Exclusive: Meta Said Damaging Internal Email is ‘Fake’, URL 'Not in Use', Here's Evidence They're Wrong

Exclusive: Meta Said Damaging Internal Email is ‘Fake’, URL 'Not in Use', Here's Evidence They're Wrong

A point-by-point response to Meta’s statement questioning The Wire’s story on the ease with which the BJP IT Cell head is able to get Instagram to delete posts he reports.

New Delhi: In the days following The Wire’s publication of its investigation into privileges accorded to BJP IT cell head Amit Malviya under Meta’s XCheck programme, Meta – the company which owns and runs Facebook and Instagram – has gone all out to claim our reports were based on documentation it believes is fabricated. Meta policy communications director Andy Stone and chief information security officer Guy Rosen first made this claim on Twitter. Then, on October 12, Meta also released a similar statement on its official website. Here, we respond to the statements made by Meta and its officials, and also answer other questions that have been raised about our reporting – particularly the claim, first advanced by Rosen, that The Wire may have been ‘fooled’ or have fallen prey to an elaborate hoax. We stand by our stories entirely, and here’s why.

Stone’s fb.com email address is indeed in use One of the points Rosen made in his Twitter thread was that the email ID belonging to Andy Stone in the image shared by The Wire “isn’t even Stone’s current address”. Since The Wire had redacted the first part of the email, Rosen was likely referring to ‘@fb.com’ – and his point was that email IDs have now migrated to ‘@meta.com’. Rosen chose his words carefully – seeking to cast doubt on the veracity of the email but stopping short of categorically saying Stone’s fb.com email address does not exist or is not in use anymore. The Wire had reached out to Stone on his @fb.com email address before our article was published, and the email did not bounce. Sam Biddle, a technology reporter with The Intercept, also tweeted on October 12 that he had received an email from Stone’s @fb.com address on August 31, 2022. Several others have pointed to other @fb.com accounts that are still active, including press@fb.com. One of our reporting team members also sent a test email to Stone at his @fb.com email address using an email client called Superhuman – which sends ‘read statuses’ to the sender every time an email is opened – at 12:28 pm IST on October 11. This email was sent to Stone before The Wire published his leaked internal email conversation. On October 12 at 7:54 pm IST, The Wire’s staff received a notification from Superhuman confirming that the email had been opened. The Wire’s sources at Meta told us that both email addresses were active at the time because the migration process in the company is still underway. Emails sent to both IDs land in the same inbox, and the individual can choose which ID to send an email from. One of the sources surmised that Stone, in particular, now uses his @meta.com email ID for external communications and his @fb.com for internal communications. The source assumed that this may be to keep track of potential leaks and to determine whether they occurred from within or outside the organisation. Another potential reason suggested by the source is that certain people in the internal team – including Meta’s India public policy head Rajiv Aggarwal – still use an @fb.com email address, and emailing them from an @meta.com address would mark the correspondence as ‘external’. Aggarwal had replied to Stone’s email and his reply was also visible in the leaked email screenshot The Wire had published. On October 12, The Wire emailed Aggarwal on his @fb.com email. Not only did the email not bounce but the read status from Superhuman indicated that the email had been opened at 10:54 am IST and then again at 11:16 am IST. As it happens, Meta’s official statement – released at 11:02 pm IST on October 12 – does not include the claim Rosen had made, that Stone’s @fb.com email wasn’t his “current address”. One of the other criticisms raised on social media about the leaked email is that the ‘like’ button isn’t aligned. While Meta hasn’t made this claim itself, Stone has retweeted this allegation. Both The Wire’s team members and others on social media have demonstrated how the like button on certain Outlook inboxes is indeed aligned in this way – something that would have taken only a few minutes to confirm for anyone interested in knowing whether this is true.

The leaked email’s headers have been technically verified For all sensitive emails, The Wire’s team uses a Python-based open source tool called dkimpy to verify the email’s authenticity and integrity using its DKIM signature. This tool determines whether an email has come from a sender using a specific domain and whether the body and/or attachments have been tampered with in any way. DKIM stands for ‘DomainKeys Identified Mail’. It is an email authentication protocol that adds a digital signature to all outgoing emails, which lets recipients verify whether the message actually came from the domain and/or organisation that it says it’s from. This is called the DKIM signature. The domain associated with the email, like gmail.com, fb.com or meta.com – i.e. the part after the ‘@’ – is associated with a piece of data called the public key. The recipient can retrieve this public key and use it to verify the digital signature, to determine whether the signature is valid. If it isn’t valid, it’s a sign that an external actor could have fiddled with the email. There are two steps required to verify a DKIM signature. In the first step, the email’s body is hashed. Hashing is the process of converting one block of data into another block such that the output is always of the same size. That is, if you hash one email with 600 words and another email with 1,500 words, the resulting hashes will be different – but have the same size. Once you’ve hashed the email’s body, you compare it to the value in the ‘bh=’ field in the signature. ‘bh’ stands for body hash. If your hash of the body and the included hash in the ‘bh=’ field don’t match, the email’s integrity should be in doubt. Specifically, the email’s contents were modified after the digital signature was created and added to the email. In the next step, domain and selector fields in the signature, ‘d=’ and ‘s=’ are used to determine the domain’s public key, using online tools like MxToolbox. You can use this public key, the value in the ‘b=’ field and the hashed version of the message header to verify the signature using a signature verification algorithm. When a source at Meta provided The Wire with the .eml version (the file format of a downloaded email) of the internal email bearing Stone’s name, our technical team used dkimpy to ascertain whether the email was real – and it was. The Wire understands that the full message header can be used to identify the source that received the email. Meta could potentially ask all recipients of Stone’s email for their headers and use that to match it against the header The Wire received. However, we also know that this evidence is important to show publicly, given Meta’s vehement denials. So – in discussion with our source and with their informed consent – we are releasing a video of the step-by-step process used to authenticate the email, with suitable redactions. We were able to conclude that Stone’s email did indeed arise from an fb.com domain and that the integrity of the email that The Wire reproduced is intact. Both the header – which includes the date, the sender’s email and the receiver’s email – and the email body weren’t modified after they were sent. This process confirms that the email was sent from the @fb.com address Andy Stone uses and that the contents of his email are the same as what we showed in the screenshot. The Wire also demonstrated its verification process to two independent domain experts on a video call. The screenshot of the redacted emails from these experts, one of whom is principal technical evangelist at Microsoft and the other an independent security researcher, confirming the validity of our process and findings are reproduced below.

URL on the Instagram report is indeed in use Another claim made in Rosen’s Twitter thread – and repeated in Meta’s statement – is that the URL where the Instagram post-incident report was accessed “is not in use”. Since parts of the URL were redacted in The Wire’s report, Meta likely meant ‘instagram.workplace.com’ is not in use. The company has not, however, made the claim that the URL does not exist. The Wire’s sources at Meta have said that the ‘instagram.workplace.com’ link exists as an internal subdomain and that it remains accessible to a restricted group of staff members when they log in through a specific email address and VPN. At The Wire’s request, one of the sources made and shared a recording of them navigating the portal and showing other case files uploaded there to demonstrate the existence and ongoing use of the URL. (The Wire asked the source not to open the original @cringearchivist post-incident report at the heart of the current controversy, or any other file – in case Meta was monitoring activity on the subdomain.) As is clear in the video, the URL that Meta has officially claimed “is not in use” is very much in use. New reports had been added on the day of the video’s recording. The video also showed the source navigating through the secure ‘instagram.workplace.com’ workspace and opening the notes section. The Wire asked the source to run a timer while they were screen-recording to show that it was happening in real-time. Our team also ascertained that the video hadn’t been tampered with, using the video’s metadata (they have been removed from the file we have made public). Additionally, the cursor maintained consistency throughout the video’s duration, with no abrupt breaks. All these checks together indicate with high probability that the video was not modified between the sender (the source) and the recipient (The Wire). The source told The Wire that Meta’s automated systems use the ‘instagram.workplace.com’ subdomain to store post-incident reports involving VIPs (both their own posts and posts they report). Since they are of automated origin, the reports aren’t linked to any individual. The reports are stored at this subdomain, the source said, in case law enforcement agencies need to access them. The Wire couldn’t independently verify this claim. Based on queries and comments from former Facebook employees about the @cringeactivist report, The Wire asked the source why this subdomain looked different from the main workplace instance. Incident reports, the former employees had said, would be on the SEV manager tool, and law enforcement requests too are handled through the Single Review Tool and regular task tools. Our source responded to this by saying there’s a reason why only a limited set of people – holding specific positions – are able to access this instance, while everyone else is simply redirected to workplace.com. The reports involving VIPs that are stored here, according to the source, are shared with law enforcement agencies in ways that may not meet Meta’s guidelines. “...incident reports where a user like XCheck is involved are taken from SEV Manager and uploaded here. The documents mostly remain private and are shared when an agency asks for them,” the source said. “Privacy controls [on the existing workplace instance] are insufficient because external parties and law-making agencies often receive information from this instance. There is a risk that agencies will be IDed if and when they are added to the central instance,” the source continued. When asked why Meta has left this instance there, despite the controversy over the past week and Meta’s vehement denial, the source said “the files [cannot] disappear from this instance overnight” as they are required to meet demands by law enforcement in the countries relevant to the reported posts. Since October 10, Meta has gone from saying the Instagram post-incident report The Wire published “appears to be fabricated” to “we believe this document is fabricated”. Not only does this fall short of a categorical assertion – that it is fabricated – but Meta is also yet to release any original incident reports on this case, for anyone else to independently verify the company’s drifting claims.

Another claim in Meta’s statement is that The Wire misrepresented the XCheck (or cross-check) programme. According to Meta, XCheck has nothing to do with the ability to report posts and it only adds additional levels of verification when a privileged user’s post is reported. To quote: “The system is designed to ensure that enforcement decisions related to content posted by cross-check accounts are made accurately and with additional levels of human review. We don’t exempt anyone from our Community Standards and remove content that violates them if we see it.” This brings us back to the original question that The Wire’s reporting raised: why was @cringearchivist’s post lampooning a prominent BJP leader removed citing a ‘nudity and sexual content’ guideline when the post had neither nudity nor sexual content? And why, after all this conversation, has Instagram not revoked its decision to take the post down? That is, does Meta’s stance about content moderation being “accurate and with additional levels of review” apply only to XCheck users? Meta’s statement also said, “We did not identify a user report regarding the @cringearchivist content in September as reported.” This would suggest that they are blaming the entire takedown on an automated system – even as they have yet to review the decision even three weeks since the post went down. The Wire’s understanding of XCheck is based both on the Wall Street Journal’s coverage and other public documents from Meta’s Oversight Board. The board is a mechanism which people at large can use to challenge takedown decisions on Facebook and Instagram. The Instagram post-incident report, which The Wire published on October 10, suggested that XCheck privileges extend far beyond what Meta has admitted in public. By way of explaining XCheck, Meta’s response to The Wire’s articles linked to a public article on its website. The company claimed that it has not denied this programme – and that in fact it has publicly explained what it is. However, this narrative conveniently ignores another public article from Meta’s Oversight Board, dated September 2021. Here, the board alleged that Facebook was “not fully forthcoming” with it on XCheck. To quote: “In the Board's view, the team within Facebook tasked with providing information has not been fully forthcoming on cross-check. On some occasions, Facebook failed to provide relevant information to the Board, while in other instances, the information it did provide was incomplete.” Even within Meta, then, there is a sentiment that the company hasn’t been completely honest in public about what XCheck is and does. In December 2021, the Oversight Board invited public comments on the cross-check programme. “The public comment window for this policy advisory opinion request on cross-check is open until 15:00 GMT, Friday, 14 January 2022,” the notification said. Since then, there have been no updates about this on the Board’s website. Despite internal admission that changes are required, it is unclear what action has been taken.

Timeline of Meta contact with The Wire corroborates email Before we received a copy of Stone’s internal email from our source, The Wire had already heard from another Meta staffer – a communications team member from India named Rishabh Khandelwal. From 8:48 pm IST on October 10 – the date on which the story with the Instagram takedown report was published – The Wire’s Jahnavi Sen received three (missed) calls and then WhatsApp messages from Khandelwal. Once they got on a call, Khandelwal stated the points that Stone would go on to tweet later that day, but also that everything he was saying about the story was “off the record”. He ended by saying Sen would soon receive an official statement from Meta. At the time of this call, The Wire wasn’t yet aware of Stone’s email – nor did any of our sources within Meta know that Khandelwal had got in touch with Sen. The timelines, however, line up: Khandelwal’s call to Sen came about 40 minutes after Stone’s original email and about 30 minutes after Aggarwal said he was assigning someone from Meta’s India comms team to talk to the reporter. Khandelwal’s decision to make this call close to 9 pm – our article had been online since 10:40 am IST that day – suggests he received instructions from his higher-ups to do so right after Stone’s email. He ended the call after being asked questions about Meta’s response to the document embedded in the report. Fewer than 10 hours later, Meta’s first public response to the story – in the form of Stone’s tweets – appeared. This is in line with the statement in the leaked email from Stone that he would tweet only after the India team had spoken to The Wire’s reporter. Five more hours later, Khandelwal emailed Sen a company statement from his official email ID.

Stone, in his email, had also asked his internal team why the reporter and the founding editor of The Wire were not on Meta’s watchlist. The Wire has not been able to establish the exact meaning and nature of this watchlist. However, in the copy of Stone’s email that The Wire has received, the email addresses of Jahnavi Sen and Siddharth Varadarajan were hyperlinked to their names, perhaps so that any communication from the two with Meta team members would be flagged to Stone. Meta denied the existence of such a list in its statement. However, TechCrunch reported on October 12: “Facebook, like many other companies, does maintain dossiers on journalists.” Manish Singh, a reporter who covers India for TechCrunch, said he knows of the dossier because he had accidentally received one such link five years ago. Singh told Newslaundry that while he “no longer has a copy”, he “recalled that it [the dossier] had 27-30 pages and each page had a journalist’s name, details of the kind of stories they did, and how Facebook could reach out to them in ways that served Facebook’s communication goals better”. The Wire was not able to independently verify this claim.

The Wire knows and trusts its sources When The Wire began investigating the bizarre takedown of @cringearchivist’s posts and Meta didn’t respond to requests for comment, we reached out to multiple sources within Meta whom we thought might be able to help us understand what was happening. One of them, with whom we have had a longstanding association, sent us the Instagram post-incident report on the takedown – without knowing who Amit Malviya was or why his name on the report may be significant. Once we received it, we ascertained its legitimacy with other well-placed sources within Meta. The sources who confirmed the document did not know the original source. After Stone reacted to our story on Malviya’s XCheck privileges on Twitter by claiming that the document we quoted “appears to be fabricated”, we reached out to a source whom we trust and know to be a highly-placed Meta employee. This individual – whose identity and position we know and whom some of us have met in person as well – is the one who shared with us Stone’s email expressing consternation at the leak of the Instagram document The Wire had published. The source also shared the email message file, including the header source, email metadata and the full message with The Wire. So who is this source? Ordinarily, a media organisation like The Wire – with a track record of winning multiple awards nationally and internationally for its reporting – would have no obligation to provide an explanation about its sources. But given the extraordinary claims being made by Meta, and their amplification elsewhere, we and our source thought it prudent to provide our readers with the relevant backstory. Earlier this year, The Wire received an email from someone claiming to have access to internal Meta documents that added new information and meaning to one of our older investigative projects. The documents seemed, at first glance, to be too good to be true. But we were able to cross-verify with further efforts that they were genuine. To allay any residual misgivings, however, the source also agreed to meet an employee of The Wire and share physical and electronic documents, including their company ID, pay slips and a few internal emails, helping us to verify their identity on the spot and subsequently through alternative means. The Wire also shared its whistleblower protection policy with the source, signed by our editor at the source’s request – at which point they agreed to help us with future investigations. This source believes that some of Meta’s actions, and the way it has covered up its errors, need to be brought to light. For that reason, under the promised protection of The Wire’s whistleblower policy, they have agreed to release information that they believe should be in the public domain. All our sources have placed immense trust in us. We will continue to do everything in our power to protect their identities, while also bringing out investigations that hold companies like Meta to account.

On October 13, the day after Meta’s statement formally denying The Wire’s two stories, @cringearchivist reached out to The Wire to say that one of their deleted posts – which made fun of a Hindutva supporter comparing himself to Goebbels – had now been restored. They received no notification or explanation, and the previous notification stating that their story had been taken down had vanished. But six posts by @cringearchivist still remain down and inaccessible, including the one of the senior BJP leader that The Wire had flagged – even as it seems increasingly likely that either manual reviewers (or automated systems, as Rosen claims) erred in applying Meta’s guidelines. Instagram has failed to restore these posts even after several complaints by the account and The Wire’s reports. Despite its many public statements over the past few days, we still await transparent updates from Meta about why it pulled down @cringearchivist’s posts.

Images Powered by Shutterstock