
Facebook shoots first, ignores questions later; account lock-out attack works - shawndumas
http://arstechnica.com/business/news/2011/04/facebook-shoots-first-ignores-questions-later-account-lock-out-attack-works.ars
======
DanielBMarkham
I have a fan page for the hn-books site (shameless plug:
[http://www.facebook.com/pages/Hn-books/176636875710129?ref=s...](http://www.facebook.com/pages/Hn-books/176636875710129?ref=sgm) )

On it I talk about what books and tools we're reviewing and cool book and tool
stuff for startups and hackers. Hn-books.com is a hobby site, and the fan page
is a part of that hobby of collecting cool resources.

But really, at the heart, it's all links -- links to the site, links to hn,
recent blog entries with links. I don't do events, and resource links are the
most useful thing I can provide. So when FB banned me from my own fan page, I
was kind of freaked out. Why do that?

The only answer I got was because I was spamming, but heck _I was just doing
what the page was supposed to be about_. I guess the problem was that somebody
joined the fan page, then _complained about the links the page was providing.
The links they asked to get_.

Just like with Ars, I found very little help. I finally sent an email off into
the blind with something like "I am not spamming. I am simply maintaining a
page full of resources. People who want to be fans of the page expect to see
these resources. That's the whole point!"

A few days later the ban was lifted. The whole episode happened with almost
zero useful information from Facebook.

So somebody out there is reading these emails. But my customer service
experience was far from pleasant. I hope Ars gets it straightened out. When
you're in a situation where you can be punished for little reason and without
much recourse something is whacked somewhere. This situation desperately needs
some transparency and structure.

------
CWIZO
My boss recently went through something similar. His profile was locked and he
just received a generic email offering no explanation as to why that has
happened. He sent them an email asking why he was locked out and received no
response. After about 14 days he finally got an email from FB that his account
was locked because of an error or something like that.

The saddest part is that now he can't use FB's advertising tools anymore,
there is just some text there saying that he is locked out. No explanation. No
form he could fill to resolve the issue. No nothing. And he has spent several
thousands euros on FB adverts for our products (and was planning on spending
even more). I really can't say anything else _but what the fuck Facebook?!_

------
paulcjeffries
I'm Paul C. Jeffries, Head of Legal Operations at Facebook, where I work with
the team that handles incoming notices of intellectual property infringement.
I wanted to provide a little color about what happened in this situation.

As you may have heard, today we investigated a number of recent trademark
(intellectual property) takedowns, and as a result of this investigation we
restored four Facebook Pages. We apologize for any disruption to those who
posted content.

Taking a step back, abuse of DMCA and other intellectual property notice
procedures is a challenge for every major Internet service, and we take it
seriously. In many cases, when we're put on notice we're obligated to take
appropriate action. We have invested significant resources into creating a
dedicated team (including me) that uses specialized tools, systems, and
technology to review and properly handle these intellectual property notices.
This system evaluates a number of factors when deciding how to respond -- and
in many cases, we require the reporter to provide additional information
before we can take action.

As a result of these efforts, the vast majority of intellectual property
notices that we receive are handled without incident. Of course, no system is
perfect and we're always striving to improve our practices. Rest assured that
the dedicated team who handle incoming complaints from rights holders are
equally devoted to protecting the interests of people expressing themselves on
Facebook. As part of our ongoing efforts to improve, we will be considering
the results of our investigation into this matter as we continue to refine our
systems and procedures.

~~~
nolanw
A _very_ little color.

Can you add anything that wasn't in the originally-posted article? For
example, answers to any of these questions:

Why was the accused infringer of trademarks not given specific, actionable
information about the trademarks in question? You state that the reporter is
required to provide additional information in many cases. Assuming this was
one of those cases, why was this additional information not shared with the
accused infringer? (And if this was not one of those cases, why mention this
at all?)

You invoke the DMCA, citing it as obligating you to take appropriate action.
Was the action taken in this case the most appropriate one? Who decides what's
appropriate here, Facebook or the relevant laws?

Care to discuss any of your specialized tools, systems, and technology to
review and properly handle IP notices? I can't speak for others, but their
mere presence says little to me.

No sane person expects a perfect system. We're just curious about the
particular circumstances of this particular case, and you have a reasonable
audience here who would love for you to share some of them.

------
16s
Many IT security standards actually require account lock-outs. For example,
PCI-DSS requires it. No one seems to understand that the goal of the attack
may be to deny access. The attackers may not want to compromise the account,
only to keep someone (or a group of people) locked out for a bit while they do
something bad elsewhere.

Edit: I'm surprised an account would be locked by a DMCA request though. Block
or remove the content (if it's a legit DMCA notice) but keep the account
alive. That's just one more way to carry out this sort of denial of service
attack.
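The lockout-as-denial-of-service point above, as an added illustration that is not code from the thread: a failed-login throttle with the classic account-wide scope beside one scoped to the (account, source address) pair. Usernames, addresses, the failure threshold and the lock duration are all constructed for the demo.

```python
from collections import defaultdict

# Constructed values for the demo: a PCI-DSS style failure threshold and
# a 30 minute lock. The credential store is a toy, not a real password check.
MAX_FAILURES = 5
LOCK_SECONDS = 1800
USERS = {"alice": "correct-horse"}


class LoginThrottle:
    """Failed-login lockout whose scope is configurable.

    per_source=False: the classic policy, N failures lock the account for
    everyone, so anyone who knows a username can deny its owner access.
    per_source=True: failures are counted per (account, source address), so
    a bad-password stream from one address locks only that address.
    """

    def __init__(self, per_source):
        self.per_source = per_source
        self.failures = defaultdict(int)
        self.locked_until = {}

    def _key(self, user, source_ip):
        return (user, source_ip) if self.per_source else user

    def login(self, user, password, source_ip, now):
        key = self._key(user, source_ip)
        if self.locked_until.get(key, 0) > now:
            return "locked"
        if USERS.get(user) == password:
            self.failures[key] = 0
            return "ok"
        self.failures[key] += 1
        if self.failures[key] >= MAX_FAILURES:
            self.locked_until[key] = now + LOCK_SECONDS
            return "locked"
        return "bad-password"


def denial_scenario(throttle):
    """Someone at 203.0.113.9 sends MAX_FAILURES wrong passwords for alice,
    then alice herself logs in correctly from 198.51.100.7 a second later.
    Returns what alice sees."""
    for _ in range(MAX_FAILURES):
        throttle.login("alice", "wrong", "203.0.113.9", now=0.0)
    return throttle.login("alice", "correct-horse", "198.51.100.7", now=1.0)


def attacker_after_lock(throttle):
    """After denial_scenario, is the address that produced the failures still
    blocked from trying? (It should be, under either policy.)"""
    return throttle.login("alice", "wrong", "203.0.113.9", now=2.0)


if __name__ == "__main__":
    print("hard lockout, real user sees:", denial_scenario(LoginThrottle(per_source=False)))
    print("scoped lockout, real user sees:", denial_scenario(LoginThrottle(per_source=True)))
```

Scoping by source address narrows the denial but does not remove it (many addresses, or legitimate users behind one NAT), so in practice it is paired with per-source rate limiting and a soft challenge rather than used alone.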

~~~
rexreed
It's not even a DMCA request. You just fill in a form and claim infringement,
without even having to authenticate who you are. So, I don't see this as
following any sort of "fair" process that gives the other side an opportunity
to challenge or object.

------
te_chris
As an aside, I had my personal account hacked last year. It was such a
torturous process getting it back. They got into my gmail account, then took
my fb account off that (I actually didn't realise the two were connected as
I'd signed up to FB with my University of Otago email addy back when you had
to have an academic address - turns out you could login with your "backup
address"). Google's process for locking my account and getting it back to me
was clinical, quick and mostly efficient: I had my account back in a day.
Facebook took nearly two months of me trying everything to get them to
respond. I got my friends to email them, I emailed them daily, I started a
blog about my ordeal, I did everything then, finally, they got back to me,
after nearly two months.

I think I was quite lucky to have both my gmail and FB go down at the same
time as it showed me such a clear contrast of approaches. Google, though
impersonal, still assume that you're telling the truth. Facebook just don't
give a shit.

------
recampbell
It seems like someone clever could easily turn this policy against itself by
reporting popular facebook pages for DMCA violations. Not that I would
encourage or condone such activities.

------
rexreed
FYI - the copyright complaint form is here:
[https://www.facebook.com/legal/copyright.php?noncopyright_no...](https://www.facebook.com/legal/copyright.php?noncopyright_notice=1)

As you can see, it's not a normal DMCA take down, and it can easily be
spoofed. Yes, you have to certify under penalty of perjury, but what difference
does that make if the contact information is bogus?

------
JoeCortopassi
Easy way to fix this: Flag everything you see on Facebook. Once it starts
crippling everyday users, they will take more care in taking stuff down just
because a random person complains.

~~~
ekanes
Random abuse against innocent people isn't really the moral solution. Public
complaints and negative press for Facebook is a better way.

~~~
CWuestefeld
Don't Sony and friends have Facebook pages? Since they're the ones that
insisted that this weapon be built, it would be ironic if it were deployed
against them. (not that I'd advocate such an action, mind you)

~~~
mattdeboard
Do you honestly think MegaCorp One has no protections/oversight in place to
protect other MegaCorps that use its services?

------
msy
I feel like I'm repeating myself daily at the moment. If you're not paying for
it, you shouldn't expect _anything_. If people paid for the services they
used, they'd have recourse and the interests of the provider and the consumer
would be aligned. As it stands, why would or should Facebook give a shit?

Brands building their online presence via Facebook are mad as far as I'm
concerned, Facebook owns that content, they can do with it what they want and
as this demonstrates, zero recourse.

~~~
yellowbkpk
I _am_ paying for it with a very valuable commodity: my personal information.
I have every right to complain about getting the crappy end of the stick when
stuff like this happens in the same way you have the right to complain about a
crummy contract with AT&T or your roofer.

Just because the currency in question is not (directly) the USD doesn't mean
I'm not paying for it.

~~~
res0nat0r
If your boss paid you via an excel spreadsheet of personal data every month I
think you'd give a bit of pause on the real value of the dollar vs. personal
information.

Sure you are giving them personal information that is valuable, but I don't
think the datacenter power company is going to take that as a monthly payment
from Facebook each month the bill is due.

You do have the right to complain, as everyone does, but since you aren't
giving them actual $, they have the right to really not give a damn.

~~~
rpedroso
That analogy does not really hit the mark. Facebook lays claim to the data you
upload to its website, and profits from that information.

Sure, it's not quite the same as a financial exchange, but at the very least
they should treat their users well -- their virtual monopoly isn't gonna last
forever.

~~~
res0nat0r
Really I think it translates to any company the size of Google or Facebook. It
would be impossible for them to have the same level of face to face service
that a ma and pa shop with a userbase of 100 people provides. You might not
like it, but if 500 million people had an easy way to lodge complaints for
whatever they wished, their helpdesk/support staff would probably be larger
than their engineering team.

~~~
reso
This is exactly it. Facebook is 2000 people serving 600 million. They all work
10-12 hour days and still can't keep up with all the work thrown their way.
It's not that they don't care, they are just swamped.

~~~
ghaff
Agreed. Companies like Facebook, Google, eBay, etc. serve a staggering number
of users with a relatively modest number of customer-facing staff. They're
able to do so because they have very sophisticated software systems that can
handle an awful lot of things automatically. But run into something that
requires a human to do something and stuff breaks down. They're just not
staffed for it.

And it's not clear they realistically could be staffed to handle it well.
Though Amazon seems to do a better job than the others. So arguably you can
provide better service if you're willing to invest in it. But for Facebook and
Google, beyond some VERY base level, better customer service is a cost that
probably wouldn't drive much in the way of revenue.

------
jrockway
They have 500 million users. It's probably easier to shoot first and ask
questions later, because even if you kill 1000 users a day, you still have a
lot of users.

Remember, Facebook is about one thing: eyeballs. If some eyeballs cost them
money, it's easier to lock them out than to work with them.

If you don't want some large company to shut down your website, host your own.

------
tambourine_man
I find it amusing that this may come as a surprise. Facebook's got so big that
people think it's a government institution or something.

The outraged tone and arguments of the article imply that the author thinks he
has “rights”, hence his fairness demands. This is a privately owned website,
they can do whatever the ____ they want with the data that you give them.
This quote from the article exemplifies this view:

_How dare we post our own content to our own Facebook page_

They really think it's their own. I can't decide if that's sad or hilarious.

I'm not an open web fanatic, but such naivety from a tech savvy site is scary.
Regular people must think Facebook is a given, like air or tap water. This
widespread lack of education is going to get ugly soon.

Maybe I'm just a grumpy young guy, but I can't understand why people not only
use, but depend on Facebook.

Look at Hacker News, there is something interesting here everyday. I'm sure
there are equally relevant sites in almost every field of knowledge. Yet, I've
never seen anything in Facebook deeper than regular gossip or elevator
chitchat about the weather: your friend spent last holiday at his beach house.
Wow.

And regarding business contacts, C'mon. We've been doing business networks for
ages. I've yet to see someone getting loads of money because of whom they met
at Facebook.

------
sawyer
This is what happens when people and businesses choose to lock themselves in a
walled garden they do not control.

All the businesses out there actively marketing their Facebook page should
take heed. Set up and market a proper website; utilize a mailing list for
client communication.

------
ck2
Counter-notice, but only if you are positive it's a bogus takedown.

<https://www.chillingeffects.org/dmca/counter512.pdf> (not actually a pdf)

They have to put it back online with a counter-notice.

~~~
jerf
It doesn't sound to me like this is necessarily a DMCA complaint. While the
DMCA defines certain procedures in return for certain protections, I don't
think it actually _forbids_ just dropping Facebook a note saying "Hey, this is
infringing content", without even having to necessarily own the content in
question, and if Facebook chooses to aggressively take it down, what recourse
do you have? Filing a counternotice won't necessarily do anything, as far as I
can tell.

~~~
ck2
Safe-harbor means the provider does not have to authenticate a DMCA notice -
the takedown notice is done under perjury, they just have to obey it to escape
any liability.

The catch is there is virtually never a prosecution for a bogus takedown, I
cannot remember ever reading about one, it would be huge news.

Bogus takedowns happen all the time on youtube so I guess now it's moved onto
facebook.

Can't believe I am suggesting this but _anonymous_ just needs to have
"Takedown Fridays" where they target the service of their choice and perjure
away to their hearts' content. When thousands of FB pages suddenly vanish,
eventually Congress may get wind of it and improve the law but I kind of doubt
it.

~~~
TheAmazingIdiot
It'd work alright. Do you think you'd target Joe_Blow_1374 ?

Nope.

You'd target Actors/Actresses, Politicians, CXOs, and other influential
people, and their families. When those people hurt, they WILL do something.
Sometimes, that something could be changing the law, or using the law as a
nice pointy stick.

------
praptak
Oh well: _"Everyone who uses Facebook is on some level a Facebook partner."_

Even taking into account some level of exaggeration, this is laughable.
Facebook advertisers might be Facebook partners. The Facebook-user
relationship cannot be further from partnership, it is the relation between a
farmer and their livestock.

------
mrerrormessage
Can someone come up with a way that any of the Zynga stuff (or even better,
Facebook-generated content) genuinely infringes on their rights? If they start
getting takedowns for things that make them money, that might make them think
about reforming their procedures.

------
michaelpinto
If Facebook wants to scale they need to learn about customer service — maybe
not so much for their individual users, but for businesses. I recently helped
a consumer brand client clean up her Facebook presence which was a mess —
their interface was impossible for a typical bricks-and-mortar biz owner to
decipher.

~~~
PonyGumbo
If Facebook wants to scale?

~~~
user9756
Yeah, you know, beyond earth.

------
invisible
It looks more like facebook PAGE lock-out. Furthermore, aren't they legally
obligated to do this under DMCA?

~~~
biot
The email Ars received doesn't mention DMCA, so it's likely not the case. If
it were, there are specific requirements that Facebook would need to follow
including allowing Ars to file a counterclaim which then reinstates the
content and absolves Facebook of liability -- the third party would then need
to follow-up directly with Ars over their infringement claims.

------
orijing
It sounds like a hard problem to find a balance that satisfies everyone. What
do the security experts here recommend?

------
mkramlich
I'm making a note here: sharecropping reminder incident #435.

------
powertower
The worst is that as soon as Facebook detects the stink on the internet of
this, they will rectify the situation for ArsTechnica, but everyone else will
still be screwed.

When you are dealing with virtual monopolies that have zero customer support
and negative processes (Facebook, Google, etc) getting locked out does not
mean that you can go somewhere else, it literally means getting locked out of
an entire aspect of your life and/or business...

Think about it: all your friends are on facebook, you get banned, where are
you going to go, which other social site are you going to use?

Facebook did not make facebook popular, the users did. Virtual monopolies need
to recognize this, that they have a responsibility to the users.

~~~
hammock
Why should facebook care? They are a "monopoly" that you willingly submitted
yourself to. They created a great service and you bought into it. If all your
friends are on facebook then that's you and your friends' own damn fault.

"It's not fair! Facebook has a responsibility to its users! I demand them to
do such and such!"

So what if facebook was never around? You are in debt to them for such a great
service, they never forced you to become so dependent. People lived for tens
of thousands of years without social networking, and they'll continue to do
so.

~~~
esmevane
I can't help but think this blame mentality is the root of a lot of problems
with the intended discourse, here.

The issue at hand isn't whether or not Facebook has the power to do this, but
rather that the system is intrinsically moronic in that it involves no checks
and balances. It is trivial to abuse.

You don't like a company's Facebook fan page, and you can have it removed with
a little effort into building an email. You don't actually have to prove
anything, just wave your hands.

In essence, you seem to be defending the right of Facebook's public users to
disable accounts and pages on Facebook on a whim. Is that correct?

~~~
hammock
I am defending Facebook's right to deal with the stuff it publishes however it
wishes. You don't have a contract with Facebook that they store and display
your content, as you would a book publisher or private hosting service. With
Facebook you voluntarily post your content, and they voluntarily publish it
for free. They have no obligation to you to keep it up there for any reason
whatsoever.

If you want to guarantee the stability of your content, you need to get a
contract or host it yourself. Facebook doesn't owe you anything.

~~~
falcolas
On the contrary - Facebook owes its users everything. Without them, Facebook
does not exist. Every user provides Facebook with content, which Facebook then
monetizes using ads. Every user also views those ads, directly earning
Facebook money.

To assume that since there is no legal contract between a user and Facebook,
Facebook has no need to treat its users well is simply untrue. The users make
Facebook, not the other way around.

~~~
Hoff
Did you read through the FB Terms of Service back when you signed up?

When I last read through that (and which was admittedly a few years back), the
ToS indicated that whatever you uploaded became available to FB in perpetuity,
and for whatever purpose FB wanted to make of it.

Put another way, if you didn't pay for something, then there's a good chance
it's you that's what's being sold.

~~~
caf
This comment is a complete non-sequitur response to the previous comment. It's
completely true, but in no way addresses the points raised.

The Terms of Service are irrelevant to the idea of whether "it's the users
that make Facebook". Put it this way: how useful would Facebook be if you were
the only user?

~~~
ericd
The grandparent is talking as though Facebook has a legal obligation to do
right by its users. This is not true, as far as I can tell. As hammock says,
it can do whatever it wants with the stuff published, to the extent that it
doesn't do something libelous with it.

Of course, it's not a good PR or long term business strategy to screw with
lots of its users, but talking as though it must do things when it really
doesn't have to is the issue that the parent is responding to.

~~~
caf
I'm not sure which comment you're talking about, but falcolas' comment
specifically says _"...since there is no legal contract..."_ - the comment is
clearly talking about a _non-legal_ "need" for Facebook to treat its users
well. This has nothing to do with ToS.

If someone says Facebook "must" do something, it doesn't necessarily mean that
they're implying a legal requirement. It is more likely that they're talking
about something that, in the opinion of the commenter, is required to stay
successful long term - regardless of the legalities.

------
ignifero
That's not even news, everyone who has worked with facebook has the same
issues. For such an understaffed company, that's not surprising. We had our
domain banned by their spam filter before we even launched our game (really,
it was just a redirect back to facebook); it's been like that for months and still
no response to our complaints.

------
leon_
> At least the help page has a contact e-mail address, but we have received no
> response as of yet.

You could assume a $50 bil. company would have something like a customer
service ...

~~~
ovi256
Do you think they got to be worth $50 bil. by spending cash on niceties
such as customer service? That's so old industry BTW. /joke

------
bxr
Facebook has issued a statement to ReadWriteWeb and (as of this post) has yet
to contact Ars. That action speaks volumes about what Facebook's real concerns
are.

------
narrator
You are one of 500 million "customers" who aren't even paying them any money.
They can drop you at any time.

~~~
ra
users != customers

~~~
jarin
Advertisers are the customers, users are the product.

