Anyone Can Take Down Facebook Pages with a Fake Email Address

Something strange has been happening to several popular Facebook pages in recent weeks: they’ve disappeared. According to the affected page owners, they’re victims of bogus DMCA claims. The DMCA, or Digital Millennium Copyright Act, is a piece of (arguably broken) legislation which allows copyright owners to protect their copyrighted works from infringement. Over the years, it’s been used to remove content from Google’s search index, from YouTube and Yahoo Video, and by entities like Major League Baseball, record labels, doctors who don’t like bad reviews, software companies, and many, many others, in opposition to what most would claim is “fair use” of such content.

But while the DMCA has a long history of misuse, or perhaps, heavy-handed use, the law itself is not the main concern here with these Facebook pages’ takedowns – it’s Facebook’s process for handling such complaints. Because the social network does not validate the identity of anyone submitting a DMCA takedown notice, nor does it check to see if the report was sent from a legitimate email address, anyone with an ax to grind can fill out a form with bogus information to see a Facebook Page disappear, sometimes for good.

Tech Blogs are Latest Victims

This has happened recently to several websites, including some which may be familiar to ReadWriteWeb readers: RedmondPie, Neowin and Ars Technica. We’ve come across others, too, like the Pakistan-based Rewriting Technology, for example, which proves that this is not just a U.S.-based problem. In many cases, the pages have been taken down multiple times.

Typically, the process for handling copyright infringement claims involves the copyright owner submitting a claim to the entity (in this case, Facebook) about the infringing content. The entity removes the content immediately and informs whoever posted the content that it has been removed and why. If this was a mistake, the person or organization who had posted the infringing content then has to contact the complaining party directly to resolve the issue. The hosting provider is not involved in resolving the dispute, and is protected by the safe harbor portion of the DMCA from being liable for having allowed the content to be uploaded in the first place.

This is Facebook’s general process as well. On the form it provides here (https://www.facebook.com/legal/copyright.php?noncopyright_notice=1), the copyright holder has to provide their name, mailing address, telephone, email and details of the infringement.

Facebook Does Not Verify Identity of Submitter, Not Even the Email

However, what Facebook does not do is verify whether or not any of that contact information is accurate. While doing so may be an administrative burden the network could not afford, it does not even take the simple step of verifying the reporter’s email address is valid.

Scam artists, as you may have guessed, have discovered this loophole. In one case, with Hamard Dar’s Rewriting Technology site, the page went down for over a month. Dar says he was targeted for money. “He wanted me to pay him…to get the page back,” he told us. Dar didn’t go for that option, however, because there was no guarantee the scammer would return the page once paid. Instead, Dar ran his own personal investigation until he discovered the person involved and pressured him to withdraw the complaint, saying he would otherwise report him to U.S. cyber crime enforcement (the scam artist lives in Chicago). The page was then returned.

Damage to Brand Reputation Concerning

In RedmondPie’s case, after its original Facebook page was disabled, leaving over 70,000 Facebook fans in the lurch, a new, fake RedmondPie Facebook page came online, promising its Facebook fans free iPads. Not only was this a loss on RedmondPie’s part, the resulting action greatly damaged the site’s brand reputation.

Facebook’s Statement

We asked Facebook about these situations and a spokesperson told us the company takes all IP claims seriously. It provided us with the following statement:

We want Facebook to be a place where people can share and discuss openly while respecting the rights of others. We take seriously both the interests of people who post content and those of rights holders. We work to ensure that we don’t take content down as a result of fraudulent notices. However, when a rights holder properly completes our notice form alleging intellectual property (IP) infringement, we will take appropriate action including removing or disabling access to the relevant content. When we do this, we notify the person who shared the content so he or she can take appropriate action, which may include contacting the reporting party or following up with Facebook.

Submitting an IP notice is no trivial matter. The forms in our Help Center require statements under penalty of perjury, and fraudulent claims are subject to legal process.

Facebook Could Do More

But Facebook isn’t doing enough to protect these victims, says Graham Cluley, a security researcher at Sophos, who has previous experience documenting Facebook scams. Facebook could set a higher bar for complainants to jump over, he said. For instance, they could confirm that the email address being used is “legitimate and contactable,” he suggested. Facebook could do this easily by replying to the email and asking the complainant to click on a link to prove they really did send the email, for example.

Facebook could also choose to insist that throwaway email addresses (e.g. Hotmail, Gmail, Yahoo, etc.) cannot be used for these sorts of complaints – that a domain name associated with the brand which claims to be breached is used instead, says Cluley. Or it could even request that these claims be sent in on headed letter paper via snail mail or fax.
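The two checks Cluley describes, sketched as an added example (this is not Facebook's code): a notice is rejected if it comes from a freemail address or from a domain other than the claimed brand's, and otherwise stays pending until the complainant clicks a signed, expiring confirmation link. The function names, the secret, the one-day expiry and the notice ID format are all assumptions made for illustration.

```python
import hashlib
import hmac
import time

SECRET = b"constructed-demo-key"   # assumption: server-side secret (placeholder value)
FREEMAIL = {"hotmail.com", "gmail.com", "yahoo.com"}  # providers named in the article
TOKEN_TTL = 24 * 3600              # assumption: confirmation link is valid for one day


def email_domain(email):
    """Return the lowercased domain part, or None if the address is malformed."""
    local, sep, domain = email.strip().rpartition("@")
    if not sep or not local or "." not in domain:
        return None
    return domain.lower()


def domain_acceptable(email, brand_domain):
    """Reject freemail senders; require the brand's own domain or a subdomain of it."""
    domain = email_domain(email)
    if domain is None or domain in FREEMAIL:
        return False
    brand = brand_domain.lower()
    return domain == brand or domain.endswith("." + brand)


def make_token(notice_id, email, now=None):
    """Token embedded in the confirmation link mailed to the complainant."""
    issued = int(time.time() if now is None else now)
    msg = f"{notice_id}|{email.lower()}|{issued}".encode()
    return f"{issued}." + hmac.new(SECRET, msg, hashlib.sha256).hexdigest()


def confirm(notice_id, email, token, now=None):
    """True only if the token was issued for this notice and address and is unexpired."""
    issued_str, sep, mac = token.partition(".")
    if not sep or not issued_str.isdecimal():
        return False
    msg = f"{notice_id}|{email.lower()}|{issued_str}".encode()
    expected = hmac.new(SECRET, msg, hashlib.sha256).hexdigest()
    current = time.time() if now is None else now
    fresh = current - int(issued_str) <= TOKEN_TTL
    return fresh and hmac.compare_digest(mac.encode(), expected.encode())


def intake(notice_id, email, brand_domain, token=None, now=None):
    """Return 'rejected', 'pending' or 'accepted' for a takedown notice."""
    if not domain_acceptable(email, brand_domain):
        return "rejected"
    if token is None or not confirm(notice_id, email, token, now):
        return "pending"   # take no action on the page until the link is clicked
    return "accepted"
```

Binding the token to both the notice ID and the address means a link confirmed for one complaint cannot be replayed to validate another.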

Dirk Knop, a Technical Editor at security firm Avira, agreed with Cluley, saying, “reacting blindly without verifying whether the sender of the complaint even really exists and uses an existing email address is not how it should be done.” He said Facebook needs to “react fast and correct this error.”

That said, neither Cluley, Knop, nor two other researchers at security firms we contacted were aware of this sort of fake takedown notice being used in scams or for spamming purposes, nor was it known to be a common cybercrime trend.

No Recourse for Page Owners Without Lawyers

But Ars Technica, which is now the most recent victim, notes this problem has been around for some time. Last year, for example, sex blogger Violet Blue’s Facebook page was taken down through similar fake claims.

To make matters worse, when the targeted individuals are public figures or small-time bloggers, without access to the legal counsel Facebook recommends they use to resolve the matter, they have almost no recourse in resolving the problem.

Here’s what a typical Facebook response to an innocent victim suggests:

While we appreciate your concerns, as we hope you can understand, we are not in a position to adjudicate disputes between third parties. When we receive an allegation of infringement, or a suitable report of a violation of our Statement of Rights and Responsibilities, our procedures require that we take action appropriate to the report. If you believe these reports are not being made in good faith or are inaccurate, we suggest you or your legal counsel contact the complaining party to discuss this further. If the reporting party withdraws their complaint or you prevail in court, we would be happy to follow up about restoring the removed material.

But when the complaining party is a ghost, page restoration is difficult, if not impossible.

We’ve seen several of these form emails from Facebook, and they seem to be automated responses, or, at best, form letters, despite being signed with a “real” Facebook employee’s name. In some cases, the form letter writer appears to have no knowledge of actions being taken by another Facebook employee, such as is the case when the victim “knows someone at Facebook” who is helping. This leads to even more confusion in what’s already a complex situation.

How to Protect Yourself

For what it’s worth, Dar says he found a workaround that allows legitimate page owners to protect themselves until Facebook’s policy changes: submit a claim against yourself. Once it’s taken down, ask Facebook for support in migrating your fans to a new page. When the migration is complete, you can use the new page safely. If anyone ever reports the page again, you can use your first complaint as proof that the page is yours. “I know it’s crazy,” he says. But it worked for him.

However, other sources say Facebook has stopped assisting in the migration of fans. There is no way for a page owner to manually migrate fans, either. In other words, this workaround may be iffy and ill-advised.

We asked Facebook why it didn’t validate email addresses, but the spokesperson never responded to that question directly.
