I found myself last week in the unusual situation of wishing Facebook actually had more personal information about one of its users.
After being "friended" by myself on Facebook, I set out to learn as much as I could about who had created the bizarre -- and unsettling -- Bianca Bosker impostor account, a profile created under my name, with my profile photo, my cover picture, my personal information and even my most recent status update. Fake Facebook accounts have long plagued the social network, but this one was particularly eerie, as the user who'd duplicated my online identity had evidently friended no one except me.
I submitted a data request via Facebook to obtain any information the social network had collected about the creator of the fake account, a process that required sending the site a scanned copy of my driver's license and a notarized statement confirming my identity.
Unfortunately, the single page of data I received via email two days from "Barry" with Facebook User Operations only confirmed what I already knew: I had no idea who'd created the account. And I still know very little about whoever knows a great deal about me.
"It's a little more information, but it's almost like we're in a pitch black room and someone inappropriately touched us, yet we can't see anyone around us and we're operating quite blind," said Alex Horan, a senior product manager with Core Security who I previously interviewed about my Facebook doppelganger, after he reviewed the data. "It's the open nature of the Internet that makes it that way. It's easy for someone to disappear or hide the paths to themselves."
My data request netted sixteen lines of data about when the duplicate "Bianca Bosker" account had been created and accessed, along with the email addresses associated with the profile and the IP address from which the timeline had been registered. (An "Internet Protocol" address consists of a unique series of numbers that identifies a device connected to the web.)
Details on when and with what IP addresses the account was accessed yielded intriguing -- albeit potentially untrustworthy -- information. Geobytes, WhatIsMyIPAddress.com and IP-Lookup -- services that match an IP address to a specific location -- suggested the bogus account had been created in the Gujarat region of India on Wednesday, Nov. 7 at 4:30 p.m. EST, exactly an hour and forty-five minutes before I received the friend request from the account.
But security experts warned that the IP address and its location are not necessarily to be trusted, as my Facebook fake could easily have used an open proxy server to mask his or her true IP address. Using any number of free tools that act as an intermediary between a device and the Internet, a user in Paris or Shanghai could make his or her IP address appear as if it were based in New York or Bangkok.
Kaspersky Lab senior researcher Roel Schouwenberg noted in an email to The Huffington Post that there "isn't anything to immediately suggest those IP addresses are indeed proxies."
"One of the used email addresses definitely has an Indian ring to it. So that means the entity is either indeed in India, or wants you to believe he or she is in India," he added.
Fake Facebook accounts, which make up 8.7 percent of all profiles, according to the social network, are often created by scammers hoping their bogus profiles will attract a large number of "friends" that can be spammed or conned into sharing personal details. While Horan speculated that my profile may have been copied for this reason, he also noted it wouldn't make sense for the fraudster to turn around and friend me, ensuring I'd see the impostor.
"The main thing that jumped out at me was that IP addresses were in Ahmedabad, India, and that's where a lot of the fake Facebook accounts are created," Horan said. "The thing that still gets me is that they sent you the friend requests. Other than trying to freak you out, there's no rhyme or reason for wanting to do that."
According to Facebook's report, the name used to create the account was my own -- not a very helpful piece of information. The email address associated with the account was another dead end: I couldn't link the Yahoo account to any other social media profiles via Rapportive, a tool that displays any social networking accounts associated with a particular email address. And a Google search for the email address did not turn up a single result. As Facebook does not have a way for individuals to search their list of subscribers, I couldn't try to match the email address to a specific individual who subscribes to my updates. Facebook's data also suggested the person behind the specious Bianca Bosker account may have been online at the same time I reported it to Facebook: the fake profile was last accessed by its creator on Thursday, Nov. 8 at 7:54 a.m. EST, 34 minutes before I checked out and reported the bogus Bosker.
Google wasn't much help in tracking down who the email address belonged to.
Horan suggested I might be able to track down more information about the mystery user by requesting data from a local Internet service provider, but said it would require involving law enforcement. Schouwenberg's tip was to see if I could surface the fraudster's motivation by engaging him or her in conversation online, something I'd tried unsuccessfully.
His other advice? Get used to the creepiness.
"Threats -- perhaps harassment in this case -- are part of everyday life in cyber-space," Schouwenberg wrote in an email. "There's no escaping it, and you'll just have to be vigilant."