It Appears the Wire Is Still Getting Duped by Fake Meta Documentation

Last week, New Delhi-based the Wire published what seemed like a blockbuster story, claiming that posts reported by high-profile users protected by Meta’s XCheck program would be removed from Meta properties with almost no oversight — in India, at least, but perhaps elsewhere. As public officials’ accounts are often covered by XCheck, this would provide an effective way for them to minimize criticism. But Meta leadership disputed the story, pointing to inaccuracies in the supposed internal documentation obtained by the Wire.

The Wire stood by its reporting. On Saturday, Devesh Kumar, Jahnavi Sen and Siddharth Varadarajan published a response with more apparent evidence. It showed that email addresses were still in use at Meta, in addition to newer addresses, but that merely indicated the company is forwarding messages; the Wire did not show any very recent emails from Meta leadership using addresses. The Wire also disputed Meta’s claim that is not an actively used domain:

The Wire’s sources at Meta have said that the ‘’ link exists as an internal subdomain and that it remains accessible to a restricted group of staff members when they log in through a specific email address and VPN. At The Wire’s request, one of the sources made and shared a recording of them navigating the portal and showing other case files uploaded there to demonstrate the existence and ongoing use of the URL.


The account was set up externally as a free trial account on Meta’s enterprise Workplace product under the name “Instagram” and using the Instagram brand as its profile picture. It is not an internal account. Based on the timing of this account’s creation on October 13, it appears to have been set up specifically in order to manufacture evidence to support the Wire’s inaccurate reporting. We have locked the account because it’s in violation of our policies and is being used to perpetuate fraud and mislead journalists.

The screen recording produced for the Wire shows the source navigating to to log in. That is a real domain registered to Meta and with Facebook-specific domain name records. Whoever is behind this apparent hoax is working hard to make it believable. It is trivial for a technically sophisticated person to recreate that login page and point the domain on their computer to a modified local version instead of Meta’s hosted copy. I do not know if that is the case here, but it is plausible.

The Wire also produced a video showing an apparent verification of the DKIM signature in the email Andy Stone ostensibly sent to the “Internal” and “Team” mailing lists.[1] However, the signature shown in the screen recording appears to have some problems. For one, the timestamp appears to be incorrect; for another, the signature is missing the “to” field which is part of an authentic DKIM signature for emails from, according to emails I have received from that domain.
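The two checks described above, a signed-header list compared against known-authentic mail and a signature timestamp compared against the message date, can be done by reading the `h=` and `t=` tags of the DKIM-Signature header. The following is an added example, not code from this post or from the Wire's verification; the message, domain and hash values are constructed placeholders, the `reference_h` parameter is a hypothetical stand-in for the header list seen on authentic mail, and no cryptographic verification is performed.

```python
import email
from email.utils import parsedate_to_datetime

# Constructed sample: domain, selector, addresses and hash values are placeholders.
SAMPLE = """\
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=example.com; s=sel1;
 t=1665000000; h=from:subject:date:message-id;
 bh=PLACEHOLDER=; b=PLACEHOLDER=
From: Sender <sender@example.com>
To: list@example.com
Subject: constructed sample
Date: Tue, 11 Oct 2022 10:00:00 +0000
Message-ID: <constructed@example.com>

body
"""

def parse_dkim_tags(value):
    """Split a DKIM-Signature header value into its tag=value pairs (RFC 6376)."""
    tags = {}
    for part in value.split(";"):
        if "=" in part:
            name, val = part.split("=", 1)
            tags[name.strip()] = "".join(val.split())  # drop folding whitespace
    return tags

def inspect_signature(raw, reference_h=(), max_skew=3600):
    """Return findings about the h= and t= tags of the first DKIM-Signature."""
    msg = email.message_from_string(raw)
    tags = parse_dkim_tags(msg["DKIM-Signature"] or "")
    signed = [h.lower() for h in tags.get("h", "").split(":") if h]
    findings = []
    if "from" not in signed:
        findings.append("h= omits From, which RFC 6376 requires to be signed")
    # reference_h (assumption): headers listed in h= on mail known to be authentic
    for name in reference_h:
        if name.lower() not in signed:
            findings.append(f"h= lacks '{name}', present in the reference signature")
    if tags.get("t", "").isdigit() and msg["Date"]:
        sent = parsedate_to_datetime(msg["Date"]).timestamp()
        skew = int(tags["t"]) - sent  # signature time minus Date header, seconds
        if abs(skew) > max_skew:
            findings.append(f"t= differs from Date by {skew:+.0f} seconds")
    return findings

if __name__ == "__main__":
    for finding in inspect_signature(SAMPLE, reference_h=["to"]):
        print(finding)
```

A clean result here only means the tags look consistent; whether the signature itself validates still depends on checking `b=` against the public key published for the `d=` domain and `s=` selector.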

The Wire issued a statement acknowledging a personal relationship between one of its sources and a reporter. The statement was later edited to remove that declaration; the Wire appended a note to its statement saying it was changed to be “clearer about our relationships with our sources”. I think it became less clear as a result. The Wire also says Meta’s purpose in asking for more information is to expose its sources. I doubt that is true. When the Wall Street Journal published internal documents leaked by Frances Haugen, Meta did not claim they were faked or forged. For what it is worth, I believe Meta when it says the documentation obtained by the Wire is not real.

But this murky case still has one shred of validity: when posts get flagged, how does Meta decide whether the report is valid and what actions are taken? The post in question is an image that had no nudity or sexual content, yet was reported and removed for that reason. Regardless of the validity of this specific story, Meta ought to be more accountable, particularly when it comes to moderating satire and commentary outside the United States. At the very least, it does not look good for political interference under the banner of an American company.

Update: Alex Stamos tweeted about another fishy edit made by the Wire — a wrong timestamp on screenshots of emails from the experts who verified the DKIM signatures, silently changed after publishing.

Update: Pranesh Prakash has been tweeting through his discoveries. The plot thickens.

  1. There is, according to one reporter, no list at Meta called “Internal”. It also does not pass a smell check of what function an email list would have. This is wholly subjective, for sure, but think about what purpose an organization’s email lists serve, and then consider why a big organization like Meta would need one with a vague name like “Internal”.