Facebook Will Crack Down on Anti-Vaccine Content

As Clark County, Washington, combats an ongoing measles outbreak, Facebook announced Thursday that it’s diminishing the reach of anti-vaccine information on its platform. It will no longer allow it to be promoted through ads or recommendations, and will make it less prominent in search results. The social network will not take down anti-vaccine posts entirely, however. The company also said it was exploring ways to give users more context about vaccines from “expert organizations.”

The decision was widely anticipated: Facebook, along with YouTube and Amazon, has faced criticism from journalists and lawmakers in recent weeks for allowing vaccine misinformation to flourish on their sites. Facebook also told media outlets in February that it was looking into how it should address anti-vaccination content.

Last month, Adam Schiff, a Democratic representative from California, sent letters to the CEOs of YouTube and Facebook demanding they answer questions about the spread of anti-vaccine information on their companies’ platforms. He followed up with a similar letter to Amazon CEO Jeff Bezos last week. On Wednesday, an 18-year-old from Ohio testified before the Senate that his mother primarily read misinformation about vaccines on Facebook and opted not to inoculate him. (A major study released Monday found no link between the MMR vaccine—which protects against measles, mumps, and rubella—and autism.)

In a blog post written by Monika Bickert, Facebook’s vice president of global policy management, Facebook said it will begin rejecting ads that include false information about vaccinations. The company also removed targeting categories such as “vaccine controversies” from its advertising tools. Last month, the Daily Beast reported that more than 150 anti-vaccine ads had been bought on Facebook, which often targeted women over 25. Some of the ads were shown to users “interested in pregnancy.” In total, they were viewed at least 1.6 million times. YouTube similarly announced last month that it would begin preventing ads from running on videos featuring anti-vaccine content.

Facebook will also reduce the ranking of pages and groups that spread misinformation about vaccines in search results and in its News Feed. In February, The Guardian found that anti-vaccination propaganda often ranked higher and outperformed accurate information from more reliable sources on Facebook.

The social network’s effort to fight vaccine disinformation extends to Instagram, where the company says it will stop recommending content that includes vaccine misinformation on the app’s Explore page. Instagram will also stop displaying vaccination misinformation in hashtag search results. It’s not clear how long these new controls will take to roll out: An Instagram search for #vaccine Thursday afternoon surfaced the hashtag #vaccineskill as the number one result, for instance. Last month, Pinterest received praise for its decision to stop displaying search results for vaccines entirely, even if they are medically accurate. (In 2017, Pinterest previously banned “anti-vaccination advice” from its platform.)

As The Atlantic has pointed out, the majority of anti-vaccination content on Facebook appears to originate from only a handful of fringe sources. It likely won’t require a herculean effort for Facebook to tackle this strain of misinformation. The question is why the company waited until it became the subject of media reports and criticism from lawmakers to finally act.

Facebook increased its efforts to fight false information more broadly on the platform in the wake of the 2016 presidential election, including with initiatives like third-party fact-checking. The company admits it won’t catch everything, and demonstrably fake stories still do go viral. While there is little public data about user behavior on Facebook, researchers have found signs that the reach of fake news declined between 2016 and the 2018 midterm elections. (Though they also say there remains plenty to be concerned about when it comes to misinformation.)

It’s not yet clear whether the proliferation of anti-vaccination content online has led to a significant decrease in vaccination rates in the United States. Unscientific information about vaccines has been circulating on- and offline for well over a decade. But as Slate has pointed out, the number of children under 3 who have received their first dose of the MMR vaccination has remained steady for years, according to data from the Centers for Disease Control and Prevention. The World Health Organization named vaccine hesitancy one of its “ten threats to global health in 2019,” but cites “complacency and inconvenience in accessing vaccines” as two of the key reasons why people choose not to vaccinate, in addition to “lack of confidence.”

There’s still little doubt that social media platforms like Facebook, but also YouTube and Amazon, have indeed made anti-vaccination talking points more accessible to wider audiences. Its proponents were aided by recommendation and search ranking algorithms, which often promoted anti-vax content to the top of the pile. Facebook’s announcement today is further acknowledgment of its role in that ecosystem, and the idea that free speech is not the same as free reach.



An Email Marketing Company Left 809 Million Records Exposed Online

By this point, you’ve hopefully gotten the message that your personal data can end up exposed in all sorts of unexpected internet backwaters. But increased awareness hasn’t slowed the problem. In fact, it’s only grown bigger—and more confounding.

Last week, security researchers Bob Diachenko and Vinny Troia discovered an unprotected, publicly accessible MongoDB database containing 150 gigabytes-worth of detailed, plaintext marketing data—including 763 million unique email addresses. The pair are going public with their findings today. The trove is not only massive but also unusual; it contains data about individual consumers as well as what appears to be “business intelligence data,” like employee and revenue figures from various companies. This diversity may stem from the information’s source. The database, owned by the “email validation” firm Verifications.io, was taken offline the same day Diachenko reported it to the company.

While you’ve likely never heard of them, validators play a crucial role in the email marketing industry. They don’t send out marketing emails on their own behalf, or facilitate automated mass email campaigns. Instead, they vet a customer’s mailing list to ensure that the email addresses in it are valid and won’t bounce back. Some email marketing firms offer this mechanism in-house. But fully verifying that an email address works involves sending a message to the address and confirming that it was delivered—essentially spamming people. That means evading protections of internet service providers and platforms like Gmail. (There are less invasive ways to validate email addresses, but they have a tradeoff of false positives.) Mainstream email marketing firms often outsource this work rather than take on the risk of having their infrastructure blacklisted by spam filters, or lowering their online reputation scores.

“Companies have email lists and want to start emailing them, but they’re not sure how valid they are,” says Troia, who founded the firm Night Lion Security. “So they go to a company that will essentially send out spam.” Troia speculates, but has not confirmed, that the database may be so large and varied because it comprises all of Verifications.io’s customers’ data. WIRED was unable over the course of several days to contact the company or CEO Vlad Strelkov. On Monday, the entire Verifications.io website went offline and has not been restored since.

Record Setter

In general, the 809 million total records in the Verifications.io trove include standard information like names, email addresses, phone numbers, and physical addresses. But many also include things like gender, date of birth, personal mortgage amount, interest rate, Facebook, LinkedIn, and Instagram accounts associated with email addresses, and characterizations of people’s credit scores (like average, above average, and so on). Meanwhile, other records in the collection seem related to generating sales leads at businesses, including company names, annual revenue figures, fax numbers, company websites, and industry identifiers for categorizing companies called “SIC” and “NAIC” codes.

The data doesn’t contain Social Security numbers or credit card numbers, and the only passwords in the database are for Verifications.io’s own infrastructure. Overall, most of the data is publicly available from various sources, but when criminals can get their hands on troves of aggregated data, it makes it much easier for them to run new social engineering scams, or expand their target pool.

In the exposed database, the researchers also found some of what appear to be Verifications.io’s own internal tools like test email accounts, hundreds of SMTP (email sending) servers, the text of emails, anti-spam evasion infrastructure, keywords to avoid, and IP addresses to blacklist. Diachenko suggests that in the Verifications.io work flow, customers would upload an Excel spreadsheet listing the email addresses to validate, and then Verifications.io would run their tests and return lists of clean addresses and ones that bounced back. It’s possible, given the piecemeal nature of the data and evidence that it was imported from numerous different Excel files, that Verifications.io also retained some or all of the data it received from customers after concluding its email address checks.

The researchers validated samples of the data with companies listed as Verifications.io customers. Troia says his own information appears in the database. WIRED spoke to the proprietor of an email marketing firm who confirmed the validity of a segment of the data. WIRED also checked for four individuals, but did not find them listed. Diachenko and Troia also note that they have no way to know whether anyone discovered and downloaded the Verifications.io data while it was publicly available and fully exposed.

“I have no idea if anyone else accessed this besides us,” Troia says. “But it was definitely out there for anyone to grab.”

‘Another Day on the Internet’

Much remains unknown about the database and Verifications.io, because the company is difficult to track. When the researchers initially contacted the company through a messaging portal on its site to disclose the database exposure, someone responded with an unsigned note. “Thank you for reporting the issue. We appreciate you reaching out and informing us,” the reply said. “This is our company database built with public information, not client data. We were able to quickly secure the database. Goes to show, even with 12 years of experience you can’t let your guard down.”

Much of the data in the database is publicly available, though it’s not clear that all of it is. When the researchers asked in the portal for the name of the owner of the company and the legal name of the company, someone wrote back declining to answer.

It is also unclear where Verifications.io is based. Most of its materials list Boca Raton, Florida, but some of its web assets are registered in California and Delaware. The Verifications.io website lists addresses in Estonia, but some of those matched up with what appear to be a museum and a government building.

Security researcher Troy Hunt is adding the Verifications.io data to his service HaveIBeenPwned, which helps people check whether their data has been compromised in data exposures and breaches. He says that 35 percent of the trove’s 763 million email addresses are new to the HaveIBeenPwned database. The Verifications.io data dump is also the second-largest ever added to HaveIBeenPwned in terms of number of email addresses, after the 773 million in the repository known as Collection 1, which was added earlier this year. Hunt says some of his own information is included in the Verifications.io exposure.

“The main takeaway for me is that this is just another case where someone has my data, and hundreds of millions of other people’s data, and I’ve absolutely no idea how they got it,” Hunt says. “I’d never heard of the company until now and I certainly can’t ever recall consenting to their use of my data. Of course, it’s entirely possible that buried in some other service’s terms and conditions it says they’re allowed to pass my data around in this fashion, but that’s not really consistent with my expectations of how my data should be used.”

As with recent data exposures from the business data aggregator Apollo and the marketing firm Exactis, there’s not a lot you can do to individually protect yourself when vast repositories of data compiled from both public and private sources leak. Check HaveIBeenPwned to see if your data was in the Verifications.io exposure, and continue your general vigilance about using strong, unique passwords, monitoring your financial statements, and giving out your Social Security number as infrequently as possible. But also know that none of those measures provide a full solution to this society-scale problem.

The disjointed nature of the exposed Verifications.io data speaks to the chaotic state of the data industry overall. People’s personal information is shared by massive companies like Facebook, bought and sold by shady marketers, or stolen from data giants and doomed to circulate endlessly in the purgatory of criminal forums. The churn makes it difficult for consumers to control who has their data and where it ends up. As Hunt puts it, “Sadly, it’s just another day on the internet.”

