After insisting for over a week that its reporting supposedly exposing how Meta allowed BJP leaders to censor content on its platforms was solid, the Wire on Tuesday pulled down the work pending a “thorough internal review of all material and documents and sources”.
The Wire reported earlier this month that Meta’s controversial XCheck programme enabled BJP’s Amit Malviya to take down content critical of his party on Instagram, which the American social media company runs along with Facebook and WhatsApp.
Meta denied that XCheck gave such privileges to any user and charged that the documents the Wire had relied on for its reporting were fabricated. Newslaundry previously explained what exactly the fight between Meta and the Wire was about and what was at stake for either party.
The Wire subsequently responded by detailing the technical processes that it followed to corroborate its reporting, including redacted emails from two cybersecurity experts.
The Wire’s explanations, however, raised more questions with experts pointing out inconsistencies and supposed fabrications. The cybersecurity experts whose emails the Wire cited as validation of its processes told Newslaundry that they weren’t involved at all.
So, what precisely were the problems with the Wire’s reporting and subsequent explanations?
Newslaundry asked four domain experts.
None of them were convinced by the Wire’s rebuttal published over the weekend. The arguments made by the Wire, they felt, were inadequate at best and fabricated at worst.
David Thiel, former Facebook security engineer who is now the chief technology officer at the Stanford Internet Observatory, said he was “95% confident that this is fabricated evidence”. And whoever fabricated it has some knowledge of how Facebook works but not enough to pull it off convincingly, he added.
Debayan Gupta, an assistant professor of computer science at Ashoka University, said, “All of the stuff such as screenshots and videos can be trivially faked. An average 16-year-old can do it in a way that it is hard to tell what is real. Anything that says ‘we are posting a screenshot’ or ‘we are posting a video of doing something’ is garbage.”
The Wire has not yet got an independent expert to verify its claims on the record and has since “suspended” the stories.
The two cybersecurity experts the Wire had claimed corroborated its vetting of the source material – the email by Meta chief spokesman Andy Stone seemingly confirming the publication’s initial reporting – have since denied doing so. “I was not the source, I did not verify the DKIM, I was not a part of the verification process,” one of the experts, Kanishk Karan, told Newslaundry.
Devesh Kumar, a Wire reporter who contributed to the Meta stories, had indeed contacted him to verify the material, Karan tweeted, but Karan declined. The email the Wire had attributed to him, he added, was fake.
The other expert, Ujjwal Kumar, lead architect at Microsoft, told Newslaundry that he “did not participate in any such thing”.
A Microsoft spokesperson later added, “Over the weekend an Indian publication erroneously attributed commentary to a colleague. They have been informed of their error and a correction has been requested.”
On October 21, Ujjwal Kumar posted a statement on LinkedIn saying that he had “not even been approached by The Wire to make any verification before publication” of their October 15 story detailing the publication's purported verification of Stone's email. He categorically denied being involved with the email verification process and said the email attributed to him by the Wire was not sent from his account.
Devesh Kumar, in fact, has emerged as a central character in this saga. He is the only Wire staffer to have met one of the two Meta sources that the news platform relied on and obtained the alleged email by Stone. His explanations for the gaps in the Wire’s reporting failed to convince experts such as Thiel and Alex Stamos, former chief security officer of Facebook who now heads the Stanford Internet Observatory. For Stamos, Kumar’s convoluted explanation of the inconsistencies was when he “knew that he was almost certainly in on it”.
“There is really no innocent explanation for this. The screenshots were clearly not screen shot,” he added.
In particular, Stamos and Thiel separately explained, Kumar explaining away the inconsistencies in the Wire’s verification of Stone’s purported email as a small mistake resulting from him putting in the wrong year in the privacy focussed Tails OS made no sense. The system just could not have worked the way Kumar explained, they said.
In addition, the screenshot of the alleged email from Ujjwal Kumar of Microsoft corroborating the Wire’s verification of Stone’s purported mail was forwarded from one U Kumar to D Kumar – a red flag since forwarded emails can be easily tampered with.
The redacted video published by the Wire showing them purportedly authenticating Stone’s email did not pass muster with any of the four experts either. Stamos had been willing to give the news website the benefit of doubt, he said, but after watching the video, he concluded that whoever made it “has to be in on it”.
“It cannot be an innocent mistake,” he said.
Matthew Green, an associate professor at Johns Hopkins Information Security Institute, was less scathing in his view. “We cannot really do much with that,” he said, referring to the video. “Whoever made that video could have made a mistake, or there could be deliberate fraud and there is nothing we can do to verify anything.”
All four experts – Stamos, Thiel, Gupta, and Green – concurred that it didn’t appear that the experts cited by the Wire had actually seen the email attributed to Stone.
Not long after they had spoken with Newslaundry, Karan indeed denied having done so.
Another key piece of evidence published by the Wire was a video supposedly showing one of their sources within Meta proving the existence of instagram.workplace.com, the domain which the site claimed hosted the incident report about the Instagram post allegedly taken down at Malviya’s behest.
The video shows a user called Instagram logging into the domain which is populated by purported incident reports all created by the same user in the previous three hours. Meta disputed the veracity of this account, saying it was a spoof created using a free trial of its software three days after the Wire’s first report appeared. The implication: whoever created this account likely didn’t work at Meta.
Thiel and Stamos agreed with Meta’s assessment. As did one current and one former Meta employee familiar with the company’s internal systems who spoke anonymously to Newslaundry.
They explained that Meta only uses fb.workplace.com for internal communications. The main domain, internalfb.com, hosts all the subdomains for different activities, including those for seeking leave, generating tickets for tasks, engineering, coding, content moderation reports. The fb.workplace.com domain is Meta’s in-house equivalent of Slack while internalfb.com is a combination of multiple apps such as JIRA, GitHub and Grafana, the former Meta employee explained. The idea is to have a centralised portal for all tasks and needs.
“It just does not match with how Facebook operates,” Stamos said, referring to what the video purportedly shows.
The red flag for Stamos and the other experts was the lack of single sign-on, or SSO, which is crucial for the platform’s security, and two-factor authentication. “It’s suspicious that neither of those are there,” Stamos said. Moreover, Stamos added, fb.workplace.com requires “corporate headshot” of the employee but the Wire’s video showed the Instagram icon.
Newslaundry asked Meta if they had identified the person who created the spoof Workplace account. “Unfortunately, we would not be able to share this detail as it will go against user privacy,” a Meta spokesperson replied.
In the broader context, the Wire’s claim that XCheck enabled the users in the programme the power to remove content – and not merely give them a long rope when they post content in violation of guidelines, as was widely known – didn’t find any purchase with Thiel, who is familiar with Meta’s internal infrastructure and its content moderation process. The Wire’s description of XCheck, he maintained, simply did not sound right.
“XCheck is meant to add friction to the content takedown process, not remove it,” he explained.
Update: The report has been updated to include the statement Ujjwal Kumar posted on LinkedIn.