Summary: Because of the current Security Policy or its implementation, Facebook was notified of this issue through responsible disclosure well in advance, but has not replied.

Problem Description: Facebook has claimed 845 million MAUs as of December 31, 2011 and 483 million daily active users (DAUs) on average in December 2011 in its filing with the SEC. In all the advertising campaigns by its executives, including Sheryl Sandberg in the Roadshow video, it has claimed these as real people and has given potential investors the impression that 845 million real people have accounts on FB. Further, it defines the MAU and DAU as just the user account count, and its identity policy as "we encourage you to be your true self online". Facebook does not enforce this strictly, and in the early days, even before this was called out, people did create multiple accounts. So this number includes real people's accounts, multiple accounts, ghost accounts, virtual people, game accounts and such. Hence this becomes a breach of trust where the management has willfully misled investors regarding its user penetration.

Details: There are a few compelling reasons for real people to have multiple accounts. Some of them are:

1. People like to keep separate personal and work profiles and manage them separately. Even my 13 year old nephew figured this out himself, and Google's Circles concept was provided exactly as a solution to this problem before FB allowed groups and lists.
2. Many people lead a fictional online life with a virtual identity which they love and promote, sometimes more than their real selves, because they are not restrained by physical constraints.
3. There is an incentive to create ghost accounts to cheat in online games, or even to get started in some very social games. The same applies to apps that depend too much on referrals.
4. People are afraid to voice their opinions strongly under their real identities where the government or other powerful gangs can trace them down. This also includes instances where the user plans to engage in conduct that will draw many abuse complaints against him, with the potential of FB locking him out.
5. Criminals who are really using the OSN for monetary gains, fraud schemes and to hunt victims.

We understand that among all these cases, only the category 5 accounts need to be terminated immediately. Right now the allegation is that FB manually investigates abuse reports. We do understand that with such a big user base it is not possible to investigate all accounts manually or in time, but it is possible to have a reasonable estimate of each of these categories. Facebook might already have this information and may have already developed a bunch of internal tools, or is capable of doing so using its 4,000-odd employees picked from the smartest on the planet. We do understand that FB aggressively grew its user base, and that DAU and MAU are good enough metrics to measure that growth. We also do understand that verifying real IDs is not only expensive but against FB's business interests, and would significantly reduce the growth rate if introduced at any point; we are not asking for anything like that. But it is reasonable for a potential investor or an advertiser to expect to know how many real people FB can actually reach. If you point him to your DAU numbers, that will be exaggerated, and only FB can examine the real data and disclose that. If the percentage of real accounts is pretty high, say above 95%, then you have nothing to fear. But if it is lower, like 50%-65%, FB will soon have some explaining to do in the next three years when the MAU reaches the number 2B, the consensus estimate of the number of Internet users on the planet. Even after you reach 100% penetration among all Internet users, FB's MAU numbers will continue to grow, and common sense will make people question this number that they have been conveniently neglecting so far. FB will have to restate the way it counts its users, and at that time any trial lawyer will be capable of bringing a class action lawsuit. Given the fact that FB has raked in so much cash, any jury will simply side with the plaintiff, and depending on where the price of the shares stands, FB might have to needlessly pay a huge penalty.

Suggested Solution:

While the estimate on the street is that 70% of these are real people, FB has not officially given out any statistics to the public. Just as FB has disclosed its financial numbers, I think it will be a good thing to be open about your security metrics and publish them to gain the confidence of the research community in particular, and of investors and users in general. We encourage FB to publish the estimated number of real people on its network, the number of accounts disabled, the number of cases of abuse reported, the number of identity thefts, the number of inactive users, the number of closed accounts and similar statistics. A few years ago Intel started cranking up its CPU clock speed and later realized that CPU speed in itself was not a sufficient metric for a processor's capability, and then changed its marketing strategy. Learning from that mistake, FB should make changes and not market the user account count as the real number of people on the network.

