=> https://www.reddit.com/r/RedditSafety/comments/su8p2e/q4_safety_security_report/
created by UndrgrndCartographer on 16/02/2022 at 22:45 UTC
204 upvotes, 26 top-level comments (showing 25)
Hey y’all, welcome to February and your Q4 2021 Safety & Security Report. I’m /u/UndrgrndCartographer, Reddit’s CISO & VP of Trust, just popping my head up from my subterranean lair (kinda like Punxsutawney Phil) to celebrate the ending of winter…and the publication of our annual Transparency Report. And since the Transparency Report drills into many of the topics we typically discuss in the quarterly safety & security report, we’ll provide some highlights from the TR, and then a quick read of the quarterly numbers as well as some trends we’re seeing with regard to account security.
As you may know, we publish these annual reports[1] to provide deeper clarity around our content moderation practices and legal compliance actions. It offers a comprehensive and quantitative look at what we also discuss and share in our quarterly safety reports.
=> 1: https://www.redditinc.com/policies/transparency-report-2021-2
In this year’s report, we offer even more insight into how we handle illegal or unwelcome content as well as content manipulation (such as spam, artificial content promotion), how we identify potentially violating content, and what we do with bad actors on the site (i.e., account sanctions). Here’s a few notable figures from the report, below:
And here’s what y’all came for -- the numbers:
┌──────────────────────────┬─────────────────────────┬─────────────────────────┐
│ **Category**             │ **Volume (July - Sept   │ **Volume (Oct - Dec     │
│                          │ 2021)**                 │ 2021)**                 │
╞══════════════════════════╪═════════════════════════╪═════════════════════════╡
│ Reports for content      │ 7,492,594               │ 7,798,126               │
│ manipulation             │                         │                         │
├──────────────────────────┼─────────────────────────┼─────────────────────────┤
│ Admin removals for       │ 33,237,992              │ 42,178,619              │
│ content manipulation     │                         │                         │
├──────────────────────────┼─────────────────────────┼─────────────────────────┤
│ Admin-imposed account    │                         │                         │
│ sanctions for content    │ 11,047,794              │ 8,890,147               │
│ manipulation             │                         │                         │
├──────────────────────────┼─────────────────────────┼─────────────────────────┤
│ Admin-imposed subreddit  │                         │                         │
│ sanctions for content    │ 54,550                  │ 17,423                  │
│ manipulation             │                         │                         │
├──────────────────────────┼─────────────────────────┼─────────────────────────┤
│ 3rd party breach         │ 85,446,982              │ 1,422,690,762           │
│ accounts processed       │                         │                         │
├──────────────────────────┼─────────────────────────┼─────────────────────────┤
│ Protective account       │ 699,415                 │ 1,406,659               │
│ security actions         │                         │                         │
├──────────────────────────┼─────────────────────────┼─────────────────────────┤
│ Reports for ban evasion  │ 21,694                  │ 20,836                  │
├──────────────────────────┼─────────────────────────┼─────────────────────────┤
│ Admin-imposed account    │                         │                         │
│ sanctions for ban        │ 97,690                  │ 111,799                 │
│ evasion                  │                         │                         │
├──────────────────────────┼─────────────────────────┼─────────────────────────┤
│ Reports for abuse        │ 2,230,314               │ 2,359,142               │
├──────────────────────────┼─────────────────────────┼─────────────────────────┤
│ Admin-imposed account    │ 162,405                 │ 182,229                 │
│ sanctions for abuse      │                         │                         │
├──────────────────────────┼─────────────────────────┼─────────────────────────┤
│ Admin-imposed subreddit  │ 3,964                   │ 3,531                   │
│ sanctions for abuse      │                         │                         │
└──────────────────────────┴─────────────────────────┴─────────────────────────┘
Now, I’m no /u/worstnerd, but there are a few things that jump out at me here that I want to dig into with you. One is this steep drop in admin-imposed subreddit sanctions for content manipulation. In Q3, we saw that number jump up, as the team was battling with some persistent spammers and was tackling the problem via a bunch of large, manual bulk bans of subs that were being used by specific spammers. In Q4, we see that number drop back down, in the aftermath of that particular battle.
My eye also goes to the number of Third Party Breach Accounts Processed -- that’s a big increase from last quarter! To be fair, that particular number moves around quite a bit - it’s more of an indicator of excitement elsewhere in the ecosystem than on Reddit. But this quarter, it’s also paired with an increase in proactive account security actions. That means we’re taking steps to reinforce the security on accounts that hijackers may be targeting. We have some tips and tools you can use to amp-up the security on your own account[2], and if you haven’t yet added two-factor authentication to your account[3] - no time like the present.
=> 2: https://www.reddit.com/r/redditsecurity/comments/bletrr/how_to_keep_your_reddit_account_safe/ | 3: https://www.reddithelp.com/hc/en-us/articles/360043470031
When it comes to account security, we keep our eyes on breaches at third parties because a lot of folks still reuse passwords from one site to the next, and so third party breaches provide a leading indicator of incoming hijacking attempts. But another indicator isn’t something that we look at per se -- it’s something that smells a bit…phishy. Yep. And I have about a 1000 phish-related puns where that came from. Unfortunately, we've been hearing/seeing/smelling an uptick in phishing emails impersonating Reddit, that are being sent to folks both with and without Reddit accounts. Below is an example of this phishing campaign, where they’re using the HTML template of our normal emails but substituting links to non-Reddit domains and the senders aren’t our redditemail.com sender.
First thing -- when in doubt or if something is even just a little bit suspish, go to reddit.com directly or open your app. Hey, you were just about to come check out some rad memes anyway. But for those who want to dissect an email at a more detailed level (am I the only one who digs through my spam folder occasionally, to see what tricks are trending?), here’s a quick guide on how to recognize a legit Reddit email
Of course, if your account has been hacked, we have a place for that too, click here if you need help with a hacked or compromised account[5].
=> 4: https://reddithelp.com | 5: https://reddit.zendesk.com/hc/en-us/articles/360045768792-I-need-help-with-a-hacked-or-compromised-account
Bringing the conversation back out of the phish tank and back to transparency, I also wanted to give you a quick update on the success of our public bug bounty program. We announced our flip from a private program to a public program[6] ten months ago, as an expansion of our efforts to partner with independent researchers who want to contribute to keeping the Reddit platform secure. In Q4, we saw 217 vulnerabilities submitted into our program, and were able to validate 26 of those submissions -- resulting in $28,550 being paid out to some awesome researchers. We’re looking forward to publishing a deeper analysis when our program hits the one year mark, and then incorporating some of those stats into our quarterly reporting to this community. Many eyes make shallow bugs - TL;DR: Transparency works!
I want to thank you all for tuning in as we wrap up the final Safety & Security report of 2021 and announce our latest transparency report. We see these reports as a way to update you about our efforts to keep Reddit safe and secure - but we also want to hear from you. Let us know in the comments what you’d be interested in hearing more (or less) about in this community during 2022.
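The two signals described in the post above (a sender outside redditemail.com, and links pointing at non-Reddit domains) can be checked mechanically. This is an added example, not part of the original post and not Reddit's own tooling; the list of link domains treated as Reddit-owned and both sample messages are assumptions constructed for illustration.

```python
import email
from email import policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlsplit

SENDER_DOMAIN = "redditemail.com"  # sender domain named in the post
# Assumption: hosts treated as Reddit-owned for links (domains seen on this page).
LINK_DOMAINS = ("reddit.com", "reddithelp.com", "redditinc.com")

class LinkCollector(HTMLParser):
    """Collect href values of <a> tags from an HTML body."""
    def __init__(self):
        super().__init__()
        self.hrefs = []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self.hrefs += [v for k, v in attrs if k == "href" and v]

def in_domain(host, domain):
    # Exact or subdomain match; a substring test would accept lookalike hosts.
    host = (host or "").lower().rstrip(".")
    return host == domain or host.endswith("." + domain)

def check_email(raw):
    """Return a list of findings; an empty list means both checks passed."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings = []
    sender_host = parseaddr(str(msg.get("From", "")))[1].rpartition("@")[2]
    if not in_domain(sender_host, SENDER_DOMAIN):
        findings.append(f"sender domain {sender_host!r} is not {SENDER_DOMAIN}")
    body = msg.get_body(preferencelist=("html",))
    collector = LinkCollector()
    collector.feed(body.get_content() if body else "")
    for href in collector.hrefs:
        host = urlsplit(href).hostname
        if not any(in_domain(host, d) for d in LINK_DOMAINS):
            findings.append(f"link to non-Reddit host {host!r}")
    return findings

# Constructed sample messages (not real campaign data).
HEAD = "To: user@example.org\nSubject: Reset\nContent-Type: text/html\n\n"
LEGIT = ("From: Reddit <noreply@redditemail.com>\n" + HEAD +
         '<a href="https://www.reddit.com/settings">Settings</a>\n')
PHISH = ("From: Reddit <noreply@reddit-mail.example>\n" + HEAD +
         '<a href="https://www.reddit.com/">Reddit</a>'
         '<a href="https://reddit.com.login.example/reset">Reset</a>\n')

if __name__ == "__main__":
    print(check_email(LEGIT), check_email(PHISH), sep="\n")
```

The From header can be forged, so a clean result here is necessary but not sufficient; the SPF, DKIM and DMARC verdicts recorded by the receiving mail server remain the stronger signal.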
=> Comment by Poro-3 at 16/02/2022 at 22:57 UTC
47 upvotes, 2 direct replies
1,422,690,762
Holy shit what the fuck
=> Comment by Halaku at 17/02/2022 at 00:55 UTC
29 upvotes, 2 direct replies
We received 292 requests from law enforcement or government agencies to remove content, a 15% increase from 2020. We complied in whole or part with 73% of these requests.
Is it okay to inquire for a further breakdown?
That sort of thing.
=> Comment by mizmoose at 16/02/2022 at 23:21 UTC
25 upvotes, 1 direct replies
Admin-imposed subreddit sanctions for content manipulation 54,550 17,423
To what do you attribute this big drop in sanctions? Pre-emptive strikes? Better monitoring? More spankings? Space aliens?
=> Comment by Emmx2039 at 16/02/2022 at 22:58 UTC
23 upvotes, 0 direct replies
1.4 billion 3rd party breach accounts processed?
what...
=> Comment by admirelurk at 16/02/2022 at 23:59 UTC
18 upvotes, 0 direct replies
We received a total of 806 routine (non-emergency) requests for user information from law enforcement and government entities, and disclosed user information in response to 60% of these requests.
This language seems to be chosen very carefully. I imagine a single request can relate to many users, especially under US surveillance law. For approximately how many users did you disclose information to authorities? Less than a thousand? A hundred thousand?
=> Comment by snakeplizzken at 17/02/2022 at 00:09 UTC
19 upvotes, 3 direct replies
Granting spam accounts the ability to block others from replying to them or their threads is the single biggest mistake I've ever seen. It's given them carte blanche to scam with no repercussions. As a result I've seen a massive uptick in repost bots farming for future use by spam accounts. I sincerely hope reddit chooses to undo this "update" before the majority of the site is taken over by spam accounts either farming or advertising.
=> Comment by ErasmusDarwin at 17/02/2022 at 00:29 UTC
13 upvotes, 1 direct replies
Issues I've noticed:
=> Comment by Sym0n at 17/02/2022 at 07:33 UTC
6 upvotes, 0 direct replies
Legal Removals
- We received 292 requests from law enforcement or government agencies to remove content, a 15% increase from 2020. We complied in whole or part with 73% of these requests.
Always makes me wonder what Gov Agencies would want removing and, more so, if they really believe that it was only available on Reddit.
Our Public Bug Bounty Program
In Q4, we saw 217 vulnerabilities submitted into our program, and were able to validate 26 of those submissions -- resulting in $28,550 being paid out to some awesome researchers.
This bugs me, excuse the pun. Why are the payments so low? On average, that would equate to less than $1,100 for each submission - in reality I doubt each was of equal severity or received equal payout.
Reddit was valued at more than $10,000,000,000 last year, those payments aren't sufficient or fair.
=> Comment by realpolitikcentrist at 17/02/2022 at 03:08 UTC
4 upvotes, 1 direct replies
Is reddit monitoring activity for state-sponsored or directed activity?
=> Comment by enc1pher at 17/02/2022 at 03:52 UTC
4 upvotes, 0 direct replies
Folks still reuse passwords from one site to the next
One of the biggest problems in infosec today
=> Comment by genmud at 17/02/2022 at 01:22 UTC
7 upvotes, 1 direct replies
Could we as the Reddit community, or even specific/trusted security researchers have a better way of flagging inorganic accounts and content?
I feel like I run across these all the time and there is no good way for me to say “hey, this is probably a fake account spreading disinformation/astroturfing because $x, $y or $z”.
=> Comment by N3DSdude at 17/02/2022 at 00:14 UTC
3 upvotes, 0 direct replies
Great insight, how long does it often take for Reddit to deal with legal requests i.e DMCA?
=> Comment by [deleted] at 17/02/2022 at 00:36 UTC
2 upvotes, 0 direct replies
Wait, what do we have to be worried about? I don't understand.
=> Comment by wiskblink at 17/03/2022 at 16:55 UTC
2 upvotes, 0 direct replies
I can't be the only one that realized that the new block feature actually makes things much worse, from both a safety and harassment perspective, as well as an open discussion perspective.
Users can now block others to prevent them from both replying and seeing their posts..
So a malicious user (which now happens much more often...) can post any amount of malicious, fake, or personal information about a user. All the bad actor has to do is block the victim, and the victim never becomes aware of it unless a third party user notifies them. This also completely stifles any open discussion or fact checking of misinformation. The VICTIM should get to decide what content they see or not, not the bad actors. The victim should also be able to respond to fake posts.
This is a HUGE step backwards in terms of safety and harassment.
=> Comment by NorthenS at 16/02/2022 at 23:40 UTC
4 upvotes, 0 direct replies
gah daym
=> Comment by [deleted] at 16/02/2022 at 22:53 UTC
2 upvotes, 1 direct replies
[deleted]
=> Comment by [deleted] at 17/02/2022 at 03:08 UTC
1 upvotes, 0 direct replies
Have any foreign governments requested critical content be removed?
=> Comment by AwesomeKitty6842 at 17/02/2022 at 00:23 UTC
1 upvotes, 0 direct replies
What do you do if a user (like me) had an account they used for a while then lost access to it and then had to make a new one? If the account password hasn't been breached or anything and the account is still up, do you just leave it alone?
=> Comment by Subduction at 17/02/2022 at 04:22 UTC
1 upvotes, 2 direct replies
Reports for abuse 2,230,314
Admin-imposed account sanctions for abuse 162,405
Am I reading this correctly that only about 7 percent of abuse reports result in sanctions?
=> Comment by barrinmw at 17/02/2022 at 16:32 UTC
1 upvotes, 0 direct replies
How about any uptick in Russian psyops? Any indication of that?
=> Comment by [deleted] at 17/02/2022 at 07:08 UTC
1 upvotes, 1 direct replies
Did you beat the leakgirl spammer[1]?
=> 1: https://www.reddit.com/r/redditsecurity/comments/pwo54j/q2_safety_security_report/
=> Comment by [deleted] at 17/02/2022 at 17:39 UTC
1 upvotes, 0 direct replies
OK WTH IS THIS UPDATE?!
=> Comment by 2h2p at 15/03/2022 at 18:37 UTC
1 upvotes, 0 direct replies
Why are conservative subreddits allowed to spread and share blatant propaganda?
=> Comment by youvenoideawhoiam at 20/03/2022 at 23:31 UTC
1 upvotes, 0 direct replies
Removed 108,626,408 pieces of content
This is why its Mods are killing Reddit for the rest of us and I’m now done. I’m fed up with being banned for no reason, I receive no explanation or warning. I don’t even get a temporary ban first. When I ask why was I banned? The mods mute me.
I’ve seen threads get locked when it didn’t go the same way as the Mods opinion. And I’ve had threads removed because they didn’t like the way I wrote the title.
What makes everything worse is the Reddit user has no way to appeal or complain about these Mods who are abusing their position and doing a bad job.
Can Reddit explain why I have spent $ hundreds on buying credit to give other users rewards for their useful posts. Only to be treated like s**t by Reddit afterwards?
I’m done. Goodbye
=> Comment by xScar12 at 31/03/2022 at 02:54 UTC
1 upvotes, 0 direct replies
Hello admin, I am facing an issue: when I post a photo or video on a subreddit, my post isn't showing in the subreddit... I got the message that your post is uploaded successfully..