This article was first published in VentureBeat.
You can’t surf two clicks on the web nowadays without seeing a story about chatbots. Ever since Facebook made the announcement that it has opened up a bot building platform for developers during its F8 conference, a whole lot of digital ink has been spilled over what the rise of chatbots means for white-collar jobs, for e-commerce, for customer care, etc.
Other tech companies have been quick to follow suit and step up their chatbot game, with the latest news coming from encrypted messaging app Telegram, which just announced a $1 million prize for developers who manage to build a bot that is both fast and useful, as opposed to Facebook’s bots, which, let’s face it, haven’t been getting much love so far.
Chatbots get better with time and information. The more info you feed them, the better they become at mimicking natural language and making you believe they are real. Human even.
We’re not as far as some may think from a chatbot passing the Turing test without the aid of gimmickry. It hasn’t happened yet, but it will. Soon.
And that “soon” is when our online privacy will take a really big hit and we’ll have to learn (and teach our parents and children) new tricks to keep our personal, sensitive, and highly confidential info safe.
Maybe the rise of the chatbots spells the end of the white-collar job; maybe it is the future of personal assistants and stellar customer care; maybe it is the next big thing. But it is definitely a new and powerful threat to online privacy and security.
Chatbots, unlike your human friends, will always be there.
Without the burden of jobs, family, friends, responsibilities, and a bunch of TV shows to catch up on — or what we humans like to call a life — a chatbot will always have time for you. It will always be there to lend an understanding, non-judgemental ear. It will always be there to listen, whether it’s at the end of a bad day at work or in the wee hours of a sleepless night spent worrying about love, life, or whether the season premiere of Game of Thrones this weekend will bring any closure to the “is Jon Snow dead” conundrum.
And who better to be the keeper of all your worries, all your darkest thoughts, all your doubts, and all your passwords if not a chatbot that will never be too busy or too tired to listen.
Let’s just accept the fact that we will tell chatbots our secrets. We will share information with them that we would never share with our friends. We will use them as repositories for important data that we know we need to remember.
After all, we’ve already said “I love you” to them.
The problem is that all that personal, sensitive, and confidential information will get stored on some server somewhere. Because in order to get better, a chatbot needs to remember the info you feed it so that your conversations don’t start from a clean slate every time. That’s not how human interaction works — unless you’re Adam Sandler and Drew Barrymore in 50 First Dates. You start where you left off, you learn more with every new exchange. Rinse, repeat.
So data needs to be stored. And stored data can be hacked. It can be snooped on. It can be surveilled. It can be used for nefarious purposes. And it will. It’s only a matter of when.
One more problem: We won’t be able to tell a real chatbot from a fake one.
How hard would it really be in the future to release a fake chatbot into the wild to trick people into giving out sensitive information under the guise of being a chatbot from a reputable institution?
Man-in-the-middle attacks are a dime a dozen these days, so why not a chatbot-in-the-middle attack?
Sure, the vulnerability would be rapidly discovered and the chatbot removed, but by the time that happens (however short that time is), it could do a lot of damage.
And what that means from an opsec perspective is that we’ll soon need to train our brains to look out for this type of potential threat. We’ll need to learn to check chat conversations for spelling errors, awkward turns of phrase, and uncanny syntax. We’ll need to go against years of internalized chat behavior to protect our data and our privacy.
And that’s not an easy feat at all. Actually, it could turn out to be impossible.
Chatbots will make phishing as easy as shooting fish in a barrel
Just as we know by now to look for spelling errors in suspicious, seemingly official emails, we also know not to click any unsolicited links that such emails might include. We know they might contain viruses, malware, ransomware, all bad things that could lead to us, at best, spending a day reinstalling our operating system or, at worst, paying a lot of money to have our files released from captivity.
But would we be as cautious when it comes to a link from a chatbot? I think not.
Oh, of course we wouldn’t go anywhere near a link from a spammy bot that pops up out of the blue yelling “CLICK HERE AND WIN AN iPHONE,” but I’m not talking about those kinds of bots here.
The bots I’m talking about are the bots of the (near) future that will be described using words such as “witty,” “sassy,” and “funny.” Like Tay before the Internet turned her into a racist and a Nazi. Or Rose here, who says she cares about security and even hands out privacy and security tips. Only 10 times better. And sassier.
The bots that we’re talking about will know how to build rapport, how to act and talk like humans, how to make you forget they’re actually only a piece of software.
And their links would be topical. They won’t come out of the blue and they won’t be shouty and spammy. They will look like they belong in the normal flow of the conversation.
Or like an intentional “personality” quirk that the chatbot was fitted with to seem more real.
Think about this for a second: If a chatbot uses enough TV show references in its replies, how suspicious would you be when it drops a link to a Buzzfeed-type “find out which Grey’s Anatomy doctor is your soulmate” personality test? Would the thought that it might be a malicious link even cross your mind?
Or, if you prefer a more scientific approach that takes more than a second to wrap your head around, read this research paper that tackles the issue: “Towards Automating Social Engineering Using Social Networking Sites.”
In a nutshell, it describes how a female chatbot could join a Facebook university group, build rapport with the members by telling them she’s thinking of applying there and needs some information, and then perform an attack by asking them to help her by filling out a quick 5-minute survey.
Even though the experiment was never carried out (which is unfortunate), we’re pretty sure the results would have shown that it is scarily easy to execute a phishing attack using a chatbot.
But all hope is NOT lost.
Read the rest of this article at VentureBeat.