How rogue bots target and misuse our online information

Patrick Krupa, Founder and Head of Product at SmartFrame, looks at the ways rogue bots target our personal online information and why putting protection in place is imperative.

We like to imagine that the internet is made up of just human users. But in reality, a large portion of the internet’s traffic is made up of a very different type of user – bots. To put this into perspective, Imperva, publisher of the annual Bot Traffic Report, finds that bots make up over half of the web’s total traffic.

While good bots, such as feed fetchers and search engine bots, exist on the internet – it’s important to recognise that these forces for good are outnumbered by bad bots. Specifically, Imperva has found that 28.9% of the web’s traffic is made up by bad bots, outweighing the 22.9% of good bots.

Bad bots, mainly made up of impersonators and scrapers, pose a significant threat to our security on the internet. While most are aware of the ways in which bots target websites and spread spam through email and online forums, all internet users should know about the ways bots target and misuse our most personal online assets. 

The bot battleground

In recent times, bad bots have become synonymous with the web’s most damaging DDoS attacks. Bots can perform online tasks at a rate much faster than humans can – making them the perfect weapon for sending huge amounts of artificial traffic to websites, forcing them to crash under the pressure. High profile examples, such as 2016’s Dyn attack that caused major global internet outages, have pushed bad bots into the public conscious. 

While it’s important to be wary of DDoS attacks, internet users also need to be more conscious of the way bad bots exploit and misuse less obvious digital assets – like photographs.

In recent years, Instagram has emerged as one of the most popular social platforms. Millions of individual users and enterprises are sharing images on the platform every day. When sharing a post on Instagram, users mostly think of a funny or witty caption to go with their image, or how many likes they hope to get from their picture – what they don’t think about, is how the platform is crawling with malicious bots.

A 2018 study by Ghost Data estimated that up to 95 million bots exist on Instagram – making up to 9.5% of the platform’s total user base. It’s important to note that these aren’t the stereotypical bots with no posts or display pictures. Modern Instagram bots look authentic by using the stolen personal information of real people. A bot could be using your Instagram display picture or posts to pass off as a real human – and a user would never know.

As bots advance, so to grows the potential for nefarious use of our online photos. Researchers at Japan’s National Institute of Informatics have disclosed how peace sign selfies can be exploited by hackers to recreate individuals’ fingerprints. Throwing up a peace sign in a photo will come naturally to some – but thinking about the risks of uploading that photo, won’t. 

It’s important we recognise that Instagram photos are more than standard social media posts. For some they hold commercial value – for most, they contain vital elements of our identity. Online images hold a unique value – one that needs to be sufficiently protected. 

Responding to rogue bots

The issue of image misuse is a tough one to tackle. But whose responsibility is it to put measures in place to prevent the misuse of images hosted on these platforms? While more pressure may be put on online platforms, Facebook, the parent company of Instagram, has itself been accused of mishandling its own users’ images. In fact, earlier this year, Australian cyber researcher Edin Jusupovic uncovered metadata in the code of Facebook images that allows the company to track these images, even when downloaded and hosted outside of Facebook. 

In recent years, legislators have taken action against negative forces online, and bots are firmly in their sights. California’s senate this year passed a law that forces bots to reveal their artificial identity online. Although it is positive to see legislators act against bots and online identity theft, the impact this California law will have is questionable. The internet operates at a global scale, and regulation confined to state lines won’t affect an overwhelming majority of bots online. 

Putting protection in place 

Rather than waiting for a paradigm shift, users who are serious about protecting their online images should consider alternatives to the unsecure popular image formats that provide an effective defence against bots and other bad forces. 

Encrypted image formats, which are already well established online, get the better of webcrawlers by displaying low-resolution thumbnails at the point of a bulk-image download. They also prevent image theft by blocking screen captures and grant image owners more control through a virtualised control panel that gives the options to update, edit or revoke images at any time, from anywhere they are hosted on the internet. 

Enterprises, photographers and social media users should all be aware that bad bots are out to exploit the photos they publish online, just as much as they are out to commit DDoS attacks. There’s a heightened risk with publishing photos to platforms like Instagram that are ripe for exploitation. Content owners who are serious about securing their images should look to alternative image formats that prevent theft, enforce copyright and provide a defence against the rogue bots.

This article is part of PCR’s Security Sector Spotlight – in association with 

For more security-themed articles, click here