
Fake “like” factories – how we reverse engineered Facebook's user IDs [video] - sturza
https://media.ccc.de/v/36c3-10936-inside_the_fake_like_factories
======
cmrdporcupine
I'm pretty sure it's not just parties outside of FB, but FB itself is
implicated. Out of curiosity I paid to run ads to promote a page associated
with a community group I'm trying to get up and running ("Ski the Great
Lakes"); I paid about $10 to run an ad for a few days. It became clear after a
day or two that most of the engagement was fake; many Indian and Egyptian etc.
accounts completely outside of the targeted demographic and clearly not real
accounts.

A couple months later I'm still getting the odd 'like' from these types of
accounts despite not running the campaign.

I didn't seek out any third party promotion, just used FB's own promotion
tools.

(I also find it objectionable that one can run ads to promote commercial
pages, but there's no way to do so for "groups"; if I want to spend some $$ to
expand actual community engagement, for some non-commercial purpose, I can't.
I can only promote a business.)

~~~
ec109685
I don’t think Facebook is paying Indian companies to fake like your ad.

Those accounts are probably trying to look legitimate so when they like
their own pages, the signals are trusted.

That said, Facebook should have refunded you obvious non legitimate clicks.
Did you report it?

~~~
brentis
You can set your demographic and still get many foreign likes. They are either
using proxy service or something similar. FB does little to discourage and I
frankly feel enables to drive revenue.

These likes also pollute your account and skew your demographic as they are
not sincere. Makes it ultimately difficult to understand your buyer.

~~~
cmrdporcupine
It's pretty awful; I used to work in ad-tech, and if we had this level of
click fraud our customers would have had our head on a platter.

------
chromaton
I wrote about this a year ago on my blog:
[https://planiverse.wordpress.com/2019/01/11/advertising-to-⅔...](https://planiverse.wordpress.com/2019/01/11/advertising-to-⅔-fake-users-on-facebook/)

In short, the fake accounts had several factors in common:

- No or almost no public posts.
- The only public posts being an update of the cover photo and profile photo
  in 2017.
- The profile photos tended not to be headshots: a photo of a cup of coffee,
  say, or a landscape.
- Between 20-100 friends.
- Friends tended to be in places like India, the Middle East, or Southeast
  Asia.
- Their gender didn’t match the name or photo about half the time: a “Martha”
  referred to as “he” by Facebook, for example.

------
genode_fan
Given the power of modern day corporate actors, this is a competitive tactic,
morals notwithstanding. I thought it was interesting that one person in the
video did not view this as a form of fraud. But I have difficulty seeing how
this is not fraud. It doesn't seem likely that everyone knows what is
authentically or artificially amplified. Even if people do view the internet
social atmosphere around them with caution, it's difficult to find who exactly
is behind the amplification and to what extent. On other platforms such as
reddit I suspect that there has been further political activity.

For nation-state actors, it is a modern form of agit-prop that is probably
superior in both its effectiveness and its ability for fine-grained control.
What's interesting is how this approach can utilize the idea of proxy control
on so many fronts. In the US, the citizens themselves are being gamed as
proxies for foreign voting power. Malicious actors hide behind proxy servers
as well, which adds another avenue of difficulty in dealing with the problem.
And then there are the botnet overlords.

An instance of a normal person posing with their own identity once is its own
bit of fun, but now that commercial and then national actors are involved it's
a whole different ball park. If your fridge supports the other candidate and
products from its superior overlord should this be the advent of bot rights or
total bot enslavement? I partly jest.

I did a quick Google Translate and read the Vice Germany article they
referenced and it's an entertaining read. I recommend it. If you want to look
it up, the title is "Die Applausfabrik: So funktioniert die Industrie hinter
gekauften Likes und Followern".

------
onreact
Intriguing. On the other hand Facebook cracks down on new users and requires
them to jump through many hoops to access the service.

My wife finally gave in and signed up to Facebook in order to be able to take
part in a webinar she already paid for that was staged on the platform just
to get her new account blocked for using a different device from the one she
signed up.

They wanted her mobile phone number, photo and her ID (think passport).

She didn't want Facebook SPAM on her phone, she already gets bombarded by
WhatsApp notifications and sending her photo again didn't help. She got banned
for good. Also her IP was blocked so she couldn't sign up again.

------
stevenicr
I've been curious about the ?fbcid=lkjwejowijtoirj14j blah blah that fbook
adds to urls when you click over.. I think this id is always the same(?) - so
it's another layer of fingerprinting.

I don't use fbook enough for it to be a big issue - and I had assumed it was
always a unique string so fbook could track ads, but I am now thinking it's not
different each time and it's another identifier that can be used by god knows
how many groups and peoples to track - when I am employing several other
systems to stop tracking - this is crazy - is there a way to strip this auto?

~~~
mike_d
FBCLID is "Facebook Click ID". It is sent to third party sites as a URL
parameter so that if an advertiser complains about fake clicks or something
they can provide the IDs and the Facebook advertising team knows which ones
they are talking about.

Analytics companies (I think Google and a few others) can pay Facebook to get
data on your behalf like what page it came from and the demographics of the
visitor.

Google AdWords does this as well on paid clicks with GCLID

~~~
stevenicr
This is terrible. Someone with access to server logs at a few web sites (or
someone that loads a third party resource (ads, analytics, sharethis buttons,
etc) onto a few web sites) would be able to know exactly who is coming from
fbook and viewing different types of content.. no inside access to fbook or
their data required.

I can't believe nothing is auto-stripping this url addition between firefox
and ublock origin - must find and tell others.

~~~
_-___________-_
Note that the ID changes for each "click" - hence "Facebook CLICK ID" - so
you can't tie different clicks back to the same user without access to
Facebook's data.

But yes, an extension to strip these (along with `gclid` from Google,
`reddit_cid` from Reddit, and so on) would be very welcome.

~~~
stevenicr
thanks for this - I was confused about it since I have seen a few that looked
very similar (first 12 characters of it the same) - did a quick, slightly
deeper check into history and see that I do have 2 urls that have the exact
same string, but it appears at least in this one case, that it's a click to a
short link that forwards (dj-m.ag to djmag dot com) - so the similarity was
confusing, and see some doubles freaked me out. now I see at least some
differences in several - so I guess unless there is an easy pattern match, or
as the title of this hn thread story suggests they may be able to reverse
engineer fbook clicks - it's highly concerning to be sure since so many places
use third party scripts and assets.

fingers crossed this is good and it gets better.
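
The stripping asked for in this sub-thread, as an added example that is not part of any comment: it removes the click-ID parameters named above from URLs and, going one step further, scrubs them from access-log lines so a site operator does not retain them. The URLs, log line and helper names are constructed for illustration.

```javascript
// Added example, not from the thread. Parameter names are the ones commenters
// mention (fbclid, gclid, reddit_cid); all URLs and log lines are constructed.
const CLICK_ID_PARAMS = new Set(["fbclid", "gclid", "reddit_cid"]);

// Remove click-ID query parameters from an absolute URL or a path-only
// request target. Returns the cleaned string and the parameter names removed.
function stripClickIds(raw) {
  // "//host/path" is scheme-relative, not a path: leave it to the catch below.
  const pathOnly = raw.startsWith("/") && !raw.startsWith("//");
  let url;
  try {
    // Path-only targets need a base to parse; the base is dropped again below.
    url = pathOnly ? new URL(raw, "http://base.invalid") : new URL(raw);
  } catch {
    return { url: raw, removed: [] }; // unparseable: leave untouched
  }
  const removed = [];
  // Snapshot the keys: deleting while iterating searchParams skips entries.
  for (const key of new Set(url.searchParams.keys())) {
    if (CLICK_ID_PARAMS.has(key.toLowerCase())) {
      url.searchParams.delete(key);
      removed.push(key);
    }
  }
  if (removed.length === 0) return { url: raw, removed }; // avoid re-encoding
  const cleaned = pathOnly ? url.pathname + url.search + url.hash : url.href;
  return { url: cleaned, removed };
}

// Scrub every URL-like token (anything containing "?") in an access-log line,
// so click IDs from the request target and the Referer are not retained.
function scrubLogLine(line) {
  return line.replace(/[^\s"]+\?[^\s"]*/g, (token) => stripClickIds(token).url);
}

const SAMPLE_LOG_LINE = // constructed
  '203.0.113.7 - - [02/Jan/2020:10:00:00 +0000] ' +
  '"GET /post/42?utm=x&fbclid=IwAR0constructed HTTP/1.1" 200 512 ' +
  '"https://example.org/feed?FBCLID=IwAR0constructed#latest" "ExampleUA/1.0"';

console.log(scrubLogLine(SAMPLE_LOG_LINE));
```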

------
JohnFen
While I don't use FB, this sort of thing is why I no longer give any weight at
all to "likes", "upvotes", or product ratings.

------
weinzierl
One interesting thing for me was that the majority of buyers seem to be small
shops and individuals. Unfortunately they don't present any hard data on this
but their examples and one answer in the Q&A at the end really hint in that
direction. I wonder if big brands buy likes in significant numbers as well?

~~~
dredmorbius
Majority of cases is often a poor measure for such things -- what you're
interested in is the _significance_ (in the general, not increasingly fraught
statistical sense) of the use.

There are more small businesses than large ones. But large business practices
are, for the most part, far more meaningful. Some metric of net financial or
revenue impacts might be a better (though much more difficult to acquire)
metric.

It's kind of the "space aliens land on Earth, who do they encounter" problem.
Most _people_ are located in cities, but cities occupy a small fraction (~<1%)
of Earth's surface.

By statistical likelihood, your alien is most likely to encounter ... a fish
(or plankton). If they find land, they're most likely to find a rural area,
and hence rural dweller. Not because that's a statistically accurate sampling
of _human population_ but because it's a statistically accurate sampling of
_human population areal distribution_.

So: if you look at like-buying campaigns, you'll find, because there are far
more small businesses, many more small businesses participating.

If you looked at other metrics -- say, bought likes distributed among all
commercial accounts -- you'd probably find the weighting swinging far more
toward at least moderate-to-large sized businesses.

Though: for a small business, some early-stage "growth hacking" might be both
a modest budget line, a plausible-sounding practice (not necessarily true, but
_appearing_ to be true), and something a likewise ethically challenged black-
hat SEO marketer could sell.

Then there's the possibility of joe-job likes -- buying fake likes for a third
party in order to present them as fraudulent. Possibly not widespread, but
possible, and given the difficulties in attribution, something that's hard to
demonstrate one way or the other.

Big brands:

- Likely have more effective tools.

- Have other ways of promoting online content without going through fake
  likes. (Paid "influencers" being one widely-practiced option.)

- Might be aware of the potential downsides and hence avoid this.

- Are a much smaller fraction of "like" campaigns, and have a higher
  "organic" (or at least organic-appearing) rate of user engagements.

There are numerous reports of ... large influencers in the political space ...
paying $10k - $100k amounts monthly for social media promotion.

------
patrickany
I mirror'd a copy of the video to Vimeo for those eager to see it and are
having problems with upstream. I suspect they're having trouble dealing with
the HN-effect.

[https://vimeo.com/382103218/bbe2fe74c3](https://vimeo.com/382103218/bbe2fe74c3)

~~~
netsharc
They already mirror their videos on YouTube...

------
rnd_dude428673
FB generates a different user id for each FB application id.

"Facebook issues app-scoped user IDs for people who first log into an instance
of an app, and page-scoped user IDs for people who first use a Messenger bot.
By definition, this means the ID for the same person may be different between
these apps and bots."

[https://developers.facebook.com/docs/apps/for-business](https://developers.facebook.com/docs/apps/for-business)

So the 10 billion number the researchers quoted does not necessarily represent
individual users.

~~~
pkreissel
Hi, this is actually incorrect. Facebook uses internal IDs (these are the ones
used here, they are valid globally) AND external IDs for Apps and their
connected pages. The external IDs have a completely different format and
cannot be used to access a profile in the web browser (which is what we were
able to do for all of them). We cannot completely rule out, that Facebook
assigns two IDs to the same profile. However we think this is highly unlikely.
We tried to check for that as far as possible. For example: If I search for a
profile's name, that I found via a random ID lookup, and then check that
profile's ID, it's the same ID that was used in the lookup. We couldn't try this
at scale though.

~~~
rnd_dude428673
It's pretty simple to validate. Create two different FB developer accounts.
Then create a Login with FB type app for each account. Then use a third FB
account to login to each different app and use the FB Graph api to view the
user id in the tokens. It will be different.

------
tnolet
Very curious about what Facebook's response is to this (outside the response
mentioned in the talk, which is clearly not sufficient)

Also, if there are any FB employees on here, what do they think of their
employer still enabling massive disinformation, astroturfing etc?

To be clear, I'm not blaming individual employees. Just honestly curious how
they deal with these issues on their personal moral compass.

~~~
piokoch
Frankly I don't understand this kind of "calls to action" directed to company
X employees.

First of all, it is not like FB employees are pushing people into gas chambers
in Dachau, FB usage is not obligatory, what I keep telling everyone who
complains about FB censorship or privacy abuse - I don't have FB account
because of that.

In the same way we might ask to step out Coca Cola employees (say, delivery
truck drivers), because drinking Coke is bad for one's health. Or HSBC
employees because HSBC was laundering narco cartels' money? Or John Deere
employees because company forbids farmers to modify tractor software?

All of those practices are immoral and bad, but why chase the weakest, whose
income, ability to pay rent, etc. depends on the employer? Why not target
those, who are really responsible for that what is happening and who make huge
money thanks to that?

I would say it makes much more sense to vote with our money, avoid services
and products from companies we consider immoral.

Publicly discourage people from using such services and products, publicly
stand against CEOs, shareholders of those companies, spread the knowledge
about their personal responsibility for such kind of behavior - this is not
that difficult and actually can make a difference. Imagine PR outcome of a
conference that would invite Mark Zuckerberg, but no one else would want to
attend it? Mark shows up on, say, TED, and all the people leave the room
during his talk? In the media-driven World surely this would become "viral"
and even Mark with all his money couldn't ignore that easily.

~~~
hydgv
> FB usage is not obligatory, what I keep telling everyone who complains about
> FB censorship or privacy abuse - I don't have FB account because of that.

Wow are you saying that people should take responsibility for their actions
and should let others choose freely what to do?

~~~
jen20
Shadow profiles, anyone? The idea that Facebook does not attempt to spy on
former or non-users is laughable.

------
z3ugma
Oof - what is an "ordinary guy" and why is that person not Asian?

> "you instantly think of mobile phones strung together in multiple lines in
> front of an Asian woman or man. What if we tell you, that this is not
> necessarily the whole truth? That you better imagine a ordinary guy sitting at
> home at his computer? "

~~~
ronsor
The sentence, though worded a bit awkwardly, is not implying there is anything
strange about Asians, but it is implying that anyone who has dozens of phones
in multiple lines is odd.

The many phones is what makes the person "not ordinary."

------
Trias11
"Likes" are as trusted as the platform that created them.

------
DanielBMarkham
We've become quite adept at pointing out the conflicting incentives, scaling
problems vis-a-vis mobs, and hidden rights violations users agree to without
realizing the implications. There is, however, another aspect to this we don't
talk about much.

Who suffers the most here? It's obviously not the social media platforms. They
adapt their code and move on. It's not the users, at least in the long run.
The problem has been identified and resolved. It's not the people selling
likes. They get punished, bail out on some fake accounts and get new ones.
Even if you could somehow ban individuals from using platforms, there's a
million more people willing to create fake likes from where those came from.

It's the poor, as always. The people who know the system is rigged, know the
system has to be gamed in order to make money, and are desperately looking for
a way to be competitive and get ahead. So they buy some fake likes, then get
destroyed by the social media companies. Perhaps they've already invested a
lot of time in their presence before they got desperate. In either case,
they're not running fake ids. It's just them. And they don't know enough tech
to move on. They get slammed for life for making a poor moral choice. Why?
Because they're easy to find and it's easy to punish them.

That's whack.

~~~
danans
> It's the poor, as always. The people who know the system is rigged, know the
> system has to be gamed in order to make money, and are desperately looking
> for a way to be competitive and get ahead.
>
> They get slammed for life for making a poor moral choice. Why? Because
> they're easy to find and it's easy to punish them.

This observation has strong parallels with how the poorest are the lowest rung of
the drug trade - on the street, and bear the highest price of it - death or
imprisonment, while the higher level traffickers usually get away with
impunity. But the populace feels good because of the disheveled mugshot of the
street drug dealer they saw on the evening news.

~~~
DanielBMarkham
The drug analogy is very interesting. As you may know, 100-ish years ago,
drugs were legal. Some people frowned upon them, some did not. Then there was
a great moral uprising followed by legislation, then we had the War on Drugs.
Finally the pendulum seems to be swinging the other way. So we've seen most of
a full cycle.

Continuing your low-level drug dealer example, if that guy that runs the car
wash down the street gets banned for using fake likes, why shouldn't he? It
was a bad thing to do! We can see him, we know him, he did a bad thing and
deserves his punishment. Not only does he deserve his punishment, we should
shame him if we can in order to discourage others from contemplating doing the
same thing. Maybe if we increase punishment we can see less of that sort of
thing around here.

Ever hear how a lot of social/internet companies got started? Sock puppets,
fake likes, generated social proof, paying off influencers, and so forth. All
the things the little, common folk aren't supposed to do today. It seems there
is a moral code for the common folk and a separate one for our betters. All
animals are equal ...

This story, where we find all these millions of fake people and likes, is a
"drugs on the table" story: big flash, looks like progress is being made, we
have heroes and villains, feats of strength and daring, and people can feel
like the net is somehow safer. Then things can go on as usual.

~~~
danans
Another recent example of this are the ICE raids on slaughterhouses rounding
up undocumented immigrant workers.

I've yet to hear of a single executive of those companies arrested and put on
trial for their employment practices. It's almost as if changing the
employment practices wasn't the objective.

------
doener
[https://news.ycombinator.com/item?id=21910573](https://news.ycombinator.com/item?id=21910573)

------
kops
What is worse than being popular? Perhaps bought popularity. A team member
decided to boost an instagram post (same FB platform) expecting a few tens of
likes to start the virtuous cycle. We got a few thousand likes. It is our most
embarrassing post ever and the worst part is that I haven't deleted that post
yet. FB and instagram are black mirrors that make me wonder who am I and how
low I can stoop.

------
nxpnsv
A side note: I really like the linear video timeline thing ccc does.

------
NilsIRL
I think the line between what is ethical and isn't is very blurry and there is
almost no reason why advertising is ethical.

------
mola
Any textual write up available?

~~~
curiousgal
Honestly I was underwhelmed. They started by scraping a site that offered paid
likes for a list of their "clients" i.e. the pages to be liked. They talked to
a couple of people who got paid to like pages. They then reported that
platform to Facebook so they blocked it (dick move towards the workers they
interviewed imo) then they noticed how Facebook profile IDs are incremental so
they deduced a profile's creation date from that using "interpolation" even
though it didn't account for various spurious points. They used that to look
at the distribution of certain pages' and like services' liker profile age
(recent profiles -> fake, older profiles -> genuine account) and that's about
it. Not to be cynical but I don't find this groundbreaking in any shape or
form.
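
The method summarised in the comment above (dating a profile by interpolating over incremental IDs, then comparing the account ages of a page's likers), as an added example that is not part of the thread or the talk. The anchor points, ID values, the 365-day cutoff and all function names are constructed assumptions.

```javascript
// Added example, not from the talk or the thread. Anchor points (an account ID
// with a known creation date) and liker IDs are constructed; real IDs differ.
const DAY_MS = 24 * 60 * 60 * 1000;

// Build an estimator from anchors sorted by ID. Because it assumes IDs are
// handed out in increasing order, anchors whose dates go backwards are rejected.
function makeCreationEstimator(anchors) {
  const pts = anchors
    .map((a) => ({ id: a.id, t: Date.parse(a.created) }))
    .sort((a, b) => a.id - b.id);
  for (let i = 1; i < pts.length; i++) {
    if (pts[i].t < pts[i - 1].t || pts[i].id === pts[i - 1].id) {
      throw new Error(`anchor ${pts[i].id} breaks the monotonic assumption`);
    }
  }
  return function estimate(id) {
    if (pts.length < 2 || id < pts[0].id || id > pts[pts.length - 1].id) {
      return null; // outside the anchored range: do not extrapolate
    }
    // Binary search for the segment [lo, hi] that contains id.
    let lo = 0, hi = pts.length - 1;
    while (hi - lo > 1) {
      const mid = (lo + hi) >> 1;
      if (pts[mid].id <= id) lo = mid; else hi = mid;
    }
    const frac = (id - pts[lo].id) / (pts[hi].id - pts[lo].id);
    return pts[lo].t + frac * (pts[hi].t - pts[lo].t); // ms since epoch
  };
}

// Share of a page's likers whose estimated account age at `asOf` is below
// `maxAgeDays`. IDs that cannot be dated are counted separately, not guessed.
function youngAccountShare(likerIds, estimate, asOf, maxAgeDays) {
  const now = Date.parse(asOf);
  let young = 0, dated = 0, undated = 0;
  for (const id of likerIds) {
    const t = estimate(id);
    if (t === null) { undated++; continue; }
    dated++;
    if ((now - t) / DAY_MS < maxAgeDays) young++;
  }
  return { young, dated, undated, share: dated ? young / dated : null };
}

const ANCHORS = [ // constructed
  { id: 1000, created: "2010-01-01T00:00:00Z" },
  { id: 5000, created: "2015-01-01T00:00:00Z" },
  { id: 9000, created: "2019-01-01T00:00:00Z" },
  { id: 9800, created: "2019-12-01T00:00:00Z" },
];
const estimate = makeCreationEstimator(ANCHORS);
const ORGANIC_PAGE = [1200, 2500, 4100, 5600, 7300, 9100]; // constructed
const BOUGHT_PAGE = [9050, 9300, 9500, 9650, 9790, 3000, 12000]; // constructed
const AS_OF = "2019-12-27T00:00:00Z";

console.log(youngAccountShare(ORGANIC_PAGE, estimate, AS_OF, 365));
console.log(youngAccountShare(BOUGHT_PAGE, estimate, AS_OF, 365));
```

A skew toward recently created accounts is a signal to investigate, not proof: the estimate is only as good as the anchors, and IDs outside the anchored range are reported as undated.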

------
bob_theslob646
Is there a way to remain anonymous but verify that the person is a human?

------
ThomPete
There is only one metric that really matters when it comes to using social
media as metrics and that is comments. Those are the actual relevant users.

~~~
empath75
A lot of them are bots or paid astroturfers, also.

~~~
ThomPete
Sure and easy to spot, that's not the point.

------
gravitas
This may rub some folks raw and be pessimistic, but a half a century on this
planet has taught me that any solution which relies on "doing the right thing"
(ethics) but does not have any rules, laws or other repercussion for abusing
it, then (some entity - person or company) will use your altruistic belief to
their own gain, ethics be damned.

Just Google "buy reddit upvotes" and the internet is full of folks who will
sell you a million Likes for cheap - in my mind, it's just a modern digital
con (confidence game) - some of y'all may remember having created self-signed
OpenSSL certs with the Snake Oil, Ltd company named in it. :) Even Wikipedia
has a page for "there's a sucker born every minute" it's so institutionalized.

~~~
buboard
There are trustless systems though, like bitcoin

Oh btw you can buy hn upvotes too :
[https://upvotes.club/buy/hacker-news-upvote/](https://upvotes.club/buy/hacker-news-upvote/)

~~~
lifeisstillgood
Wow, does that even work - I just assumed that HN was too small a community
for misbehaviour to be lost in the noise.

Would love to hear moderators' opinions on this?

~~~
dobleboble
Recently HN seems to have become more heavily targeted. I think bad actors
have realized the value of the community here. I am increasingly wary of
opening links to unfamiliar domains except in a sandbox environment.

~~~
jacquesm
This has been going on for quite some time. But the mod(s) do a more than
credible job at keeping up with the trash and identifying such behavior.

The bigger problem - in my opinion - is people submitting (unwittingly)
content cloned from elsewhere.

There is quite a bit of blogspam that makes it to the front page. Usually even
that is taken care of sooner rather than later but for every time it works
there is proof that it can work which will drive more people to try to get
away with it. We can all help with this issue: ensure that we submit content
from original sources and in case content from a cloned source is submitted
flag the article and point to the original.

~~~
nkurz
> in case content from a cloned source is submitted flag the article and point
> to the original

It sure would be nice if there was a way to add a comment to explain why one
has flagged an article, so the moderators don't have to guess why it was
flagged! As it is, I occasionally add an explanation in a comment or direct
email, but it always feels awkward.

------
throwaway8291
It's also the beauty of capitalism and the creation of new types of work, that
can provide value. For every like factory there is a fraud detection startup,
so everyone's a winner.

Never mind where the "problem" came from in the first place.

~~~
onreact
Yeah, create the problem and then provide the solution is one of the best
business models.

Climate change is also making people rich now due to this logic.

~~~
throwno
It is saving anyone from having to actually innovate. Remember when there was
a rush of "but on internet" patents and businesses? Well, now there's a bunch
of "but green this time" businesses. Not to say they aren't needed, but
redoing the last 100 years of tech isn't really moving us forward.

------
mattferderer
After listening to the video I have a hard time seeing the difference between
paying for likes vs paying for ads from an ethical stand point.

Instead of FB, etc getting ad money, that ad money is being spread out to many
others instead. It also seems like this might be more cost effective than ads.

I think I would consider this much more ethical than how Google puts the top
3-5 results as "ads" these days. Sometimes I question how long until I have to
go to Page 2 to get off the advertised results.

Note - In the above I'm only considering this practice being done by
legitimate places sharing fairly accurate or honest content. Such as a
business trying to promote a sale or a blog piece.

I would consider paid ads, paid likes, paid comments, etc., to be unethical if
the content they're supporting is false.

TLDR: What's the difference between paying Facebook/Google/etc for an ad vs
paying someone else to like your post? The 2nd seems like a better solution
for a majority of people.

~~~
nammi
People expect that companies pay for their ads to be presented. A big reason
for buying likes seems to be deceiving people into believing the posts aren't
ads. I'd say it's similar to "sponsored content" that doesn't disclose the
fact that it's sponsored

~~~
ryandrake
I think, at this point it is safe to assume that on any platform where
individual content can be promoted via a crowdsourced upvote, including star
ratings and "likes", much of what rises to the top is manipulated in some way,
often sponsored (paid for) by a commercial interest. This includes FB posts
and Amazon reviews, but also comments on reddit and even HN comments and
articles. I would love to see internal reports from these companies about what
% of each platform's accounts and/or activity they estimate to be automated,
botted, farmed, fraudulent, etc. but for obvious reasons nobody seems to be
willing to regularly publish this information!

~~~
vonmoltke
Not percentages, but actual numbers of reports and suspicious account
challenges:
[https://transparency.twitter.com/en/platform-manipulation.ht...](https://transparency.twitter.com/en/platform-manipulation.html)

~~~
ryandrake
I stand corrected. Great job, Twitter!

------
msoad
The 10 billion active accounts figure can not be right. As someone else
mentioned Facebook generates new ID for application users.

~~~
pkreissel
We don't use application level IDs for this but global IDs. These are unique
for users (at least we have no evidence otherwise).

