The cybersecurity community is reckoning with influencer culture for the first time after several popular figures ran paid advertisements on their social media accounts.
The big picture: For years, the world of cybersecurity experts has operated more like a scientific community than a commercial one — and, until very recently, more like a counterculture than a service. The paid posts provided a glimpse of a corporate sponsor-driven future for security specialists surprised to find out that corporations knew who they were.
Driving the news: Several follower-rich cybersecurity Twitter accounts ran individualized promotions for Lenovo's secure line of products and security services, ThinkShield (all tagged "#ad #thinkshield"), sparking immediate pushback from the wider community.
- The influencer marketer VizSense, not Lenovo, reached out to influencers. It's not clear how much Lenovo was aware of the plan.
- The influencers who were contacted included a reporter, well-known researchers, a former intelligence operative, executives, a financial tech expert, an AI guru and others. All had more than 10,000 Twitter followers.
- No one who ran the ads has confirmed being part of this campaign; however, several Twitter personalities posted using those hashtags.
- VizSense, Lenovo and seven people who appear to have run Lenovo ads related to this campaign — one of whom ran ads in multiple languages — did not respond to requests for comment.
The campaign prompted immediate criticism online, with several security luminaries seeking out and posting screenshots of paid posts.
- Many also noted a 2015 incident where Lenovo's preinstalled software included a third-party advertising product called "Superfish" that introduced severe security issues in its products.
Between the lines: On Instagram, YouTube and other platforms, influencers with large followings routinely take cash to promote products, often in the fashion industry or entertainment. But this appears to be the first time personality-driven advertisements have been used in cybersecurity.
Several of the influencers who turned down the ads told Codebook that companies could use established, less-controversial methods if they wanted researchers to help increase awareness of security products and initiatives.
- Researchers are often paid to conduct third-party evaluations of products. They can be brought in to assist in relevant research projects or speak at branded events and webcasts on research topics.
- "There's nothing wrong with compensated reviews," said Chris Wysopal, co-founder and CTO of Veracode, who noted that VizSense couched an offer to him in terms of paid evaluations of Lenovo wares. "But it didn't look like the tweets people put out were reviews."
- Wysopal and Jake Williams of Rendition Infosec, who both declined VizSense's offer, noted that they were asked to review Lenovo's ThinkShield based on an information sheet, not a product. Neither felt like they could have evaluated a full product in the time frame VizSense offered.
Zack Whittaker, the security editor for TechCrunch, told Codebook that VizSense approached him over LinkedIn — implying they were at least somewhat aware of his role as a journalist.
- "It's particularly unethical for a company to actively approach journalists, of all people — ergo, to ask them to violate their ethics — to promote something in exchange for payment," he said, via electronic message.
The irony, said Wysopal, is that the backlash might obscure real progress Lenovo has made since the Superfish incident.
- "There's a lot of good to ThinkShield, according to what they sent me," he said, pointing to supply chain protections that could fight future Superfish-style problems. "They didn't need to go with this approach."