Investigative Opinion

Facebook Identity Theft Reporting is Broken

At a time when online identity is often equal to Facebook or Google sign-in (hi, Medium!), a recent case shows that Facebook is handling at least some claims of identity theft in an entirely wrong way.

Serge Versille
Published in HackerNoon.com
Jan 8, 2018


TL;DR: despite clear proof and several terms violations that would have been enough to suspend an account, Facebook did not act on multiple and repeated reports of an account impersonating someone else, and failed to take any effective action. It all seems to indicate serious flaws in their decision algorithm / internal rules for this, as only canned answers were received and no human was involved so far. This is day 3 without a solution in sight.

I witnessed the following over the weekend. A friend was warned by her contacts that an account using her full name and picture was sending contact requests to a number of people in her network, with a focus on her colleagues. She works in the social sector, in youth welfare, and is therefore always very careful to lock down what little she shares. She doesn’t use her full name on her profile, but instead first name + middle name (real ones). She doesn’t want kids she works with to be able to dig up personal information on her, nor does she want parents who may be disgruntled to be able to target her through Facebook or through her friends.

It was therefore no surprise when the initial attempts at impersonating her targeted her colleagues, a couple of whom had added the fraudulent account by the time this impersonation was discovered. After it was, she proceeded to warn friends and family, as well as colleagues, that there was an account that pretended to be her.

She then reported the fraudulent account to Facebook, using the dedicated Facebook channel for this. About 10 friends also reported the account as fraudulent, using this same dedicated channel, i.e. going to the fraudulent account’s profile page, finding the right category in which to report it, and sending their report in.

She received notifications that her friends were reporting this account as impersonating her. The answers from Facebook over the last couple of days were, to say the least, underwhelming.

Screens of the reports. The astute observer will see 3 different languages, that’s the beauty of the modern EU friendships for you, and more seriously the highlighted German bit actually says that “we have checked the profile (..) and came to the conclusion it is not pretending to be you”.

Not only did these responses stay very much in the canned variety, meaning that there is very little chance a human being actually took the 10 necessary seconds to see that yes indeed, there was an impersonation going on, but the case was then closed, with no possibility for the person whose identity is being stolen to appeal. Meanwhile, the damage continues (time is of the essence here), with the impersonating account trying to insinuate itself into the work network of the legitimate account.

Missing such an obvious impersonation doesn’t bode well for anyone facing a similar problem on Facebook, and the suggestions accompanying the rejection of the report are downright surrealistic: blocking the account or hiding its publications, far from solving the identity theft problem, would actually remove the ability of the person whose identity is being fraudulently used to see what is happening.

One could assume that an algorithm could weigh the chance that 10+ accounts that have been active for years in a network may actually be trusted over a new account that is blatantly displaying the picture of an existing member of said network.

One could assume that Facebook’s commitment to “Keeping your account and personal information secure” is actually taken seriously, this instance demonstrating that it is far from being the case. Mind you, this appears not to be a human error but something systemic, which makes its implications much wider ranging than any given personal case.

A screen grab from Facebook’s community standards, which, according to the exchanges above, were being respected by the impersonating account.

Impersonating someone also goes against at least 3 articles of the Facebook terms of use, namely 3.9, 4.1 and 5.1. Violating a single one of these articles should be enough to get an account closed, and should certainly not be ignored by Facebook itself in its responses.

As of Monday 3pm GMT, Facebook is unresponsive despite repeated reports through its dedicated channels, tweets explaining the problem, and attempts to appeal the erroneous determination that was made over the weekend. The problem persists.

If someone at Facebook is reading this at some point, please:

  • address the overarching identity theft report management policies, which seem severely flawed if they can miss such an obvious case
  • handle this case properly — you will notice a case number in one of the screens above, please put it to good use
