ID for Facebook, Twitter and other sites? Not so fast, says security expert
When Jack Dorsey and his co-founders first launched Twitter in 2006, they probably did not imagine their platform would find itself intertwined with many controversial political and complex security challenges years later.
Yet, whether through the reach of accounts backed by real people or through the power of algorithms with the ability to create and orchestrate hundreds — if not thousands — of fake accounts, social media platforms have played an increasingly bigger role in shaping public discourse and fanning movements of all types.
See Infosec IQ in action
See Infosec IQ in action
Reactions to social media’s growing influence
In response to growing concerns about the use of their platforms for spreading misinformation or even hate speech, these companies have begun to fight back. In 2019, Twitter shut down more than 70 million fake accounts and bots while Facebook publicly acknowledged it had found billions of its accounts could be fake.
At the same time, individuals have also begun to feel the impact of these malicious accounts on their own lives. This has further boosted a call for more structure around how social media platforms register new accounts and confirm the identities of those who create them.
According to one recent study by Broadband Genie, “70% of social media users would be prepared to enter a piece of formal identification (such as a passport, driver’s license or credit card) to use social media.”
While this change could help mitigate one complex problem, would it introduce new, unintended ones? Cameron Bulanda, a security engineer at Infosec, weighed in on the topic.
Would requiring legal identification introduce new user risks?
By design, signing up for a social media account is easy and quick. Driven by business forces and even stockholder pressure, social media platforms sometimes even have an incentive to report high and growing numbers of users on their platform.
Unfortunately, this has likely introduced a conflicting pressure to limit the number of fake accounts to demonstrate the power of their brand’s presence in the social media world. Equally, the ease to set up an account has led to the ability to create anonymous and even large numbers of computer-controlled “bot” accounts.
In response to the growing use of fake and anonymous accounts, the Broadband Genie survey found that, according to 1,620 social media users, 72% “would be happy to provide ID themselves” to create an account. And 73% believe “it would be a big step towards tackling hate speech on social media,” while 55% would think more carefully about what they share or post if they had formal identification linked to the account.
The survey reported that the following were the preferred identification options users would be prepared to use on social media platforms:
- Driver’s license (62%)
- Passport (29%)
- National ID card (16%)
- Credit card (7%)
Requiring identification is one way to combat this trend, a technique perhaps most prominently known to be used by self-styled “alt-tech microblogging” site Parler. However, as Burlanda notes, “Nearly every major social media platform has reported a security breach in the past decade. This includes Twitter, Facebook, WhatsApp, Telegram and even LinkedIn. In many of these incidents, sensitive account information was leaked to bad actors and later listed for sale on the Dark Web.”
Combined with other breached data, cybercriminals can piece together more damaging databases of user information that can be used for more malicious intent.
“It’s through these lists of compromised data that cybercriminals can piece together fairly robust profiles of high-value targets by simply looking for common threads like emails, phone numbers and employers,” Burlanda says. “Every additional piece of exposed personal information increases the likelihood of a social media user becoming a cybercrime victim later on.”
Adding more sensitive information derived from legal forms of identification — or even copies of them — could raise the risks for users and social media platforms while increasing the incentives for cybercriminals to get a hold of them.
How could user behavior change with new identification requirements?
Burlanda noted another unintended effect of requiring identification to connect with a social media platform. Just as the internet has opened up new ranges of political discourse with their ability to “hide” someone’s true identity, these same users could, in Burlanda’s opinion, “normalize” sharing sensitive information so easily online.
“One of the major themes we teach in our courses is the concept of ‘zero trust.’ On social media, that means not sharing any personal information on a network that could put you at risk,” notes Burlanda.
“As social media platforms like Parler require users to verify identities with sensitive information, it also lowers the guard of its user network and ‘normalizes’ sensitive information sharing online, further putting users at risk for future attacks,“ warns Burlanda.
As more and more of our personal and professional lives are facilitated through the internet and the digital world, having to utilize legal forms of identification for something like social media could expose individuals to far more risk than the benefit they receive from the service.
Phishing simulations & training
Phishing simulations & training
Despite these growing tensions and public awareness for both data security and the existence of anonymous and fake accounts, Facebook and Twitter still have no formal plans to end the ability to create them. They have decided instead to reactively shut down accounts and use other means to track their activity and flag any unusual behavior. Within Facebook, for example, when the platform’s artificial intelligence spots suspect behavior, it sends an in-app warning to the users involved. The users can then block or ignore the suspect account and gain access to resources to avoid potential scams.
Therefore, until other options can successfully balance transparency with security, users will have to brave these social media platforms on their own. While this may make for a more choppy discourse, security experts believe they won’t contribute even more to online data theft and fraud.
How fake Twitter accounts spread misinformation and distort conversation, Marketplace Tech
Facebook removed 3 billion fake accounts over a six-month period, Washington Post