Critical Infrastructure Security , Fraud Management & Cybercrime , Social Media

Parler Content Forcibly Archived by Researchers After Riot

Terabytes of Videos, Images and Posts From Conservative Social Media Site Saved
Parler Content Forcibly Archived by Researchers After Riot
Protesters gather outside the U.S. Capitol on Jan. 6, 2021. (Photo: TapTheForwardAssist via Wikipedia/CC)

A security researcher based in Vienna led a fast-paced, crowdsourced effort to archive posts, videos and images from the social network Parler after rioters on Wednesday violently stormed the U.S. Capitol.

See Also: Unmasking Risk for Due Diligence, KYC and Fraud

Parler, launched in 2018, was modeled on Twitter but with a self-proclaimed focus on "free speech." It has been "adopted by American conservatives as an alternative to mainstream social media platforms," says threat intelligence firm Recorded Future. Following the November 2020 U.S. election, "millions of users registered for accounts on Parler."

The Vienna-based researcher and other researchers say that they found a way to forcibly archive Parler content to retain communications that may have touched on the planning and execution of the Wednesday riot.

Parler is one of several smaller social media sites, including Gab, MeWe and Zello, that have a “vigorous” presence of far-right groups who participated in the Wednesday riot, according to the think tank Atlantic Council.

The crowdsourced Parler archiving effort appears to have ended Monday, however, when Amazon booted the social media service off of its servers. By then, researchers say, they had amassed tens of terabytes of data from the social network, comprising posts, images and videos. Details about how exactly the researchers were able to obtain the information, and in such large quantities, are unclear, although they may have exploited an undocumented API that Parler created for its iOS app.

Some industry watchers also suggested that the researchers may have subverted the Twilio identity verification code service that Parler uses. But Twilio says Parler’s security issues are unrelated to its products. Twilio also notes that Parler deactivated its service just before Twilio warned it would suspend Parler’s account if Parler did not adequately moderate thecontent appearing on its platform.

In some instances, the archived Parler data includes GPS metadata, which could help law enforcement and third-party investigators identify riot participants. As of Monday, 45 individuals had been charged - under federal or local laws in Washington - in connection with Wednesday's events, according to the Program on Extremism at The George Washington University.

Researchers say they plan to publish the Parler data soon via the Internet Archive. The Austria-based researcher who led the effort, who goes by the Twitter handle @donk_enby and username "Crash Override," says researchers aim to create a “permanent public record” of Parler’s data. She could not be immediately reached for comment.

Parler Loses Service Providers

U.S. law enforcement agencies are reportedly reviewing posts to Parler to help identity those who participated in the riot, which occurred two weeks before President-elect Joe Biden's inauguration.

President Donald Trump, who has continued to falsely claim that he lost the election due to fraud, delivered a speech in Washington on Wednesday that incited a mob to violently march on the Capitol. Five people died as a result of the violence, and many more were injured. Trump now faces his second impeachment inquiry by the House of Representatives, with a vote on impeachment expected on Wednesday.

The FBI and other law enforcement agencies investigating the riot have issued public appeals for help in identifying suspects who breached the Capitol.

Parler has also faced intense scrutiny over allegations that the service was used to coordinate the violent protests and breach of the Capitol and for allegedly not adequately moderating content that encourages violence.

As a result, Apple and Google suspended the mobile app, contending that Parler violated their terms of service and that the service needs to improve its content moderation. Amazon also barred Parler from using its service, leading to Parler suing Amazon, seeking a temporary restraining order that would restore service, CNN reports. Identity service provider Okta has terminated Parler’s use of a free trial.

Such actions have prompted questions over censorship and the ability of large technology companies to suspend or banish users, as well as the timing of such efforts - coming just days before a Democratic president who may be less friendly to large technology companies takes power. Twitter, for example, has permanently banned Trump, and Facebook has suspended his account until after Biden's Jan. 20 inauguration.

Rich Data Set

Investigative projects, such as Bellingcat and others that study misinformation and far-right extremism, have been collecting photos and videos of the Wednesday riot, many of which were taken by the participants. Investigators have also been urging the public to help archive such content for investigators.

Riot participants, fearing legal consequences, have likely begun scrubbing their feeds of incriminating material. What makes the Parler data set valuable is its completeness as social media postings may be ephemeral.

It’s likely that U.S. authorities have already sent a data preservation letter to Amazon instructing it to save a copy of Parler’s data, says Alexander Urbelis, a partner at the Blackstone Law Group in New York and former acting CISO for the U.S. National Football League.

Alexander Urbelis

But law enforcement officials would have to apply for a judge to approve search warrants based on probable cause to request further data, he says. Nonetheless, because researchers captured so much Parler data for offline review, it can now be analyzed by law enforcement officials to find material for which they should seek a search warrant, Urbelis says.

“It could be a great starting point for investigation while they are awaiting the full repository of data and giving them additional leads on other service providers as well,” he says.

Public Archive of Parler Communications

Crash Override, who runs the website donk.sh, tweeted that the captured data largely comprises information posted publicly by users but also includes some other types of data, such as video metadata, which may have embedded GPS coordinates. She says obtained data doesn’t include email addresses, phone numbers or credit card numbers, unless for some reason users posted this information into a Parler conversation.

Crash Override and others are part of the Archive Team that downloaded the data, in part by using a virtual archiving appliance called ArchiveTeamWarrior. A tracker for the tool shows usernames of those who have copied parts of Parler’s data to help save it.

The downloaded data may also include posts that users had set to be private or deleted, Crash Override says. The presence of data that was marked for deletion is a reminder that some service providers do not delete user data, but rather set it to not display publicly, experts say.

Crash Override writes that she and the group have begun to extract metadata from the videos and plan to make that indexable. She published an archive that contained metadata from 30TB of video on the free, anonymous file-sharing service Gofile.io. But the site appears to have quickly removed the data.

Suspicion Falls on Unofficial Parler API

Researchers behind the archiving effort have not revealed exactly how they obtained the Parler data, although Crash Override has offered a clue, in the form of a Parler security problem.

In early December 2020, Crash Override published information indicating she had reverse-engineered one of Parler’s unofficial APIs for its iOS app. Using the API, it was possible to determine if someone was on Parler and which users had administration and moderation rights. Some researchers have suggested that the archivists may have used this information to forcibly reset administrator passwords to email addresses they controlled, to gain admin-level access to Parler and begin copying content.

Executive Editor Mathew Schwartz contributed to this story.


About the Author

Jeremy Kirk

Jeremy Kirk

Executive Editor, Security and Technology, ISMG

Kirk was executive editor for security and technology for Information Security Media Group. Reporting from Sydney, Australia, he created "The Ransomware Files" podcast, which tells the harrowing stories of IT pros who have fought back against ransomware.




Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing govinfosecurity.com, you agree to our use of cookies.