Facebook's reported user numbers appear to me to be off by a country mile. Multiple user accounts seem to be chronic. Moreover, besides run-of-the-mill fakes and duplicates, Facebook's identity-theft-enabling business model is, in my opinion, a disgrace for any U.S. public company. Yet Facebook's prospectus and 10Qs for the periods ending June 30, 2012, and September 30, 2012, make no mention of the words: imposter, impersonator, or identity theft.
In the prospectus for its May 2012 IPO, Facebook "estimated" fraud at 5-6 percent of user accounts. (Fraud for the purposes of this report is defined as a user who is not what the user pretends to be, which may or may not have legal ramifications.) This estimate appears much too low to me. Later, in its 10Q filing for the period ending June 30, 2012, Facebook "estimated" 8.7 percent fakes on a then reported even higher user base. This updated estimate also appears much too low to me. Based on my unscientific survey of 50 U.S. Facebook users and further publicly reported anecdotal evidence, Facebook's prospectus's representation of fakes may be off by a factor of ten.
While my estimates are unscientific, so are Facebook's. But the discrepancy between Facebook's representations and what I've been able to discern is so great that it merits further study. To get a more scientific estimate, an independent third party, perhaps the SEC, might do a proper poll of a broad cross-section of Facebook's U.S. user base.
In its 10-Q filing for the period ending June 30, 2012, Facebook reported 552 million daily average users (DAUs) and 955 million monthly average users (MAUs). Note that the press seems to repeat Facebook's suspect MAU numbers, but advertisers may be more interested in its daily average users. As I noted in a previous commentary, Facebook reported fakes as a percentage of MAUs and admitted to the following: Relative to the December 31, 2011 base of 845 million MAUs with Facebook's claim of 5-6 percent fake users, by June 30, 2012, Facebook reported a 64-97% increase in fake users (69-104 percent increase in fakes if Facebook netted before reporting the 845 million MAUs), or an increase of around 168-287 percent in fake users on an annualized basis (185-319 percent increase in fake users on an annualized basis if Facebook netted before reporting the 845 million MAUs). Facebook's own reported numbers suggest its "controls" are inadequate.
On September 28, 2012, IT World's Dan Tynan wrote that his 13-year-old daughter has at least three Facebook accounts, possibly more, and she uses them for different reasons. (She's now exploring Tumblr to have more privacy from parents and relatives.) Tynan's remark about his daughter's multiple (not merely duplicate) accounts tracks with the results of my unscientific survey. Some people have only one account, but many others have multiple accounts, suggesting that the percentage of U.S. fakes could easily be well over 50 percent. That doesn't even include identity theft, and that is just in the U.S.
The U.S. market is the chief source of Facebook's advertising revenue. In my November 26, 2012, report, I mentioned that overall user growth is decelerating. The deceleration problem is most pronounced in the U.S. and Canada. From September 30, 2011-12, the number of Daily Active Users (DAUs) grew from 124 million to 132 million -- by only 8 million or 6 percent. Monthly Active User (MAUs) grew from 176 to 189 million -- by only 13 million or 7.3 percent. Should you rely on those numbers? Given Facebook's own estimation of its percentage and number of fakes (83 million globally or 91 million if Facebook didn't net out fakes from base numbers), the number of users may have actually declined.
From October 2011-12, Facebook's U.S. desktop visitors declined from 166 million to 149 million or 10.2 percent. (New Myspace desktop users increased by 1 percent off a lower base.) U.S. mobile usage appears up, but even that isn't clear. Facebook doesn't know how much it is double counting when it comes to multi-platform users. It acknowledges this. It also acknowledges that mobile users that have automatic updates may be reported as active when they are not. Facebook estimates this at only 5 percent. But it has no way of really knowing, and its estimate hasn't been checked by an independent source.
But that's not all. Facebook disclosed that it believes fake accounts are an even greater problem in less developed countries than in developed countries. It admits this estimate is a subjective opinion and may be flawed. Really? If Facebook's opinion proves correct, then less developed countries have an even bigger fake-fest than the U.S.
Facebook might consider issuing a disclaimer that its fake accounts may be greater in number than its genuine user accounts.
But Facebook's user count problems don't stop there. The issues surrounding identity theft are even uglier.
Facebook's Identity Theft Enabling Business Model
I don't use Facebook and never have, yet my first-hand experience made me feel Facebook's business model is pernicious. I had to jump through hoops to get my impersonator's profile removed from Facebook. I discovered the impersonator in June 2011 via Google Alerts; otherwise it would have gone undetected by me. Note that this was almost a year before Facebook's IPO.
Facebook required me to fill out a form and provide the fake profile's URL -- which I had only thanks to Google Alerts. (People not on Facebook who don't use Google Alerts may be the victim of identity theft without even knowing about it.) Then I had to provide a scan of a government issued photo I.D., information I didn't want to provide, but the potential consequences of a malicious use of my profile made reluctant compliance seem the lesser of two evils. I felt as if I were the victim of tag-team malware.
Facebook's lack of controls enabled this fraud. Meanwhile Facebook may have reported the fraudulent profile as a "user," and after the fraud was found out by me, Facebook extracted valuable information from me. I'm not saying Facebook was the original source of the fraudulent profile only that it can benefit from the existence of it. Anyone, including Facebook, could have been the source. Facebook potentially benefits from identity theft both by counting fake users as real, and then when a victim tries to get the fake removed, by getting more valuable information that it can sell.
Update: Facebook public policy manager Frederic Wolens sent me an email asking me to clarify Facebook's position with respect to this identity theft incident. At least I believe it was he. Unlike Facebook, I didn't insist that he supply me with a scan of a government issued photo I.D. I'm happy to let Facebook have its say: "When describing your unfortunate run-in with a fake account you state, 'Facebook extracted valuable information from me,' in reference to providing your passport and then you state, '[it gets] more valuable information that it can sell.' The second inaccuracy is understandable, and a common misconception, but we do NOT sell any data. We do not give advertisers access to your personal information, and we do not, and never will, sell any of your information to anyone. ( Learn more here - https://www.facebook.com/
My position is that advertisers come to Facebook because they get indirect access to Facebook's data and users, that is what I mean by selling data. A scan of a government issued photo I.D. has value in some circles in and of itself; perhaps to the "infiltrators" that seem to be running rampant within Facebook. Moreover, I'm reminded of Mr. Zuckerberg's comments in college of people trusting him with information being -- in his words -- "dumbf$cks." Facebook claims it doesn't store the data beyond confirming identity. I hope that it true. But Facebook asked me for the following: 1) Your full name 2) Your relationship to the person being impersonated, 3) Your contact email address, physical address and phone number, 4) A digital copy of a government-issued photo ID of the person being impersonated (ex: your ID or the ID of the person you're authorized to represent). Just as I accepted Mr. Wolen's information, it seems to me that Facebook could have accepted mine without the government issued photo I.D., and if it wanted to speak with me, it could have picked up the phone. If I seem skeptical of the way Facebook operates and of its explanation above, it seems to me that its own actions earned my skepticism. I'm not alone in my skepticism. Separately, Austrian law student Max Schrems is taking Facebook to court alleging it collected information without prior consent, retained deleted information, and was in violation of European privacy laws. Facebook maintains it is in full compliance with the law.
But Facebook's business model is even more perverse if you are a Facebook user and a victim of identity theft on Facebook.
Facebook: An Identity Theft Fraud Magnet That Makes It Easy for Fraudsters
On November 27, 2012, Bianca Bosker, Executive Tech Editor for the Huffington Post, wrote that the previous week she discovered an account set up by someone impersonating her:
After being 'friended'" by myself on Facebook, I set out to learn as much as I could about who had created the bizarre -- and unsettling -- Bianca Bosker impostor account, a profile created under my name, with my profile photo, my cover picture, my personal information and even my most recent status update.
Since she was already on Facebook, she was able to get Facebook to pull down the fake profile -- but only because the impersonator hadn't blocked her (more on that later). But when she asked Facebook for the information it collected about the fraudster, it didn't immediately accommodate her. First she had to scan her driver's license and provide a notarized statement verifying her identity. Her independent investigation with Alex Horan of Core Security revealed IP addresses that appeared to be in Ahmedabad, India, and he said it seems to be the source of lot of fraudulent Facebook accounts. But there are ways to make it only appear that way, so the source could be anywhere.
Facebook Makes Users Run in Circles after Identity Theft, and Provides No Solution
On November 29, 2012, IT World's Dan Tynan wrote about a Facebook user whose identity was stolen, and who is blocked from remedying the theft. Tynan also describes in his article how he separately verified the story.
The victim's wife, Jennifer, was friended by a fake profile of her husband, Andrew. Andrew was already her friend, so she investigated. The fake profile had her husband's name, photo, and Timeline. Andrew was unable to see the profile himself, because the impersonator blocked him. Jennifer tried to report the fake, but Facebook only allows the real account owner to report the fraud. But Andrew is unable to access the reporting mechanism, because he is blocked by the fake account.
Jennifer then used the Report/Block process to tell Facebook that an identity thief created a fake profile of her husband. But all that did was to send Andrew a message telling him his account was duplicated and that he should report the fraud, which he can't do because he's blocked.
If you delete your Facebook account, there appears to be nothing to prevent an impersonator from creating a new fraudulent profile that appears to be you. I recommend every regulator read Tynan's article: "Facebook's Crazy Catch 22: How Imposter's Can Assume Your Identity and Run Wild."
The SEC must have been napping during the IPO process, when it let Facebook's lack of controls, self-reporting of fakes, and lack of mention of the identity theft problems go unchallenged.
Disclosure: I've bought and monetized puts on Facebook since they became exchange-traded shortly after the IPO. ("Investors Bet on Facebook Fall," Kaitlyn Kiernan and Jonathan Cheng, Wall Street Journal, May 19, 2012.) I'm currently long other puts on Facebook.
See also: "Facebook's Soaring Fraud and Decelerating User Growth," November 26, 2012.
This post has been updated since its original publication.
Follow Janet Tavakoli on Twitter: www.twitter.com/JanetTavakoli