Palko Karasz

c.2019 New York Times News Service

LONDON — “Want to see more of Lasse L. Matberg?” NATO asked on Facebook last October about an officer who acted as the public face for a recent military exercise. The following week, it said, he was to take part in Trident Juncture 2018, NATO’s “biggest exercise in decades.”

Matberg’s image, sometimes seen with Norway’s armed forces, has appeared prominently on his Instagram account, which has 630,000 followers. He and other NATO soldiers have also been active on Facebook, with 5,000 photos published under the hashtag #Tridentjuncture, showing soldiers posing with guns, in the field or in the cockpit of a military aircraft.

Publicizing exercises like Trident Juncture has become an essential tool for NATO to get its message out and to showcase its military strength — especially in the face of fake news spread online by Russia. But such information published on social media platforms carries risks, researchers from the Strategic Communications Center of Excellence warned this week.

An article published by the independent organization, which provides NATO with advice and expertise and is based in Riga, Latvia, said that during a recent exercise in a NATO nation, researchers were able to collect sensitive information, track troop movements and find soldiers’ approximate location via social media.

It’s the latest warning that in addition to electronic devices such as smartphones, Instagram and Facebook also can unintentionally pull back the curtain on military activities meant to be kept out of the public eye. In January 2018, Strava, a fitness app that posts a map of its users’ activity, unwittingly revealed the locations and habits of military bases and personnel, including those of U.S. forces in Iraq and Syria.

And Tuesday, Russian lawmakers voted to bar troops from using smartphones and recording devices, and from posting anything online about their military service, after soldiers’ digital traces were used to reveal actions the Kremlin wanted to keep secret.

Here’s what the researchers from the Strategic Communications Center of Excellence found.

Public Posts Can Help Find and Track Soldiers

The researchers embedded with a unit that played the adversary in an exercise by a NATO member state. They discovered that Instagram provided timely information about the exercise, and Facebook features like friend suggestions allowed them to find soldiers through their connections.

They not only used data that people share publicly on social media to connect with soldiers. They also set up closed groups on Facebook and “honey pot” pages designed to lure the soldiers in, using both fake accounts and some that impersonated real people to engage with their targets. They sought details about the exercise, its participants and its targets.

The results were in line with a recent article by Bellingcat, an online investigative group that recently gained prominence when it identified the Russian spies suspected by Britain of poisoning former Russian spy Sergei V. Skripal and his daughter, Yulia, in Salisbury, England.

“Soldiers who take part in large-scale exercises, regardless of nationality, love to share photographs of their trip on social networks,” according to the Bellingcat article. It added that Instagram photographs and tagged locations offered many opportunities to monitor NATO’s Trident Juncture exercise last year.

Soldiers Shared Sensitive Data

By tracking soldiers on social media, researchers were able to discover the dates of the exercise and to follow the movements of battalions and pinpoint their exact locations.

Through direct contact with the soldiers, researchers managed to find their approximate locations, including those of crucial personnel.

All participants targeted shared pictures of military equipment, the article said.

Facebook’s Response Revealed Loopholes

Facebook identified and took down some of the fake pages in a matter of hours or weeks, but the closed groups, one fake profile and one profile impersonating a real person were not discovered, the researchers wrote.

Researchers also alerted Facebook to a feature that allowed them to find users’ workplace information even when the users actively blocked those details from the public.

“The privacy features and settings of social media platforms cannot be trusted not to leak information to other layers of the social media platform,” the article said.

Social Media Guidelines in NATO States Aren’t Aligned

The article concluded that at the current level of security, an adversary would be able to collect personal data and track and target soldiers participating in an exercise in order to influence their behavior.

It said that social media companies should consider changes to prevent private data leaks. But it found that some of the weaknesses the researchers were able to exploit were “human flaws that can only be addressed through better training and stricter control.”

NATO member states, including Britain, the United States and France, have published guidelines for social media use and warned their troops of the risks it posed. But the guidelines were different in each nation.

In response to the article, NATO said in an emailed statement Thursday that it was “important that NATO Allies continue to train their troops to be vigilant, including online.”

“At the same time, we are strengthening our cyberdefenses and taking all necessary measures to protect our networks.”