Pawan Deshpande is the founder and chief executive of Curata, a Boston-based software company.
This month, Facebook revealed that “malicious actors” abused a search tool on the platform to uncover the identities and collect information on most of its 2 billion users. The company said it has disabled the search tool, which uses email addresses to identify users.
But this vulnerability remains. I know because I invented it.
Fourteen years ago — back when Facebook was open to only a small set of colleges — I created my Facebook account as an undergrad at MIT. My first task on the site was to browse the network and send friend requests to populate my connections. It was exciting and entertaining because it felt like an online popularity contest to amass the greatest number of connections. But it was also time-consuming and daunting to think that every new user would have to undertake the same exercise.
So that summer, I co-created a technology for Microsoft to mine a user’s emails, address book, mailing lists, instant messages and calendar to recommend social connections. The concept back then was so novel that Microsoft patented it. In subsequent years, every social network including Facebook, LinkedIn and Twitter has incorporated some form of this technology.
It is remarkably easy to uncover the identities of Facebook users using this feature, even after Facebook disabled its search-by-email-address feature. In fact, my version of the tool is more powerful and easier to use than Facebook’s now-defunct tool because it can be used to probe thousands of users at once. All one needs to do is create an email account, populate the address book with email addresses of intended victims and upload those contacts into Facebook. Facebook will then display the profiles of users with matching email addresses, revealing their identities.
This technique is well-known among savvy marketers as a “growth hack.” A malicious party can purchase readily available lists of millions of email addresses from data breaches on the dark Web and use this technique to append their corresponding personal data from Facebook (assuming the intended victims have not changed their default privacy permissions to block people from seeing their profiles).
The inherent vulnerability online is the exposure of email addresses and mobile phone numbers as unique identifiers. Not only can they be used by a third party to uncover a user’s identity, but increasingly they are used to deliver highly targeted ads to specific individuals on major platforms such as Facebook, Twitter, LinkedIn and Google.
Russian ad campaigns during the 2016 U.S. elections used these techniques to precisely target groups of individuals based on demographic and behavioral criteria at a low cost. Last year, my friend emulated a disinformation campaign aimed at Facebook users who donate to conservative political causes and engage with conservative political content in battleground states. The campaign reached 4,645 people on Facebook while spending only $50 on ads.
If you want to influence a specific voter or lawmaker but don’t have their email address, all you need to do is create a Gmail account, populate the contacts with thousands of possible permutations of the victim’s email address, upload it to a social channel to see if any of them match actual users. After determining the target’s email address, you can launch a concerted ad campaign with incendiary fake news across multiple online channels ranging from their Facebook news feeds to YouTube pre-roll video advertisements. At best, the victim will dismissively consume this promoted content. At worst, it may goad the person into altering their voting choices or political opinions.
How should we fix this? A heavy-handed approach would be to require that these platforms disable these features altogether, resulting in a loss of convenience for users, efficient market access for brands and revenue for social media companies.
A better approach would be to pass legislation similar to the 1999 Gramm-Leach-Bliley Act, which mandates that financial institutions regularly disclose to customers how their information is used and shared while providing the ability to opt out. Such a law would provide a lasting and comprehensive solution that forces social media companies to transparently inform users of their privacy options and the consequences of their choices and require users to make an explicit choice rather than reverting to predetermined defaults.
Time and time again, Mark Zuckerberg has apologized for Facebook’s transgressions since its inception, but his company has repeatedly violated users’ privacy despite his promises to do better. Even with the latest round of apologies and changes, there are demonstrable vulnerabilities in Facebook and other social media platforms today, and there will continue to be until we enact legislation to protect our rights — and ultimately our democracy as well.