"To the National Security Agency analyst writing a briefing to his superiors, the situation was clear: their current surveillance efforts were lacking something. The agency's impressive arsenal of cable taps and sophisticated hacking attacks was not enough. What it really needed was a horde of undercover Orcs."
I think that one's life experiences sometimes color a person's outlook on life. I think we are seeing that in some of the coverage of the leak of classified documents by Edward Snowden about U.S. and British intelligence efforts targeting virtual worlds such as Second Life and World of Warcraft. Some might think that looking for terrorists in a video game played by kids is foolish. Others, more familiar with these settings, may wonder why anyone would want to conduct clandestine meetings where the game platform records conversations.
But then again, not very many people thought a group of terrorists would hijack multiple aircraft and fly them into buildings either. In a world where the security apparatus wants to lock every threat down, people don't want to take a chance. To use an EVE Online analogy, would you want to explain to the President of the United States why a group of blood elves managed to suicide gank a high value target?
However, since I'm older than Big Bird and never saw a game console until I was in high school, I have a slightly different perspective. Having grown up during Watergate, I think back to that line from All The President's Men, "Follow the money."
Is there a money aspect to the story? Of course. Terrorists engage in money laundering to avoid the efforts of governments to seize their funds. And what medium have criminals used for years to launder stolen money? Virtual worlds. So the fact that intelligence agencies are looking at virtual worlds is an old story. In a paper presented to the International Cyber Resilience Conference in 2010, Angela Irwin and Jill Slay, both from the University of South Australia, looked at the possibility of terrorists laundering money through Second Life and World of Warcraft. They concluded that...
"The constantly evolving nature of money laundering and terrorism financing requires that opponent’s strengths and weaknesses be constantly assessed at both technological and social levels as the degree of protection afforded to financial systems are merely temporary as investigators and anti-terrorism agencies continue to find themselves one step behind a constantly transforming adversary. The development of a practical typology, a strategic and tactical orientation, can guide homeland security professionals and investigators in identifying, assessing and defeating opponents.
"Although real-world financial regulations do not currently extend to virtual environments, there is growing momentum for this to change. It can reasonably be assumed that, in time, virtual environments will be subject to the strict compliance laws and regulations faced by their real-world counterparts. Therefore, it is vital that pattern recognition techniques and suspicious behaviour maps, rule bases and models already be determined and systems designed to automatically detect potential money laundering and terrorist financing activities to ensure their transition into the virtual world is as smooth as possible."
I write extensively about game companies' war on illicit RMT, but thinking about governments joining the war is a little scary. Yet, if we see the actions of the U.S. and British intelligence agents as a huge anti-RMT operation looking for a specific type of operator, I find the activities described in the Snowden leak more logical.
The question some may wonder is: can RMT, whether through the use of Linden dollars in Second Life or the illicit secondary market for WoW gold, really fund terrorist operations? In the scenario envisioned by Irwin and Slay, the process would involve credit card fraud.
- Acquire a stolen credit card number.
- Create a new account using a prepaid card on a massively multi-player online game with an active gold farming market, which allows both buying and selling of game currency. It is important that the virtual goods can be bought and sold.
- Go to the gold farming sites and purchase the money with the stolen card and have it transferred to the new account.
- Log on with a second account that has been purchased with a different credit card or prepaid gift card so both accounts are logged on at the same time.
- Transfer the money from the first account to the second and then delete the first account.
- Now sell the money to a place different from where it was purchased and have the proceeds transferred to a new bank account.
That type of fraud would not stand out as unusual in today's world. Back in January 2008, Sony Online Entertainment CEO John Smedley told Massively that credit card fraud and chargebacks had cost SOE over $1 million over the previous six months. And Scott Hartsman, now the CEO of Trion Worlds, told Gamasutra in July 2011...
"Where you go buy gold from a disreputable gold site, and they say 'thank you' and deliver your gold, and sell your credit card number, or start registering accounts with your credit card.
"It's those kinds of things where people laugh and go, 'Oh, that never happens.' No. It happens. It happens a shitload. To the point where, over the last three or four years, I would dare anybody to ask an exec at a gaming company how much they've had to pay in Master Card and Visa fines, because of fraud. It happens a lot."
Just how much could a terrorist cell engaged in credit card fraud make in a money laundering operation involving MMOs? Marcus Eikenberry, the owner of the game time code selling site MarkeeDragon.com, related a story from 2002 of how the Russian mafia would use stolen credit cards to purchase Ultima Online 90-day game codes from the EA store and turn around and sell them at half-price to the general public. He calculated that EA probably lost around $600,000 from the credit card fraud, meaning that the Russians probably pocketed around $300,000.
But is this story just an aberration or is the illicit RMT market just this big? In 2007, the Helsinki Institute for Information Technology's Tuukka Lehtiniemi and Vili Lehdonvirta estimated that the combined primary and secondary RMT markets were over $2 billion, with the secondary market in the West valued at $285 million.
Based on recent events, the value of the secondary RMT market has probably increased over the past 7 years. In an anti-botting/RMT operation conducted in Final Fantasy XIV: A Realm Reborn in September 2013, Square Enix seized 367.7 billion gil from botters/illicit RMTers worth an estimated $2.5-$4.2 million on the illicit secondary market. And Jagex, makers of the browser-based MMORPG RuneScape, also in September estimated that in-game currency with a secondary market value of $60,000-$70,000 was sent to the illicit RMT sites every month.
But is this enough to finance terrorist operations? According to a report on the website of the Council on Foreign Relations, the answer is yes. While al-Qaeda may have spent as much as $500,000 on the 9/11 attacks, the 2002 bombing of a Bali nightclub cost about $50,000, the 2004 Madrid train bombing cost an estimated $10,000-$15,000 to conduct and the 2005 attacks on London's mass transit system cost about $2,000.
So far no money laundered through an MMO has helped finance a terrorist attack. According to the CFR report the biggest sources of funding for terrorist organizations are charities, the illicit drug trade and money laundering through legitimate businesses. Also, the money laundering that does occur is in the more traditional forms of transfers as well as using the hawala system.
Am I too focused on the subject of RMT and ignoring such benefits to intelligence organizations as the identification of human targets to either flip or track? Perhaps. But I'm struck by the ProPublica article that mentioned "Operation Galician," an effort that cracked down on a crime ring that had moved into virtual worlds to sell credit card information. As that is basically the only solid benefit I saw while researching this article, I'll believe that a focus on credit card fraud is a valid approach to take. But taking my "follow the money" approach, I don't see any evidence presented of a link between MMOs and terrorism. At most I see that some terrorists may like to play computer games.
Expanding beyond the financial angle, is this effort by U.S. and British intelligence agencies really designed to prevent terrorist acts? While the people releasing the data have their own biases, the information available currently indicates the answer is no. I see the effort as a fishing expedition with the fight against terror a handy excuse to justify more intrusions into people's lives. If I had to reach into literature, I would compare this effort to the early years of Jerry Pournelle's CoDominium series. That, for those unfamiliar with Pournelle's work, is not flattering. Then again, the desire to collect every bit of information on everyone on the off-chance the information could come in handy isn't exactly a pretty picture either.