you, they'll just hurl onslaughts of abuse and death threats. And basically there's as many different strategies to trolling as a person can sit and think up.

Adam - How do people respond to trolls, then? What is the family tree of counter-trolling?

Claire - You do get the class of people who just... they bite. They are the classic victim that the troll is looking for. The trolls say something horrific or outrageous and they become desperately offended, outraged, they start shouting - those are the classic engagers and it's like the gold win for the troll, that's who they want.

You then get the James Blunt category of respondent, as I call them. That's the kind of person who finds trolling hilarious and they turn it into a joke, so they turn the entire mechanism of being horrible back on the person who is trying to be offensive. So for those... take care, if you've got a sensitive aversion to strong language you might not want to go and see James Blunt's account, but if you want to have a look at this, go see James Blunt in action responding to people who are trying to send him abuse online. It's magical.

Adam - Of course that's a riskier strategy. People like James Blunt usually have enough followers to gather around them, and enough money to buy some time and a private island if they want it. Most of us can't afford that luxury. So what else can we do?

Claire - Other people go in for reciprocating. So they meet trolling with abuse and trolling of their own. It's like, "if you're gonna swear at me, I'm going to swear at you. You're going to find my address? I'm going to find your address." And it becomes a very escalating conflict situation that can get really out of hand. So I can't say I recommend that either, but for some people that's a very much more therapeutic way of responding.

And the final one, the one that's really interesting because it's viewed very much as a very powerless strategy, is where you use silence. And it's the classic response: we're always told, “do not feed the trolls.” But for a lot of people that feels like, “I have been silenced. I have lost my voice. This person has driven me off of this platform.” Whereas from my perspective, if you reframe that as, “I am not giving this person the air of attention. I am not giving them my headspace. I'm not letting them degrade my mental health.” So for me, this is very much about: you are not validating them. You are not feeding them. You are not giving them the thing that they're craving.

Adam - So remember: block and mute with impunity. If you think someone is trolling you, why give them the time of day? Let them boil in their own little dark cauldron. And what about counter-counter-trolling?

Claire - Oh, there's so many. There's probably about five different classic ways. So the classic is, “I'm not a troll, I'm a good person.” The next one is: they try and force an investigation. “You prove to me where I've done something wrong. I want you to go over all my posts, and you do this work and show me how I got this wrong or what I did wrong.” So it's sort of making the other person do all the emotional and cognitive labour of proving the case. The next one is excusing. “I'm new to this. I just didn't know how it works here. I didn't realise that you guys don't do jokes like that. I thought you were wittier kind of people, I thought you could take a joke.”

Another one is basically turning the accusation around. “I'm not the troll, you're the troll. What you're accusing me of is the exact thing that you say I am.” It's like, you know, you see this because you are this. And then the final one is the people who just don't care. And they're like, “yes I am. You... go die, fall in front of a bus.” And they just... the gates are opened and all the abuse is unleashed in a big, massive torrent.

Adam - You have to be tentative when drawing conclusions about any large group of people, but why might someone behave this way? Especially when they've ostensibly nothing to gain?

Claire - One of the classic ones seems to be disenfranchisement. So people felt like they were silenced, like they didn't have a voice, like the political process wasn't addressing their needs or requirements. This was their way of having a voice.

Another really toxic key factor - which may coincide with these other ones as well - was where people were basically doing it as a form of validation. So I found that these networks were forming, really transient networks. So let's say something starts trending on Twitter. People click on the trending topic, whatever that topic is. They then see loads of tweets that are abusive. They find those tweets funny and engaging and entertaining, and then they join in because they've seen lots of other people already doing it.

Those people then start to form this really transient network. It might only last 10 minutes, it might last an hour, sometimes it can last days if it's going really badly for the person involved. And they start liking, retweeting, and laughing and joking with each other going, “haha, isn't she an idiot! Well she should never have done this, then.” And they are sort of pouring fuel on their own fire. They're all encouraging each other to continue to be even more abusive, and they're seeking more and more likes, more and more retweets by getting ever more extreme. So it has this polarising factor of, “I have an audience and I want to impress them even more, and I want to be the wittiest, the nastiest, the most extreme.” And so that can really exaggerate people's behaviour.

a computer screen full of computer code

41:39 - The power of algorithms

How does the internet know which things to show you?

The power of algorithms
Beth Singler, University of Cambridge

Social media can push us in extreme directions, create these bubbles we can get stuck in. But how? Social media is run by algorithms, programs which spit out the things you see online, working in the background to come up with the things you see. Adam Murphy spoke with Beth Singler at the University of Cambridge, who specialises in the social side of these algoritms, and talked about what they could mean for us...

Beth - At its most simplest state, an algorithm is data going into a model computation and then data coming out. And when you’re talking about algorithms on the internet or social media, you're talking about people's data going into a system and reworked preferences that come from that data input coming out. So you're seeing the same sorts of things again and again when you're expressing your preferences online

Adam - And then how does that relate to the words a lot of people hear, like “machine learning” and then “AI” on top of that?

Beth - It gets complicated because people use the terms in lots of different ways. Machine learning and reinforcement learning, these different systems of different ways are new models of thinking about how these levels of data input interact with each other.  AI has become a catchall for those systems as well as the more personified versions that we get in our science fiction as well.

Adam - The algorithm is just doing its job. Some programmer told it to say “maximise time people spend on the website” and that's what it does. It does things at random first, slowly refining the best approaches, until you have something that works pretty well. Usually. So how do we relate to this algorithm, this bit of code? What can it do to us?

Beth - Well at the very simplest level, you can see it if you pop on Facebook, and you see the kinds of stories that are being promoted to based on your previous interest in other things. You may have seen stories online about YouTube and how various different videos are promoted to you, again, based on what you've watched before. In my case, you watch one video with a previous Doctor Who in it and suddenly you've got ten videos with that previous Doctor Who. And maybe you wanted to see something else in your suggestions, can be useful as well if you're looking for a particular genre of things.

Adam - If it just shows us what we want, can it push us in different directions?

Beth - Yeah absolutely. So there's lots of work being done at the moment on identity formation and community formation online, and how these algorithms can push our interest in particular directions. There is a sort of meta level of algorithms going on; the interest of the corporation that is fueling the content that you're seeing. So the YouTube, the Twitter, the Facebook.

They have an aim in getting you to watch more and more of the content that's available online and they use the algorithms to direct you, based on what you've already shown interest on. It's very easy to get into what they call a “social media bubble” quite quickly, that you're only seeing things that reinforce your existing views or can take you down a rabbit hole of slightly more extreme versions of those views.

There's lots of work being done on the rise of fascism or populism through social media and the kind of messages that are being promoted to people, when they only show a slight interest in a topic.

Adam - It can be hard sometimes to not feel like the algorithm is thinking. It does its job. Even here at The Naked Scientists we worry about how the algorithm will treat our stuff, which apparently isn't unusual.

Beth - This is another strand of my work that I'm really interested in and I've started to look at some very specific instances of people's responses to the concept of the algorithm. Where they personify the algorithm and think about it in terms of what the algorithm wants and how it's treating them.  I've noticed people talking about being “blessed by the algorithm” and, personally, I'm quite interested in religious metaphors anyway. But I think this is a really interesting way into this discussion of how much agency, or even super agency, do we give algorithms. Do we decide that they're making actual choices for us? Are they giving us beneficial moments?

The whole concept of “blessed by the algorithm” would be I've put some content online and it's doing really well. I've been blessed by the algorithm. So it's about giving anthropomorphic agency to something that really doesn't make decisions in the same way that we do. It is a reinforcement system based on existing preferences.

Adam - Is there a better way to think about the algorithm?

Beth - I think we've slipped very easily. As I say, there's this slippage into personification of algorithms. But there's also this slippage into thinking of social media platforms as some sort of form of human rights. Because it's public speech, we think it's something that we necessarily can do in any way that we want to, without really remembering that these are private corporations. You sign up to terms and conditions when you get online with Twitter or Facebook or so forth. They own your content in very specific ways and they have very specific aims for your content as well.

I'm not saying that they’re evil by any means but they have corporate goals and interests. There’s some really interesting work by David Runciman also here at Cambridge, where he talks about the fact that we talk a lot about artificial intelligence but we don't always think as much about artificial agents. And those would be things like the corporations, or the states, or the nations that have their own models that they're working with, their own algorithmic systems of thinking. And, most of the time, being a capitalist system it's about profits.

The globe with computer text superimposed over it

The internet and identity
Harry Dyer, University of East Anglia

We may spend an increasing amount of time online, but we still live here, in the physical world. And while the internet may impact our identity, maybe it’s more complex than we think. Adam Murphy spoke with Harry Dyer from the University of East Anglia about how even the platform drastically changes how we present ourselves...

Harry - You look at: even one feature of a platform can be used differently from one platform to the next. There was research done in 2015 by Ian Rowe who looked at the comments section in the Washington Post versus the comment section on the Facebook of the Washington Post, and there were real differences between how that feature was used, based on the anonymity offered on the Washington Post versus the traceable identity on Facebook. And they found really different dynamics of interacting, negative in that case but in other cases anonymity can be a real positive thing. In my own research I found young people sharing intimate details about their lives on forums and in comment sections based on the fact that they’re anonymous. They can share issues about sexuality, about their health, about their family, because they hide behind the anonymity and are able to find a supportive community.

So the features in and of themselves are bound up in the places where we find them, that will affect different people differently. So there's a lot of, for example, issues of users experiencing racism and sexism and homophobia online that carries on from offline settings. So for example you see Wikipedia, this global source for knowledge, is 90% written by white males in the global north despite it being our go-to base for knowledge. It's not neutral, it's presented in a specific way. I think it was… what’s his name? Melvin Kranzberg, who wrote the rules of technology. And his first rule of technology is: technology is neither good nor bad, nor is it neutral. And we see that online all the time. It's not good, it's not bad, it's this complex mix of things - it's definitely not neutral - that's loaded with socio-cultural baggage and resources that affect different people differently. So this identity online becomes this real complex mix of design and user and technology.

Adam - Where do we focus when we talk about online identity, especially with young people?

Harry - The focus is often on, how much time are they spending online? What's a good amount of time? Rather than sitting down and talking to young people about their experiences, about their mental health, about complex topics. We focus on these issues of screen time, or we create fictional monsters. We created Momo at the beginning of the year, the Momo challenge that was shared around by concerned parents, understandably, and promoted in the press as this monster that we manifested into reality to talk about our concerns around young people and mental health, rather than actually talking to young people about their mental health issues. So these broad, sweeping understandings of identity online are really hard to pin down.

Adam - This keeps happening as well. Momo was a monster we thought talked to our kids, telling them to hurt themselves. But there's very little evidence that it was ever a widespread thing. Same with the tide pod challenge, where young people filmed themselves eating toxic washing up liquid cubes. Yes, it did happen, but it wasn't a panic sweeping through young people.

Harry - So Marshall McLuhan, very famous theorist of technology, said, “the medium is the message.” And what he meant by that is the mediums that we use will affect in some way our experiences of the reality around us, they will shape and change how we use and interact with the world around us in general, and we can track this via generational changes. So your experience will be different to my experience, will be different to the generation below us. Certainly there are ways of tracking over time the sorts of concerns that we have, the ways we express ourselves, the general trends that young people might think is important. But at the same time there's been a sort of pushback to easily generalising young people's experiences because they, you know, suggesting they have the same or comparable experiences of technology just because they're exposed to it. It ignores some of these issues of racism and sexism that we see, of poorer people not having access to technology, of areas where I am in Norfolk not having decent internet access, of the sort of ways that what we call ‘digital divides’ persist, the divide between different people experiencing and using technology differently.

Adam - But people growing up today have never known an offline world. And even I remember that! Barely. That must affect them, right? So what does the future hold for the internet?

Harry - I have great hope for the upcoming generation, for young people. I think they're using the internet in a really smart and intelligent way. I don't think they're gullible. I think they're able to spot things like fake news, to spot deep fakes. I think they're able to see through some of the traditional media tricks. So I'm quite hopeful for their ability, but they need to be guided in that. Part of the problem with assuming young people are digital natives is that it sort of relinquishes the responsibility of older generations to guide and to shape and to help young people navigate these complex landscapes. So I think there's still a need to guide and to help young people in their criticality, and to have bigger discussions with young people around what the internet is doing to them, how they're experiencing it, issues of mental health. It’s some really big issues that are worth sitting down and talking with young people about.


"Adam - There are sites that can tell you if your data has been breached from any website or leak. "
Would it be too much to ask you for the URLs?

Add a comment