Jennifer Preston in the New York Times reports on some stories that we also have been hearing from Syrian Internet use. She documents incidents
of passwords extracted by force, and the deliberate defacing of social
networking pages by security forces, apparently in order to sabotage reports
of unrest from that country.
A man in his 20s living in Syria said that the police demanded his Facebook
password late last month after arresting him where he worked and taking his
laptop. "I told him, at first, I didn't have a Facebook account, but he told
me, after he punched me in the face, that he knew I had one because they were
watching my 'bad comments' on it," he said. "I knew then that they were
The man, who asked that his name not be used because he fears that talking
openly could cost him his life, gave up his password and spent two weeks in
jail. After he was released, he said that he found pro-regime comments made in
his name on his Facebook account. "I immediately created a new account with a
fake name and so did most of my friends," he said.
A strong password is not much protection against what computer security types
drily call "rubber-hose cryptanalysis" -- the use of violence to extract login
details. We know that Syrian security forces also threaten users that they
will violently punish anyone who changes their password after they leave.
Instead, Preston reports on new strategies developed by those on the ground.
They share their passwords with colleagues, so if a Facebook user is arrested
and his account misused, colleagues can log in and remove personal information
or delete vandalised content. Distributors of content also create multiple
Facebook accounts so that when threatened, they reveal an innocent account,
instead of the one they use for dangerous activities.
Can Facebook and other US companies help their users working under these
conditions? They could remind readers in that region to set their Account
Security settings to force secure browsing, login notifications, and
explain how to monitor account activity. And they may want to be more cautious
in pro-actively taking down apparently fake accounts, in case these are being
used as decoy accounts.