Facebook Identity Verification Is Broken And Has Been For A Long Time

Last month, there was the story of how Meta is going to introduce ‘account verification’ as an upsell, and how it was going to be done in the name of safety and security. There were over 100 comments (above the norm for Techdirt) and most seemed to come to the consensus of how bad an idea it was. Having been at the receiving end of one of their related products, I can say that their fears are not unfounded.

The point of the new program is to try and ‘increase trust’, by verifying users, and in exchange they get a little check badge and get impersonation protections. And it’s not the first attempt at this sort of thing, although it is the first time they’ve tried putting it behind a paywall.

High profile accounts have long had the ability to get verified on Facebook and Instagram, by providing ‘government details’ to Facebook. If you’re a person, you need a government photo ID, and if you’re a business you need government documents in that business name.

But that’s not the only program they’ve run in this area. After years of constant pressure and shade thrown at it over inauthentic accounts, the Facebook Protect scheme came out about a year ago. Protect was rolled out to people who “have the ability to impact lots of people”. I ran the Facebook page for TorrentFreak, so I was one of those people.

Here’s the email I got on March 24th 2022

If you can’t see it, it says

Your account requires advanced security from Facebook Protect

Hi KTetch,

Your account has the potential to reach a lot more people than an average Facebook user. Hackers are often motivated to attack accounts that have a lot of followers, run important Pages or hold some community significance.

To help defend against these targeted attacks, we require that you turn on Facebook Protect for your account.

Turn on Facebook Protect for your account by 09 April 2022. After that, you will be locked out of your account until you enable it.

• We’ve already turned on advanced login protections for your account.

• To fully enable Facebook Protect, we’ll check your account for vulnerabilities, and help you resolve them.

Note: Facebook Protect isn’t available to everyone on Facebook. We require stronger security for your account because it has the potential to reach a large audience.

Thanks so much,

The Facebook Team

There’s just a slight problem with this. I had a medical issue on March 17th 2022, one week earlier, and didn’t touch a computer for months. I never saw the email until LONG after, and after they’d activated it. 

So, it’s activated, and I’m now ‘protected’, it’s a simple matter to fix once I come back, yes?

No.

Facebook Protect is about adding 2-factor authentication to things, so it should be simple, right? There’d been a phone number listed with my account for many years, it’d be simple enough to use that as the starting point to unlock the account, right? I mean, we know how SMS-based verification is not the most secure, but it’s better than nothing, and it’s a starting point for identification to enable stronger protections.

You’d think that, but it’s not the case (if it were, this wouldn’t ever have to be written). Instead, any attempt to log in requires me to ‘enter the code from the authentication app I set up’.

This is the problem though, Facebook Protect was turned on without my input. I never set up any app. And any prior sessions had long since expired. So they’ve absolutely secured the account from being used for misinformation, by making sure no-one can log in to it. 

It seems that I was not alone in having these problems with Facebook’s rollout of Protect. In a 5-tweet thread on March 18th, head of security said

So, as he admits, there are issues with people enrolling, and yet they still went ahead. There were people (like me) getting this forced on them, but having 2-factor issues, of faulty codes, or other things.

Most reacted to the issues within a day or two, and it seems to have gotten things fixed for them, but is a product really fixed if some of the underlying issues continue to exist and have not been dealt with? Doing a manual bypass to get around a screwup, rather than fixing the screwup itself and not having it happen in the first place, is not good policy. And yes, you can expect this to end up floating around some policy seminars, because before Mr Gleicher joined Facebook as Head of Security Policy, he had spent 2 ½ years as Director for Cybersecurity Policy at the White House National Security Council (May 2013 – October 2015) while he was a senior counsel for Computer Crimes at the Department of Justice (October 2010 – October 2015). He has the ear of policy makers, and yes, you can imagine there being a push to ‘verify’, for ‘safety’, and to “counter misinformation”, and before you know it, we’re back at Real Name policies, and Nymrights by the back door.

I did actually try reaching out to Gleicher a few months back, and nothing. I guess now that the many news stories of the constant problems with the system, or the articles about how, while it looks JUST like a 3rd-rate phishing campaign, it is actually real, are gone, he doesn’t have to worry about the problems any more.

But, you’ll notice on the bottom of the log-in image it says “Need another way to confirm that it’s you?” There’s always that option, right?

You’d think so, but that takes you to a set of pages where you send in photos of Government Photo ID. So we’re back to sending in copies of government documents to private companies for some sort of ‘verification’, and let’s hope the documents match what they have. In my case, it seems they don’t.

I’ve had this with multiple kinds of documents. It would appear that Facebook at some point set my year of birth to something like 1910, so clearly none of my documents match the idea they have for a 110+ year old person. 

It’s not even the first time I’ve experienced the “we can’t verify you are you so screw you, you’re locked out” position. Nine years ago, I had a similar fight with Nominet, over their desire to “verify” people with .UK domains. Nominet eventually backed down, but it seems Meta will double-down instead.

Meta may claim to ‘store the ID info for 60 days then delete it’, but we know how that can go. It’s been just under two months since the last major Facebook data breach, while laws like the 3rd party doctrine make it a tempting target for a subpoena if you wanted to, say, identify people behind a popular group or page making you look bad. Just ask Paul Frese, Anthony Novak, or critics of Terrebonne Parish police how that goes.

It’s a terrible idea, not just as a product for sale, but even in their attempts to implement it for some kind of public good. They may be doing more in the way of verification than Twitter is with their Blue service (which seems to only ‘verify’ that someone has $8/month).

And again, let’s go back to the reason for these programs – to stop “impersonation” and account hacking. You’d hope it’d be so that fake pages wouldn’t pop up pushing BS news stories and false narratives, but no, that’s still perfectly fine (especially if you’re a politician; you can claim any old shite is true if you’re a politician with a Verified checkmark, even though misinformation is supposedly one of the reasons for this). But it’s not verified people making BS claims, it’s BS people making BS claims, as exemplified by the Eli Lilly Insulin tweet. Fakebook just noticed the possibility before Space Karen demonstrated it (and its effect on advertising revenue). In that light, it becomes clear why this program exists, and why last month’s announcement was made. Facebook Protect isn’t protecting you, or me, or our accounts, it’s protecting Facebook, and its revenue, and that really is one of the unstoppable forces in the galaxy.

Should you sign up for their new verification system? It’s hard to see why, when their implementations of similar systems have been so poor and slapdash, and when it goes wrong, there is almost certainly not going to be any resolution short of “send them even more personal data”.