Fake accounts are not your friends!

October 3, 2022 Jonathan Care

By Jonathan Care

(A version of this article first appeared on Dark Reading.)

Introduction

From a certain perspective, growth in new accounts at any expense looks great, but if fake accounts get in that mix, they are not providing the value you (and your investors) need. If you are a social media platform striving for growth, they may seem like the answer to your prayers - something you can show investors and demonstrate your reach. And to the innocent end user, all those accounts that listen to music online or follow us on social media seem great. But the reality is that fake accounts are harmful, even before the truth comes to light. This is especially damaging when real human data, stolen and offered for sale on the dark web without the knowledge of the real human, is used by bots to create these fake accounts. And when they are exposed to sunlight, as the situation with Elon Musk's stalled acquisition of Twitter has shown, the effects can be unexpected and rampant, quickly taking on a life of their own. We're going to look at what fake accounts mean, why they exist, and what you can do to combat this pernicious adversary using Modern Defense.

Enter the Billionaire

With a measured IQ of 160 and an appetite for reading and learning a regular part of his weekly schedule, Elon Musk is smart. With a reported wealth of $219Bn, he's also one of the wealthiest people on the planet. He has many followers, and love him or hate him, no one can deny the impact he's made on the tech industry. It's also arguable that second-guessing his motives and actions is very much like my dog trying to work out what the significance is of my sitting at my desk drumming my fingers on the keyboard all day.

When I spoke with Tamer Hassan, CEO and co-founder and CEO of HUMAN Security, I asked him what he believes is the core challenge facing any investor looking at Twitter. "It's really all about the question, 'What would you do if you could look like a million humans?' The answer is a lot. Cybercriminals have proliferated sophisticated bots and spam accounts across social media platforms with limited accountability, and the combined result is diminished trust in the brand, a negative user experience, and a negative impact on the company's valuation and bottom line."

Twitter - the tragedy of the digital commons

Twitter is an increasingly rare internet resource. It is a common platform connecting humans all over the world and, with some rare exceptions, does not inhibit or censor free expression. As with most common goods, it is subject to overuse (the original "Tragedy of the commons" was people overusing grassy common land to graze their livestock). As anyone who has dipped a toe into the Twitter stream knows, the slew of tweets is overwhelming and impossible to keep up with. This is made worse because as well as all of the humans desperate to air their opinions, points of view, and excitable investment plans, there are The Bots.

Bots are part of much of our life nowadays. Those of us using Office365 are familiar with the coy daily email saying Hey, we aren't analyzing what you do or the content of your inbox, but here's some stuff to be aware of, and of course, on Twitter there are beneficial bots and harmful bots. Many bots watch for tweets that seem to relate to a particular subject (for example #cybersecurity), and then amplify those tweets to their audience. And of course, many will try and game these amplifiers, sometimes using bots of their own. And so the overgrazing continues.

No one should pay for false volume, including geniuses

The primary incoming revenue stream for social platforms is advertising, which of course is driven by how many interested eyes can be shown targeted ads that are likely to lead to conversion. It therefore follows that the value of any social platform is in the number of active users - whether it be a general-purpose networking platform such as Twitter, or a narrow - purpose use case such as music, or even accommodation rentals (inactive users are just sludge at the bottom of the well). But bots, while they may generate activity, defraud advertisers, and in fact can be seen as artificially inflating the user count. Elon Musk will have seen this problem very clearly and is understandably squeamish about paying for accounts that have zero (or even negative) lifetime value. When asked about what can be done, Hassan commented "Having the right protections in place (including transparency and regulation around the use of automation) to ensure they have a genuine view of human users on their platform can help brands establish greater credibility while also stopping cybercriminals from impacting their business".

Pulling out of an acquisition is high-impact - if it's even possible!

Elon Musk very publicly tried to withdraw from the acquisition, which has generated continuing legal ramifications that are likely to run and run. If we take Elon Musk's statements at face value, then the clear message is that bots and other fake accounts are bad business. But why is this true? If we look at the ways that future Twitter (or any social media platform) could make money, then clearly being a trustworthy source of curated identity that can be relied on by doctors, banks, governments and any other interested party (including peer-to-peer) would be a significant advantage.

Identity is the cornerstone of cyber security, despite some of the more wild-eyed "Zero Trust" advocates. It remains true that when an identity is successfully compromised, all of the other security controls will fold up and get out of the attacker's way. The opportunity for Twitter to provide an identity service based on its userbase is a significant one. It is clear, however, that if we cannot trust that the identities being asserted and corroborated by Twitter are genuine, then Twitter's usefulness in this area will always be limited. Twitter has felt that the cost of validating every account (and giving us all a little blue tick) is prohibitive, as the lifetime value of each Twitter account is very low.

HOW many bots did you say you had?

One of Elon Musk's stated concerns about his Twitter acquisition is that he has no certainty over how many of the platform's user base of 396.5 million are human. To add fuel to Twitter's bonfire of the vanities, its former CISO, Peter "Mudge" Zatko, has blown the whistle on poor operational security controls, non-existent software governance, and (yes you guessed it) inadequate user enrollment verification. In other words, no one knows how many users are bots, and what vulnerabilities exist in the platform that can be exploited by unfriendly groups (some of which are backed by nation states). A former Facebook security engineer pointed out that "Mudge has a decades long reputation of being highly ethical and one of the most respected practitioners in the cybersecurity community". When I asked if they believed Mudge's claims about foreign intelligence infiltration, they responded "I believe enough of it not to care about the rest." And this shows one of the problems that the cybersecurity profession has in communicating with executives. Robert Graham takes an opposing view in his "Errata Security" blog and talks about the difference in focus between a cybersecurity activist and a corporate executive. In his view, any executive has their primary objective as furthering the interest of the company and its shareholders, which does not correlate with the ideals of many cybersecurity activists. In his view, Mudge has allowed his passion for cybersecurity excellence to overwhelm his responsibilities as an executive. It is arguable however, that Mudge was hired because of his passion for excellence, and as history shows, an overwhelming passion in a particular area (such as Mozart's passion for music) tends to overwhelm other perspectives.

The difference is HUMAN

I'm sure that Twitter is well aware of this and has come to the same conclusion. It would make sense to them that a good use for some of Elon Musk's proposed investment would be to clean up the town square and correct the tragedy of the digital commons that we discussed earlier. My guess is that when Elon Musk and his team discovered this they freaked out, leading to the disintegration of the deal.

This is a great example of why identity is important, and in particular being able to prove that a particular identity is being operated by a human. HUMAN's unique reach across the ad-tech space coupled with its in-depth enterprise analytics are specifically designed to address this problem in a cost-effective way that is far less obtrusive than demanding each of your customers wave their passport in front of a handy camera. If we managed to turn Twitter into a place where free speech is valued precisely because the speakers are identified as human, then its value - to investors, the Twitter team, and most importantly, its constituent users - would be invaluable.

Previous Article
Bridging the Gap in Tech
Bridging the Gap in Tech

Why do we love the idea of working in tech? From reputations of good company culture and flexible w...

Next Article
Meet A Human: Maxence Duclos
Meet A Human: Maxence Duclos

At HUMAN, we believe everyone is a hacker. But even though we share a similar mindset and a common ...