Last weekend, some Facebook users discovered what appeared to be the cloning of their accounts, often bearing their abridged name followed by numbers. The first groups who sounded the alarm were concerned that the targets were those posting antigovernment sentiments and opposing what critics describe as the railroaded “Anti-Terrorism Act.”
The dummy accounts have alarmed many, and rightly so. Identity theft online is a serious threat that could lead to further harm, ranging from scams and phishing to more serious breaches of personal (including financial) information.
More disturbingly, some victims claim that their duplicate accounts sent private messages threatening them for being government critics. Many have described the timing of the cyberattack and the backlash against the anti-terrorism bill as undeniably uncanny. But without an in-depth investigation and knowing the identity of the perpetrator, no connection can be made for sure.
Cloning is nothing new. Impersonation was applied to snail mail before the internet, then to email, and now to Facebook, according to Lito Averia of PH-CERT. Same tactic, different technology, evolving motive. But this is probably the first Facebook cloning of this scale and nature.
The Department of Information and Communications Technology has announced that it is coordinating with Facebook Philippines and working with its Cybersecurity Bureau and the National Privacy Commission. The Philippine National Police and the Department of Justice also launched their own investigations.
According to cybersecurity expert Pierre Tito Galla, “various methods, whether crude or relatively sophisticated, [could] have been used. It can range from manual creation using ‘garbage’ information… to the use of automated scripts, or even the use of commercial off-the-shelf software.”
With people willingly uploading personal information on Facebook, the job of bad actors is made easy. But is it a user problem or a design issue? Lawyer Cecile Soria, a data privacy expert, asks: “Why should Facebook require its users, most of whom only have a limited familiarity with the platform settings, to be the one to tweak the settings so that their privacy is protected? Why isn’t Facebook private—but visible among friends—by default?”
To prevent cloning, the Legal Network for Truthful Elections (Lente) is exploring the possibility of requiring online social platforms to adopt a know-your-customer (KYC) process, where users submit identification when creating an account or validate their identity for existing accounts. According to lawyer Ona Caritos of Lente, this can help remove troll accounts, bot accounts, and online criminals who take advantage of anonymity. However, Lente notes that the KYC should not transgress or violate the right to privacy.
But until Facebook makes any design and process changes, social media users must take steps to protect themselves. Bear in mind that the internet is like a “public town square” where, the court has ruled, one cannot expect complete privacy.
Make it difficult for bad actors to find vulnerabilities they can exploit. We can restrict who can search and view our Facebook profile and vet people we add as friends, even the Facebook groups they join. Similarly, we can manage our preferred privacy settings to minimize exposure.
Another security hotspot is the use of third-party apps and games hosted on Facebook or third-party platforms using Facebook log-ins. In the past, this has resulted in data breaches and cases where the third party used information without the user’s express consent.
The coming days and months may reveal the impact of this cloning scheme. Should we expect phishing and scams to follow? Or will we see fewer posts criticizing the administration? The former will affect the individual, the latter our democracy.
(With inputs from Grace Mirandilla-Santos, Liel Pascual, and William Yu)
Angelo Niño Gutierrez is a researcher for Secure Connections, a cybersecurity project of The Asia Foundation-Philippines. He is an advocate of reliable, affordable, and secure internet connectivity for all Filipinos. The views expressed in this article do not necessarily reflect the views of The Asia Foundation-Philippines.