Social networks irritate many of us at least part of the time, but they have their good points. While some networks have a habit of moving the security goalposts from time to time for the benefit of their real customers – i.e. those who are paying for upgrades from the free service, or to take advantage of marketing potential – they offer lots of opportunities for people to connect (or re-connect) with friends or colleagues, share information of local or specialist interest, show off selfies to an audience that won’t usually be too critical of blurriness and trees growing out of heads, and publish flash-heavy over-exposed views of the meal they just demolished. (OK, some types of post are more interesting than others…)

Of course, you need to be aware that you – or at any rate your purchasing habits and, on occasion, other activities and characteristics – are the commodity, not the customer, as we security drones are always anxious to remind you. But you also need to bear in mind that the details of day-to-day human contact can be magnified enormously for an online community, whether it’s an official group you belong to or your own contact list, and there are good and bad aspects to that. It’s certainly gratifying for many people to reach people across the globe with photographs of a new baby, for example, with a single post. On the other hand, if your dress sense is harshly criticized by someone in the same room, it’s possibly less humiliating than being flamed for your grammar or an alleged lack of intelligence in a group with 300,000 members.

If someone shares misinformation with you on the bus or in a bar, it may have relatively little impact on the community at large. But I’ve often described social media as the natural supplement to or even replacement of email as the hoaxer’s weapon of choice, and because the last thing social media are noted for is restricting the flow of information (or misinformation), they could well be described as a weapon of mass deception. It’s not that users are automatically gullible or stupid, though I often see comments on blog articles here that suggest that they are. In fact, we shouldn’t underestimate the potential of a social network as an educational tool.

Premium Rate Semi-Hoax

Every year at around this time, I see warnings like this about a scam intended to trick victims into calling a premium rate number.

"Can you circulate this around especially as Xmas is fast approaching - it has been confirmed by Royal Mail. The Trading Standards Office are making people aware of the following scam:

A card is posted through your door from a company called PDS (Parcel Delivery Service) suggesting that they were unable to deliver a parcel and that you need to contact them on 0906 6611911 (a Premium rate number).

DO NOT call this number, as this is a mail scam originating from Belize. If you call the number and you start to hear a recorded message you will already have been billed £315 for the phone call.

If you do receive a card with these details, then please contact Royal Mail Fraud on 020 7239 6655."

Snopes cites almost the same message but with a little extra that I can’t resist quoting:

Hi all just received this via a solicitors office so we know it's genuine. 

(Apologies to any of my lawyer friends who are offended by my finding this amusing. There will now be a short break while I try to remember whether I have any lawyer friends. If not, now might be the time when I need one.)

As Snopes points out, there is (or rather was in 2005) some truth in this, though the £315 phone bill is wildly exaggerated. According to Action Fraud, PhonepayPlus issued the following statement. The PhonepayPlus site shows a link to a statement, but the page it links to seems to have been moved or removed, else I’d have linked it directly. However, it sounds about as I remember it.

  • The chain email refers to a service (operating on 0906 6611911) that was shut down by PhonepayPlus (then ICSTIS) in December 2005.
  • PhonepayPlus subsequently fined the company that was operating the service, Studio Telecom (based in Belize), £10,000.
  • The service is NO LONGER running and has NOT been running since December 2005.
  • You do NOT need to contact PhonepayPlus, or the Royal Mail, about this service as it was stopped almost eight years ago.
  • If you receive a copy of the email warning you about the alleged scam, please do NOT forward it to others. Instead, please forward this statement from PhonepayPlus. 
  • If you receive a delivery card through your letterbox which you do not believe is genuine and which asks you to dial a premium rate number, you can contact PhonepayPlus on 0800 500 212 (Mon-Fri, 8am-6pm) for further guidance.

Shooting the Messenger

Because hoaxes became an obsession of mine long before I joined the security industry – an obsession with fighting them, that is, not creating them – I usually find myself pointing out that stuff like this is a hoax, despite the fact that I sometimes get bad-tempered responses from people who refuse to believe it. Recently, however, I saw an instance where the message above was posted to a Facebook group and got an immediate response from several people who recognized it as a hoax (long before I got to it). So sometimes the message does get through, and education does work (to an extent). While hoaxers are helped by the fact that when lots of people spread misinformation, this will be seen as somehow more corroborative than if only isolated instances are seen, it’s clear that people are likelier to believe that a hoax is a hoax if several of their friends say so, rather than one ‘so-called expert.’ (Takes a sardonic bow…)

However, it’s important to note that while this particular scam is no longer current, the principle on which it works is one that could be revived. Certainly there is no shortage of scams meant to trick the unwary into ringing premium rate numbers.

Nevertheless, old favourites do resurface that have little or no basis in fact. Since 2012 this image has regularly recirculated on Facebook.

Your Contract with Facebook

[Image: nativity hoax]

Of course, it isn’t usually conveniently tagged as a hoax: I inserted that text because it’s not unknown for people to look at something like this without reading further, so they may think that it’s genuine. But it certainly isn’t genuine, as you might guess from the number of times it gets reposted. Facebook does have a Statement of Rights and Responsibilities that ‘governs [its] … relationship with users and others who interact with Facebook.’ Snopes points out that one of these provisions is:

You will not post content that: is hate speech, threatening or pornographic; incites violence; or contains nudity or graphic or gratuitous violence.

In fact, there’s a great deal more to that Statement (and there are many good reasons for looking through it, as we’ll see in a minute), but there’s certainly no suggestion there that religious images are forbidden in their own right. It would, presumably, be another matter entirely if they fell into one of the categories of unacceptable content defined in that extract and other parts of the Statement (such as the one that mentions copyright infringement). Hoax-Slayer suggests that the hoax originates with attention-seeking individuals trying to boost their page stats.

Given how many subscribers Facebook actually has, it’s slightly odd that so many of them regard it with such suspicion, yet make such frequent use of it. Certainly, what you post to Facebook (including unequivocal Intellectual Property) is not entirely your own, as that Statement of Rights and Responsibilities makes perfectly clear. As a result many people have posted this disclaimer or a close variant in the belief that it will allow them more control over their content:

I do declare the following: on this day, [Month] [Day], [Year], in response to the new Facebook guidelines and under articles L.111, 112 and 113 of the code of intellectual property, I declare that my rights are attached to all my personal data, drawings, paintings, photos, texts etc... published on my profile. For commercial use of the foregoing my written consent is required at all times.
Those reading this text can copy it and paste it on their Facebook wall. This will allow them to place themselves under the protection of copyright.
By this release, I tell Facebook that it is strictly forbidden to disclose, copy, distribute, broadcast, or to take any other action against me on the basis of this profile and/or its contents. The actions mentioned above apply equally to employees, students, agents and/or other staff under the direction of Facebook.
The contents of my profile include private information. The violation of my privacy is punished by the law (UCC 1 1-308 - 308 1 -103 and the Rome Statute). Facebook is now an open capital entity.
All members are invited to post a notice of this kind, or if you prefer, you can copy and paste this version.
If you have not published this statement at least once, you will tacitly allow the use of elements such as your photos as well as the information contained in your profile update.

However, your agreement with Facebook is a contract, as is the case with other social media providers: you can’t use a unilateral statement like this to opt out of the contract stipulations you agreed with the company when you joined, as long as they’re conditions that Facebook can legally impose (or modify, if it chooses). You can try to negotiate a non-standard contract with a provider, but a service with hundreds of millions of subscribers isn’t likely to consider one-to-one contract variations, especially when it isn’t charging for the service it provides.

Continuing use of the service is conditional upon the user’s terms of service and the data use policy, and changes in Facebook’s legal status as an entity don’t in principle affect its rights to use its users’ information and content. Reproducing that disclaimer has no real legal force.

The good news is that those rights aren’t as comprehensive as has been suggested. Facebook put it like this, back in 2012.

Anyone who uses Facebook owns and controls the content and information they post, as stated in our terms. They control how that content and information is shared. That is our policy, and it always has been.

Though that 2012 page seems to have disappeared from the site, an earlier post still survives that expresses Facebook’s difficulty in reconciling conflicting user expectations:

Our philosophy is that people own their information and control who they share it with. When a person shares information on Facebook, they first need to grant Facebook a license to use that information so that we can show it to the other people they've asked us to share it with. Without this license, we couldn't help people share that information.

[…]

People want full ownership and control of their information so they can turn off access to it at any time. At the same time, people also want to be able to bring the information others have shared with them—like email addresses, phone numbers, photos and so on—to other services and grant those services access to those people's information. These two positions are at odds with each other.

More legalistically expressed, in its Statement of Rights and Responsibilities, the company states that:

…subject to your privacy and application settings: you grant us a non-exclusive, transferable, sub-licensable, royalty-free, worldwide licence to use any IP content that you post on or in connection with Facebook (IP Licence). This IP Licence ends when you delete your IP content or your account, unless your content has been shared with others and they have not deleted it.

The essence of the Facebook service is to facilitate on your behalf the sharing of the content you choose to share, subject to the control it allows you over where and to whom it is shared. That licence agreement is what Facebook deems necessary to enable it to provide that service. And it is an agreement: if you’re using the service, you’ve agreed to it, even if you haven’t read it. That’s how contractual obligation works. If your account (or the content) is deleted, the company relinquishes its right to it, though Facebook has stated that when it deletes your account, it doesn’t delete data that have been shared so that they could still be found on someone else’s account or even outside Facebook. Which is pretty much how Internet services work anyway. (For example, once I’ve sent email to you, I can, via my mail provider, delete it from my account but not from yours, let alone from the account of anyone you’ve shared it with.)

Pity the Poor Politician

If people find it hard to be fully sympathetic to social networks, they seem to find it even harder to raise some sympathy for politicians, in general. I have long thought that in a rational world, wanting to be a politician would automatically disqualify an aspiring representative of the people, or at least require comprehensive evaluation of his or her mental health. So I can understand that people are ready – especially in times of economic hardship – to expect the worst from their leaders. It doesn’t help when politicians are most often seen in public milking media opportunities and slagging off the opposition.

In the UK, a common group of memes analysed by The Spectator purports to demonstrate that most Members of Parliament only turn out in force for debates in the House of Commons to discuss their own salaries. But when social networks are used as a forum for political discussion, all is not always what it seems, for several reasons.

  • A snapshot of the chamber at a given moment in the course of a long-running debate may give a seriously misleading impression of how many MPs (and which MPs) participated overall.
  • Parliamentarians do a lot of work (no, honestly!) apart from attending debates: as Isobel Hardman’s article puts it:

When debates go on for several hours, MPs often pop in and out as they have other business going on at the same time. They may be in a select committee, meeting constituents, taking part in a Westminster Hall debate, running an all-party parliamentary group meeting, briefing journalists, plotting a rebellion with colleagues or working in their office.

  • There’s even an argument that how much MPs are paid is important, given the influence they have on the lives of the rest of us. I suppose. Though there are MPs I would actually pay to stay away from Westminster, if I could afford it. (Let’s not talk about expenses fiddling and ex gratia consultancy fees: I’m depressed enough as it is.) And in fact, MPs’ salaries are apparently now set by an independent body in any case. But that argument isn’t really relevant because…
  • …many of the photographs deployed to support this meme have been totally (and presumably deliberately) misrepresented. For instance, a photo showing a packed chamber (I’m talking about lots of MPs in the same room, not attempts to game the democratic process!) that is claimed to have been taken at a debate on MPs’ expenses or pay, actually shows Prime Minister’s Question Time. If you’ve ever seen Prime Minister’s Questions – characteristically a choice mixture of sycophancy, cheap insults across the floor, and general bad behaviour – you may think that’s no better than an expenses debate, but that’s a different discussion.

Conclusion

There’s a very simple moral to this article. Not everything you see on the Internet in general or social media in particular is gospel truth. Sometimes interesting or gratifying or controversial facts, posts and memes are complete fabrications. The fact that tens of thousands of people have ‘Liked’ an article doesn’t prove that it’s true. (Though it doesn’t prove that it isn’t, either.) The fact that one or more of your very intelligent and well-informed friends posted it isn’t conclusive proof that it’s accurate, either. Sometimes, very bright people fall for bogus messages because they want to believe them: for instance, because they fit with their political views, or offer some exciting gift, or refer to some threat that they don’t have the technical knowledge to recognize as improbable. Intelligence and omniscience are not synonyms. Sometimes, people just don’t care: they like the story the message tells too much to check it. A while ago on this blog I said:

E.M. Forster said something like "the confidence trick is the work of man, but the want-of-confidence trick is the work of the devil." The fact is, though, that a little paranoia can save a lot of heartache, and some very bad men rely on the gullibility of others.

I was talking about education as a countermeasure against social engineering in general, but a little scepticism goes a long way towards countering hoaxes, too. I suspect that the sort of extreme scepticism (or paranoia) that tends to characterize security researchers is something you either have or don’t have, but here are a couple of resources you might find interesting anyway.

  • Truth, Lies and the Internet, a Demos report referenced in the Spectator article, is focused on ‘young people’s digital fluency’, but many of the points made are highly relevant to the community in general.
  • Here’s an article by Maria Popova that summarizes Carl Sagan’s Baloney Detection Kit.

HT to Richi Jennings for drawing my attention to the Spectator article.

David “Of course, I could be lying about all this” Harley
ESET Senior Research Fellow