Facebook’s Ad Confirmation Process Won’t Stop the Russians

Without a doubt, if you are on the advertising services side of the Facebook house you’ve been sitting in a kitchen with the oven on broil and all four burners on high—the kitchen is hot. The social network is being viewed by many as culpable in allowing the Russian intelligence services to use their advertising infrastructure in such a way as to cause considerable decisiveness within the U.S. electorate. 

Facebook Taking Steps to Know Its Political Ad Customers

Facebook’s global director of policy programs, Katie Harbath, said Facebook is taking measures to better know its customers who take out political ads. “If you run an ad mentioning a candidate, we are going to mail you a postcard for advertising that mentions a specific candidate running for a federal office,” she told attendees of the National Association of Secretaries of State conference, according to Reuters.

In January 2018, Harbath noted on Facebook’s blog, “Now, we’re as determined as ever to fight the negative influences and ensure that our platform is unquestionably a source for democratic good.” 

The concept of sending confirmatory codes via snail mail is designed to ensure only U.S. persons are being engaged for the advertisement in a federal, state of local election, as foreign nationals are prohibited from financial contributions or expenditures. The Federal Exchange Commission (FEC) is looking at making the rules for political ads more strict when used on social network, according to FEC Chief Ellen Weintraub, speaking at the same conference as Harbath.

Russians Know How to Use the Mail

As noted, the content of the mid-February 2018 indictment of 13 Russian nationals evidenced the Russian intelligence ability to create false personas. The indictment also evidence the Russian’s ability to travel to the United States and to set up infrastructure to support their active measures. As someone who has spent a good deal of my life analyzing Russian realpolitik, none of the Russian abilities surprises me.

The flaw I see with the Facebook postcard validation methodology is that it isn’t presenting a means to sufficiently challenge and vet who is purchasing the political ad. The Russian intelligence officer abroad is often tasked with identifying the means to create mailing addresses to which letters may be mailed to and from in support of Russian operations.

As Oleg Gordievsky, former head of the KGB Rezidentura in London (1980s), wrote in his autobiography “Next Stop Execution” that every Russian intelligence officer serving abroad is trained and tasked at setting up “letterboxes” for use by various entities, to include illegals within a given country. Gordievsky tells of how he acquired “a live letterbox (a gentleman) and his wife, who agreed to pass letters to and from illegals in Denmark.

Here we are 30+ years after Gordievsky’s defection to the UK and suggesting the use of a methodology that plays into Russian espionage tradecraft 101: How to use letterboxes to disassociate one’s self from the sender and hide the identity of the recipient.

That is exactly what Facebook is trying counteract by its use of postcards.

Facebook of Sound Intention

There is no doubt Facebook’s intention is well-meaning and meant to raise the bar for those trying to meddle in the elections of the United States by using the Facebook platform to place and share political advertising. Perhaps if the company engaged in dialog with one of the many Russian emigres with intelligence background, it could understand the modus operandi used by Russian intelligence more thoroughly and create methodologies designed to thwart Russian use of false personas.

A Suggestion

There is no doubt that the mailed cards will raise the bar on the level of difficulty for some wishing to disguise their identity. The methodology isn’t going to give pause to the Russian intelligence apparatus, given its many years of experience in creating and recruiting individuals to act as “letterboxes.” 

Perhaps an interim solution may be to couple the mailing of postcards and the payment to Facebook together. Accept payment only via direct withdrawal by Facebook from a U.S. bank account, the identifying information for which must be the same, thus bringing into play two sets of Federal infrastructure: those who watch the postal system and those who watch the financial system. After all, moving large sums of money greater than US$10,000 leaves a glowing paper trail, and drawing attention to one’s self is anathema to the basic tenets of espionage.

Sponsored Content
Upcoming Webinar
This Year at RSA: Don’t Miss The Conversation on DevSecOps!

This Year at RSA: Don’t Miss The Conversation on DevSecOps!

The 2018 RSA conference promises to feature a lively, yet critical discussion on the role of DevSecOps and how this movement is transforming the way organizations are building and securing their software.  Many agree that secure software equals good software. As we have seen in so many recent headlines, the ... Read More
March 22, 2018

Christopher Burgess

Christopher Burgess (@burgessct) is a writer, speaker and commentator on security issues. He is a former Senior Security Advisor to Cisco and served 30+ years within the CIA which awarded him the Distinguished Career Intelligence Medal upon his retirement. Christopher co-authored the book, “Secrets Stolen, Fortunes Lost, Preventing Intellectual Property Theft and Economic Espionage in the 21st Century”. He also founded the non-profit: Senior Online Safety.

burgesschristopher has 36 posts and counting.See all posts by burgesschristopher