http://www.washingtonpost.com/wp-dyn/content/article/2008/02/05/AR2008020503144.html By Robert O'Harrow Jr. Washington Post Staff Writer February 6, 2008 U.S. intelligence officials are cautioning that popular Internet services that enable computer users to adopt cartoon-like personas in three-dimensional online spaces also are creating security vulnerabilities by opening novel ways for terrorists and criminals to move money, organize and conduct corporate espionage. Over the last few years, "virtual worlds" such as Second Life and other role-playing games have become home to millions of computer-generated personas known as avatars. By directing their avatars, people can take on alternate personalities, socialize, explore and earn and spend money across uncharted online landscapes. Nascent economies have sprung to life in these 3-D worlds, complete with currency, banks and shopping malls. Corporations and government agencies have opened animated virtual offices, and a growing number of organizations hold meetings where avatars gather and converse in newly minted conference centers. Intelligence officials who have examined these systems say they're convinced that the qualities that many computer users find so attractive about virtual worlds -- including anonymity, global access and the expanded ability to make financial transfers outside normal channels -- have turned them into seedbeds for transnational threats. "The virtual world is the next great frontier and in some respects is still very much a Wild West environment," a recent paper by the government's new Intelligence Advanced Research Projects Activity said. "Unfortunately, what started out as a benign environment where people would congregate to share information or explore fantasy worlds is now offering the opportunity for religious/political extremists to recruit, rehearse, transfer money, and ultimately engage in information warfare or worse with impunity." The government's growing concern seems likely to make virtual worlds the next battlefield in the struggle over the proper limits on the government's quest to improve security through data collection and analysis and the surveillance of commercial computer systems. Virtual worlds could also become an actual battlefield. The intelligence community has begun contemplating how to use Second Life and other such communities as platforms for cyber weapons that could be used against terrorists or enemies, intelligence officials said. One analyst suggested beginning tests with so-called teams of cyber warfare experts. The IARPA paper concurred: "What additional things are possible in the virtual world that cannot be done in the real world? The [intelligence community] needs to 'red team' some possible scenarios of use." The CIA has created a few virtual islands for internal use, such as training and unclassified meetings, government officials said. Some veterans of privacy debates said they believe that law enforcement and national security authorities are preparing to make a move, through coercion or new laws, to gain access to the giant computer servers where virtual worlds reside. Jim Dempsey, policy director at the Center for Democracy and Technology, a nonpartisan group that monitors privacy issues, said he heard the same worries from the government when cell phones became popular in the 1980s and again when mainstream American logged on to the Internet in the 1990s. Dempsey said the national security fears are overblown, in part because the country already has legal and technical mechanisms in place to give the government access to digital records it needs. "They want to control this technology and make it even easier to tap than it already is," Dempsey said. "When the government is finished, every new technology becomes a more powerful surveillance tool than the technology before it." Questions about the impact of innovations in communications technology are nothing new. Criminals, terrorists and others have used Web sites for more than a decade to recruit, operate scams and trade pornography. Law enforcement and intelligence authorities responded to new technologies by repeatedly seeking out new surveillance authorities. Intelligence officials said, however, that the spread of virtual worlds has created additional challenges because commercial services do not keep records of communication among avatars. Because of the nature of the systems, the companies also have almost no way of monitoring the creation and use of virtual buildings and training centers, some of them protected by nearly unbreakable passwords. "Virtual environments provide many opportunities to exchange messages in the clear without drawing unnecessary attention," the IARPA paper said. "Additionally, there are many private channels that can be employed to exchange secret messages." And there are the numbers. Some marketers and technology observers are predicting explosive growth in the use of virtual worlds in coming years. As more people create avatars, it will become harder to identify bad guys, intelligence officials said. As in the real world, one of the central difficulties is establishing the identity of individuals. "The challenge that we face is to be able to distinguish the fanatics from the average person looking for some simple enjoyment," said the IARPA paper. One intelligence official, who spoke on condition of anonymity, said he had no evidence of activity by terrorist cells or widespread organized crime in virtual worlds. There have been numerous instances of fraud, harassment and other virtual crimes. Some computer users have used their avatars to destroy virtual buildings. Last month, Second Life operators shut down a dozen online banks holding virtual currency worth an undetermined amount of actual dollars, after computer users raised questions about whether the banks were paying promised interest. National security officials have begun working informally to take stock of virtual worlds. That research likely will take on more urgency this year, as companies in other countries prepare to unveil their own virtual worlds. One such world, called HiPiHi, is being created in China. HiPiHi founders said they want to create ways for avatars to be able to travel freely between its virtual world, Second Life and other systems -- a development that intelligence officials say make it doubly hard to track down the identity of avatars. In promotional material, HiPiHi officials said that they believe that virtual worlds "are the next phase of the Internet." "The residents are the Gods of this virtual world; it is a world of limitless possibilities for creativity and self-expression, within a complex social structure and a full functioning economy," the promotional material says. "Virtual worlds are ready-made havens," said a senior intelligence official who declined to be identified because of the nature of his work. "There's no way to monitor it." The popularity of virtual worlds has grown despite the technology being in an early stage of development. The systems don't work well on older computers or those with relatively slow connections to the Internet. Though Second Life has more than 12 million registered users, only about 10 percent of those accounts are active. About 50,000 people around the world are on the system at a given moment, according to Linden Lab, which operates Second Life. Officials from Linden Lab have initiated meetings with people in the intelligence community about virtual worlds. They try to stress that systems to monitor avatar activity and identify risky behavior are built into the technology, according to Ken Dreifach, Linden's deputy general counsel. Dreifach said that all financial transactions are reviewed electronically, and some are reviewed by people. For investigators, there also are also plenty of trails that avatars and users leave behind. "There are a real range and depth of electronic footprints," Dreifach said. "We don't disclose those fraud tools." Jeff Jonas, chief scientist of IBM Entity Analytic Solutions, who has been examining developments in virtual worlds, which have attracted some investment from the company, said there's no way to predict how this technology will develop and what kind of capabilities it will provide -- good or bad. But he believes that virtual worlds are about to become far more popular. "As the virtual worlds create more and more immersive experiences and as global accessibility to computers increases, I can envision a scenario in which hundreds of millions of people become engaged almost overnight," Jonas said. Jonas said it's almost a certainty that clandestine activity associated with real criminals and terrorists will flourish in these environments because of the ease, reach and obscurity they offer. "With these actors there will be organized criminal planning and behavior," he said. "The likelihood that somebody is recruiting, strategizing or planning is almost a certainty." Copyright 2008 The Washington Post Company ___________________________________________________ Subscribe to InfoSec News http://www.infosecnews.org/mailman/listinfo/isn
This archive was generated by hypermail 2.1.3 : Wed Feb 06 2008 - 00:19:43 PST