Facebook’s Ad Confirmation Process Won’t Stop the Russians

Without a doubt, if you are on the advertising services side of the Facebook house you’ve been sitting in a kitchen with the oven on broil and all four burners on high—the kitchen is hot. The social network is being viewed by many as culpable in allowing the Russian intelligence services to use their advertising infrastructure in such a way as to cause considerable decisiveness within the U.S. electorate. 

Facebook Taking Steps to Know Its Political Ad Customers

Facebook’s global director of policy programs, Katie Harbath, said Facebook is taking measures to better know its customers who take out political ads. “If you run an ad mentioning a candidate, we are going to mail you a postcard for advertising that mentions a specific candidate running for a federal office,” she told attendees of the National Association of Secretaries of State conference, according to Reuters.

In January 2018, Harbath noted on Facebook’s blog, “Now, we’re as determined as ever to fight the negative influences and ensure that our platform is unquestionably a source for democratic good.” 

The concept of sending confirmatory codes via snail mail is designed to ensure only U.S. persons are being engaged for the advertisement in a federal, state of local election, as foreign nationals are prohibited from financial contributions or expenditures. The Federal Exchange Commission (FEC) is looking at making the rules for political ads more strict when used on social network, according to FEC Chief Ellen Weintraub, speaking at the same conference as Harbath.

Russians Know How to Use the Mail

As noted, the content of the mid-February 2018 indictment of 13 Russian nationals evidenced the Russian intelligence ability to create false personas. The indictment also evidence the Russian’s ability to travel to the United States and to set up infrastructure to support their active measures. As someone who has spent a good deal of my life analyzing Russian realpolitik, none of the Russian abilities surprises me.

The flaw I see with the Facebook postcard validation methodology is that it isn’t presenting a means to sufficiently challenge and vet who is purchasing the political ad. The Russian intelligence officer abroad is often tasked with identifying the means to create mailing addresses to which letters may be mailed to and from in support of Russian operations.

As Oleg Gordievsky, former head of the KGB Rezidentura in London (1980s), wrote in his autobiography “Next Stop Execution” that every Russian intelligence officer serving abroad is trained and tasked at setting up “letterboxes” for use by various entities, to include illegals within a given country. Gordievsky tells of how he acquired “a live letterbox (a gentleman) and his wife, who agreed to pass letters to and from illegals in Denmark.

Here we are 30+ years after Gordievsky’s defection to the UK and suggesting the use of a methodology that plays into Russian espionage tradecraft 101: How to use letterboxes to disassociate one’s self from the sender and hide the identity of the recipient.

That is exactly what Facebook is trying counteract by its use of postcards.

Facebook of Sound Intention

There is no doubt Facebook’s intention is well-meaning and meant to raise the bar for those trying to meddle in the elections of the United States by using the Facebook platform to place and share political advertising. Perhaps if the company engaged in dialog with one of the many Russian emigres with intelligence background, it could understand the modus operandi used by Russian intelligence more thoroughly and create methodologies designed to thwart Russian use of false personas.

A Suggestion

There is no doubt that the mailed cards will raise the bar on the level of difficulty for some wishing to disguise their identity. The methodology isn’t going to give pause to the Russian intelligence apparatus, given its many years of experience in creating and recruiting individuals to act as “letterboxes.” 

Perhaps an interim solution may be to couple the mailing of postcards and the payment to Facebook together. Accept payment only via direct withdrawal by Facebook from a U.S. bank account, the identifying information for which must be the same, thus bringing into play two sets of Federal infrastructure: those who watch the postal system and those who watch the financial system. After all, moving large sums of money greater than US$10,000 leaves a glowing paper trail, and drawing attention to one’s self is anathema to the basic tenets of espionage.

Featured eBook
The Complete Guide on Open Source Security

The Complete Guide on Open Source Security

This joint report by Microsoft and WhiteSource discusses the difference in finding & fixing vulnerabilities in open source components opposed to proprietary code, how to grasp the unique challenges of open source security and how to tackle them, as well as how to master the best practices of managing your open source security risks. This ... Read More
WhiteSource

Christopher Burgess

Christopher Burgess (@burgessct) is a writer, speaker and commentator on security issues. He is a former Senior Security Advisor to Cisco and served 30+ years within the CIA which awarded him the Distinguished Career Intelligence Medal upon his retirement. Christopher co-authored the book, “Secrets Stolen, Fortunes Lost, Preventing Intellectual Property Theft and Economic Espionage in the 21st Century”. He also founded the non-profit: Senior Online Safety.

burgesschristopher has 56 posts and counting.See all posts by burgesschristopher