
Outrage over Facebook's Intrusive Forced Malware Scans

How does a company that once was the shining light of Silicon Valley transform itself into one that’s becoming despised and cast as a pariah, even by its original investors and employees? Through naivety, stubbornness, greed, and some really poor judgment. Facebook CEO Mark Zuckerberg is on the defensive, as rightly he should be. The company’s model was based on exchanging messages among friends using software algorithms that maximize engagement, a system that was supposed to essentially run mostly on autopilot.

Either Zuckerberg never assumed his model could be hijacked, or perhaps didn’t care, accepting the possibility as collateral damage. The mantra at Facebook was based on two words: “maximize engagement.” Each day they’d roll out new changes to the feed and look at engagement. If it went up, they’d make those changes permanent. If it went down, they’d try something else. But recently maximize engagement has become synonymous with maximize outrage and distortion.

And now, there’s a new controversy brewing. WIRED has just reported that Facebook has been blocking some of its customers from accessing their feeds. That’s because they’ve begun to require users to run a malware scan on their computer, tablet, or phone. While once optional, it’s now mandatory, and they decide when it should be done.

The scans are causing myriad problems, such as locking users out of their accounts, and they are affecting Facebook users all over the world. Not only is Facebook intruding on its users’ devices, but it’s doing so without informing users that it’s being done or telling them whose software it is using.

Mohammed Mannan, a security researcher at Concordia University, explained to WIRED, “An antivirus product can collect a lot of useful information from the user machine—telemetry data; beyond what Facebook gets through their website—and share it with Facebook. Facebook should make their agreements with antivirus partners public.”

One common complaint is that Facebook doesn’t ask users what type of device they’re on and often errs in detecting that information on its own. In some cases, it assumed the users were on Windows when they were using a Mac. For others, it required a scan when signing into the same Facebook account from one device but not from another. And sometimes the problem goes away if the user selects a different browser.

Apparently, based on postings in forums across the web, the problem has been around for several years, but what’s made it worse is that Facebook now mandates that the scans be done.

WIRED cited the example of a Facebook user who was completely locked out of her account on February 11. She received a message requesting that she download the Facebook malware scan software tool for Windows if she wanted to get back into her account. Unfortunately, she was using a Mac. “I could not actually run the software they were demanding I download and use,” she says. When she logged in from her work computer, the same thing occurred.

In response to this issue, Facebook spokesman Jay Nancarrow explained, “Our visibility into each account on a given device isn’t complete enough for us to checkpoint based only on the device, without factoring in whether the particular account is acting in a suspicious manner.”

I’m not sure exactly what that means, but if they can’t detect your device, how do they know it’s infected? The other issue is that providing access to antivirus software exposes nearly everything on your computer, far more than what an app generally does.

And it’s not even clear which virus scan software Facebook uses. WIRED pointed out to Nancarrow that Facebook’s posts don’t make it clear which software they use to do these scans. The companies Facebook works with have changed over the past three years, but the Facebook disclosures have never been updated. Nancarrow responded, “Thank you for bringing this to our attention. We will update our documentation to reflect the current set of companies.”

If Facebook has a legitimate need to run these scans, they should be much more transparent, explain what they are doing, and give you an opportunity to opt in or out, rather than just scanning your entire computer.

Of course, as one reader noted in an earlier column, “Why do people use this product?” That’s becoming more difficult to answer as we learn more about Facebook.