The IT Nerd

Facebook is dismantling a significant and highly sophisticated disinformation network supporting the People’s Republic of China (PRC).

Meta, the parent company of Facebook, announced that it had identified connections between individuals linked to Chinese law enforcement and a long-standing yet largely ineffective pro-China “Spamouflage” influence campaign. “We assess that it’s the largest, though unsuccessful, and most prolific covert influence operation that we know of in the world today,” said Meta Global Threat Intelligence Lead Ben Nimmo.

In its quarterly security report, the social media giant disclosed that it had taken down approximately 7,700 Facebook accounts and numerous pages, groups, and Instagram accounts associated with this campaign. Some aspects of this operation had been active since 2018.

Meta said these fake accounts are managed from various regions within China, but they shared common digital infrastructure and followed apparent work schedules, including designated breaks for lunch and dinner based on Beijing time.

The campaign was active on more than 50 platforms and forums, including Facebook, Instagram, X (formerly Twitter), YouTube, TikTok, Reddit, Pinterest, Medium, Blogspot, LiveJournal, VKontakte, Vimeo, and dozens of additional smaller platforms and forums.

Jason Keirstead, VP of Collective Threat Defense, Cyware had this comment:

   “One of the ways in which social media companies could more effectively combat disinformation campaigns is through more effective collaboration and coordination, made possible by using frameworks such as those provided by the DISARM foundation (https://www.disarm.foundation/). Cybersecurity practitioners should be encouraging large social media companies to become more actively involved in the work of the foundation, and of the disinformation sharing standards it supports such as DAD-CDM (https://github.com/DAD-CDM). Development and support of these standards will allow government and industry to work together to combat disinformation campaigns more effectively.”

David Mitchell, Chief Technical Officer, HYAS:

   “China appears to be playing a PR campaign to shine their activities in a positive light, especially when it comes to Taiwan and human rights. While this campaign doesn’t appear to have made an impact, it shows that they are tuning their capabilities to mimic what the Russians have previously pulled off. 

   “Based on the ties to Chinese law enforcement, this also could be an op to target and identify ex-pats overseas that do not agree with their views — potentially to relay to the Chinese police stations discovered in US and other cities. 

   “Security personnel, whether executive level or operators, should pay attention to disinformation campaigns just as they would an attack campaign. Disinformation can target a company (Anheuser-Busch InBev) and the links may also include phishing or malware that employees may click on, if the targeted message fits their views.”

   “While it is fantastic that Meta is finally taking a proactive stance against disinformation campaigns, this problem is going to continue to get worse during geo-political strife and election seasons. Because these platforms do not verify the identity of accounts, nor charge for their services, they are rife for coordinated nation state abuse. Dealing with these campaigns will always be a global form of whack-a-mole and will not change until social media networks change how they are monetized & valued – just a few dollars per user per month significantly increases the barrier to entry for malicious actors.”

Every social media platform needs to step up and do more to combat this sort of disinformation. If Facebook/Meta can do this, there’s zero excuse for other platforms to not do so as well.

Meta’s Twitter killer Threads is now live in most parts of the world. I did think about getting a Threads account just to test it out and joining the 10 million or so users who apparently signed up in the last 10 hours or so. But I have to admit that I have thought twice about doing so and will avoid it like Superman avoids Kryptonite. Here’s why:

• Privacy: As I have mentioned before, Threads appears to be a privacy nightmare. So much so, that Threads didn’t launch in the EU as I am guessing that Meta didn’t want to get smacked by the EU. Given those facts, and Meta’s past behaviour, I would suggest that this is a key reason to avoid Threads.
• Threads was rushed to market: This isn’t a shock as Meta is clearly trying to get something out there to try and kill Twitter. 9to5Mac has a list of some of the notable omissions and failings of Threads. Including the fact that you can’t delete your account without deleting your Instagram account which I think may not an omission but a deliberate design decision. Some of the design issues may change over time, but clearly on top of Threads users being the product as is typical for any Meta product, they’re also beta testers.

There’s one other reason that I am avoiding Threads. We’ve kind of seen this sort of thing before with Google+. If you don’t remember Google+, this will help you to get up to speed. Google+ signed up millions of users very quickly in 2011, but was dead by 2019 as Facebook and other social networks became more popular that it. Thus Threads might be “the new hotness” at the moment. But it doesn’t mean that it will be “the new hotness” long term.

Having said all of that, Threads is a serious threat to Twitter and Elon Musk. And I am sure that Elon is very concerned as he’s shot himself in the foot so many times, it likely won’t take much for a Twitter competitor to come in and yank the rug out from under him. I just question if Threads is the one to do just that. And I most certainly won’t get an account to find out.

Earlier today, I posted this story about Meta’s Twitter competitor Threads launching tomorrow, and coming for your data. I said this in the story about Meta coming for your data:

n a way, I am not surprised. This is Meta we’re talking about. And this is a company that has a history of grabbing any and every piece of data that they can get their hands on so that they can make a buck off of it. But in a way I am surprised. Because with this now becoming public, this might actually make it hard for them to get sign ups for Threads. Sure existing Facebook and Instagram users won’t care. But for someone like me who doesn’t use Meta apps, there’s ZERO chance that I would ever sign up for Threads based on this. On top of that, Meta has been smacked down by people like the EU in cases like this or this so often that you would think that they would try not to do things that would draw attention to bad behaviour like the above.

Well, it seems that Meta is aware of the implications of trying to grab that much data in the EU. The Independent is reporting that Meta is not yet ready to have a European launch of threads:

Meta will not launch its new Twitter rival, Threads, in Ireland or the EU for the foreseeable future.

It is being released in the US and the UK on Thursday of this week as an alternative to Twitter.

A spokesperson for Ireland’s Data Protection Commission (DPC) said that the regulator had been in contact about the new service and that it would not be rolled out in the EU “at this point”.

However, it is understood that the DPC has not actively blocked the service. Instead, the tech giant has not yet prepared the service for a European launch outside the UK, which is not fully governed by GDPR or EU privacy rules.

Sources close to Meta said that the tech giant has refrained from rolling the service out in the EU because of what the company believes is a lack of clarity contained in the EU’s Digital Markets Act. Under the Act, companies such as Meta become “gatekeepers”, with restrictions on how they mingle users’ personal data. 

I think that tells you all you need to know about Threads. From Meta’s perspective, if they can’t get your data, they won’t enter a market. Because with Meta, you are the product if they’re offering something to you for free. It should also tell you that signing up to Threads may be a bad idea if you value your privacy.

Yesterday, I wrote about the fact that Meta was about to launch Threads which is a direct shot at Elon Musk’s Twitter. In that post, I said this:

To be frank, Twitter’s days have been numbered for some time. But Meta’s entry into this space may be the final nail in the coffin for Twitter. And what could make it very interesting is that rumours suggest that Threads will federate with Mastodon. Which could give it a lot more exposure and make it a viable alternative for users and advertisers.

Well, the app is about to become available tomorrow on the Apple App Store as evidenced by this screen shot:

But I would advise you to scroll down and read the not so fine print in terms of what data the app wants to have access to on your iPhone (and I assume that this applies to Android phones too):

So I have to ask. Why on God’s green Earth does a social networking app want to have access to my health & fitness data, my financial info, my purchases, browsing data, and sensitive info which is defined as follows:

Such as racial or ethnic data, sexual orientation, pregnancy or childbirth information, disability, religious or philosophical beliefs, trade union membership, political opinion, genetic information, or biometric data

In a way, I am not surprised. This is Meta we’re talking about. And this is a company that has a history of grabbing any and every piece of data that they can get their hands on so that they can make a buck off of it. But in a way I am surprised. Because with this now becoming public, this might actually make it hard for them to get sign ups for Threads. Sure existing Facebook and Instagram users won’t care. But for someone like me who doesn’t use Meta apps, there’s ZERO chance that I would ever sign up for Threads based on this. On top of that, Meta has been smacked down by people like the EU in cases like this or this so often that you would think that they would try not to do things that would draw attention to bad behaviour like the above.

I guess Mark Zuckerberg is using the logic of it’s only illegal if we get caught.

I was actually rooting for Threads to “end” Twitter. Not because I like Meta, but because I hate Twitter and Elon Musk. Now it still might “end” Twitter. But many people who may want to dump Twitter may think twice about joining Threads if they see what the app wants in terms of data.

UPDATE: Damir J Brescic, CISO, Inversion6 sent me this comment on Thread’s privacy issues:

The new Threads app is a messaging platform focused specifically on providing an environment for those who wish to communicate privately, such as friends and family, allowing them to share their locations with one another. However, there are still possible data privacy and cybersecurity risks that issues that I can see. An example of this would be that Threads does not encrypt messages providing an opportunity for hackers, and users are required to have a Facebook (Meta) account to use the platform.

Overall, the Threads app does not have a stated policy for informing its users about any security breaches, leading them vulnerable in the instance of an attack.  For the reasons denoted above, I would caution organizations to think carefully before allowing the use of the Threads app. I would recommend doing further research before downloading and using this app, to understand the possible impact and risk it could pose to your company from a data privacy standpoint.

Sometimes, I have to wonder if Meta who owns Facebook really wants to play by the rules as they seem to have the attitude that it’s only illegal if they get caught. Here’s an example of that. Apparently Meta has been shipping Facebook data that is tied to the EU to the US. The EU wasn’t thrilled about that and has lowered the boom on the company. Big time:

The European Union slapped Meta the privacy fine on Monday and ordered it to stop transferring user data across the Atlantic by October, the latest salvo in a decade-long case sparked by US cybersnooping fears. 

The penalty fine from Ireland’s Data Protection Commission  (DPC) after a three-year probe into the social media giant is the biggest since the EU’s strict data privacy regime took effect five years ago, surpassing Amazon’s $807million penalty in 2021 for data protection violations.

The DPC said that Meta had breached part of the European GDPR (General Data Protection Regulation) rules in the way that it had moved data of Facebook users across borders.

It ordered Meta Ireland to ‘suspend any future transfer of personal data to the US within the period of five months’ and also levied a record fine on the business ‘to sanction the infringement that was found to have occurred’.

That fine is far from trivial. Even for Meta. And this fine clearly this got their attention based on this response from the company:

Meta, which had previously warned that services for its users in Europe could be cut off, vowed to appeal and ask courts to immediately put the decision on hold.

‘There is no immediate disruption to Facebook in Europe,’ the company said.

‘This decision is flawed, unjustified and sets a dangerous precedent for the countless other companies transferring data between the EU and US,’ Nick Clegg, Meta’s president of global and affairs, and Chief Legal Officer Jennifer Newstead said in a statement.

‘We are … disappointed to have been singled out when using the same legal mechanism as thousands of other companies looking to provide services in Europe,’ the statement added. 

It continued: ‘We are pleased that the DPC also confirmed in its decision that there will be no suspension of the transfers or other action required of Meta, such as a requirement to delete EU data subjects’ data once the underlying conflict of law has been resolved.

‘No country has done more than the US to align with European rules via their latest reforms, while transfers continue largely unchallenged to countries such as China.’

That last sentence is a reference to TikTok by the way. And to make their case, Meta has put out a blog post to tell its side of the story. But here’s the core issue in my mind. Personal privacy is a human right. And Meta’s whole business model is based on the violation of users personal privacy. The company has no way to pivot away from that a they know it. Thus fines like these and demands that they change their business practices are threats to their business that they have to fight. That explains why you’re seeing such a strong response from Zuckerberg and company. And you can fully expect that if they fight back, the EU will find new and creative ways to twist the screws on Meta until they have to make a call about staying in the EU as there is zero chance that they will alter how they do business in the EU.

This will be interesting to watch.

I don’t normally cover WhatsApp, but this announcement is important. WhatsApp has announced several new security features, one of them they are calling “Device Verification” designed to combat account takeover (ATO) attacks.
 
“Device Verification” is intended to prevent malware from using stolen authentication keys to impersonate accounts. Attackers’ account-hijacking attempts will automatically be blocked by undetectable back-end checks using three new parameters:

1. A security token stored on the device,
2. A nonce used to identify if the client is connecting to retrieve a message from WhatsApp’s servers, and
3. An authentication challenge that will asynchronously ping the user’s device

Furthermore, “Account Protect” will act as a double-check when WhatsApp accounts are being linked to new devices, alerting users of unauthorized account transfer attempts.
 
Lastly, “Automatic Security Codes” is a new cryptographic security feature that uses key transparency and the Auditable Key Directory (AKD) to allow WhatsApp clients to validate user encryption keys automatically and to confirm if end-to-end encryption is enabled.

I have two comments on this. The first is from George McGregor, VP, Approov:

   “The announcement of integration of device verification into WhatsApp provides a clear message to the industry about the dangers of stolen authentication keys being used by cloned and copied mobile apps.

   “All mobile app developers should take steps to prevent keys being stolen and exploited and there are solutions which can make it easy to manage keys properly and implement device and app attestation at runtime.”

Willy Leichter, VP, Cyware follows up with this:

   “It’s encouraging to see applications like WhatsApp and other application vendors implement protection features for the host device – not just their internal application. WhatsApp seems to realize that hijacked accounts are bad for their business, and they need to deal with ATO attacks targeting user devices.”

I for one hope that this move by Meta will be copied by others as that will make us all safer. The bottom line is that this is a great idea that is long overdue.

News is filtering out that Facebook’s parent company Meta is planning to lay off thousands people. Keep in mind that Meta has already laid off thousands of people not too long ago, which means the following:

It’s uncommon for a company to conduct multiple rounds of layoffs, according to data from Crunchbase. Last year, around 9% of the 433 tech companies it tracked laid off workers more than once. 

That might be because it’s generally considered bad practice to do multiple rounds, said Kerry Sulkowicz, the managing principal of the Boswell Group, which advises CEOs and boards on people and culture issues. “Doing layoffs in dribs and drabs creates instability,” he told Insider. 

“When a CEO does this, it’s important to communicate that this is a difficult decision, and to the extent possible, to do it one fell swoop.”

One bout of layoffs can leave a dent in employee morale; a second round can be devastating. Surviving employees often mourn the loss of their colleagues and feel guilty they were spared. 

They’re also likely to feel extra nervous about their job security: Instead of focusing on the work at hand, they’re looking over their shoulders, which is not good for their productivity or sanity, said Sulkowicz.

“They’re constantly wondering, ‘Is there another round coming? Am I next?'”

If I were working for Meta, I’d be mass emailing my CV right now as one could argue that Meta is not a great place to work right now. The problem is what with the failure of SVB right now, it could be really difficult to find a safe landing spot. But you have to try I suppose as anything is better than the stress of wondering what the lifespan of your career at Meta is going to be.

First Donald Trump got his Twitter account back. And now Facebook and Instagram are doing the same thing:

Nick Clegg, president of global affairs at Meta, which owns Facebook and Instagram, said Trump’s accounts will be reinstated “in the coming weeks” and come with “new guardrails in place to deter repeat offenses.”

Those guardrails will include “heightened penalties for repeat offenses — penalties which will apply to other public figures whose accounts are reinstated from suspensions related to civil unrest under our updated protocol. In the event that Mr. Trump posts further violating content, the content will be removed and he will be suspended for between one month and two years, depending on the severity of the violation,” Clegg said on the company’s website.

A spokesperson for Trump did not immediately respond to a request for comment.

It will be interesting to see if whatever “guardrails” Meta has will actually moderate Trump’s behaviour. And that assumes that his agreement with his own social media platform Truth Social doesn’t get in the way of this. This might be interesting to watch and see how Trump plays this.

Meta is in trouble again and potentially having to cut a big cheque as a result. This time they got nailed by the EU for the following reasons:

A top European Union privacy regulator ruled that Meta Platforms Inc. can’t use its contracts with Facebook and Instagram users to justify sending them ads based on their online activity, delivering one of the bloc’s biggest blows yet to the digital advertising industry.

Meta, the parent of Instagram and Facebook, said it disagrees with the ruling and plans to appeal it. The ruling was announced Wednesday by Ireland’s Data Protection Commission.

The agency imposed fines of 390 million euros ($414 million) on Meta, saying that the company violated EU privacy laws by saying such ads are necessary to execute contracts with users.

Litigation could take years, but if the decisions are upheld, they could mean that Meta will have to allow users to opt out of ads that are based on how individual users interact with its own apps–something that could hurt one of its core businesses.

So why would Meta appeal this? Well it’s because ads are its business and anything that interferes with that is a 9-1-1 type of emergency. So they really have no choice. But this is the latest EU fine that Meta has been served with. You have to wonder how many more of these that Meta will get hit with before they alter how they do business. If they can actually alter how they do business.