I had a chance recently to talk with reporters from the Associated Press and the Hill about the recent Anthem data breach and what that means for online security and privacy for healthcare and what people need to know about it.
It is a rare thing to have my background in online security and dealing with “hackers” and my work in PR and communications come together outside of online security and privacy incidents.
But the “Are Internet Explorer (IE) users dumb” story that broke late last week really brings those two worlds together in very interesting and enlightening ways.
To recap, late last week we saw a spike in stories claiming that a Canadian company had done research that they believed showed a correlation between IE usage and lower IQ scores. They wrote about it on their blog and managed to get broad, mainstream press pickup pretty quickly. This CNN story is a good example of the coverage we saw.
I’m not surprised at how broadly the story went. It had a nice mixture of scientific authority and average-reader comprehensibility, and it tapped into a pervasive, latent anti-Microsoft sentiment (I should know about that; I dealt with it when working there).
We have found out now that the “study” that formed the lynchpin of this whole story was bogus. How do we know this? Well, the people that made the fake helpfully came clean and admitted it on their site. To add insult to injury to all those reporters who now have to explain why front page and “most viewed” stories on the CNN and BBC sites (among others) were bogus, the folks behind the fake “helpfully” detail eight reasons why people should have known this was a hoax.
This is hardly the first time people have gotten hoaxes into the news pipeline. But this is one of the more audacious examples I’ve seen. It’s also one of the more egregious failures on the part of the press to detect fraud. And the authors of this “study” listing five reasons we should have known it was fake really begs the question of how something as fake as this could get out there so widely.
First, it looks to me like a variation of what an online security expert, Rob Rosenberger, termed “False Authority Syndrome” back in 1997. That is when someone gives an “expert” a degree of authority that they shouldn’t be entitled to. In the case of this issue, the people creating the fake made it plausible enough to seem like they had the authority that they claimed. They borrowed text from legitimate websites, and gave the site enough depth to look like it had been up for a while when looking at it (you could only figure out it was new if you dug into the internet registration records).
Next, the challenges around time pressures in the press arena really come into play. Reporters often don’t have the time to contact other known, credible sources when they’re dealing with an unknown “expert”. In the case of this story, the time element was exacerbated by the natural sensationalism of the piece, the clear simplicity of the message and the catchiness of the narrative. Any reporter and editor worth his or her salt could see this is a story that would have a lot of immediate pick up. And in the age of “viral” sharing, if you don’t get your story out first, your competition will. That makes it even harder to take time to get it right and do deep and thorough checking. In an era of easy updating with corrections, it’s often OK to just go with what you’ve got now to land the eyeballs, and worry about tidying any errors later.
Another piece of this, which the authors may or may not be aware of, is that they posted later in the week when we start to see major news cycles wrapping up in a way that opens up space for late-in-the-week new stories. That the news in the US had been inundated with debt ceiling stories all week also created a pent-up demand for something, anything different. And with the heavy diet of debt ceiling stories that week, a lighter, snarky story like this is a welcome counterbalance for readers.
A final piece of why this happened is perhaps one of the most maddening of all. It happened just ‘cos. I say you can only assess part of the factors that make a story interesting. There’s always a host of unknown and unknowable factors that come together to set in motion a huge story (or fail to and the story disappears without a trace). Everything from the time of day the posting RSS hits, to what reporter is at his or her desk, to if that reporter still has a story to file for that day, all of these and more play a role. Ultimately, I lump all of these unknowns under the title “luck” and accept the reality of that, frustrating though it is.
Taking all this and putting it together: why did this fake story succeed in getting bigger and broader coverage than most legitimate stories? Because it was a well-crafted hoax that told an interesting and amusing story, successfully exploited weaknesses in the press “system” related to time pressures, and ultimately got lucky.
Any of you with a background in online security will recognize that I’ve essentially outlined a successful “hack” there. They found vulnerabilities in a system (time pressures and susceptibility to catchy stories), built a good exploit (the hoax) and got lucky.
Unfortunately, those vulnerabilities aren’t going away anytime soon. Which means we may see more of these in the future.
[Updated to reflect that there were eight reasons why the hoax should have been caught and not five as I originally posted. Because, well, I can’t count.]