December 11 , 2012
(See also: “Mark Zuckerberg’s Value Problem: “My Facebook Profile Was a Fraud, so Was Warren Buffett’s” – July 14, 2011 appended below and “Facebook: Soaring Fraud and Decelerating User Growth,” – November 26, 2012
by Janet Tavakoli
Facebook’s reported user numbers appear to me to be off by a country mile. Multiple user accounts seem to be chronic. Moreover, besides run-of-the-mill fakes and duplicates, Facebook’s identity-theft-enabling business model is, in my opinion, a disgrace for any U.S. public company. Yet Facebook’s prospectus and 10Qs for the periods ending June 30, 2012, and September 30, 2012, make no mention of the words: imposter, impersonator, or identity theft.
In the prospectus for its May 2012 IPO, Facebook “estimated” fraud at 5-6 percent of user accounts. (Fraud for the purposes of this report is defined as a user who is not what the user pretends to be, which may or may not have legal ramifications.) This estimate appears much too low to me. Later, in its 10Q filing for the period ending June 30, 2012, Facebook “estimated” 8.7 percent fakes on a then reported even higher user base. This updated estimate also appears much too low to me. Based on my unscientific survey of 50 U.S. Facebook users and further publicly reported anecdotal evidence, Facebook’s prospectus’s representation of fakes may be off by a factor of ten.
While my estimates are unscientific, so are Facebook’s. But the discrepancy between Facebook’s representations and what I’ve been able to discern is so great that it merits further study. To get a more scientific estimate, an independent third party, perhaps the SEC, might do a proper poll of a broad cross-section of Facebook’s U.S. user base.
In its 10-Q filing for the period ending June 30, 2012, Facebook reported 552 million daily average users (DAUs) and 955 million monthly average users (MAUs). Note that the press seems to repeat Facebook’s suspect MAU numbers, but advertisers may be more interested in its daily average users. As I noted in a previous commentary, Facebook reported fakes as a percentage of MAUs and admitted to the following: Relative to the December 31, 2011 base of 845 million MAUs with Facebook’s claim of 5-6 percent fake users, by June 30, 2012, Facebook reported a 64-97% increase in fake users (69-104 percent increase in fakes if Facebook netted before reporting the 845 million MAUs), or an increase of around 168-287 percent in fake users on an annualized basis (185-319 percent increase in fake users on an annualized basis if Facebook netted before reporting the 845 million MAUs). Facebook’s own reported numbers suggest its “controls” are inadequate.
On September 28, 2012, IT World’s Dan Tynan wrote that his 13-year-old daughter has at least three Facebook accounts, possibly more, and she uses them for different reasons. (She’s now exploring Tumblr to have more privacy from parents and relatives.) Tynan’s remark about his daughter’s multiple (not merely duplicate) accounts tracks with the results of my unscientific survey. Some people have only one account, but many others have multiple accounts, suggesting that the percentage of U.S. fakes could easily be well over 50 percent. That doesn’t even include identity theft, and that is just in the U.S.
The U.S. market is the chief source of Facebook’s advertising revenue. In my November 26, 2012, report, I mentioned that overall user growth is decelerating. The deceleration problem is most pronounced in the U.S. and Canada. From September 30, 2011-12, the number of Daily Active Users (DAUs) grew from 124 million to 132 million — by only 8 million or 6 percent. Monthly Active User (MAUs) grew from 176 to 189 million — by only 13 million or 7.3 percent. Should you rely on those numbers? Given Facebook’s own estimation of its percentage and number of fakes (83 million globally or 91 million if Facebook didn’t net out fakes from base numbers), the number of users may have actually declined.
From October 2011-12, Facebook’s U.S. desktop visitors declined from 166 million to 149 million or 10.2 percent. (New Myspace desktop users increased by 1 percent off a lower base.) U.S. mobile usage appears up, but even that isn’t clear. Facebook doesn’t know how much it is double counting when it comes to multi-platform users. It acknowledges this. It also acknowledges that mobile users that have automatic updates may be reported as active when they are not. Facebook estimates this at only 5 percent. But it has no way of really knowing, and its estimate hasn’t been checked by an independent source.
But that’s not all. Facebook disclosed that it believes fake accounts are an even greater problem in less developed countries than in developed countries. It admits this estimate is a subjective opinion and may be flawed. Really? If Facebook’s opinion proves correct, then less developed countries have an even bigger fake-fest than the U.S.
Facebook might consider issuing a disclaimer that its fake accounts may be greater in number than its genuine user accounts.
But Facebook’s user count problems don’t stop there. The issues surrounding identity theft are even uglier.
I don’t use Facebook and never have, yet my first-hand experience made me feel Facebook’s business model is pernicious. I had to jump through hoops to get my impersonator’s profile removed from Facebook. I discovered the impersonator in June 2011 via Google Alerts; otherwise it would have gone undetected by me. Note that this was almost a year before Facebook’s IPO.
Facebook required me to fill out a form and provide the fake profile’s URL — which I had only thanks to Google Alerts. (People not on Facebook who don’t use Google Alerts may be the victim of identity theft without even knowing about it.) Then I had to provide a scan of a government issued photo I.D., information I didn’t want to provide, but the potential consequences of a malicious use of my profile made reluctant compliance seem the lesser of two evils. I felt as if I were the victim of tag-team malware.
Facebook’s lack of controls enabled this fraud. Meanwhile Facebook may have reported the fraudulent profile as a “user,” and after the fraud was found out by me, Facebook extracted valuable information from me. I’m not saying Facebook was the original source of the fraudulent profile only that it can benefit from the existence of it. Anyone, including Facebook, could have been the source. Facebook potentially benefits from identity theft both by counting fake users as real, and then when a victim tries to get the fake removed, by getting more valuable information that it can sell.
Update: Facebook public policy manager Frederic Wolens sent me an email asking me to clarify Facebook’s position with respect to this identity theft incident. At least I believe it was he. Unlike Facebook, I didn’t insist that he supply me with a scan of a government issued photo I.D. I’m happy to let Facebook have its say: “When describing your unfortunate run-in with a fake account you state, ‘Facebook extracted valuable information from me,’ in reference to providing your passport and then you state, ‘[it gets] more valuable information that it can sell.’ The second inaccuracy is understandable, and a common misconception, but we do NOT sell any data. We do not give advertisers access to your personal information, and we do not, and never will, sell any of your information to anyone. ( Learn more here – https://www.facebook.com/help/152637448140583/) Equally importantly, we do not store or use the information from the government ID you provided, in anyway, beyond confirming your identity. We do NOT use this information in any of our ad products either. We would appreciate if you could please clarify this point in your article.”
My position is that advertisers come to Facebook because they get indirect access to Facebook’s data and users, that is what I mean by selling data. A scan of a government issued photo I.D. has value in some circles in and of itself; perhaps to the “infiltrators” that seem to be running rampant within Facebook. Moreover, I’m reminded of Mr. Zuckerberg’s comments in college of people trusting him with information being — in his words — “dumbf$cks.” Facebook claims it doesn’t store the data beyond confirming identity. I hope that it true. But Facebook asked me for the following: 1) Your full name 2) Your relationship to the person being impersonated, 3) Your contact email address, physical address and phone number, 4) A digital copy of a government-issued photo ID of the person being impersonated (ex: your ID or the ID of the person you’re authorized to represent). Just as I accepted Mr. Wolen’s information, it seems to me that Facebook could have accepted mine without the government issued photo I.D., and if it wanted to speak with me, it could have picked up the phone. If I seem skeptical of the way Facebook operates and of its explanation above, it seems to me that its own actions earned my skepticism. I’m not alone in my skepticism. Separately, Austrian law student Max Schrems is taking Facebook to court alleging it collected information without prior consent, retained deleted information, and was in violation of European privacy laws. Facebook maintains it is in full compliance with the law.
But Facebook’s business model is even more perverse if you are a Facebook user and a victim of identity theft on Facebook.
On November 27, 2012, Bianca Bosker, Executive Tech Editor for the Huffington Post, wrote that the previous week she discovered an account set up by someone impersonating her:
After being ‘friended'” by myself on Facebook, I set out to learn as much as I could about who had created the bizarre — and unsettling — Bianca Bosker impostor account, a profile created under my name, with my profile photo, my cover picture, my personal information and even my most recent status update.
Since she was already on Facebook, she was able to get Facebook to pull down the fake profile — but only because the impersonator hadn’t blocked her (more on that later). But when she asked Facebook for the information it collected about the fraudster, it didn’t immediately accommodate her. First she had to scan her driver’s license and provide a notarized statement verifying her identity. Her independent investigation with Alex Horan of Core Security revealed IP addresses that appeared to be in Ahmedabad, India, and he said it seems to be the source of lot of fraudulent Facebook accounts. But there are ways to make it only appear that way, so the source could be anywhere.
On November 29, 2012, IT World’s Dan Tynan wrote about a Facebook user whose identity was stolen, and who is blocked from remedying the theft. Tynan also describes in his article how he separately verified the story.
The victim’s wife, Jennifer, was friended by a fake profile of her husband, Andrew. Andrew was already her friend, so she investigated. The fake profile had her husband’s name, photo, and Timeline. Andrew was unable to see the profile himself, because the impersonator blocked him. Jennifer tried to report the fake, but Facebook only allows the real account owner to report the fraud. But Andrew is unable to access the reporting mechanism, because he is blocked by the fake account.
Jennifer then used the Report/Block process to tell Facebook that an identity thief created a fake profile of her husband. But all that did was to send Andrew a message telling him his account was duplicated and that he should report the fraud, which he can’t do because he’s blocked.
If you delete your Facebook account, there appears to be nothing to prevent an impersonator from creating a new fraudulent profile that appears to be you. I recommend every regulator read Tynan’s article: “Facebook’s Crazy Catch 22: How Imposter’s Can Assume Your Identity and Run Wild.”
The SEC must have been napping during the IPO process, when it let Facebook’s lack of controls, self-reporting of fakes, and lack of mention of the identity theft problems go unchallenged.
Disclosure: I’ve bought and monetized puts on Facebook since they became exchange-traded shortly after the IPO. (“Investors Bet on Facebook Fall,” Kaitlyn Kiernan and Jonathan Cheng, Wall Street Journal, May 19, 2012.) Update 2013: I currently have no position (long or short) in Facebook.
July 14, 2011
I don’t use Facebook. Neither does Warren Buffett, but phonies have used his name on Facebook. Earlier this month, an imposter created “my” profile on Facebook. In order to get the fake removed, Facebook required an uploaded scan of a government issued I.D. that shows a photo and birth date (for example, a driver’s license or passport). Facebook suggests one black out the most sensitive information and claims it will delete this scanned information from its servers once identity has been verified.
In other words, after an impostor faked my identity, I was the one who had to put myself further at risk by providing a verifiable scanned government I.D. to prove I had the right to complain about the fraud enabled by Facebook.
There was no mechanism to email a human, who could have easily verified my identity without the need for me to upload a scan of a government issued I.D. (after blacking out the document number). There was also no way to even submit the report using the “Reports” link without the upload.
Christopher Soghoian, a privacy advocate at the Center for Applied Cybersecurity Research at Indiana University told the Wall Street Journal: “People do not like Facebook. They do not trust Facebook. Facebook gets people to give up information under the claim that it’s private and then it’s made public. And your only option is to shut down your account.”
I now completely agree with Mr. Soghoian. I don’t like Facebook, and I don’t trust Facebook. You don’t even need an account to be punked by Facebook. When you’ve been impersonated, Facebook asks for private information and claims it will delete it from its servers, but given that it has failed to protect private information in the past, why should anyone trust this claim? Yet I had no choice but to supply the information in order to get cooperation from Facebook to take down the fraudulent profile.
The Facebook Team responded three days later reporting it had removed the profile. If you expect niceties such as “sorry for the inconvenience,” forget it. That might be fine if you are imposing on Facebook, but when Facebook’s protocol has imposed on you, something more is required, if Facebook ever wants to be taken seriously as a valuable business.
Mark Zuckerberg said that Facebook is “free” and always will be. But it isn’t true for all of its users. Facebook claims “750 million active users,” and some, the “whales,” must eventually provide profitable business.
Facebook requires revenues, and it requires an eventual demonstration of ongoing profits to keep investors happy. That means it needs users to buy goods and services so that Facebook gets a cut of the action. It’s an indirect cost imposed on the Facebook users that support the network. If Facebook loses those willing buyers, it loses the whole ballgame.
Eventually investors will want to know the number of profiles of people in the demographic sectors that are most likely to buy goods and services. If one had a mind for mischief, then one could mislead investors by, intentionally or otherwise, allowing phony profiles of whales. In my case, Facebook did just that. Investors should ask if this is a habit.
What is Facebook’s strategy? Where is its audited balance sheet? Which users provide the most revenue? Of target demographic profiles, how many are fakes? How many authentic users does Facebook actually have? Does Facebook know how many user profiles are genuine, and if so, how does it know?
Based on my experience, Facebook doesn’t know who is real and who isn’t real. Many people may not even be aware there is an impostor profile of them on Facebook, and if they are aware, they may resent the hoops they have to jump through to get it removed. I know I was tempted to shrug and let it go, but I didn’t.
Investors should take that into account when evaluating Facebook’s “users” and the potential for revenues they represent.
If you eat in a cafeteria that asks you to dispose of your trash and put away your tray after you eat, you cooperate, because you are holding up your end of the social contract. You clean up for the next person, whom you’ve never met. You trust that others understand and honor this social contract, too. You trust that someone who has never met you will have the courtesy to clean the table before you arrive for your next meal. It doesn’t make you superior. It just means you understand the utility of honoring the social contract. On your next visit, you won’t have to carry your tray to a table covered with trash. But if others break this social contract, you’ll find another place to eat where the people are smart enough to cooperate with the social contract, because it is a nicer place to hang out.
Facebook may think it’s too cool to honor the web’s social contract. It may believe its image says “we are the Borg,” but to me it says “we are the slobs,” and we’re not interested in running a business. Facebook’s attitude is futile, and I won’t be assimilated.
Users who believe they’re getting something free may tolerate it, but people who spend money, actual customers, will find a better place to hang out as soon as an alternative becomes available. As I mentioned in an earlier commentary, “The Biggest Headache for Groupon and Facebook,” bright young people are doing interesting things on the web that may one day challenge Facebook on features alone. If newcomers are trustworthy and courteous, Facebook will lose its revenue generators.
Facebook will have a hard time keeping its inflated stock market valuation — currently roughly $84 billion for its privately traded shares — once investors face up to its flawed business model. For my part, I can say that if you ever see a profile of “me” on Facebook, it will be another impostor.