Behind a glass door closed to the public, tacked on the wall of a dark room, thousands of yellow dots glimmer on a world map. A few sofas left vacant before this terrestrial constellation are a testament to its importance. Next door, in an adjoining room, researchers are busy tracking computer threats. They work in a blue-gray lab located on Microsoft’s campus in Redmond, Washington. This is the unit dedicated to digital crimes.

Defenders of democracy

Founded 10 years ago, this group is more active than ever. This summer, it “enforced a court decision to take and transfer control of six domain names created by a group largely associated with the Russian government known as Strontium or Fancy Bear, or APT28,” Microsoft President Brad Smith announced Monday, August 20, 2018. The sites in question had URLs similar to those of existing institutions and were designed to deceive the public. Three months into the American midterm elections, they pretended to be affiliated with the Senate and a number of Republican institutions, spreading false information. According to Brad Smith, Moscow was behind it.

“Democracies around the world are clearly under attack,” he concludes. “Foreign entities are launching cyber-attacks to disrupt elections and sow discord.” Smith, a lawyer by training, fears that a scenario identical to that of the 2016 presidential election could be repeated. “President Vladimir Putin has ordered a campaign to influence the vote,” concluded the US intelligence community on January 6, 2017. They say he used “Fancy Bear,” a group of hackers accused of having infiltrated the Democratic National Committee (DNC) server.

But Republican organizations are being targeted this time around for “criticizing the relationship of US President Donald Trump with his Russian counterpart, Vladimir Putin,” writes Wired magazine. The domain names attributed to Fancy Bear were recovered thanks to a procedure launched against it in August 2016. Instead of counter-attacking online, Microsoft brought the case to court. It managed to prove that, since the forged sites spread through its messaging system, they caused injury to its clients. Under the 1946 Lanham Act, the courts were allowed to seize URLs in August 2018. They were then “deactivated” using the sinkhole technique.

“We have used this technique 12 times in the last two years to close 84 fake sites associated with this group,” says Brad Smith. “Despite the results, we are concerned about continued targeting by these and other sites, including elected officials, politicians, political groups or think tanks of all stripes in the United States.” That’s why the program Defend Democracy, launched in April 2018, is bolstered by an initiative called “AccountGuard,” which is meant to protect participants in upcoming elections. But can a multinational company establish itself as a guarantor of democracy?

“Microsoft has a dedicated team that has worked in this area in collaboration with the authorities for years,” observes former NSA researcher Dave Aitel. “What is remarkable is that its latest reports point fingers at Russia. A company never went so far against a nation state.” The Redmond firm is far from powerless. “It has a history of sinkhole operations,” says Aitel’s former colleague, Jake Williams. The team’s members have “done tons of research on the threats” since 2008.

Birth of a unit

When he left the Florida sun for the rainy city of Seattle, Richard Boscovich found himself in the middle of a storm. After 17 years working at the Department of Justice, this lawyer was joining a team of Microsoft engineers finalizing its new operating system, Vista, in May 2008. He was there to help them improve the security of the service. His computer skills were limited. The multinational company was recruiting a horde of security experts, not hesitating to take on people who’d made fun of its shortcomings in this area.

Boscovich’s digital crime unit was barely up and running when it faced its first challenge. In November 2008, the computer worm Conficker infected Windows computers. “Everyone was very frustrated,” recalls Boscovich. “Our defensive work had improved a lot but we felt we could do better.” Several million devices were affected and Windows participated in an international working group with other industry players. At the urging of colleague TJ Campana, they recorded the domain names used by the worm in order to neutralize it.

The problem was that some URLs remained inaccessible to Microsoft. Wanting to seize them at any cost, Boscovich recalled a case he had worked on in Florida. A handbag manufacturer was granted the right to seize counterfeits of its brand, since the copies hurt its image. Applying the same logic, he wanted to bring the case to court so that Microsoft could take possession of the infected domain names. First dismissed by his superiors, his idea finally bore fruit on February 24, 2010. It helped fight against the Waledac and Rustock viruses.

The Lanham Act of 1946 was cited at the hearing. “We used the basic principles of law – perhaps finally one or two modern laws – to deal with a 21st century problem in a new way,” says Boscovich. “It’s funny. I had never imagined seizing servers used to send viruses using the Lanham Act on trademark infringement.” Once justice was served, Microsoft still had to prevent viruses from automatically being sent. Rustock bots are programmed to generate a new domain name as soon as one of them no longer works. With the help of the company Kaspersky, the firm finally managed to predict the URLs that would be created by the algorithm.

In 2011, the Kelihos contagion was countered by a complaint against the manager of a domain name provider, Dominique Alexander Piatti. This man did not knowingly infect computers, but, according to Boscovich, he could have prevented others from using his platform. It is this same logic that led Microsoft to go after another domain name provider in 2014, No-IP.

A digital Geneva Convention

One morning in 2014, at 7 AM, Dan Durrer awoke to a delivery man’s knocks. But the man brought no packages, just bad news. A thick pile of documents informed him that Microsoft had just taken control of his Nevada-based business, No-IP. Soon enough, his phone was flooded with messages informing him that his services no longer worked.

Without his knowledge, his system, which for 15 years had provided domain names to small companies, had been used by malicious hackers. And, still without his knowledge, Microsoft had shut it down. “The number of malware that used the No-ip.org domain name was astronomical,” says Boscovich. The ex parte appeal, in which Boscovich has become an expert, can succeed even if its target has not been informed, regardless of the damage caused to customers who respect the legal framework. When No-IP shut down, millions of addresses were affected. Microsoft had planned to leave the legal sites intact, but that failed.

As customer complaints came pouring in, Dan Durrer contacted his lawyer and ended up getting Boscovich on the phone. The conversation was anything but friendly. Microsoft agreed to re-enable No-IP under certain conditions. Durrer refused to comply. He talked about his case to the press, which pushed Microsoft to give him control of his domain names a few days later.

In No-IP’s case, “Microsoft considered that if a resource widely used on the Internet was poorly managed by its owner, someone should be able to replace it,” says Paul Vixie, one of the creators of the Domain Name System (DNS), now CEO of a computer security company. “Well, there is a long list of people who could take better care of Hotmail or Outlook than Microsoft. I do not think users would want to live in a world where the No-IP affair would set a precedent.” Microsoft’s behavior was judged severely by the Electronic Frontier Foundation. Various lawyers also argue against the practice of ex parte appeals, which undermine the principle that all parties must be heard by a judge.

This kind of practice is even more controversial when it involves the sovereignty of states. In 2012, Microsoft obtained control of the Chinese domain name provider 3322.org, from which a virus called Nitol spread, through a court. The operator Pen Yong had to reach a compromise with Microsoft in order to resume activity. But Microsoft’s actions weren’t enough to vanquish Nitol, which used secondary domain names outside 3322.org to continue spreading. The fight against malicious software by this process “does not prevent hackers from launching new and more concealed attempts,” says Wired.

For Paul Vixie, “when a company or a country embarks alone in sanctioning activity, the result is usually catastrophic because the Internet is rich in its interdependencies and many of its rules are not written.” Before taking control of domain names, Microsoft must of course have the approval of a judge. But Microsoft is getting approval more and more frequently. Its actions probably need some kind of framework. Microsoft itself is calling for some kind of digital Geneva Convention.