Every human being is unique and special. Identities, on the other hand, are a dime a dozen.
Only figuratively, of course. With just a photo, a name and an email address, anyone can set up a false profile, for free, on social media sites like Twitter and Facebook. More sophisticated actors might set up hundreds or thousands using photos scraped from others' profiles or other public sources.
I would know -- it's happened to me countless times. Recently, a Twitter user pointed me to an account using an old photo of me (wearing Google Glass, no less) spewing out links and phone numbers for what was purported to be credit counseling services. No savvy Twitter user would ever believe there was a person behind this account. It's primitive, even for a bot. And yet, Twitter is rife with accounts like these -- and the account is still active.
As of this writing, there are four Facebook profiles I can find using either my name, my photos or both -- though some look like they've been abandoned by now, either intentionally or through punitive actions by Facebook. At one point I even chatted up one of my doppelgangers, learning that my photos had been appropriated by a spurned lover in Ecuador in a catfish scheme to make an ex jealous.
"I confronted my Facebook impersonator, and now we're having a ❤ to ❤" pic.twitter.com/Nza9YmgbfO — Annie Gaus (@AnnieGaus), July 20, 2017
Like so many others who live much of their lives online, there's an abundance of personal info out there about me and many photos -- more than enough to build out a fake me many times over. The question is: Why are Twitter, Facebook and others still so bad at sniffing them out?
In its earnings report last week, Twitter told shareholders its spending in 2019 will increase sharply. The goal is to make Twitter "a healthier and more conversational service," said CEO Jack Dorsey at the time. It's been eager to show off the fruits of its labor: In late January, Twitter also published a review of the company's efforts to fight manipulation of its platform, writing that it removed 214% more accounts year-over-year, and that its system identified and challenged "between 8.5 million and 10 million accounts each week suspected of misusing automation or producing spam." It's also killing the monthly active user metric in future earnings releases in favor of "monetizable daily active users," as a better approximation of Twitter's genuine users -- and its potential value to advertisers.
"Some of their interest in removing inauthentic accounts is driven by the popular outcry over election interference or fake news, but it is directly aligned with their business interests," said Scott Vernick, an attorney with Fox Rothschild LLP who specializes in cybersecurity issues. "In preserving their business, they need a credible and authentic platform."
The risks go beyond just a cluttered environment for selling ads, however.
"The presence of bots and automated accounts on platforms may well present a security threat, because they could be virus carriers," Vernick added. Or credit scammers, for that matter.
On social media platforms where anyone can create an account for free, the costs of maintaining a healthy environment for users and advertisers are considerable. Twitter's stock plunged 9% after it told investors that its operating expenses would increase this year. Last July, Facebook's stock spiraled for months after the company disclosed heavier spending on security issues. And "coordinated inauthentic behavior," as Facebook calls it, is a problem that may be difficult, if not impossible, for the sprawling company to solve on its own. It works with law enforcement and outside researchers to identify and purge such behavior, according to several blog posts by the company last year.
Another reason why fake accounts are tough to stamp out? There's a well-developed cottage industry of people peddling fake accounts, traffic and engagement, not limited to social media platforms but across the broader landscape of digital advertising.
That could be changing. Devumi, a firm that made millions selling fake followers across Twitter, YouTube, LinkedIn, SoundCloud, Pinterest and others, using stolen photos and profiles, was sued by the New York Attorney General and is prohibited from doing so under a settlement agreement. It's the first settlement targeting fake accounts as a form of illegal impersonation.
However, if there's one thing that security researchers know, it's that fraudsters are a nimble lot.
"It's a game that is ever evolving. As soon as we identify and shut down a particular botnet, two more pop up. The fraudsters are growing ever more sophisticated," added Steven Woolway of DoubleVerify, an advertising technology firm that studies suspicious activity and fraud.
At this point, it's not clear who's winning.