Syrian Facebook users develop strategies against online threats

Jennifer Preston in the New York Times reports on some stories that we also have been hearing from Syrian Internet use. She documents incidents of passwords extracted by force, and the deliberate defacing of social networking pages by security forces, apparently in order to sabotage reports of unrest from that country.

A man in his 20s living in Syria said that the police demanded his Facebook password late last month after arresting him where he worked and taking his laptop. “I told him, at first, I didn’t have a Facebook account, but he told me, after he punched me in the face, that he knew I had one because they were watching my ‘bad comments’ on it,” he said. “I knew then that they were monitoring me.”

The man, who asked that his name not be used because he fears that talking openly could cost him his life, gave up his password and spent two weeks in jail. After he was released, he said that he found pro-regime comments made in his name on his Facebook account. “I immediately created a new account with a fake name and so did most of my friends,” he said.

A strong password is not much protection against what computer security types drily call “rubber-hose cryptanalysis” — the use of violence to extract login details. We know that Syrian security forces also threaten users that they will violently punish anyone who changes their password after they leave.

Instead, Preston reports on new strategies developed by those on the ground. They share their passwords with colleagues, so if a Facebook user is arrested and his account misused, colleagues can log in and remove personal information or delete vandalised content. Distributors of content also create multiple Facebook accounts so that when threatened, they reveal an innocent account, instead of the one they use for dangerous activities.

Can Facebook and other US companies help their users working under these conditions? They could remind readers in that region to set their Account Security settings to force secure browsing, login notifications, and explain how to monitor account activity. And they may want to be more cautious in pro-actively taking down apparently fake accounts, in case these are being used as decoy accounts.