Facebook security profiling doesn't like African log-ins

A tip-off from a source has turned up an interesting quirk in Facebook's security measures. He claims the social networking site appears to discriminate against log-ins from Africa. Our tipster, Raj from Vancouver, Canada, has an interesting if unusual set of circumstances. Raj runs a tech business and uses Facebook to …

COMMENTS

This topic is closed for new posts.
  1. LennartBon
    Pint

    Maybe misusing FB?

    The takeaway point here seems to be that he's trying to use Facebook in a way that Facebook doesn't want to be used - and their ToC's are pretty clear about this. So hard to feel sorry for him, but maybe for his Kenyan subcontractor.

  2. KJB
    WTF?

    I don't see the problem here, Raj is using Facebook in a way that is not supported; if this is causing issues for him, instead of labelling it as "discrimination" he should simply find a service which provides and supports the service he requires.

  3. The Reaper
    FAIL

    Profiling isn't a dirty word, it's a sensible practice. If 80% of your attacks are coming from a certain geographic location should you A) adjust your risk policy to suit B) put your head in the sand and pretend you live in Narnia?

    Answers on a postcard (Hint: it's not B)

  4. Dave 27

    Amount of sympathy felt for "Raj from Vancouver" = 0

  5. Paul 25

    No sympathy

    He's trying to use Facebook in a way it clearly isn't designed for, by doing something they explicitly tell you not to.

    If you are going to base your business around someone else's service, then you really need to learn to play by their rules. If you don't like it then find another line of business.

    This is no different from your credit card company flagging a transaction from a company or country that is likely to be fraudulent based on reported rates of fraud.

    If Facebook genuinely see more fraudulent access from Kenya than they do from Singapore then this would seem entirely sensible.

    So long as Facebook's blocking is based on real numbers of reports, and not some person in an office making arbitrary decisions then this is not at all like racial profiling of people in airports or for arbitrary stop and search.

  6. Cameron Colley
    Happy

    Stop being a cheapskate and set up your own site, Raj.

    You've already admitted breaking the terms and conditions of Mr Bitch's service and it's clear you're only using it because you're too cheap to set up your own page and do it properly.

    1. Brezin Bardout

      Well, to be fair he might have a proper site and he could just be using Facebook to complement that and reach out to more potential customers. If he's running a tech business then I'd certainly hope that's the case anyway.

      But yeah, these businesses who think Facebook is an acceptable platform for their web presence, they can go fuck themselves. Yeah, I might want to know more about your product or service. But no, I don't want to be liking your fucking Facebook page and getting my wall spammed with whatever.

  7. SMabille

    Personal account

    I'm usually the last one to sympathise with Facebook, but if you log in to a Personal Account from Vancouver, Singapore and Kenya all in a few hours I would be more than happy for this to be flagged as suspicious and the account locked!

    Hope the same would happen to my credit card :-)

  8. Anonymous Coward

    use technology to get round this

    Set up an SSH server locally (e.g. a Linux box), and get your Kenyan employee to SSH tunnel over that, and proxy his web traffic via that tunnel.

    Presto: network is no longer "kenyan" from FB's point of view.

    C

    1. Elmer Phud
      Facepalm

      Tech

      Apparently 'Raj' is a techie . . .

    2. JimmyPage Silver badge
      FAIL

      I think you'll find

      cost of using Farcebook = $0

      cost of anything else != $0

      was the algorithm this guy used.

    3. some vaguely opinionated bloke
      FAIL

      You've been beaten to it...

      "Raj... engineered a workaround by setting up a VPN so that Sam's IP address matched his in Vancouver"

  9. Anonymous Coward

    Standard Practice

    "So this is profiling: the same as airport security guards choosing to search an Arab man rather than a white woman, or cops in Brixton searching a disproportionate number of black male teenagers – but in this case it was on the verge of costing a man his job."

    Every, and I mean *every* security system I have worked on has a concept of "hot countries", ones that, for one reason or another, get a higher level of scrutiny than others.

    Spend a few days in one of these countries and use your credit card and I almost guarantee you will get a call from your bank. If you didn't I would be surprised and concerned.

    You may or may not approve of this on moral grounds, but to treat this as a major scoop is, for an IT-related website, quite laughable.

    1. Anonymous Coward

      Very true

      I spent one hour in Copenhagen airport (transfer) and both transactions I did in the LEGO store were flagged by Amex. Admittedly, Denmark is a very nice small country and I fail to understand why anyone would put it on such a list.

      1. Anonymous Coward

        AMEX in Denmark

        The credit card companies - AMEX at least - do more than maintain "hot" country lists. If a purchase doesn't match your typical patterns (say, you've never been to Denmark and/or don't usually purchase toys) then it will tend to flag their fraud protection. I would put money down to bet that phone call had nothing to do with "[those shifty Danes]"

        : )

        1. Anonymous Coward

          Yep, and Amex do have limits on their cards

          just not limits like most CC companies do. Worked with a non-profit once that held one big event per year over a weekend. They signed up for the points program, and figured they'd bill all the hotel costs to the card because there was no limit. At the end of the first day the hotel couldn't run the card any more. Group went to the bank toot suite and paid the current charges. Card still wouldn't run because the payment wouldn't clear until Monday. Wound up paying the rest of the hotel in cash.

          Look on the hotel clerks' faces when we paid them: priceless.

  10. amanfromMars 1 Silver badge

    AIR&dD Bombardments .... Reverse Engineering Defeat into Valour.

    "The disadvantage is that Facebook might terminate you and your Facebook activity. That's in their terms and conditions too. "

    To facilitate and/or support an activity is then to condone and encourage IT. That is Infinitely Progressive/Ever Expanding Creative Virtual Control Territory. And a Source of Future Powerful Energies in Control with Commands and Comments ....... RESTful ChIT Chatter.

    1. awomanfromVenus

      Mr Mars

      I thought the capital letters may be some sort of code

      TIT. TIP/EECVCT. ASFPECCC ....... RESTCITC.

      Nope, still doesn't make sense...

  11. Gordon 10

    Reasonable precaution

    I for one don't want 419ers on Facebook.

    (insert joke alert icon here)

    1. Andy Enderby 1

      @Gordon 10

      They're already there....... And some of them doubtless will meet all manner of interesting times as a result.

  12. Matthew 3

    "Facebook might terminate you and your Facebook activity."?

    Seriously?

    Death is one hell of a penalty for bending the rules a bit.

    1. BristolBachelor Gold badge
      Terminator

      You have 15 seconds....

  13. John Wilson
    Facepalm

    B*llocks

    "So this is profiling: the same as airport security guards choosing to search an Arab man rather than a white woman, or cops in Brixton searching a disproportionate number of black male teenagers – but in this case it was on the verge of costing a man his job."

    The type of profiling you're describing is racial profiling and is illiberal, racist, pointless and stupid. It's the type of profiling that leads to "driving while black". It is profiling a person based upon the colour of their skin.

    The profiling going on with Facebook security is not racial profiling: it's geographic profiling. It's a sensible precaution based on remarkably unusual activity on an account. Not even remotely the same thing.

    1. peyton?

      But it does illustrate

      That the author assumes everyone in Kenya is black. Sam could just as well have been your run-of-the-mill white guy for all Facebook knows.

      1. Mark 8
        Thumb Down

        Not racial profiling

        There is also a large Asian contingent in Kenya so unless a mixture of people of white, black and Asian and various mixtures of the three is racial profiling I think you are well off the mark here.

  14. Anonymous Coward

    There seems to be a lot of point missing going on

    How he's using the page and how that contravenes the rules is irrelevant.

    The guy logging in from Africa gets security checks. The guys logging in from other parts of the world don't.

    They're all working within the same framework. Whether that framework contravenes the rules or not is irrelevant because _within that framework_ there is discrimination.

    1. Steve Gill

      It's not discrimination if it's based on a known higher risk of fraudulent transactions from that location, it's simply an essential level of security.

    2. Amonynous
      WTF?

      ...including this post

      dis·crim·i·nate Verb

      1. Recognize a distinction; differentiate.

      2. Perceive or constitute the difference in or between.

      Discrimination is not illegal or even morally wrong per se, it is an essential part of risk management, but (rightly) there are grounds on which it is illegal to discriminate in many countries, e.g. race, gender, disability, etc.

      For example, my insurance company is perfectly entitled to discriminate by charging me more or less based on what type of car I drive, my age, my driving experience and whether or not I keep crashing in to other people, etc. They are not allowed to charge me differently because of my race or my gender (as recently set down by the EU).

      The implication seems to be that Facebook is discriminating (illegally) on the grounds of race, when the available evidence indicates that they are discriminating (legally) on the grounds of geography due to a higher risk of fraudulent access to accounts from some locations. The reasons for higher rates of fraud in certain locations are varied and complex, but poverty juxtaposed with access to global communications have a lot to do with it (419 type scams did not start with email, they started with text messages as mobile phones started to penetrate poorer regions of the world, and actually fax messages were being used in scams even before that).

      To coin a phrase, "On the Internet, nobody knows you are a dog" (Google it if you are not of a certain age). All FB has to go on is the login details being used, the IP address of the machine (and therefore a way to infer your geographical location) and a fair bit of technical information about your browser plus any evil zombie tracking data the Overlords have managed to secrete on the machine. Put simply, if a non-Kenyan went to Kenya and logged on to FB from a local machine, would they face the same security challenges? The evidence presented indicates that they would.

      I suppose it might be possible that FB based its geographical risk profiling on illegally discriminatory criteria, i.e. "Most people in country X are of race Y and are therefore more likely to be criminals in my view, so I'm going to increase the risk rating in the database for IPs in that location", but nothing in this article provides any evidence that this is the case.

      Knowing how naive many of these Web 2.0 businesses are in so many areas, it wouldn't be a surprise if the basis of their risk profiling *was* down to the prejudices of some wet-behind-the-ears college grad rather than empirical (and legally defensible) data. Now that would make an interesting story, but this article does not.

      1. dssf

        Discriminator and discrimi nation and discriminate shun

        Also, in the various military organizations, radars, IFF and other sensors have "discriminators"; they discriminate between various risks in identifying vessel and aircraft threats in a complicated matrix of decisions.

        Those using the word "discrimination" were less than precise in their use of it, and probably assumed that the readers will *infer* that "racial discrimination" is what is being spoken of.

        I, too, feel that "discrimination" as a single-word description that contains relevant checks and balances is not in itself illegal. If I make such a decision based on race, it STILL may not be illegal. If I'm running a BUSINESS of selling goods or services, I should not court a lawsuit by denying people based on race and publicly saying that race is the reason, or class or other visible or invisible components are the reason. If I am renting apartments, I cannot legally set up a homogenous environment and claim only one color or economic standing can rent from me or buy my units.

        BUT, if I am renting a ROOM in MY HOME I don't think anyone has a right to say I MUST rent to someone I don't like the appearance, smell, eating choices, and so on of. As a property renter or housing seller, the job is to generate revenue from all qualified members of society if those people are interested while units or supplies last. But, coming home... no, home is one's last refuge, one's abode from the rest of the world. If I choose and publicly say before or after (but not in the advert) that I want ONLY someone of a specific race with or without a reason (maybe I want to learn a language or learn how to cook based on a specific race/culture, or maybe I grew up in or became fond of a specific culture), then neither I nor the advert medium should be penalized. After all, when people join dating or hookup services, they are allowed to specify what they are interested in.

    3. Paul 25

      Ummm

      The comparison is between Singapore and Kenya.

      Singapore is one of the countries in the world with the highest standards of living, with extremely low levels of corruption (according to Transparency International) and very low levels of crime.

      Kenya on the other hand, while significantly more developed than many in Africa is still nowhere near the same level of development. Just like many less developed nations, I'm sure Kenya is a prime recruiting ground for the kind of people who phish, hack and generally abuse the internet, just like poorer parts of South-East Asia, and other African nations like Nigeria, home to the 419 scam.

      I would be stunned if Singapore had the same level of fraudulent account activity coming from it as Kenya.

      If it had been Cambodia, or China, instead of Singapore, then I'd think there was something amiss, but this seems perfectly reasonable.

      1. Tom 13

        Kenya is the sort of place where

        despite the development it is still hard to keep a land line up and functional because the line is worth too much to the copper thieves. How do I know? One of the places I used to work for had a regional office there. Coworker went there. They have more guns per capita than Texas, and of the full-auto variety to boot.

  15. The Mole

    Dynamic IP Addresses?

    Could it be to do with dynamic IP addresses? Perhaps Sam in Africa is on dial up or something and gets a new IP address each time, the guys in other countries may have stable IP addresses and so each login isn't considered totally different?

  16. Anonymous Coward

    For the retards...

    I am using "discrimination" in the sociological sense as I hoped would be patently obvious to all but the most retarded.

    Here, try this: http://en.wikipedia.org/wiki/Discrimination

    4 thumbs down already. I thought the kids were back in school.

    ----

    "It's not discrimination if it's based on a known higher risk of fraudulent transactions from that location, it's simply an essential level of security."

    Bollocks. By that argument the police should go back to focusing on black Londoners for "random" stop & search based on the stats that indicate they're more likely to commit crime. The fact that the vast majority of black Londoners are law abiding is, by your argument, irrelevant.

    1. Amonynous
      Flame

      I think you'll find that we did understand that you were using discrimination in its "sociological" sense, i.e. discrimination on illegal grounds, in this case racial. We just don't concur with your opinion on the matter.

      By the way, using the pejorative term "retards" suggests that perhaps you are happy to discriminate unfairly against those with learning difficulties?

    2. Cameron Colley

      RE: For the retards...

      I think you'll find that "By that argument the police should go back to focusing on black Londoners for "random" stop & search based on the stats that indicate they're more likely to commit crime." is actually something which, in an ideal world, may not be discrimination*. But, since it tends to promote the idea of black==criminal it is most certainly not a good idea. I'd certainly say that police would be well within their right to, say, search more 18 to 30 year old males and wouldn't call that "discrimination" in any pejorative sense.

      Though this is actually more akin to the police advising motorists not to stop at red lights if the road is clear in the early hours in certain neighborhoods, or advising your friends or family not to walk through a certain part of town when dark. It's not discrimination it's learning that certain areas are more likely to be home to criminal elements.

      *can of worms with a big debate, which I'm sure most people are aware of most of the sides of.

    3. ElReg!comments!Pierre

      Re: For the retards

      I think that if you look closely enough you will notice that this particular discrimination is for an account that was:

      -Personal, i.e. explicitly designed NOT to be shared

      -Created from Canada

      -Mostly accessed from Canada

      -Suddenly accessed from a country from where a lot of scammers operate (allegedly).

      That's hardly racism, just common sense. I guess the title should read "Facebook security profiling doesn't like occasional African log-ins into Canada-based personal accounts" to make it clear enough for some. So who's the retard now?

    4. Anonymous Coward

      Personally

      I find your use of the word "retarded" used in a derogatory fashion discriminatory.

  17. Disgruntled
    Facepalm

    I've got an idea

    I'll set up a business that relies on me using Facebook in a way that's fundamentally opposed to its terms and conditions and when I have a problem operating that way instead of keeping my head down I'll shine a big red light on the issue and go to the press!

    <instruction within Facebook> Delete profile</instruction within Facebook>

    Raj, have you ever considered writing an article for Harvard Business Review or the FT?

  18. Noons

    legal trouble for FB?

    IANAL but in the US corporations are people too, so FB's TS may well be illegal because of insisting that businesses have "pages" instead of "profiles". I have none, so I'm a non-person, whether corporated or incorporated.

    To be honest, this is all pointless, which is what makes it fun to watch. A bit like football... I particularly enjoy the detail that Ranting Raj is drawing attention to the fact that he is going against the TS **after** finding a solution to this problem... Somebody please stick a "kick me!" note to his back, I'll go get some popcorn...

  19. Anonymous Coward

    Ahh now there's the problem....

    Facebook

  20. Anonymous Coward

    Perhaps...

    -as occasionally can happen- the password for access in Kenya is "kitu kidogo"

  21. Anonymous Coward

    419 what

    I note the Wikipedia page here: http://en.wikipedia.org/wiki/Advance-fee_fraud clearly identifies these are originating from specific regions.

    Is this discriminatory?

  22. InfosecChap

    It's not really surprising

    If this chappie isn't paying for the service, it's hardly surprising he doesn't get the service he wants.

    But this is the nature of the "free cloud". The services that are free at the point of use come without SLAs.

    But a scary world ... "most crimes come from Africa, therefore all Africans are criminals". Similar problem with home broadband email routing. Oh brave new world.

  23. Harthin
    Thumb Down

    This may be the dumbest article on The Reg ever...

    A person mis-using a service has problems with the service? Primarily because the service which has been previously criticized for inadequate security uses a basic security measure that is in wide use and we're supposed to be outraged?

    I really don't get it. Unless someone finally put the monkeys with typewriters theory to the test.

  24. dssf

    VPN and fb

    Is there a VPN clearing house?

    Imagine if companies or individuals all logged in via a VPN, and fb caught on after deep packet and other inspections. I wonder what it would do then. Imagine if the various spy/mal-ware originating countries CHOSE to use VPNs end to end (does fb support VPNs on ITS side of the connection) or at some point use VPNs as intermediaries. I can imagine there have been people figuring out nefarious ways to use VPNs and spoofing to avoid being screened or "discriminated" as hostile or threatening in nature or capacity.

  25. Cameron 2

    duh

    When was the last time your network got legitimate traffic from Kenya, Nigeria, or Ivory Coast?

    Fraud is Nigeria's third largest source of foreign exchange, after oil and coffee. Same with Kenya, but they don't have much oil. Firewall any network segment belonging to domestic ISPs in those nations. It's best practice network security.

    1. carl 10
      FAIL

      What do you actually know about Kenya?

      "Fraud is Nigeria's third largest source of foreign exchange, after oil and coffee. Same with Kenya"

      Wrong. Kenya's largest sources of foreign exchange are: Tourism, cut flowers, tea, coffee, other agricultural produce. Fraud does not feature in there. Yes it exists, yes it's a significant problem, not in the form you imply - as a source of foreign exchange, but as Kenyan MPs and other bigwigs fleecing other Kenyans.

      411 type fraud typically but not exclusively originates -if we are talking about Africa- in Nigeria and other West African countries. Kenya does NOT have a particular reputation for this type of fraud any more than, say, The Netherlands.

      You seem to think all African countries are the same. Er, yes they're both in Africa. A bit like UK and Ukraine both being in Europe. Most similarities end there.
