Facebook Will Verify the Physical Location of Ad Buyers with Paper Postcards

It's not a great solution, but it's something:

The process of using postcards containing a specific code will be required for advertising that mentions a specific candidate running for a federal office, Katie Harbath, Facebook's global director of policy programs, said. The requirement will not apply to issue-based political ads, she said.

"If you run an ad mentioning a candidate, we are going to mail you a postcard and you will have to use that code to prove you are in the United States," Harbath said at a weekend conference of the National Association of Secretaries of State, where executives from Twitter Inc and Alphabet Inc's Google also spoke.

"It won't solve everything," Harbath said in a brief interview with Reuters following her remarks.

But sending codes through old-fashioned mail was the most effective method the tech company could come up with to prevent Russians and other bad actors from purchasing ads while posing as someone else, Harbath said.

It does mean a several-days delay between purchasing an ad and seeing it run.

Posted on February 20, 2018 at 6:34 AM • 61 Comments


Christoffer • February 20, 2018 6:47 AM

Won't this just mean that one person in the US will be the "front guy" for a lot of Russian ads?

mike acker • February 20, 2018 6:48 AM


one of the biggest players in the industry concedes they can't do computer security

the proper management of PGP/GPG keys is not easy. to date I've not seen an easy solution offered: participants have to roll up their sleeves and get to it.

there are four "myths of security" listed on HelpNetSecurity this morning. the biggest one is No.5 which is that someone is going to give you security. ain't happening.

Uthor • February 20, 2018 7:24 AM

Yeah, getting a random person to be a front seems like an obvious and easy workaround. Just post a Craigslist or Task Rabbit ad.

David Rudling • February 20, 2018 7:27 AM

Seems a robust enough form of multifactor authentication despite the embarrassing technology failure it highlights. Should we expect to see more of this level of technology reversion in cases where security takes precedence over urgency? I can think of several online activities where the delay would be worth the extra security of this form of "token" being part of the authentication process. I now await the roars of outrage from those enthusiasts for whom cyber-technology has to be seen to be superior to realism whatever the cost.

jbmartin6 • February 20, 2018 7:34 AM

Just because there is a way around a single control does not mean it has no value. In this case, you are forcing ad buyers to leave a bit more of a trail, and in the US where it is easier to follow up on. No, it isn't perfect nor foolproof. It does exactly what it was supposed to do, raise the bar a little.

Nix • February 20, 2018 7:45 AM

You don't even need a front. Sending a postcard only proves you are temporarily present within the borders of the USA. You need not be a voter or a US citizen: you could perfectly well be (say) a random member of Russia's Internet Research Agency.

marvin • February 20, 2018 8:25 AM

What about a Mexican billionaire who owns a controlling interest in the New York Times and went all out to prop up the "other" candidate? Does that count as meddling? No? This is a San Francisco psychosis that is spreading. So be sure to send the Mexican billionaire a postcard.

What a joke.

Scissors • February 20, 2018 8:25 AM

@Bruce or @Moderator,
Looks like the article's HTML is broken.
Anyone else note that this second form of authentication is sent plain-text and in the open? NIST has encouraged not using SMS for 2FA for pretty much those same reasons, and if anything postcards are easier to intercept than SMS. For advertising, this might work fine, but I sure hope people think good and hard before they use this approach for more important functions.
@Bruce and @Moderator again,
Thank you so much for the time and effort put into this blog. The selection of material that's blogged about is exceptional, and you do a good job of keeping comment toxicity to a tolerable level (which is a feat in and of itself). I appreciate it.

marvin • February 20, 2018 8:57 AM

Is preventing global nuclear war a security issue? Or just sending postcards to verify residence of advertisers? Way back in 2015 there were a series of interviews with Russian officials in which they disclosed fear that if the "other" candidate became president within six months there would be all out war between the US and Russia. This was according to them, based on experiences they had had. I don't think any of us have any idea of what has happened. All you have is garbage pop media and the echo chamber of elitists. The whole issue about stopping Russian meddling in US politics is the tip of the iceberg. Of course they went all out and they didn't care if they were discovered. Ask yourself why the Russians were scared to death. Just be sure to put on your full-face mask because you will get splattered by San Francisco phlegm.

Paulo Marques • February 20, 2018 8:59 AM

So, all a foreign government has to do extra is bribe/blackmail/threaten a postman in California wherever all postcards go through. Yeah, that's tough.

Harimad • February 20, 2018 9:11 AM

Dayam, that's about the most useless bit of security I've heard of in a long time. Obvious response is one or both of the below:

1) The Russians hire someone State-side to receive the postcard and call it in, or call the Russians to call it in.

2) The Russians shift to issue ads.

Trebla • February 20, 2018 9:27 AM

Almost all nation states already have people inside the United States, they are called diplomats. And the diplomats have connections to other people from the same states living inside the United States. This won't stop nation states. It might stop kids that buy ads for pranks (is that a thing?) but it won't stop much more. And even kids can connect to people living in the United States through online games and such.

Will Hannahs • February 20, 2018 9:34 AM

I've been wondering when Facebook and other sites would start doing this to verify all users; rather than just sending an email to verify a new user, send a letter to a physical address. Not just a postcard, but an actual letter that would require a posted, perhaps certified, response.

Kind of weird FB didn't do this earlier. I mean wasn't their ability to verify user identities due to their school connection provide them a competitive advantage on MySpace?

Tatütata • February 20, 2018 10:07 AM

The German postal service has a service called "PostID". Even though the link labels this service as "new", it has been around for a decade or so.

In a nutshell: Online providers can contract the Post Office to perform a check of your documents.


You open a bank account online, and provide your details. The bank then asks you to go in person to the next branch of the Deutsche Post, where you would usually show your national German ID card, which carries your current address. The bank would then be informed electronically, and the procedure completed.

Foreigners like me would show some documents like their passport and their "Anmeldebestätigung", a document stamped by the residence registration authority. It's interesting how much trust and respect a well-worn scrap of recycled paper carried for years in your pocket can get in that country.

Most of the procedure occurs electronically, except the trip to the post office, so things can go quite fast.

I'm not sure how well the service will fare in the future when most branches will be either closed and/or subcontracted.

They have other variants using videochats and "Handy's" [sic, that's a "mobile" in English].

I don't think this can be transposed to places like the UK or the US, which don't have ID cards. The US is more interested in making sure to make things as complicated as possible for voting, and as easy as possible to deport you...

Howard • February 20, 2018 10:59 AM

Security theater at its finest. As several commenters have pointed out, this will prevent nothing, but lets Facebook give the appearance of "doing something" ...

In the meantime, foreign meddling in elections - a time honored tradition for millennia - will continue unabated.

Matt from CT • February 20, 2018 11:35 AM

>What about a Mexican billionaire who owns a controlling
>interest in the New York Times

He may own a lot of the Class A shares that represent the majority of equity in the Times.

The Sulzberger family owns the Class B shares that control 70% of the voting rights.

Carlos Slim would have had stronger leverage over the Times when he was a lender and not an owner. Lenders can force a bankruptcy which would break the control of Class B shares.

Griffin3 • February 20, 2018 1:20 PM

I had a mailing service once, they sent you images of all your mail, you chose the one you wanted opened, they opened and scanned it for $0.30/page. I think it started at $10/month. It was intended for people living in mobile homes to receive their mail in a timely manner, but sounds like it would defeat this security theater without breaking a sweat.

albert • February 20, 2018 1:22 PM

Here we go again!

"...It's not a great solution,..."

It's a solution in search of a problem.

Assuming, for the sake of argument, that the Russians have -any- influence at all in US politics, why don't we just improve -our- propaganda?

Since everything here is so great and terrific, it should be a simple task, shouldn't it?

Why do private entities need to censor users? What are they afraid of? Is it really the Russians? Or is something else going on?

. .. . .. --- ....

Bear • February 20, 2018 1:33 PM

More effective than you'd first think.

First, it requires a US address. The reason the "remailer" solution doesn't immediately negate this is because it requires a lot of *different* US addresses if you're going to pretend to be a lot of different people. Every address is resources - place, personnel - that you're going to have to be ready to lose control of or relocate on a moment's notice. It makes the operation of pretending to be a grassroots movement expensive.

Second, it's a postcard. Yes, 2FA sent in the clear. This is done specifically for the convenience of the intended eavesdropper, because it's sent through a USG channel that photographs the outside of every piece of mail, and with a postcard the outside is everything. The instant something goes agley, the USG knows exactly where the specific code that enabled the ad they object to was sent. Facebook gets complete deniability, because they don't have any USG subpoenas or disclosure letters to deal with. USG has complete access to the information, without any possibility that Facebook will withhold it, stall, encrypt, stonewall, or get sued by privacy activists in a way that prevents them from complying. USG also has complete discretion in that neither Facebook nor anybody else knows WHICH postcards it's investigating at any moment. This is 100% deliberate.

Third, statutes for mail fraud are in place and have strong precedent, with the jurisdiction and powers of federal inspectors and investigators looking into mail fraud cases cutting across a surprising slice of places and activities involving mail. Even for the FBI, and even on espionage cases, involving mail fraud charges can cut a lot of red tape in terms of getting investigative powers granted and charges filed. Even better from their POV, involving mail fraud charges can get a lot of investigative powers granted and charges filed even BEFORE THEY CHOOSE TO MENTION words like 'espionage' and 'foreign agent' and 'conspiracy against the united states' and so on.

Y'all don't have to like it, Y'all don't have to believe in it, it doesn't have to map to what you think good computer security would be. It's smart and it gives them quite a bit of leverage to move to old-fashioned ground-based investigation with the goal of arresting people.

hmm • February 20, 2018 1:45 PM

@ Albert

Or you could just stop being an apologist for propaganda efforts and subterfuge generally?
You equate all media with propaganda because you aren't critically evaluating any of it.

It's not the fact that Russia put out false stories that is the big deal. It's that the sitting Republican candidate and now "statesman" (I know..) endorsed that effort, held it up as believable for his moronic followers, pushed known lies that aligned with the propaganda effort, did everything in his power to discredit factual reporting or evidence-based investigations into it, and ultimately is beholden to that effort both financially and politically.

"it should be a simple task" - Yet Fox News finds it a massive endeavor.

"Why do private entities need to censor users?"

- Why do proven troll-farm liarbots continue to try to influence factual reporting, you mean?
A: Because they're paid to undermine that private entity by another one.

Just because you see "nothing wrong" with known-from-inception-false information presented as factual reporting despite all fact-checking that destroys it instantly, that doesn't really prove you're seeing better than everyone else in the effort.

It's not the propaganda, it's your support of it KNOWING that it IS propaganda.

What are you, Goebbel's butler? Who supports that?

Brad Templeton • February 20, 2018 1:56 PM

This could actually be a good market for ATM machines. They are everywhere, they are secure, they have video cameras watching every transaction.

If a company needed to do "proof of geography" with a party, the party could be given a code on their computer. Take the code and find a compatible ATM machine, and enter the code on its keypad and smile for the camera.

If you want to verify physical ID cards like a driver's licence, the machine might be able to read that but it could certainly be able to video as you hold it up to the camera. The ATM company would charge the company needing verification.

On the other hand, I am not sure I like making it this easy to identify yourself, as more people will start demanding it when they don't need it so much.

Of course ATMs can also read and verify credit cards if you want proof of physical possession of one, including CHIP cards.

Or wait for the postcard if you are not in a hurry.

peter • February 20, 2018 3:44 PM

as @paul said... the USPS supports a feature called "informed delivery"... if this is truly a "postcard" and the "secret" number is printed on the outside of the card... then it's pointless... criminals just need to register on usps.com on behalf of someone in the usa, presto, they can see the code from anywhere in the world...

V • February 20, 2018 4:42 PM

I get spam emails promising $$$ to forward packages. If you can get suckers to be money mules you sure can get them to be password-on-a-postcard mules.

Martin • February 20, 2018 4:47 PM

Upon hearing this news I'm betting Vladimir Putin said, "Damn, now what do we do?" If Facebook can't authenticate advertising accounts then they should NOT accept political ads. This postcard approach is total nonsense and completely unreliable.

65535 • February 20, 2018 7:03 PM

Facebook will use postcards with a code to verify users for advertising purposes? As other posters have noted this is a step back in technology or a technology failure.

Given the Mail Cover Act enforced in the USA I could see where this postcard and its photocopy image to be of great benefit to the government. If Facebook prints the pin or code on a postcard that code could be copied also. This is not exactly a good thing. The government could know the pin and collect information on Facebook users in a way that was never intended.

Next, is how this postal card with pin will interact with the GDPR being put into EU law. It may violate parts of said law. This assumes the GDPR law will be enacted as currently proposed.


GMcK • February 20, 2018 7:13 PM

With better lawyering than the Reuters article describes, they could make a much stronger case when the inevitable abuse attempts occur. Mailing a one-time code to a US address, which could be a remailing service to an offshore location at least gets a location that can be raided by the police or FBI to obtain further evidence. It's not much, but it's a start.

With a postcard from Facebook, assertions that the ads are from US sources not illegal foreign sources are dependent on the laws concerning click-thru contracts, which haven't been rigorously tested.

If Facebook could obtain a return postcard containing an assertion that the online terms of use have been complied with, then violations of the TOU would trigger mail fraud considerations, which have hundreds of years of legal precedents behind them.

Warren • February 20, 2018 7:42 PM

Who cares who buys ads for what?

Honestly - let anyone and everyone buy them. It's the only way Facebook (or most online services) make any money.

zer0dayd0ll • February 20, 2018 9:03 PM

Someone else will offer more assurance than Facebook without the inconveniences and delays for the same service. Those will get the business. Facebook will lose.
Flaws will be found in the process generating the codes. Those will bypass mail altogether...
Another failed control on the sight...
Oh, sigh...

hmm • February 20, 2018 11:06 PM

"Foreign spending on US political campaigns is banned by campaign finance law."

To the extent that they audit all superPACs, 501c4 et al.

hmm • February 20, 2018 11:23 PM


Remember when "international law" was a thing?

Neither does Henry Kissinger, still around.

Alejandro • February 20, 2018 11:55 PM

Using USPS is a slick way of bringing federal law enforcement into the game with, for example, potential charges of mail fraud and obstruction of justice.

Also, post cards sounds like LEO has involved himself altogether.

Nonetheless, Citizens United et al might suggest fake ads by foreign agents are free speech, too.

Denton Scratch • February 21, 2018 3:01 AM

@65535: "This assumes the GDPR law will be enacted as currently proposed"

The GDPR regulation has already "been enacted". It is not a proposal. It is an EU regulation; that is, it is a decree of the EU Commission that automatically has the force of law in all member states. Unlike EU Directives, member states are not expected to frame their own legislation in compliance with the terms of the directive; the regulation states exactly the terms of the law that is to be enforced.

It becomes enforcible 25th May, in its current form. There will be no further debate.

65535 • February 21, 2018 8:01 AM

@ Denton Scratch [dent and scratch is a nice play on words]

“It becomes enforcible 25th May, in its current form. There will be no further debate.”

That is a difference without a distinction. And no further debate doesn’t mean no further administrative changes.

In the USA politicians frequently stuff changes into law, either wording changes or administrative changes, at the stroke of midnight during a weekend or holiday before enforcement goes into effect. I would guess that is possible in the EU. Thus, a little caution is in order. I have to put a qualifier statement because all of actual administrative details that have not been complete before the enforcement is in place.

Take a look at the Whois issue brought to the surface by Brian Krebs. The Whois organization is proposing nuts and bolts changes to domain registration procedure for privacy in the EU. But, as I understand, said changes have not been fully announced.

“…ICANN has been seeking feedback on a range of proposals to redact information provided in WHOIS, the system for querying databases that store the registered users of domain names and blocks of Internet address ranges (IP addresses)… current ICANN rules, domain name registrars should collect and display a variety of data points when someone performs a WHOIS lookup on a given domain, such as the registrant’s name, address, email address and phone number. (Most registrars offer a privacy protection service that shields this information from public WHOIS lookups…In a bid to help domain registrars comply with the GDPR regulations, ICANN has floated several proposals, all of which would redact some of the registrant data from WHOIS records. Its mildest proposal would remove the registrant’s name, email, and phone number, while allowing self-certified 3rd parties to request access to said data at the approval of a higher authority — such as the registrar used to register the domain name. The most restrictive proposal would remove all registrant data from public WHOIS records, and would require legal due process (such as a subpoena or court order) to reveal any information supplied by the domain registrant…I can say without hesitation that few resources are as critical to what I do here at KrebsOnSecurity than the data available in the public WHOIS records. WHOIS records are incredibly useful signposts for tracking cybercrime…” Krebs on Security


As a person viewing the unfolding GDPR situation from afar I cannot say definitively if the ICANN/Whois changes will be made and to what extent. This is true for other significant data privacy points which I am unsure about.

I’ll wait until enforcement is fully in place before definitively stating such and such about the GDPR rules. So, we are back to my qualifying statement which I believe is prudent.

Jim Andrakakis • February 21, 2018 9:33 AM

Totally agree with @Bear, @David and others --it's a correct measure to take. It certainly achieves two things:

- it raises the cost of the operation
- it leaves a paper trail in the US that can be investigated

Do remember that any foreign operation, wherever it is coming from and for whatever reason, still has its resource limitations. Time, manpower, budget, computing resources, whatever. These things aren't unlimited; never were, never will be. So making sure that the foreign operation gets less "bang for the buck" (people who see the ads and potentially are influenced vs. money spent) is a smart strategy.

Plus, I definitely expect it to be a pilot, i.e. if this works in practice it will be used more and more for other sensitive ads.

Peter • February 21, 2018 10:19 AM

So, where do American spies send a postcard when they manipulate foreign elections? Do they have to send a telegram if they want to stage a colour-revolution??

This "evil commie-kgb lost neocon warmonger Hillary the presidency" nonsense has to end.
59.000 ad-views on faecesbook changed the outcome?
Gimme a break, will'ya? Or some of the drugs you are on ...

albert • February 21, 2018 12:28 PM

Unless you have secret inside information about US assertions about Russian meddling, your -opinions- are no more valid than mine. Neither of us (even if you're very young) wants to wait 50 years to find out what's really going on, so we have to base our opinions on what we perceive to be 'true'.

"...Or you could just stop being an apologist for propaganda efforts and subterfuge generally?..."

I'm not an apologist for propaganda, that's your assumption.

"...You equate all media with propaganda because you aren't critically evaluating any of it...."

No, just the MSM.

I asked the question: "..."Why do private entities need to censor users?"..."

Because they aren't bound by 1st Amendment issues, they can do whatever they want. Best guess is government pressure.

"...Just because you see "nothing wrong" with known-from-inception-false information presented....."

I never said that, that's your assumption.

"...It's not the propaganda, it's your support of it KNOWING that it IS propaganda. ..."

I don't support propaganda. I never said I did.

"...What are you, Goebbel's butler? Who supports that?..."

What makes you resort to snarky insinuations?

In the future, avoid trying to paint an individual with assumptions not based on statements. It's an old propaganda technique, and it's really tiresome. Only trolls buy into it, here on this blog.

Perhaps you can find another venue on which to preach your gospel.

. .. . .. --- ....

Jim • February 21, 2018 1:37 PM

Well, it's better than nothing.

Of course, if the person buying the ad is located in the US, it won't help. And if a foreign entity is determined to buy an ad, they could station someone here in the US to receive the card.

hmm • February 21, 2018 5:12 PM

@ albert

"I'm not an apologist for propaganda" An enthusiast perhaps? A connoisseur, aficionado? As you say.

Your previous comment:

"Assuming, for the sake of argument, that the Russians have -any- influence at all in US politics, why don't we just improve -our- propaganda?"

"Why do private entities need to censor users? What are they afraid of? Is it really the Russians? Or is something else going on?"

It does seem to be defending propaganda efforts and suggesting more propaganda is a solution.
Then it trails off into an open-ended conspiracy theorist's non-explanation explanation.
It's difficult to see another reading there but by all means, do offer one?

Alt-facts do not exist, if they did you could point to them specifically as a counter-narrative and we could vet them individually - which is a function of mainstream journalism and not microblogs written via Google translate.

Obama turned out NOT to be a Kenyan after all, remember? The UN didn't take your guns or force you to eat soy to weaken your gender characteristics. Those weren't picked up by the mainstream media, they didn't pan out when basic fact checking occurred as a basic function of that "mainstream" industry. Those are NOT tenets of the blogosphere generally.

"No, just the MSM."

- An undefined trope of propagandists working to establish non-journalist sources as journalism.

If you're saying "all media" = liars who are "in" on it, I'll call that lie out right here.
It's notable that you didn't disagree that you don't critically analyze it either way.
You are instead decrying "the media" as if it's an evil conspiracy hivemind out to get you.

We have proof the Russians run troll farm propaganda efforts. FBI != the media, either way.
The fact is we do have some information that we can verify and you can't prove any of it false.
And the media reported it fairly accurately, with a few noted fails that were corrected.

"Deregulated" info is failing your cohort. Micro-propaganda isn't a solution to macro-propaganda.
Continuing to defend alt-facts as alt-traitors go down in flames is just fanning them.

I'd love to believe, walk me through the conspiracy specifically? So far it seems like excuses.

James • February 21, 2018 5:15 PM

This is just a waste of people's time. It will do nothing to prevent foreign nationals from engaging in electioneering without being properly registered.

No one could possibly set up a front company in the US that receives the postcards and scans them to send via email, right? Like maybe Traveling Mailbox (https://travelingmailbox.com/) or Anytime mailbox (https://www.anytimemailbox.com) or a million other options.

Or maybe just hire someone via one of the 'gig' sites to do this for you. Or post an ad on craigslist in any city in America. Or maybe just move here (locate an agent here) to do the entire thing locally.

Last I checked there were, depending on whose estimates you believe, several million illegal aliens in the US and I'd bet none are registered with the FEC. Each of them could potentially violate the law by posting political ads or commentary intended to influence an election.

Or, of course, these same illegal aliens could also hold a public rally, protest, or 'march' and be really obvious about their violations of election law. As a bonus, they get free advertising from the media (who would then be a willing culprit in the scheme to defraud our elections).

But sure, let's send postcards out to prevent Russia from buying ads. That'll work.

hmm • February 21, 2018 5:26 PM

@ James

Like someone mentioned it would add mail fraud felonies for misusing the info in any way.
That's actually a smart way to ~double any criminal prosecution if someone is caught.

" and scans them to send via email " - Email is pretty insecure, leaving a nice trail.

"Or maybe just hire someone via one of the 'gig' sites to do this for you"

Job offered : Mail and election fraud, must type 30 wpm and be proficient in MS WORD
Bonus - you may get free rent paid for by your local county sheriff!

Going on about illegal aliens like that has anything to do with the topic... but why?

"Each of them could potentially violate the law by posting political ads or commentary intended to influence an election"

Oh you think illegal aliens are the big manipulators of our electoral system, I see now.

Not the huge volume of untraced multinational corporation money. The fruit pickers, etc.
Because they've got so much free time to organize and save up their food stamps for TV time.

It's a real concern.

hmm • February 21, 2018 5:35 PM

You know what, I made a mistake - illegals don't get food stamps.

Back to the propaganda board, I mean the mainstream media, I mean..

hmm • February 21, 2018 6:57 PM

What media sources can we all agree are pretty good, make an effort to be correct on the facts?

Is the intercept.com part of the mainstream media conspiracy?

Snopes? Factcheck.org? Reuters? NYT? WAPO? CNN obviously, MSNBC is like a curse word...

RT? Sputnik? O'keefe? Kirstey Alley? Your pal Hans Kletus on Facebook?

It's probably important that we nail that down before we try to agree on how elections should run.
It feels like people are talking right past each other, non-baryonic fact sets.

Anon • February 21, 2018 7:28 PM

That is the dumbest idea I've seen yet.

So... they send a postcard, but do they vet the address? What if it gets sent to one of these generic "virtual office" firms that handles 100,000 other clients?

The next time I want to advertise a product, I'm hiring Russian - apparently they are more effective than anything else you could possibly use.

hmm • February 22, 2018 12:37 PM

" I'm hiring Russian - apparently they are more effective than anything else you could possibly use. "

If you're targeting low-information voters or buyers, it doesn't really matter who delivers the message.
They're easily manipulated.

James • February 22, 2018 7:36 PM


" Like someone mentioned it would add mail fraud felonies for misusing the info in any way.
That's actually a smart way to ~double any criminal prosecution if someone is caught. "

They are already committing election fraud, I don't think they care if they also commit mail fraud. It is unlikely that anyone participating in this (as the 'forwarder') would be prosecutable since they are simply providing a generic service (mail forwarding). I already pointed out a couple of the literally thousands of services that do this on a daily basis. Attempting to prosecute them for participating in election fraud would be laughable. They clearly would have no idea that they were being used in this way and obviously no intent to defraud.

" Email is pretty insecure, leaving a nice trail. "

Email is incredibly insecure, which is an advantage to the attackers. One can create thousands of fake accounts on multiple online services with no ID check and no way to track who the user is. Using TOR, a VPN, or similar spoofing technology, it would be impossible to even trace the IP address that received the mail. No trail to follow.

" Job offered : Mail and election fraud ... "

Hiring someone to scan your mail is not illegal. You don't have to disclose the intent to defraud in the listing. Pretty easy to get someone to sign up to receive mail, scan it, and forward it to an email address.

" Going on about illegal aliens like that has anything to do with the topic... but why? "

The point of my comments about illegal aliens is that we already have millions of people PHYSICALLY IN THIS COUNTRY who are committing the exact same illegal acts as FB is trying to mitigate. It isn't like the Russians are the only ones who are illegally meddling in our elections. For example, every person who is not a US citizen who posts anything about DACA (or any other political issue or person) is technically breaking the exact same law. They are not registered with the FEC and they are influencing elections. I simply point out the illegal alien example to show how silly it is to try and catch a very small fraction of the 'violators'.

" Oh you think illegal aliens are the big manipulators of our electoral system, I see now. "

Yes, I think one post each by a million people probably has more influence than the paltry few ads purchased by 13 Russians. Posts and reposts by those in your network are vastly more influential than a random ad from an unknown source.

" Because they've got so much free time to organize ... "

Some of them apparently have free time because I see repeated coverage of DACA marches across the country. The participants are definitely not all American citizens.

" It's a real concern. "

I completely agree. However I think this "solution" is poorly thought out and thoroughly ineffectual. And, even if it were effective, it addresses a small sliver of the problem of outside actors influencing US elections.

hmm February 23, 2018 2:55 AM

@ James

1. Just about nobody commits election fraud. It's in the tens to hundreds nationwide.
Lots of people by comparison commit mail fraud and are convicted. So yeah, it does stuff.

2. "unlikely that participating in this (as the 'forwarder') would be prosecutable" -Er, false.
Your own idea of what is "prosecutable" doesn't apply, it's mail fraud to mishandle some items period.

3. "no way to track who the user is" Missing the point, which was noting/voiding fraudulent votes.
"No trail to follow." They wouldn't be following singular trails, yes that would be pointless.
(You seem to think NSA/FBI can't defeat TOR, which I find humorous but it's also not the point.)

4. "easy to get someone to sign up to receive mail, scan it, and forward it to an email address."
In the hypothetical scenario, you're talking about misusing official mail. Felony.
If it was too easy why haven't you usurped elections yourself just for giggles? Right.

Yes it's illegal whether or not disclosed in the ad. Put up a lot of illegal ads do you?
They tend to get spotted/flagged. You're recruiting hundreds of thousands of them right?
You're going to need to be pretty conspicuous and in fact ubiquitous. That's exposure.
Anything less is going to have near-zero effect in any election. You're under-thinking this part.

5. "Yes, I think..." No, you're imagining illegal aliens are a singular bloc. That's false.

Your dismissal of a known troll-farm operation doesn't really matter to the FBI or DOJ.
They're already being prosecuted, because they actually did commit a provable crime.
Protesting isn't one, per your example, nor sending messages to people they know.

6. DACA = brought to the US as children and deliberately opt-in enrolled to pursue becoming official citizens through then-offered legal processes, and really there's not a whole lot of difference between them and those selected to get green cards or other means of being in the country legally. It's an individual case in every case. In fact criminal convictions would screw that up, and have, so anyone in your example committing crimes related to fraud would be jeopardizing that. (Assuming DACA reinstated, which it probably will be in some form in 2018)

Furthermore protesting is a human right and civil right in America regardless of citizenship status.
There are many rights that are granted to non-citizens by our system. You should read about this.
Persecuting people solely for not being "born here" isn't a great example of American exceptionalism really.

7. You agreed with obvious dripping sarcasm, you realize of course. (Of course!)

You're right though, this won't solve "the problem" any better than ranting about foreigners solves illegal immigration, terrorism, drug trafficking, human smuggling, the sex trade, etc, or any more than a 75 billion dollar wall stops people who overstay their once-legal visas. I think you obviously wanted to go out of your way to talk about illegal aliens while downplaying the Russia investigation into a foreign adversary's proven deliberate and funded attempt to undermine our elections and faith in our democratic processes, for whatever reason you do so.

America is a nation of immigrants first and in the best spirit. Everyone in America comes from somewhere else within a couple/few generations, with the exception of a few million of our

It wasn't long ago that Germans, Jews, Africans, Indians, Natives, Irish, Dutch, Italians, Chinese, Japanese, Russians, anyone who wasn't fully an amorphous backwoods country redneck was discriminated against for no reason related to their intellect or the quality of their work or the strength of their character - just because they weren't the angry dispossessed peasants of America's white underclass. Even those born here experienced that. It seems like you want to return to that post-colonial homesteading riffraff past rather than live in modern American society which is made up of great people (and better minds...) from all around the world, with every race and creed represented.

If you wanted to be a stickler about paperwork details more than any meaningful approach to election or migration security, it's perhaps worth noting that Trump's imported wife is quite likely an illegal immigrant herself having arrived here a full year before she "officially" did. https://www.theguardian.com/us-news/2016/aug/04/melania-trump-nude-photos-work-visa-immigration But worry about her having undue influence? Of course not, she's a hard working... model, bringing her exceptional... job skills... Or like Trump's father who was kicked out of Germany a debtor and became a citizen somehow (easily) anyway. Or John McCain, born in Panama. I mean since you're being so specific in your approach, you might as well be thorough right?

hmm February 23, 2018 3:02 AM

"with the exception of a few million of our..." - I truncated that somehow.

With the exception of our forebears on this continent whose ancestors crossed the Bering Strait bridge.

The most disenfranchised Americans among any and bar none, the native Americans.

If nationalists are upset about shoddy treatment from newcomers, they ought to get in fucking line.
Pardon my French.

65535 February 27, 2018 7:27 AM

@ Alejandro

“Using USPS is a slick way of bringing federal law enforcement into the game”-Alejandro

Yes, it is.

As I noted:

“Facebook will use postcards with a code to verify users for advertising purposes? Given the Mail Cover Act enforced in the USA I could see where this post card and its photo copy image to be of great benefit to the government. If Facebook prints the pin or code on a post card that code could be copied also. This is not exactly a good thing. The government could know the pin and collect information on Facebook users in a way that was never intended.”-65535

It looks like scammers can do the same thing now the USPS is giving about everyone access to those scanned USPS letters.

See Krebs on this new twist:

"In October 2017, KrebsOnSecurity warned that ne’er-do-wells could take advantage of a relatively new service offered by the U.S. Postal Service that provides scanned images of all incoming mail before it is slated to arrive at its destination address. We advised that stalkers or scammers could abuse this service by signing up as anyone in the household, because the USPS wasn’t at that point set up to use its own unique communication system — the U.S. mail — to alert residents when someone had signed up to receive these scanned [letter] images… A review of the methods used by the USPS to validate new account signups last fall suggested the service was wide open to abuse by a range of parties, mainly because of weak authentication and because it is not easy to opt out of the service… Currently, the USPS allows address changes via the USPS Web site or in-person at any one of more than 35,000 USPS retail locations nationwide. When a request is processed, the USPS sends a confirmation letter to both the old address and the new address… Signing up requires an eligible resident to create a free user account at USPS.com, which asks for the resident’s name, address and an email address. The final step in validating residents involves answering four so-called “knowledge-based authentication” or KBA questions. The USPS told me it uses two ID proofing vendors: Lexis Nexis; and, naturally, recently breached big three credit bureau Equifax — to ask the magic KBA questions, rotating between them randomly. KrebsOnSecurity has assailed KBA as an unreliable authentication method because so many answers to the multiple-guess questions are available on sites like Spokeo and Zillow, or via social networking profiles…It’s also nice when Equifax gives away a metric truckload of information about where you’ve worked, how much you made at each job, and what addresses you frequented when. 
See: How to Opt Out of Equifax Revealing Your Salary History for how much leaks from this lucrative division of Equifax. All of the data points in an employee history profile from Equifax will come in handy for answering the KBA questions, or at least whittling away those that don’t match salary ranges or dates and locations of the target identity’s previous addresses.”- Krebs on Security




[See comment section for clarity]

As I said, there are now many facets to using USPS and interacting with Facebook. Any and every new scam could potentially be used with social websites and the USPS including stalking to shady LE spying.

*yx March 12, 2018 1:38 AM

@Bear, @GmK are I think getting to the 'due diligence / buck passing' bottom line. In the good ol' days we sent a scan of our driver's license to the grand state of Colorado where the Spirit Of The Night would grant us access to this new somewhat dark space to fly in. Gatekeepers, lol, it doesn't get old. I'd characterize a bottom line in all this as websites correctly passing the buck for client identification to the government. If there was a better answer it would be used. Identification against criminals intent on fraud is nearly as old as time. Proper governmental jurisdiction.

Egor Berdnikov March 16, 2018 6:01 AM

> "It won't solve everything"

Oh, it will. Any solution is perfect, if you solve a problem that does not exist.


Schneier on Security is a personal website. Opinions expressed are not necessarily those of IBM Resilient.