
Professor Sean Lawson discusses his new book, “Social Engineering”



Sean Lawson, associate professor of communication, recently published a new book, “Social Engineering: How Crowdmasters, Phreaks, Hackers, and Trolls Created a New Form of Manipulative Communication” (MIT Press). In it, he explores manipulative communication – from early twentieth-century propaganda to today’s online con artistry – through the lens of social engineering.

What is social engineering?

Social engineering has historically been used to describe both mass media propaganda and interpersonal attempts to penetrate information and communication systems by phone phreaks or computer hackers. In its most general form, it is a form of manipulative communication meant to get the target to take actions that are of benefit to the social engineer but which might not be in the best interest of the target.

What are some examples from the early twentieth century? How was it created and spread before social media?

The pioneers of public relations and mass media propaganda in the early 20th century used the “engineering” metaphor to describe their work. Sometimes they called themselves “engineers of consent” or even “social engineers.” This included folks like Ivy Lee, Edward Bernays and Doris Fleischman, among others.

Their form of social engineering appeared as early as the 1890s and reached its apogee in the period between the 1920s and 1950s. Like other forms of engineering, the conception here was simple: take the principles uncovered in the sciences, in this case the new social sciences (e.g., sociology, economics, psychology) and apply them to social problems in an attempt to shape society via mass communication using newspapers, radio or movies. While the engineering metaphor implied the promotion of progress, these techniques were also often used for less than progressive ends, like smearing labor unions on behalf of large corporations, promotion of smoking, etc.

What is masspersonal social engineering?

Just as the internet and social media are driving a convergence of once-distinct forms of mass and interpersonal communication into what some scholars call “masspersonal communication,” so too do we see the emergence of a new form of manipulative communication that we are calling masspersonal social engineering.

Masspersonal social engineering brings together the tools and techniques of hackers and propagandists, interpersonal and mass communication, in an attempt to shape the perceptions and actions of audiences. It takes advantage of social media, big data, AI and addressable ad tech to manipulate individuals and small groups – like hacker social engineers – but with the goal of affecting society as a whole – like old-school mass media social engineers.

What are some of the manipulative communication practices we are seeing from Russia?

Russia and a growing number of other state and non-state actors increasingly make use of data collection on their targets. Sometimes this collection is illicit, relying on the penetration of computer networks or trickery to elicit sensitive information from targets. Masspersonal social engineers often make use of pretexts, hiding their true identities and motives behind fake online social media accounts or fake organizations. Their engagements with targets often go beyond merely offering lies or disinformation and instead use a mix of accurate information, deception, friendliness, even playfulness to pull would-be targets in, gain their trust and make it easier to manipulate them. So, we see masspersonal engineers sharing funny memes, playing hashtag games with their followers and other practices that don’t fit neatly into the true/false, real/fake binary. Finally, the ultimate goal is the penetration of minds, machines and markets. Masspersonal social engineers want to shape our thoughts, perceptions and ultimately our actions. They do this by working to penetrate media markets and online debates through the use of marketing technologies, automated bot accounts, gaming of search and recommendation algorithms and more. But they also sometimes engage in penetrating machines (i.e., computer hacking) to gather information used in further targeting, creation of pretexts and creation of manipulative content. This is what we saw, for example, in the Russian hacking of John Podesta’s email in 2016.

Why is it so difficult to identify social engineering?

Social engineering is difficult to identify because it is designed specifically to take advantage of human frailties from which we all suffer. Masspersonal social engineering is even more difficult because it also takes advantage of technological frailties in our media systems and computer networks. These frailties in turn allow the masspersonal social engineer to target our human weaknesses even more intensely, using a combination of both public and sometimes illicitly obtained private information about us to target us more directly.

What can people do to make sure they don’t fall victim to this?

There are steps that individuals can take to help protect themselves. Of course, in the interpersonal, hacker form of social engineering, we all know not to click on random links in emails or download attachments from people we don’t know. In the realm of mass social engineering, greater media literacy about how the online communication environment operates these days, how it is monetized and how we are all targeted in that process would be helpful. Taking steps to limit one’s use of social media and to limit the amount of personal information we share online can also help defuse some of the efforts of masspersonal social engineers.

But ultimately, the challenge goes beyond what individuals can solve on their own and beyond mere propaganda, lies or even disinformation. Masspersonal social engineering also implicates challenges related to big data and privacy, AI and machine learning, social media platform governance, dark money and front groups in politics, a largely unregulated global influence industry, poor cybersecurity practices by government and private organizations alike, persistent racial, economic, and political divisions and more. So, at the end of the day, we are going to need collective action through government and private organizations to deal with this multifaceted problem.

 

Last Updated: 11/29/22