Match.com has a fake problem. That is, they have a problem with fake accounts and there is a clear reason why they have, for years, refused to do a single thing about it.
A Little About Me
Before I dive in, let me note that I'm a software architect. I've been designing systems and writing code for almost 30 years (no, I'm not that old, I started in junior high school - if you want to get serious, I've been a professional developer since about 1990). The design of secure systems is something I know more than a little about. I'm not above admitting that in my youth I was what you'd call a hacker. Seen War Games or Hackers? It's not like that, but you get the idea. So when I see systems that have flaws, I tend to geek out on them. When those flaws affect me directly, I geek out even more. This issue has become the fingernails-on-the-chalkboard of my geek cred. I'll own that. Let me also start by saying that I met my girlfriend on Match.com, so I have no gripe with the idea of online dating and Match's business in general. Indeed, I'm a shareholder. But getting that out of the way, I need to blog about a problem the site had when I was active, and appears to still have. And I have to comment on the absolute lack of concern the site's administration seems to have regarding the problem, to the point of appearing to actively ignore it. So... what's got me all frothy?
The problem I have is with the vast number of fake accounts and fake activity, and how Match profits from this and, thus, has no incentive to remedy the situation even in the face of obvious steps that could be taken. Let's dive in. When one first signs up at Match, the activity and interactions begin. Presuming you've actually gone to the trouble to create a reasonable profile and filled out the demographics, you will begin to show up in the searches that others do. Once you start looking at other profiles and liking their photos or stating that you're interested by clicking on the checkmark of your "daily matches," you will start to interact with others. Unfortunately, many of these interactions come from fake accounts. Why fake accounts? Simple - those looking for love are vulnerable. Strike up a conversation with someone and you have a motivated target that is much more liable to fall for whatever pitch you're throwing. This avenue has a much higher success rate for the scammer than does simple spam. So if you're looking to profess love and then ask for money ("I need $500 for a plane ticket to come see you!"), plea hardship ("I'd love to come to the United States but I need $750 for a visa"), or even make a few bucks peddling porn ("I have sexy pictures, but they're on a site that requires you pay $20 to prove you're an adult."), you've got a much higher chance of success on a dating site. Scammers know this, so they make tons of fake accounts and lure people in. It's a thing.
The Analysis and Solution
The source of my angst is that it's dead simple to spot these accounts both through their content as well as activity, and Match seems to make no effort to remove them short of customer complains. After this analysis, I'll show why this policy is actually a money-maker for them and then also allows them to state that they do their best based on complaints, a position that is somewhat disingenuous. So how easy is it to spot these fake accounts? Blindingly-so. First, let's take the easy attributes. Given a decent match on these, one could filter out fake accounts based on this alone (note that I consider fake females, since that's what I see):
The age being picked lately is 29. While fake accounts use many ages, this one is picked most often.
The profile has one paragraph. It is comprised of a few sentences, typically picked randomly from a list of about 30 as far as I can tell.
The profile has one picture.
The age range of the men the profile is looking for is typically in the early 30s to 50s. This clearly gets it in the right searches for its purpose.
The requirements for the profile's match are never filled in except the height, which is set at the maximum range. I suspect this is because the bots only fill in the first field.
But it gets even easier when you actually pattern match on the written profile. As I pointed out, they're typically just one paragraph. Given that, one could find duplicate sentences and create candidate filters based on that alone. But the real kicker comes in that all of these fake accounts have the same sentence embedded, which is a call to email. The email is split up to apparently avoid a pattern match that doesn't exist (if it did, Match would be using it on the known patterns). In all cases, the emails look like "username g mail com" or some broken variant thereof. A simple regular expression match of the known patterns would have 100% of the fake accounts identified as they are created. Here's an actual example:
Unfortunately I am unable to read messages on this site so you can emal me at nnak06 a gmal and send me a wink so I know who I'm taking to.
So let's presume for sake of argument that Match decided to get serious and implemented a solution based on my above observations. As a developer, I can tell you that I could code this up in a weekend. That's not hyperbole. And that's not an idle note - Match? I'll come into your San Francisco offices any weekend you like and do it. Free. So let's imagine that Match did this and the fake account folk got wise. That means they'd have to have humans mixing it up, which is more work than they want to do. But let's further presume that they did. What then? Simple - Any account that doesn't fill out all the fields, or at least go through the clicks to choose a "decline to answer" with appropriate human-necessary interaction (use the ReCaptcha x/y algorithm, guys) can't send winks or likes until they do. They can do everything else. They can even receive interactions, so in the rare case that they're a real person, that creates more incentive to finish their profile or even pay for a subscription. One other clear solution would be to throttle notifications. Many times a member will receive an email telling them that they got a wink or a like, only to find, when clicking through, that the profile no longer exists. Match did, indeed, remove it after the abuse happened. But why wait until after? (I answer this, below). When the account sends a lot of winks and likes (and thus gets reported in a spike of activity), it is removed. So why not just throttle those notifications for a small period of time and trigger a warning when an account goes over a threshold. Watching the activity would clearly identify an automated system as opposed to a human looking at profiles and liking lots of them. If this pattern is seen, the account is suspended and flagged for further scrutiny.
The Smoking Gun: Top Spot
Another metric is sheer site activity. Match has a feature called "top spot" that artificially places a profile in the top search results. You pay for this, of course. I was curious when I was using Match last year, so I paid for a couple tries at it to see how it worked. Sure enough, the views on my profile went way up and, with that, so did the activity from fake accounts. One benefit of "top spot" is that it shows you who has viewed your profile in an interesting real-time timeline. The difference here is that whereas you usually see who has viewed you in a grid of accounts, in the case of "top spot," you see the timeline which includes duplicate views. So if someone clicks to view you and then does it again 30 seconds later, you see them twice. Sure enough, fake accounts come up ten, twenty or even thirty times in a few-minute span. Clearly it's automated, scraping the search results multiple times per second. When you pay for the top spot, you artificially show up at the top and these automated scripts pick you up each time. If I, as a customer, can see this, Match's code could see it even better. There is simply no way that Match cannot see, based on usage metrics, when automated scripts are being used. It's just not possible that they don't know that this goes on and could prevent it if they chose.
Yes, I wrote Match about this. I even went as far as to state, specifically, that I would like my mail sent to senior management and not handled by a customer service representative. Of course that was ignored and I got a canned response, including (apparently to pacify me?) an offer of free subscription time. As you can see, my concern was not addressed at all, but the hand-waving is pretty good:
I appreciate the time you've taken to contact Match about your general concerns with the site. Please be assured, Match.com does not send members misleading notifications, e-mails or winks professing romantic interest. We have too much respect for our members to ever compromise their trust. I can assure you that we are absolutely interested in pursuing any situation involving those who attempt to use our site in dishonest ways. We have a dedicated team that works diligently to identify and remove these kinds of members. Unfortunately, though, some of them still manage to get a few emails out, which is why we appreciate it so much when you take the time to let us know about the situations you see that we may not have caught. In the future, you're welcome to streamline your reports by using the "Report a Concern" link on the member's profile. This will send your report directly to our security team that can open a case immediately and take the right action. Unfortunately, privacy policies stop us from being able to share with you what actions we take, but this really is the fastest way to ensure that the situation is addressed appropriately. Thank you so much for what you are doing to help us in this area. For more information, feel free to review our Online Dating Safety Tips.
I didn't expect otherwise, frankly. For all the protestations to the contrary, Match doesn't really seem to care or listen to their paying customers.
So why, if this problem is so easy to solve, does it persist? The reason is likely clear - metrics and activity and, ultimately, paying subscribers. These fake accounts still increase the number of members. From a sheer numbers game, Match can say, "Hey, we remove them when we can, so don't worry about it." Indeed, I've gotten this response from them when I've brought it up. The point remains that these fake accounts artificially increase the membership numbers. But the real heft comes when you realize that these fake accounts are sending winks and likes and even emails. Why is this important if they're clearly fake? Because if you don't pay for Match, the notification you get tells you that "She is interested!" and asks you to subscribe (read: pay) to see who she is. You plunk down your $60 for three months of subscription and find that the love of your life is a fake. You complain. Match sends a canned response saying that they're removing fake accounts as they find them, and hey, check out these other profiles. But the bottom line is that you paid. They have your money and you're now a customer.
The fake accounts generate revenue for Match. It's that simple. They have no incentive to remove them, and thus, they never will.
I’m going to start off with a story, which, I promise, is relevant. I am a proponent of marriage equality. I can be flippant about it and note that I feel that everyone should get to experience the pain of marriage, but that’s not fair to my wife, who is one of the greatest people I know. I actually have my reasons for being in favor, which I will get to shortly. But first the story.
A few years ago an organization that goes by the name of The National Organization for Marriage launched a campaign against marriage equality that they called “Two Million for Marriage.” Their goal was to get two million people to march in Washington and declare their support for marriage being reserved as a one-man-one-woman institution. They branded this campaign, “2M4M.”
The problem was, of course, that they failed to get the obvious domain name for this campaign, 2m4m.org. Being in the domain name business, it was the first thing I checked, and I got it first, before they realized their error. The next move was obvious: I created, in about 48 hours, a fully formed campaign web site for my own campaign, 2M4M: Two Men For Marriage. Yeah, that was me.
It was a spoof site, to be sure, but also made the point for marriage equality. I was pretty proud of the site and was thrilled when it went viral. Did it change anyone’s mind? Of course not. But it was just one milestone in a larger movement, and I’m glad I got to play my part.
Which brings me to the issue of women in computing and the current situation around this issue. Just as my close personal friend Ferris once said about Europeans, why should I care about this issue? I’m not a woman.
The reason I care is the same reason I care about marriage equality, even though I’ll never really need the rights that the equality movement is securing: I’m selfish.
There is No Such Thing as a Selfless Act
Researchers Lara Aknin, Elizabeth Dunn and Michael Norton concluded, "Happiness runs in a circular motion". In their research, they found that by spending a financial windfall on someone else, participants in their study felt happier, and when they felt happier, they were more inclined to spend money on others. This applies to all aspects of life, be it giving money or giving help. Ultimately, people “do the right thing” because it makes them feel good to be doing the right thing. This is subjective, of course – not everyone agrees on what the “right thing” is. Like Potter Stewart, you know it when you see it.
In the same way that being generous can be seen as selfish because it makes the giver feel good, doing the right thing, socially, can be seen as selfish because it can also promote the needs and desires of the person helping. The fact that “doing the right thing” makes one feel good is simply a bonus, if you will. In this way, I (and others) would argue that selfishness is a good thing.
This, in and of itself, might be enough. But wait, there’s more.
So What Are the Selfish Goals Here?
Call me naïve and perhaps call me simplistic, but, at least for me, it all boils down to one, simple truth: everyone deserves to be able to play by the same rules. We can debate what those rules are, and we can even tweak them now and again to make things better, but once we decide to play, everyone should be playing the same game. I realize there are a myriad of other issues, and I’m not dismissing any of them. But without the acknowledgement that there should be a fundamental base of fairness, we’re building on a very shaky foundation.
It’s All About Me
So how does being selfish play into the issues of social fairness? Simple: taken as a whole, it applies to me as well. There are areas in which I could make an argument that the issue affects me, personally - aspects of life where those entrenched in power are actively working to maintain that position and prevent participation. Some are trivial. Some are very serious. To be fair, most don’t rise to the level of the issue at hand, and I am genuinely grateful for the luck I’ve had in life. But some do apply to me, and even those few are enough to demonstrate the point.
The position, then, is that if I want any credibility when I call out things that I find unjust to me, personally, I’d best be prepared to call out those things that are just as unjust, even if they don’t apply to me directly. If I’m going to be selfish, I’m going to be consistent about it.
Is That It?
No, of course not. As I said, there are reasons for days why the issue is as important as it is complex. My engagement barely scratches the surface. But in the realm of selfishness, I could make the argument that a diverse workplace is a good one for me, and that it’s to my direct benefit to live in a world where this problem doesn’t exist. I, and my company benefit from all viewpoints and skill sets. I want to hire lots of talent and not have to worry about silly things that, at least to me, should not matter. I’m selfish in that I want my life to be easier in this respect. I’d like to work with people based on their skills and talents. Plus, let’s be honest, I can be a pretty myopic guy sometimes. One thing I’ve learned is to always run my stupid ideas past my wife, who gives me viewpoints and insights I simply never would consider on my own. It’s naïve to think that the fact that she’s a woman doesn’t play into this. She has angles that I, as a man, would never have (and the opposite is also true). It’s an advantage to me to have this resource. I’ll take that advantage any day of the week.
The Electric Third Rail
I debated for a while before writing this. Is this position just too simplistic? Is anyone going to think I’m trivializing the issue by trying to boil it down? Worse, am I setting myself up for someone to say, “So, Chris, you only care about the rights of others because if you don’t, you don’t get yours?” While none of those are true (indeed, my point is somewhat the opposite of the last possible response), they’re valid presumptions. So I dance around the electric third rail, but I felt that my position was worthy of calling out. If this is somehow misinterpreted, the fault is mine for not being as clear as I could be.
Unfortunately, I have no great ideas on how to solve the current problem, but I’m thinking about it. I’m listening and learning. And if I have ideas, I’m throwing them out there. Often, they get laughed-at, but I’ll keep it up and see if maybe I get lucky at some point. It happens now and again, like finding the missed domain name registration that lets me strike a point in favor of doing the right thing. Seriously, that felt really good. At the end of the day, it’s a basic way of saying, “this should be obvious, now let’s work on the problem.”
Because if it’s not right for you, then it’s not right for me. And I’d like it right for me.
By now you're aware that there's yet another security bug, this time in "bash," a "shell" used on many servers. For the non-geeks, the gist of the issue is that a very common and absolutely necessary part of the operating system could, in some reasonable circumstances, allow a malicious user to run any code they want on a server to which they should not have access. This is, of course, a bad thing. The bug, now identified, has been fixed and system operators are rushing to patch their systems with newer versions that don't exhibit the flaw.
It's been over 25 years, so I think I can come clean. I knew of such a bug when I was in college that gave me 100% read access to any file on any system. I couldn't modify them, and this bug didn't let me execute arbitrary code, but if I noticed that you had a file in your home directory called "ChrisIsADoodyHead.txt," I could read it. Even if it was in a closed-off directory and locked down, itself. While I never had a need to, I could have looked at all of your code for the computer science class we shared and cheat on my homework. And I mean every file on the file system.
I could read all of your email.
After about a year, the bug was discovered, and I was actually beta testing a version of UNIX (SCO - remember SCO?) that had it and I reported it. It took about another year to move through production and be deployed. Remember, these were the days before automatic patching. Most installs were done from a stack of floppy disks and new versions came out yearly. Maybe quarterly, at best.
The point I'm making is twofold. First, these bugs are everywhere and will always be around. Don't be shocked when they're reported. They happen, they get fixed, and the next one comes along. You're going to get burned by them. And yes, evil douchebags are going to exploit them to, say, illegally download nude pictures of celebrities. There's no victim-blaming when I say that you should acknowledge this reality and do what you can to protect yourself.
And my second point, which is the takeaway here, and the reason I've "come clean" after 25 years to make the point: These bugs are in the wild and known right now. Please stop and think about that. Someone, somewhere, is almost surely reading or copying your stuff if it's online. These bugs don't live in obscurity until someone discovers them and immediately fixes them. Someone finds them and uses them for years until someone else discovers them in a more public way. Remember the speculation and then confirmation that the NSA was exploiting a bug for years before it was ever discovered in public? You don't need to take my word for this.
And please don't shoot the messenger.
Full disclosure: I never shared this bug with anyone else in college as far as I remember. I never found anything illegal, and only once found something that, if disclosed, could have caused problems (someone was cheating something seriously in a number of classes). I never said anything. I honestly can't remember ever seeing anything on anyone that was even remotely bad. Email, back then, also was only something shared among geeks, for the most part. There was pretty-much no private social online usage. I mostly poked around administrative stuff. This being a time before digital photography, I never even saw any nude selfies :-) Some people may not believe this disclosure, and I'm okay with that.
I think the higher-ups at Facebook are just now realizing that they're facing their first real crisis. Diaspora likely gave them about a half-day of indigestion and then some good laughs. But Ello is the real deal when it comes to a threat.
That said, I predict it will not succeed as a Facebook replacement. Indeed, their founder insists that it's not intended to be such. Is that hipsterism? Probably. But he's probably also right. While they're getting 30k+ signups per hour, people are going to react like they did to Google+ - that is, they'll sign up, play a little, find that it has nothing that Facebook doesn't already have, and usage will drop off. Ello has significantly fewer features that people want. If Google+ didn't get traction, Ello won't, either.
Yes, people want to migrate from Facebook because of their policies, but this threat is likely going to be the catalyst that forces Facebook to back down on the real name issue.
For this reason, I think Facebook will weather this storm.
Now... want to know the issue that Ello could press that just might win it for them? Your feed. You don't want "top stories," you want everything, in order, without someone telling you what they think is relevant. You want to see it all and make that decision for yourself. That's Ello's concept of Friends/Noise and it makes sense. It's the one thing that Facebook won't back down about, and Ello could press this point.
Then again, Google+ didn't win that argument with "Circles." So maybe that won't work after all. But I think Circles were before the relevance issue came to a head.
Time will tell. But at least I'm on record so I can say I called it ;)
As will happen once or twice a year, we have a new social site that many are prematurely calling the death of Facebook. And as happens even more rarely, it appears to be getting traction towards overcoming the network effect. For those unaware, the "network effect," simply put, states that nobody will use a thing until enough people are using a thing. To overcome this seemingly catch-22 circumstance, you need a degree of interest and virality in a short period of time. It doesn't matter how good something is, if it relies on a critical mass of users, you'll have most people standing around waiting to see if anyone else jumps first, and nobody jumps.
In the case of a very few sites, if you get enough people to jump at the same time, you overcome the initial barrier. Chemistry geeks can consider this the activation energy threshold. Physics geeks can consider this the coefficient of static friction.
LiveJournal did it. Heck, Facebook did it to MySpace.
And yes, there are "tricks" to help. Artificial scarcity, for example - you need an invite to join, and you can ask for one, but you'll have to wait. Never mind that once you're in, you get 10 invites. The laws of simple math will make it clear that getting an invite from a friend should be no problem at all if you're even remotely connected. And this makes total sense to the site's owners, as it biases new signups to people who are connected. Using an invite code also gives you an initial social graph connection (to the person who invited you), thus bootstrapping the graph of the site.
In short, Ello is doing everything right.
And it may or may not matter, because once you overcome the network effect barrier, you still need to keep the users. Just ask Google+. That said, Wil Wheaton is already there. Consider that the low-threshold gating function: his presence doesn't make the site, but his absence would be a statement.
So, for right now, Ello is clean, crisp, simple, and pretty-much no better than a somewhat expanded Twitter feed. Friends/Noise has an appeal, but it's pretty basic. Many people want basic, but many more have come to rely on features that Facebook provides. Ello needs to find a way to provide these features, but in a non-cluttering way.
And, of course, the policy - transparency. You own your content. There's no curation and filtering happening. And, in an interesting (and dare I say refreshing) twist, everything is public. Anyone can follow anyone else, and all of your posts are public. It's wide open, and intended to be so from the start.
Some people have a problem with that. This morning, a friend of mine had a post on Ello, "Dear @person, please unfollow me, I only want friends here." Now perhaps @person will comply, but @person is under no mandate to do so. There's nothing my friend can do. Again, there are no private posts on your feed.
The open question now is what Ello does with the current rush of early adopters. Will they roll out features that everyone wants and loves and maintain the elegant simplicity? Will they stick to their philosophical guns and will the fickle crowd agree? Will there be an initial rush, only to have the novelty wear off like Google+? Only time will tell. I'm keen to wait, watch, and see.
So I'm @dogberry over on Ello. Feel free to follow me.