Cracks in Facebook's Walled Garden
Facebook sits at the eye of a perfect storm this week. Congress forced them to reveal the extent of Russian ads and fake news during the 2016 election. FaceLiker malware spiked. Fake Friend attacks continued to spread.
Facebook security matters. For many people, Facebook is the Internet. One in five web page views occurs through Facebook. Ten million web sites are Liked or Shared on Facebook every day. With over 2 billion active users, many of whom get most of their online content via Facebook, its reach is staggering. 83 million of those user accounts are fake (more about that later).
Let’s start with Russia’s election shenanigans. Facebook just admitted to Congress that 10 million Americans saw Russian political ads during the 2016 presidential campaign. 3,000 ads were purchased by the “Internet Research Agency”, an organization with ties to the Kremlin. Russian groups were also linked to fake news campaigns and troll farms active in 2016.
Facebook cracked down on fake news and began cooperating with investigators regarding foreign political ads. They made it easier for users to report fake news stories, and warn users if they’re about to read a “disputed story”. They made it harder for fake news sites to profit from clicks. And Facebook proactively removed 30,000 fake accounts in France before elections there.
While all this was going on, McAfee quietly reported a sharp uptick in FaceLiker malware, a Trojan that performs “like-jacking”: it causes a victim’s Facebook account to Like web pages without the user’s knowledge or consent. FaceLiker’s operators sell this service to sites that want to drive up Likes for various reasons. Fake news purveyors are among FaceLiker’s biggest customers.
Facebook has begun to disrupt like-jacking attacks with a pop-up dialog asking users to confirm suspicious Likes. But so far, not wanting to interrupt users’ seamless experience, Facebook seems to show it very infrequently.
All this happens against a rising tide of Fake Friend attacks. Facebook doesn’t give statistics, but anecdotally more people are experiencing it. You get a friend request from someone you thought you were already friends with. You look at their Facebook page, see the expected photos and friends, and so you accept the request. Later you learn it was a doppelganger, but it’s too late. The moment you friended them, they got all the personal information you share with friends, including photos and friends’ names. Enough to make a fake profile that looks just like yours, and so the cycle continues.
Fake Friends have grown so common that Facebook added a button for reporting them. They seem to take down reported accounts rapidly. But Facebook could do more. For example, when a profile is created with a name and photo matching an existing profile, they could perform additional identity vetting or monitoring.
There’s an ominous synergy between these emerging Facebook threats. Fake news, fake likes, fake friends. Fake friends spread fake news, amplified by fake likes.
Facebook reacts, trying to get ahead of the triple threat, desperate to protect their business from angry users and Congress, but it’s not clear that they see the bigger picture. Let’s hope they can go on offense before the next US national election, which is only a year away.
Facebook has become the walled garden that America Online once aspired to be. AOL wanted to keep users off the WWW by offering them similar content within a walled garden, but their approach didn’t scale. As Internet web sites multiplied exponentially, AOL couldn’t keep up.
Facebook is more of a glass greenhouse than a walled garden. Unlike AOL, they let users peer out at web sites as much as they like, but the view is framed by Facebook.
We know what happens to those who throw stones in glass houses. Windows shatter, fresh air and sunshine pour in, and people decide they’d rather play outside.
UPDATE 5/4/2018: Last December Facebook began using facial recognition to catch fake doppelganger accounts, but the Washington Post now reports the checks are limited and have had little effect thus far, raising concerns that Facebook persuaded users to enable face recognition for no real benefit.
UPDATE 7/24/2019: Facebook was fined a record five billion dollars by the FTC for privacy violations. Its Board of Directors is also required to form a privacy committee to oversee Zuckerberg's team.
Michael McCormick is an information security consultant, researcher, and founder of Taproot Security.