Every human being is unique and special. Identities, on the other hand, are a dime a dozen.
Only figuratively, that is. With just a photo, a name and an email address, anyone can set up a false profile, for free, on social media sites like Twitter (TWTR - Get Report) and Facebook (FB - Get Report) . More sophisticated actors might set up hundreds or thousands using photos scraped from others' profiles or other public sources.
I would know -- it's happened to me countless times. Just last week, a Twitter user pointed me to an account using an old photo of me (wearing Google Glass, no less) spewing out links and phone numbers for what were purported to be credit counseling services. No savvy Twitter user would ever believe there was a person behind this account. It's primitive, even for a bot. And yet, Twitter is rife with accounts like these -- and the account is still active.
As of this writing, there are four Facebook profiles I can find using either my name, my photos or both -- and in the past, I've seen others that were either taken down or abandoned by the operators. At one point I even chatted up one of my doppelgangers, learning that my photos had been appropriated by a spurned lover in Ecuador in a scheme to make an ex jealous.
I confronted my Facebook impersonator, and now we're having a ❤ to ❤ pic.twitter.com/Nza9YmgbfO— Annie Gaus (@AnnieGaus) July 20, 2017
Like others who spend much of their lives online, there's an abundance of personal info out there about me and tons of photos -- more than enough to build out a fake me many times over. The question is: Why are Twitter, Facebook and others still so bad at sniffing them out?
In its earnings report last week, Twitter told shareholders its spending in 2019 will increase sharply. The goal is to make Twitter "a healthier and more conversational service," said CEO Jack Dorsey at the time. It's been eager to show off the fruits of its labor: In late January, Twitter also published a review of the company's efforts to fight manipulation of its platform, writing that it removed 214% more accounts year-over-year, and that its system identified and challenged "between 8.5 million and 10 million accounts each week suspected of misusing automation or producing spam." It's also killing the monthly active user metric in favor of "monetizable daily active users," as a better approximation of real, live humans using Twitter -- and their potential value to advertisers.
"Some of Twitter's interest in removing inauthentic accounts is driven by the popular outcry over election interference or fake news, but it is directly aligned with their business interests," said Scott Vernick, an attorney with Fox Rothschild LLP who specializes in cybersecurity issues. "In preserving their business, they need a credible and authentic platform."
The risks go beyond just a cluttered environment for selling ads, however.
"The presence of bots and automated accounts on platforms may well present a security threat, because they could be virus carriers," Vernick added. Or credit counseling scammers, for that matter.
On social platforms where anyone can create an account for free, the costs of maintaining a credible environment for users and advertisers are considerable. Twitter's stock plunged 9% after it told investors that its operating expenses would increase this year. And last July, Facebook's stock spiraled for months after the company disclosed heavier spending on security issues.
"Coordinated inauthentic behavior," as Facebook calls it, is a problem that may be difficult, if not impossible, for the sprawling company to solve on its own. It works with law enforcement and outside researchers to identify and purge such behavior, according to several blog posts by the company last year. In the wake of the Cambridge Analytica scandal, Facebook urgently needed to show progress on security measures, writing last May that it disabled 583 million fake accounts in the first quarter, mostly "within minutes of being created."
Still, whether for lack of resources or lack of will, the pool of existing "inauthentic" accounts is still immense: In a May 2018 financial filing, Facebook disclosed that 3-4% of its monthly active users were fake accounts, while as many as 10% of users were defined as "duplicate" accounts. Together, those percentages imply that humans using Facebook as intended -- as opposed to the total volume of accounts -- are hundreds of millions fewer than the roughly 2 billion users Facebook claims.
Another reason why bogus accounts aren't easy to stamp out: There's a well-developed cottage industry of businesses peddling fake accounts, traffic and engagement, not limited to social media platforms but across the broader landscape of digital advertising.
Devumi, a firm that made millions selling fake followers across Twitter, YouTube (GOOGL - Get Report) , LinkedIn, SoundCloud, Pinterest and others, using stolen photos and profiles, was sued by the New York Attorney General and is prohibited from selling fake engagement services under a recent settlement agreement. It's the first settlement targeting fake accounts as a form of illegal impersonation.
However, if there's one thing that security researchers know, it's that fraudsters are a nimble lot.
"It's a game that is ever evolving. As soon as we identify and shut down a particular botnet, two more pop up. The fraudsters are growing ever more sophisticated," added Steven Woolway of DoubleVerify, an advertising technology firm that studies suspicious activity and fraud.
At this point, it's not clear who's winning.