People who have never done this before. To be good at something, you must first be bad at it. Although I'm smh considering Facebook resources.
"“If you run an ad mentioning a candidate, we are going to mail you a postcard and you will have to use that code to prove you are in the United States,” Harbath said at a weekend conference of the National Association of Secretaries of State, where executives from Twitter Inc and Alphabet Inc’s Google also spoke.
“It won’t solve everything,” Harbath said in a brief interview with Reuters following her remarks.
But sending codes through old-fashioned mail was the most effective method the tech company could come up with to prevent Russians and other bad actors from purchasing ads while posing as someone else, Harbath said."
Less postcards, more unraveling shell corporations using their corporate metadata. Authenticate political ad buyers using LexisNexis, IRS tax IDs/political org registrations, perhaps going so far as to implement KYC [1] controls and procedures. It's not going to scale, plan on hiring if this matters. Otherwise, this is going to be defeated with a UPS store mailbox.
"KYC controls typically include the following:
* Collection and analysis of basic identity information such as Identity documents (referred to in US regulations and practice as a "Customer Identification Program" or CIP)
* Name matching against lists of known parties (such as "politically exposed person" or PEP)
* Determination of the customer's risk in terms of propensity to commit money laundering, terrorist finance, or identity theft
* Creation of an expectation of a customer's transactional behavior
* Monitoring of a customer's transactions against expected behavior and recorded profile as well as that of the customer's peers"
Facebook is only going to turn money down as a last resort, either because the PC backlash is too intense or it's regulated by the government. I assure you, they're not at the point where they'll turn political ad money away.
I'm getting a suspicious feeling that this product (I'm calling it a product at this point rather than a mitigation as it seems like it's intended to enhance election ad buys rather than actually mitigate a particular risk) wasn't actually designed with Alex Stamos' team's involvement. Which somewhat surprises me considering it's essentially acting as a second-factor for authenticating your physical location.
Expanding on your point, the biggest risk I see with postcards rather than really plain security envelopes would be that savvy postal workers may become acquainted with what even ambiguous or anonymous-sender postcards would look like, enabling them to literally deny service (acting, again literally, as a web service DoS) to particular street addresses making election ad buys by suppressing delivery. With time-critical ad purchases just weeks or even potentially <7 days before election day, this would seem like a legal pandora's box, and even anonymizing postcards wouldn't sufficiently mitigate the risk of an employee blackballing a postcard with an exposed PIN or scratch-off on it that's heading e.g. to Koch HQ or MoveOn.org within weeks of election day.
I mean...... were foreign agents so obviously involved that they were buying election ads on foreign cards/wires with foreign billing addresses?
This honestly seems like it solves literally nothing. I'd be shocked to hear that foreign powers didn't already have e.g. diplomatic staff living in the US who were buying ads and listing their home or non-consular work addresses...
Actually, is there any indication that listing a consular address is prohibited? Because if not, then not only does this seem to not solve anything, it would in fact fail with certainty to solve anything at all, except maybe give the USPS some extra much-needed revenue.
There is a whole industry of companies that exist to give mail forwarding from a US address to foreign countries. They are mostly services used to buy stuff off ebay from sellers who won't ship outside the US due to higher chances of fraud.
A: open credit or debit card account (can be stolen ID)
B: choose e-statements
C: when card arrives, reshipper just relays the card data (number/expiration/code) via email or text
Nothing physical need be shipped overseas. As long as the account stays paid up, the genuine ID holder won't know without getting and carefully reading his credit report.
What you’re missing is that Facebook doesn’t really want to solve this problem — dollars from Russians are still green. They just want the news story to go away.
It’s not these ads in particular — it’s that culturally, Facebook believes that it should be able to sell whatever the hell ads it wants to whomever it pleases, and when someone questions that, Facebook’s instinctual response is “shut up please.”
Facebook absolutely wants to solve this problem. It harms their brand, they are attracting scores of negative media and worst of all every day of inaction gets them closer to media-style regulation.
And they are unquestionably making changes from News Feed algorithm updates to more rigid rules around buying ads to additional factor authentication in this case.
Facebook leans left AF, as do most places in the Bay (whether people like it or not) apart from special cases like Palantir. From the bottom to the top of the chain of command they are as upset as anyone that they were used to nudge things to the right.
They want the news story to go away, but they also want to stuff it all down Putin's throat, and Trump's as well. Russian trolls did not make up even a small percentage of their ad profits last year, I wouldn't assume they're protecting them in the name of a very small amount of money.
Sure but don't you need to be a US Resident in order to get those ?
Which means that if they were caught working on behalf of the Russians whilst on US soil then they would be looking at decades of jail time. Also at least there would be a physical, independent paper tail back to specific individuals.
IMHO Facebook should just ban all political advertising but baring that this isn't actually a bad idea.
But then the difficulty/cost shifts from basically zero to having to procure stolen identities as well as setting up PO Box/LLC.
And since Facebook is likely to be restricting numbers/types of ads per account this could definitely make it prohibitive for a wide spread assault on Facebook ad system.
Foreign entity engaging in this kind of action probably would not like to have a direct link from the campaign to their embassy or consulate.
There's ways to get a few fake addresses, but it gets more complicated if you want thousands. If you run spend significant amounts of money for campaigns and run through just few accounts your activities are easy to detect.
Does this apply to all countries or only the United States? Doesn't seem fair if American orgs are allowed to purchase ads to influence foreign elections.
Facebook, while registered in the United States is a truly global multi-national with a majority of the users based outside the US. Users and legislators from other countries would soon start demanding similar treatment to protect their own democratic process from foreign intelligence. So yeah fair treatment of all users is kind of expected if facebook hopes to legally operate in all those countries.
Richard Pinedo pleaded guilty to selling information and identities to foreigners who then used that to appear as someone(s) inside the US. I'm guessing folks like him will be happy to offer some mail related services as well. Although it would provide yet another link to possibly track someone down, if only after the fact...
This is D.O.A, because most of the Russians indicted were charged with identity theft. They stole US Ids / SSNs and made all their ad buys using US IDs.
Stolen IDs can be bought anywhere in the world and used online. A stolen ID linked to a PO Box means that someone went into a federal facility with stolen information.
It'll have to go to a residential / business address. I suspect that theses addresses and contact information will be provided to the FEC for double checking against internal DHS lists.
That's just a USPS example. Anybody can open up their own private mailbox center. At worst, you have to live with some address standardization software sticking a "Unit" in front of the number.
You can use a real address from a virtual mailbox providers like www.postscanmail.com where you can verify anything with a real US address and get your mails and packages also if you live abroad. Guess facebook would not mind that!
As an Australian who has never shown ID to vote in any local, state, or federal election, where do you live?
"In Australia, where voting is compulsory for all adult citizens, no form of ID is required to cast a ballot at an election; instead, voters are asked three questions before being issued a ballot, so that they can be checked off the electoral roll: (1) what is your full name; (2) where do you live; and (3) have you [voted in this election]"
> As an Australian who has never shown ID to vote in any local, state, or federal election, where do you live?
I showed my ID at a voting poll on the Central Coast NSW in the 2013 federal election and in the previous state election of WA when i voted i was asked to show a drivers license.
Send in my ballot by mail for all elections and sign it. Election fraud is a miniscule problem in the USA, there's probably a bigger problem with e-voting not counting the votes correctly with all the unauditable systems being used currently. The only people who claim the USA has a signficant voter fraud problem are trying to suppress turnout among minorities.
I'm sorry but what is your counterpoint? That you don't provide ID so voter fraud is not an issue?
This is kind of what i'm saying, that in a system where there is no ID checks, what stops fraud from occurring other than people stating "we haven't found it at a large scale at this time".
I live in Australia, why would i be interested in suppressing minority voters in the USA? I don't even get the chain of logic in claiming this. How does asking for ID when voting suppress minorities? Are minority citizen entitled to ID?
Suppressing minority voters is the reason it is called for in the United States. The only people who think it is widespread in the United States are members of right wing organizations and generally states that had to have the Voting Rights Act of 1965 (made to stop the suppression of minority voters) imposed upon them by the federal government.
The reason the type of voter fraud you are suggesting is rare is because it's not that effective at swinging an election and it's cheaper to buy a politician's vote legally in the USA.
It seems like they took a page out of Nextdoor.com's playbook. That's another social network that verifies identity by postcard. I haven't really seen this technique used elsewhere at scale.
State of California made me use mail for some tax related PIN, I think the Federal government did as well for verification of something to start my automatic tax deductions for self employment but it's been a while.
This is a good step, but more reforms are needed for political ads on Facebook.
One of the most glaring problems is dynamic ad pricing. Ads from different candidates can see wildly different prices based on how 'engaging' their ads are. In my mind this gives a clear advantage to incendiary, sensational, populist candidates. In some cases the difference in pricing between ads can be as much as 10X, based on how 'engaging' each ad is.
That's fundamentally unfair for someone running a clean, policy-driven campaign.
56 comments
[ 3.6 ms ] story [ 94.7 ms ] threadThey should also require the buyer take a photo saluting the American flag while eating a hamburger.
"“If you run an ad mentioning a candidate, we are going to mail you a postcard and you will have to use that code to prove you are in the United States,” Harbath said at a weekend conference of the National Association of Secretaries of State, where executives from Twitter Inc and Alphabet Inc’s Google also spoke.
“It won’t solve everything,” Harbath said in a brief interview with Reuters following her remarks.
But sending codes through old-fashioned mail was the most effective method the tech company could come up with to prevent Russians and other bad actors from purchasing ads while posing as someone else, Harbath said."
Less postcards, more unraveling shell corporations using their corporate metadata. Authenticate political ad buyers using LexisNexis, IRS tax IDs/political org registrations, perhaps going so far as to implement KYC [1] controls and procedures. It's not going to scale, plan on hiring if this matters. Otherwise, this is going to be defeated with a UPS store mailbox.
"KYC controls typically include the following:
* Collection and analysis of basic identity information such as Identity documents (referred to in US regulations and practice as a "Customer Identification Program" or CIP)
* Name matching against lists of known parties (such as "politically exposed person" or PEP)
* Determination of the customer's risk in terms of propensity to commit money laundering, terrorist finance, or identity theft
* Creation of an expectation of a customer's transactional behavior
* Monitoring of a customer's transactions against expected behavior and recorded profile as well as that of the customer's peers"
[1] https://en.wikipedia.org/wiki/Know_your_customer
Source: I work in risk management for a financial services firm.
Expanding on your point, the biggest risk I see with postcards rather than really plain security envelopes would be that savvy postal workers may become acquainted with what even ambiguous or anonymous-sender postcards would look like, enabling them to literally deny service (acting, again literally, as a web service DoS) to particular street addresses making election ad buys by suppressing delivery. With time-critical ad purchases just weeks or even potentially <7 days before election day, this would seem like a legal pandora's box, and even anonymizing postcards wouldn't sufficiently mitigate the risk of an employee blackballing a postcard with an exposed PIN or scratch-off on it that's heading e.g. to Koch HQ or MoveOn.org within weeks of election day.
This honestly seems like it solves literally nothing. I'd be shocked to hear that foreign powers didn't already have e.g. diplomatic staff living in the US who were buying ads and listing their home or non-consular work addresses...
Actually, is there any indication that listing a consular address is prohibited? Because if not, then not only does this seem to not solve anything, it would in fact fail with certainty to solve anything at all, except maybe give the USPS some extra much-needed revenue.
Seriously, what am I missing here?
Yes. I think I've heard an egregious story in late 2016 but can't find a reference.
For something less concrete, see RT's complaint against Twitter [1].
And a few other equally less-than-concrete report regarding Facebook[2] and others [3].
[1] https://www.theguardian.com/media/2017/oct/27/russias-rt-rev...
[2] https://www.theguardian.com/technology/2017/sep/06/facebook-...
[3] https://www.recode.net/2017/10/6/16419388/facebook-google-tw...
https://about.usps.com/forms/ps1583.pdf
And of course it is possible that Facebook simply won't post letters to them (there are only a few of them around).
Scenario:
A: open credit or debit card account (can be stolen ID)
B: choose e-statements
C: when card arrives, reshipper just relays the card data (number/expiration/code) via email or text
Nothing physical need be shipped overseas. As long as the account stays paid up, the genuine ID holder won't know without getting and carefully reading his credit report.
There's zero chance they're interested in the $2 million ad buy from Russian propaganda agents.
Facebook absolutely wants to solve this problem. It harms their brand, they are attracting scores of negative media and worst of all every day of inaction gets them closer to media-style regulation.
And they are unquestionably making changes from News Feed algorithm updates to more rigid rules around buying ads to additional factor authentication in this case.
They want the news story to go away, but they also want to stuff it all down Putin's throat, and Trump's as well. Russian trolls did not make up even a small percentage of their ad profits last year, I wouldn't assume they're protecting them in the name of a very small amount of money.
Which means that if they were caught working on behalf of the Russians whilst on US soil then they would be looking at decades of jail time. Also at least there would be a physical, independent paper tail back to specific individuals.
IMHO Facebook should just ban all political advertising but baring that this isn't actually a bad idea.
And since Facebook is likely to be restricting numbers/types of ads per account this could definitely make it prohibitive for a wide spread assault on Facebook ad system.
There's ways to get a few fake addresses, but it gets more complicated if you want thousands. If you run spend significant amounts of money for campaigns and run through just few accounts your activities are easy to detect.
https://arstechnica.com/tech-policy/2018/02/mueller-flips-am...
Source: Russia’s troll identities were more sophisticated than anyone thought => https://www.theverge.com/2018/2/16/17021684/facebook-twitter...
The UPS Store chain used to be called "Mailboxes, Etc."
That's actually a PO Box. (Replace 666 with a real number) Do you think Facebook would care?
As an Australian i just find this refusal to do this as bonkers considering we have a much lesser issue when it comes to election fraud.
"In Australia, where voting is compulsory for all adult citizens, no form of ID is required to cast a ballot at an election; instead, voters are asked three questions before being issued a ballot, so that they can be checked off the electoral roll: (1) what is your full name; (2) where do you live; and (3) have you [voted in this election]"
- Wikipedia
I showed my ID at a voting poll on the Central Coast NSW in the 2013 federal election and in the previous state election of WA when i voted i was asked to show a drivers license.
That said there is zero evidence that illegal immigration correlates with increased election fraud.
A lack of evidence about correlation doesn't mean it can't be true.
Also your claim necessarily cannot be true unless there has never been a case of an illegal immigrant illegally voting, which there are.
Because now I can say that with 0 illegal immigrants, you will have 0 illegal voters.
This is kind of what i'm saying, that in a system where there is no ID checks, what stops fraud from occurring other than people stating "we haven't found it at a large scale at this time".
I live in Australia, why would i be interested in suppressing minority voters in the USA? I don't even get the chain of logic in claiming this. How does asking for ID when voting suppress minorities? Are minority citizen entitled to ID?
The reason the type of voter fraud you are suggesting is rare is because it's not that effective at swinging an election and it's cheaper to buy a politician's vote legally in the USA.
https://www.nytimes.com/2014/06/11/upshot/vote-fraud-is-rare...
* https://www.brennancenter.org/analysis/debunking-voter-fraud...
* https://www.nytimes.com/2016/12/18/us/voter-fraud.html
* https://www.washingtonpost.com/news/wonk/wp/2017/01/25/here-...
One of the most glaring problems is dynamic ad pricing. Ads from different candidates can see wildly different prices based on how 'engaging' their ads are. In my mind this gives a clear advantage to incendiary, sensational, populist candidates. In some cases the difference in pricing between ads can be as much as 10X, based on how 'engaging' each ad is.
That's fundamentally unfair for someone running a clean, policy-driven campaign.