Australia’s cyberspies are using a digital surveillance tool to monitor the world’s most popular social media platforms and websites, as well as online communities for pregnant people, bodybuilders and fetishists.
Last month the government’s tender website, AusTender, published a contract between the Australian Signals Directorate (ASD) and ShadowDragon Holdings, LLC. The contract runs for two years and is valued at $563,040.
ShadowDragon Holdings is an American company that sells “open source intelligence software, unique datasets and training” to organisations, including the United States Immigration and Customs Enforcement agency as well as state police forces in New York and Michigan.
ShadowDragon’s products pull data from a range of public online platforms — reportedly more than “200 unique sources and datasets” — to make them searchable for its users.
The full list of places isn’t published but its promotional material lists places including Facebook, Instagram, Telegram, YouTube, X, Google, Amazon, Tumblr, WhatsApp, LinkedIn, Reddit, 4Chan, Skype, Spotify, Twitch, Xbox network, PornHub, SoundCloud, Gab, Foursquare, Tripadvisor, Tinder, Etsy, PayPal, Flickr, Imgur, Disqus, eBay, GitHub, DeviantArt, Blogger, FetLife, BitChute, parenting forum BabyCenter, social network for Black people BlackPlanet and more.
Additionally, 404 Media reported that ShadowDragon’s chief operating officer Jonathan Crouch told an industry event that the sources also included Fortnite as well as gaming platforms such as Xbox, PlayStation and Steam.
ShadowDragon allows users to search by name, online handles, phone numbers, emails and other information. It provides a number of uses for this information: it can be searched; it can be used to create a map of an individual’s networks; it can be proactively monitored for references (including sentiment).
In 2021, The Intercept reported that a now-deleted online tutorial from the company suggested clients might use the data to “social engineer” a mutual friend into talking to a target.
An ASD spokesperson confirmed its commercial relationship with ShadowDragon and explained that the company’s products are used for its cyber threat intelligence activities and to train analysts.
AusTender also shows that the Department of Home Affairs procured ShadowDragon’s services five times between 2018 and 2022 for a combined value of more than $280,000.
A Home Affairs spokesperson told Crikey that the department “currently has dealings with ShadowDragon … to support the Department’s and Australian Border Force’s specific functions activities.” The spokesperson defended its use, stating that all data is public and is collected in a lawful manner.
Digital Rights Watch program lead Samantha Floreani said that ShadowDragon exploits the trails of data that people create by taking part in the digital economy: “It’s exceptionally invasive, generally operates without people’s knowledge, is potentially inaccurate, and turns the whole internet into a free-for-all for intelligence agencies and law enforcement.”
Floreani said the government’s use of ShadowDragon shows how corporate and state surveillance are fundamentally intertwined: “Surveillance capitalism isn’t just a boon to digital platforms and advertising companies, it also enables government agencies to leverage the huge amounts of data gathered across the internet for their own surveillance purposes, often without adequate rights-protections, oversight or accountability.”
Update: This article has been updated to include comment from the Department of Home Affairs.