YouTube's algorithm has been deleting evidence of Syrian chemical weapon attacks

A child receives treatment after a suspected chlorine attack on Saqba, in eastern Ghouta on March 7, 2018, in which 29n people were injured

At dusk on April 7, one of the worst chemical attacks in Syrian history hit the city of Douma in eastern Ghouta, killing more than 70 people. Minutes later, video reports began to appear on YouTube.

As darkness fell on the Syrian town, population 111,864, video shot inside a dusty building captured multiple bodies foaming at the mouth. Among the dead, a mother and father cradling their newborn, a thick white crust covering their noses and lips. The attacks on the rebel held town sparked international outrage.

YouTube footage is often the only evidence proving human rights violations are taking place in Syria. Yet this video, uploaded by a legitimate Douma based news agency, Kumait, has been removed by Google’s machine learning algorithm – along with thousands like it.

Some videos could be lost forever, according to Hadi Al-Khatib, founder of open source initiative the Syrian Archive, which aims to verify, back-up and preserve footage of the conflict. Other removed videos include hospitals being bombed, victims of chemical attacks, and ammunition remnants. “They are not propaganda; they are not extremist content,” says Al-Khatib. “This information might be the only source that indicates an attack has happened on a specific area, at a certain time.”

It is the most documented war in history, and most of it has taken place on social media. YouTube is citizen journalists’ platform of choice but preserving videos before Google removes them has proven to be a challenge. Between 2012 and 2018, Google has taken down 123,229 of the 1,177,394 videos the Syrian Archive has been able to back-up, Al-Khatib says. And these are just the videos we know about.

Following the Douma attack in April this year, the Syrian Archive launched a publicly-accessible chemical weapons database to specifically preserve videos documenting this type of attack. Videos on the database date back to 2014. Al-Khatib says 72 of the 861 videos have disappeared from YouTube – all of these legitimate.

Google has been removing huge numbers of online videos since it announced it would use machine learning to detect extremist content in June 2017. Two months later, the firm boasted that 75 per cent of videos removed for “violent extremism” were taken down “before receiving a single human flag”. By December last year, this figure had reached 98 per cent.

The Syrian Archive can preserve removed YouTube videos if the team are able to get to them first and back them up to its database. But there are huge implications for content taken down by Google’s algorithm before it can be archived. “I think we have already lost a lot of content since YouTube started using machine learning in 2017,” Al-Khatib says. “There will be a big impact on the Syrian accountability process if we aren’t able to retrieve it."

The algorithms are removing videos that do not adhere to YouTube’s community guidelines, which ban “gratuitous violence, dangerous and illegal activities, and hate speech”. However, the company says it does make exceptions for material with “sufficient educational and documentary news value”.

But because footage of the Syrian war is often graphic, human rights content can be mistakenly flagged by the algorithm as violating YouTube’s guidelines. Google accepts it “doesn’t always get it right” and, according to a YouTube spokesperson, the firm takes the issue “incredibly seriously”.

Yet Al-Khatib and his team know a lot of the removed content is legitimate. Drawing from over 5,000 sources, they are able to verify videos by looking at landmarks, using Google Earth and satellite imagery. “First, we need to find the source: are they credible, do they have an online reputation, have they published reliable information before? Then we verify the date, time and location.”

The Syrian Archive and its partners have also had some success persuading Google to reinstate videos they have proven to be legitimate: 400,000 were put back online between mid-2017 and early 2018. And removals have slowed down since March 2018, Al-Khatib says. But no one knows exactly how the algorithm works – nor for how long Google is keeping the videos after taking them down.

“The response you get from Google depends on who you are talking to and how much they can actually help you,” says Dia Kayyali, programme manager, tech and advocacy at Witness – an organisation working alongside the Syrian Archive. “We have not been in communication as much as we would like in recent months.”

Human rights campaigners say Google’s opaque approach is a major obstacle. “Algorithmic transparency in general is a huge issue, but even more for content take downs,” Kayyali says.“They don’t have any outside auditing, and that’s a basic necessity of transparency. We don’t know the details of the algorithm: we have pushed and pushed, but we still don’t know.”

Eliot Higgins, founder of the open source and social media investigations platform Bellingcat has experienced Google’s strategy first hand. At one point, his entire YouTube account was shut down. Higgins managed to get his channel reinstated, but it still isn’t clear exactly why it was shut down. “If videos are being deleted before war crimes investigators can preserve them, evidence could be lost forever.”

Chris Woods, director at Airwars.org, an organisation monitoring the Syrian conflict, has also experienced issues caused by Google’s algorithm. Despite ensuring Airwars’ YouTube videos tracking attacks on civilians including children did not contain graphic images, Google stamped the content with an 18 certificate and refused to remove it.

“What troubled us deeply is: we had all assumed YouTube was a repository of videos – a permanent archive,” says Woods. “The last year has taught us how impermanent and vulnerable this material is, even on YouTube itself.”

Keith Hiatt, vice president at Silicon Valley-based non-profit organisation Benetech, was told by Google a year ago that a human reviews every piece of content flagged by the algorithm. “But does that mean a person watches each video and does a full, case-by-case analysis? Or does it just mean a human authorises removal?”

People viewing the videos need to be trained to spot human rights-related content, says Al-Khatib. “And, if it is removed, it’s really critical Google keeps it, so it can be reinstated.”

The evidence based on social media content has already proven to be invaluable. In August last year, the International Criminal Court (ICC) issued its first public warrant of arrest based mostly on video evidence and social media posts about war crimes in Libya.

“The scary thing to me is: we have no idea what is already missing,” says Kayyali of Witness. “The people doing open source investigations – such as the ICC and German government – will never know if those videos aren’t there, and it might stop them from being able to issue an arrest warrant or find a witness.”

But lawmakers, particularly in Europe, have made increasingly strong demands for platforms to identify and remove terrorist material within hours from initial upload. In response, social media firms have agreed to a series of voluntary commitments. This includes the terrorist hash database, which sees platforms using automated filters to find and remove duplicate material.

However, a video for example showing Isis recruitment can violate the law in one context, but also be legal and important for purposes such as documenting crimes for future prosecution, says Daphne Keller, intermediary liability director at Stanford's Centre for Internet and Society.

“The more we push companies to carry out fast, sloppy content removals, the more mistakes we will see,” Keller says. She thinks lawmakers should “slow down, talk to experts including both security researchers and members of the affected communities, and build on that foundation”.

YouTube says it’s committed to making its removal process “more transparent”, pointing to its Community Guidelines Enforcement Report and Reporting History Dashboard. The company also says it’s open to working with other organisations to “understand the context of videos to ensure important content remains available on the platform”.

Regulation will make things harder, but for now, humanitarian organisations such as the Syrian Archive can only continue to protest to Google when legitimate content is removed.

In the meantime, Al-Khatib’s team of eight are aiming to set up more separate databases focusing on airstrikes against civilian infrastructure including hospitals and medical facilities, and documenting ammunition. “We don’t have documents, crime scenes or physical evidence, so we want to add value to this content when it’s used for legal purposes,” Al-Khatib says. “YouTube is not the perfect place for it, but it is what people are using.”

Why your router, of all routers?

Why your router, of all routers?

It's clear why spies would target ISPs or their rival governments, but why would Russia want to attack your router? "Two of the main principles that have come through in recent Russian thinking about information warfare — which includes cyber activities as well as exploiting the information that they're collecting through cyber activities — is that nobody is too unimportant to be a target," says Giles. "This is something that's been seen in the front line states quite routinely, with for example Nato soldiers."

Such people may not have seen themselves as targets before, but Giles cites Russian chief of general staff Valeriy Gerasimov as believing that in information warfare there "is no rear area". In other words, we're all on the front line now. "Everybody is because they're looking for vulnerabilities everywhere," Giles says.

While finding embarrassing information to use for leverage is one goal, routers are soft targets that can be used in multiple ways: you can steal data, but you can also redirect traffic, abuse it for a distributed denial-of-service attack, replace pages or elements of a page (as seen with ad fraud), or use the access point to move up the chain to their computer. Indeed, if you hack a home router, you may "get lucky," says Irons, and find someone working from home "who is easier to access than they'd normally be at a more secure location". Even the NSA falls foul of that with home workers and contractors.

Plus, victims are unlikely to notice they've been hacked, allowing the hackers in question to hold onto the compromised router for future use. "When a router has been compromised, it is much more difficult to detect and remediate than say, a laptop infected with malware," says Jérôme Segura, lead malware intelligence analyst at Malwarebytes.

It's not all about you...

While we're all on the front-line in information warfare, it may well be to abuse our routers en-masse. That could be for a huge distributed-denial of service attack using accumulated compromised routers and IoT gadgets to attack a third-party or internet infrastructure, as happened with the Mirai botnet and follow-up attacks, notes Segura.

Plus, the use of UK and US routers can make it difficult to know where the attack actually originated, limiting immediate retaliation. "You can't hack back if the target is a US citizen," Sullivan says. "The home routers can redirect things and make it tough to figure who to attack back, who to hack back."

Russia has also been "practising" cutting off communications in a specific area, Giles noted, pointing to efforts in Crimea to disrupt information. "If Russia is present in home routers… one of the reasons could be to ensure that target governments can't communicate with their target populations."

"I'm going out on a limb," he adds, "but they could be looking at ways of supplying altered information to targeted audiences like they did in the Ukraine, where they intercepted internet communications and replace it with stuff that's being sourced from Russia." He admits that would be harder to do elsewhere where Russia has less immediate control, and adds that the Ukrainians "got wise to it pretty rapidly." However, is says "it would likely be within the realm of their ambition".

Indeed, the technical alert from the UK and US governments notes such a scenario is possible once the hackers have taken control of networking infrastructure: "At this stage, cyber actors are not restricted from modifying or denying traffic to and from the victim. Although there are no reports of this activity, it is technically possible."

That style of attack, intercepting and replacing information on a web page, is one of the most common ways criminals use hacked routers, notes Sullivan — however, it's usually for ad fraud rather than information warfare.

Nobody is safe from Russia's colossal hacking operation in 2018

o-one is too unimportant to be targeted by Russia-backed, state-sponsored hackers. While that may be good for the self-esteem, it's bad news for online security — enough so that this week US and UK authorities teamed up to issue a joint warning about communications infrastructure, including home-office routers.

The rare joint alert noted that routers, switches, firewalls and network intrusion detection systems at government and businesses were the main targets of Russian hackers, but it added that even "small-office/home-office customers" should take more protective action, as should Internet Service Providers (ISPs) and and those developing infrastructure.

The attacks target routers and the protective hardware around them, with Russia-sponsored hackers accused of running "man-in-the-middle" attacks for to spy, steal intellectual property, and "potentially lay a foundation for future offensive operations", the alert reads. The FBI, Department of Homeland Security and the UK's National Cyber Security Centre (NCSC) noted that multiple cyber security research groups have reported such activity since 2015.

"This is not something new, and is not something that has developed in response to Salisbury and Syria," said Keir Giles, a senior consulting fellow of the Russia and Eurasia Programme at thinktank Chatham House. "But it's something that is entirely consistent with how Russia thinks about information warfare." That includes standard cyber attacks as well as "targeting of mass consciousness and public opinion".

Routers are a weak point in security because they're frequently left unpatched, have legacy unencrypted protocols, or weak default settings for easy installation — indeed, the technical alert notes that "Russian cyber actors do not need to leverage zero-day vulnerabilities or install malware to exploit these devices." In short, they don't need to be sophisticated. Pair that with the fact most traffic goes through routers and other networking equipment, and that makes them "ideal targets", the alert notes.

Another infamous security weak point noted by the technical alert is the Internet of Things (IoT), such as the smart devices scattered about our homes. Ciaran Martin, CEO of the NCSC, told the New York Times that Russia had targeted "millions" of connected devices in the UK and US, including IoT gadgets. "One of the things with the Internet of Things is it needs to be cheap and easy to use, and one of the ways to do that is take out security," says professor Alastair Irons, academic dean for the faculty of computer science at the University of Sunderland. "In theory, these IoT devices could be weaponised… to disrupt and disable networks and infrastructure."

this new source in www.wired.co.uk