“My gosh, what the heck? That’s scary,” Greenman said when a Washington Post reporter showed her the fake account. “That’s me, but I never posted any of this stuff.”
Facebook in December offered a bold solution for its worsening scourge of fake accounts: new facial-recognition technology to spot when a phony profile tries to use someone else’s photos. The company is now pushing its users to agree to expanded use of their facial data, saying they won’t be protected from impostors without it.
But Greenman and other Facebook users who consented to that technology in recent months remain plagued by a horde of identity thieves.
After The Post presented Facebook with a list of numerous fake accounts, the company revealed that its system is much less effective than previously advertised: The tool looks only for impostors within a user’s circle of friends and friends of friends — not the site’s 2 billion-user network, where the vast majority of doppelganger accounts are probably born.
“We use new technologies to protect people on Facebook, and we’re often able to improve as we roll them out,” Facebook spokesman Matt Steinfeld said. “In the early days of this feature, we’re focused on alerting people to new and recent photos posted by their friends and friends of their friends. We hope to improve how we use this technology over time.”
After publication, Facebook added that it conducts searches on profile pictures among “millions” of other images beyond those in the network of extended friends. But Facebook would not say how it selects the broader group against which the images are vetted or the relation to the profile photo. Even scanning a photo against millions of others is still a tiny fraction of the images posted by the site’s 2 billion users worldwide.
Facebook has championed face recognition and other artificial-intelligence tools as its secret weapons to combat political propaganda, hate speech and misinformation.
But the fakes highlight how the company is struggling to use the technology to fulfill its most basic mission — connecting real people around the world.
The limited scale of Facebook’s central technical solution to the fake-account mess also suggests that the site is failing in its pledge to protect users’ personal information, while still urging them to hand over more photos and consent to their broader use.
Facebook disabled dozens of fake accounts after being notified by The Post, though others quickly rose in their place.
The number of what Facebook calls “undesirable” accounts is growing rapidly. The company estimates that there were as many as 87 million fake accounts in the last quarter, according to financial filings — a dramatic jump over 2016, when an estimated 18 million accounts were fake.
Facebook explained the increase by pointing to “episodic spikes” in fake-account creation in countries such as Indonesia, Turkey and Vietnam. That estimate does not include duplicate accounts, which users sometimes create by accident or to have separate professional and personal profiles. Facebook estimated that duplicates account for 10 percent of its global user base.
Facebook’s failure to spot obvious counterfeit accounts has highlighted one of the company’s more embarrassing public ills. During chief executive Mark Zuckerberg’s hearing before a Senate committee last month, Sen. Christopher A. Coons (D-Del.) said that his friends — including old classmates from law school and Delaware’s attorney general — had alerted him that morning to a fake Facebook account with his name, alma mater, photos of him and another senator’s family “and a whole lot of Russian friends.”
“Isn’t it Facebook’s job to better protect its users?” Coons asked Zuckerberg. “And why do you shift the burden to users to flag inappropriate content and make sure it’s taken down?”
Coons said last week that “whoever created them had literally just copied and pasted my photo from my Senate page and a whole bunch of photos from my Facebook pages.”
Zuckerberg responded in the hearing that “it’s clear that this is an area . . . we need to do a lot better on.” He added: “Over time, we’re going to shift increasingly to a method where more of this content is flagged up front by AI tools that we develop.”
Facebook has for years used facial-recognition technology to suggest who can be tagged in a user’s photo and sift through the 350 million images the company says are uploaded every day. In December, Facebook announced that it would soon upgrade that technology with new features “to prevent people from impersonating others on Facebook,” adding, “We want people to feel confident when they post pictures of themselves on Facebook.”
The site is using that technological promise to encourage more users to consent to expanded facial-recognition rules. In its new privacy settings revealed last month, users are told, “If you keep face recognition turned off, we won’t be able to use this technology if a stranger uses your photo to impersonate you.” Facebook users who want to avoid impersonation but not have their name suggested for tagging in someone else’s photo are not allowed the choice.
But in the months since that feature was announced, scam profiles that took the names, photos and other information from legitimate accounts continued to spread. The company said profile-photo review began in mid-March and works only for a limited segment of a person’s social circle, “not random strangers.”
The company said the feature is reviewing only new accounts’ profile photos because of the large amount of computing power it would take to check each one. That means the tens of millions of existing fake accounts made before March will not be caught.
Facebook’s rules forbid users from falsely representing themselves as someone else. The company could not estimate when it might expand the feature or how many impostor accounts had been spotted so far.
Some critics question why a $500 billion company with so many top engineers still struggles to protect its users’ identities. Zach Elwood, an author in Portland, Ore., who sleuths out Facebook fakes in his spare time, keeps a long spreadsheet of names and alerts users when he finds that they have been impersonated. He uses no AI, he said, because he doesn’t need it. Looking through Facebook groups, he says he can spot blatant fakes with just a few clicks.
“It’s kind of a cop-out to pretend there’s some high-tech solution needed for this,” he said. “I’m not anybody with any special knowledge. Anybody can go on there and find these things.”
It’s not always clear why or how a person was chosen for impersonation, or for what purpose the knockoff was made. The profiles tend to post links to dodgy websites, share spam, boost a group’s followers or lure other people into sharing information or sending money. Many of the fake accounts appear to be built by copying, or “scraping,” the photos and biographical details from users’ Facebook profiles.
Some telltale signs can give the fakes away: A username that doesn’t match the person’s real name; friends from a different country, including online-scam hot spots such as Macedonia and Nigeria; and recently created profiles with a lack of public posts or relationships.
But some of the impostors are more active than the real accounts. Mark Bright, a restaurant sommelier in San Francisco, had his name and photos co-opted for an impostor account that in the last six months has posted more regularly than he has. Even its username seems more authentic than his: His is “mark.bright.961,” while the fake’s is “Mark.Bright.001.”
The impostor account appears to enjoy a rich and fulfilling social life, posting photos from Bright’s honeymoon with his wife, their trip to a Chicago Cubs baseball game and a portrait from his birthday party. In September, the fake account checked him into Distrito Federal, Mexico, where it said he was “feeling loved.”
But nearly all of the account’s activity has been devoted to sharing pictures, posts and tweets from or about the president’s daughter, Ivanka Trump. It was also a member of 14 groups for Trump devotees. “Do you love ivanka trump?” the fake Bright wrote in a post last month.
“Anybody who knows me would see the Trump thing and think ‘Bulls---. That’s not him,’ ” said Bright, 35. “This just gives me a big feeling of insecurity. And honestly, it makes me want to take my account down.”
Analysts say the site could face an existential threat if unnerved users shy away from posting photos there for good. “There is some skepticism that they know where all of the fakes are,” said Brian Wieser, a senior analyst at Pivotal Research.
Because the doppelganger accounts speak out in Facebook’s most public venues, the profiles can gain followings, friends and enemies all their own. The fake account of Greenman, the Texas college student, is a member of Facebook groups such as “Trump’s New Generation.” It attracted dozens of fawning and profane commenters to the photos of her that the fake account had swiped. Several strangers engaged in political shouting matches or sparred for her approval.
The political nature of many of the sham accounts is a reminder of the distorting role that the world’s largest social network continues to play on American politics in the months leading up to the 2018 midterm elections, two years after the presidential campaign shined a spotlight on its role in the viral spread of misinformation.
The frustration with Facebook can be resoundingly bipartisan. Terry Hestilow, a conservative U.S. Army veteran in Texas who offers commentary on the news for his 8,500 Facebook followers, criticized the site last summer as complicit because it had done too little to combat fake accounts. He listed 60 scam profiles he said had used his old photos (“Army uniform by helicopter,” “Western hat in front of elephant”) and urged his followers to report them “until Facebook is forced by shame to remove them.”
“From this day forward, know that those criminals who continue to maintain pages pretending to be persons represented by stolen photos of me do so with the full knowledge, consent, and support of Facebook,” he wrote.
Facebook’s inability to stop counterfeits has pushed some users to a breaking point. Steve Kalfman, a 28-year-old Army engineer in Washington state, said scammers have created dozens of fake Facebook profiles in recent months by taking his name and photos, including of himself in uniform, at the gym or with his young daughter.
Kalfman suspects many of the profiles are used to fool women into handing over cash, since those “catfishing” victims often end up tracking him down to demand their money back. The fakes appeared to have a wide-ranging set of interests, lived in seven different states and were rich in concocted personalities: “I A Good Guy..Am Simple,cool But Hard To Get,” one phony Kalfman said.
Kalfman started placing a signature watermark on all his photos, agreed to Facebook’s expanded facial-recognition tools and said he now spends time filing fake-account reports on about 10 profiles a week. But Facebook, he said, appears no closer to solving the problem beyond disabling an account here or there in a fruitless game of Whac-A-Mole.
“Whatever I report, they’ll make a new one the next day,” Kalfman said. Facebook has, in four cases, inadvertently disabled his real profile instead, making the problem even more frustrating. After The Post reported more than a dozen sham accounts stealing Kalfman’s name and photos to Facebook, the company erroneously disabled Kalfman’s real account but left virtually all of the fakes intact.
“I don’t understand,” he said. “It’s pretty easy to tell that I’m the real one.”
By the time Facebook restored Kalfman’s real account the next day, another six fake Steve Kalfmans had already bloomed.
Alice Crites contributed to this report.