SurfSafe

SurfSafe is a browser extension intended to help viewers spot fake news, in the form of altered or misleadingly used images. It is currently available for Google Chrome and Opera. RoBhat Labs, a company founded by two undergraduates at University of California, Berkeley, who had previously developed software that identified bot accounts on Twitter. It was released in August 2018 after a presentation at the Aspen Ideas Festival. The creators liken it to antivirus for Internet users' news feeds.

The extension works by comparing images that appear in the browser to a database of images culled from a hundred trusted news or fact-checking sites, such as Time and Snopes.com. If an image has been altered or has been identified as being used to mislead elsewhere online, a pop-up informs the reader of this. SurfSafe has already received recognition by universities who provide resources to students on how to avoid fake news, such as the University of Akron School of Law.

While SurfSafe has been well-received, it has also been criticized for limited effectiveness and for being a technological solution to a human problem. Neal Krawetz, an expert in network security and image analysis, has gone further, not only saying that SurfSafe does not come anywhere near doing what it claims, but recommending against installing it due to privacy concerns.

History
In 2017, Ash Bhat and Rohan Phadte, both undergraduates at the University of California, Berkeley, began developing online tools to help combat the spread of misinformation on the Internet. The first, NewsBot, was an app for Facebook Messenger that attempts to identify the political leanings in a news story. The second, BotCheck.me, was developed as an extension for Google Chrome. It uses machine learning and natural language processing to assess the probability that a Twitter account is a bot spreading political propaganda. Users who installed it saw a button on every Twitter account's page that they could click to determine the probability it was a bot.

Within a year of its deployment, BotCheck had managed to flag almost a million accounts as bots. Bhat and Phadte believed that their model, which attempted to identify and differentiate between human and bot posting patterns, had achieved a 93.5% accuracy rate. But at the same time they had noticed another problem: Many of the bots were sharing altered images to support their positions, and it was hard to identify them. The problem was compounded by the use of unaltered images that were represented as being about something other than what they depicted.

In response to that problem, Bhat and Phadte developed SurfSafe. With the extension enabled, a user can hover their mouse over a photograph; it will then be compared to others in a data base of hashes of all the images on every page any browser with the extension has visited and those hosted on a list of a hundred websites considered to be trusted sources. RoBhat believes that if it can get several hundred thousand users to install SurfSafe it will, through this method, accumulate a data base of a hundred billion images within a year. It also analyzes any text on the page and compares it with text on pages where the image has also appeared. Users can also click on a button if they believe the picture has been manipulated or misleadingly used.

Once SurfSafe has done those comparisons and searches, it will then place an icon at the corner: a check mark if the image appears to be genuine, a warning sign if it might be suspect, and an X if it has been identified elsewhere as altered; in the latter instance it also shows the original image. Other than Snopes.com, users may select their own group of websites, mostly those of major news organizations, from which to check content.

RoBhat's founders introduced SurfSafe at the Aspen Ideas Festival in June 2018. Two months later they made it available to the public. At the time, it was only available for Google Chrome;

Criticism
While much of the initial news coverage of SurfSafe was positive, at least expressing approval of the idea behind the extension, even some of those reviewers were skeptical that SurfSafe (and some other competing products ) could solve the problem all by itself. Wired noted that the underlying problem is digital literacy. "It's a bit of a leap to expect someone whose main window to the internet is Facebook to take the additional step of installing a fact-checking plug-in." Nor was the extension available for any mobile platform, although RoBhat said it was working on that.

Others noted that the user's ability to select all the sites besides Snopes that they considered reliable for the purpose of evaluating an image's authenticity was problematic, as some of the sites users had the option of choosing were outlets that have been accused of intentionally propagating fake news, or allowing their sites to be used for it, in the past. "With these publications in the user's circle of trust, SurfSafe's effectiveness may be blunted before it can make a difference in the user's perception of who they're getting their news from", The Verge wrote.

But Bhat did not consider that a serious flaw. A user who had chosen to trust only those sites considered dubious, he had told The Atlantic when the extension was presented at Aspen, would eventually notice that the news from those sites conflicted with each other and might thus start to doubt their reliability. "People will move closer to the objective truth" he argued. However, he allowed, if SurfSafe started to develop a community that elevated less reliable news outlets to a position of high trust, RoBhat would update its models. He also responded to this criticism in The Verge's story on SurfSafe by saying that news outlets with contrasting political viewpoints nevertheless often agree on the basic facts of stories they report on, making it unlikely that such an echo chamber would develop among the extension's user community.

Bhat himself acknowledged to Wired another flaw, a limitation resulting from the data base SurfSafe uses. If the extension encounters a picture that no other user with it enabled has seen, it cannot make any call on the image's authenticity and will mark it as genuine. However, he considered that a small problem, since the images the extension aims to spot are those that spread virally, meaning many people will be looking at them in a short period of time.

The Verge also tested SurfSafe at doing what it was supposed to do and found it came up short. It tested on two widely circulated altered images: one a Seattle Seahawks player apparently burning an American flag as his teammates cheered in the team's locker room (the flag had been added to the original image, which had merely showed him dancing), and another of Stoneman Douglas High School shooting survivor and gun control activist Emma González tearing up a copy of the U.S. Constitution (it had actually been some shooting targets). While SurfSafe easily recognized the most widely circulated copy of the first image, it did not similarly flag variants, which had also widely circulated on Facebook, that had been cropped or were screenshots of the image taken from elsewhere. It was even less successful with the González image, recognizing no variant, not even screenshots on the Snopes page debunking the image. On his blog, Hacker Factor, Neal Krawetz, an expert in network security and image analysis who operates the FotoForensics.com website, took a very negative view of SurfSafe. Acknowledging that it was a response to a real problem, he warned that it was complex and that "this desire for a fast, simplified solution opens the door for lots of snake-oil solutions and charlatan products." Krawetz excoriated other publications that had written positively about SurfSafe, suggesting they had only rewritten the press release announcing its release instead of downloading it and reviewing it.

Krawetz reiterated the criticism that SurfSafe's reliance on crowdsourcing for suspect images both presented an easy avenue for an organized attack with the intent of subverting its intended purpose and did not guarantee that it would favor the spread of accurate images. "Regardless of whether I think the BBC is good journalism or you think Fox is trustworthy, this says nothing about whether the reporting is actually accurate." In tests he also found that the extension did not recognize identical versions of the same image when it encountered them on different pages with different URLs.

However, Krawetz did not find these to be the primary reason he recommended readers "stay away" from SurfSafe. During his tests, the developer panel on Chrome revealed that the extension was querying his browser for the URL and all images on every page he visited to store in RoBhat's own servers. This, he noted, would include not only private images that might be on the same page as an image a reader was querying SurfSafe about, but URLs to those images, URLs that might even have credentials or tokens embedded within, since even the HTTPS protocol would not prevent them from being passed along in response to a query (Krawetz did allow that SurfSafe appeared to strip out those credentials from URLs of its stored images when displaying them publicly, but noted that in turn made for broken links should users try to visit those sites to assess the images' authenticity themselves).

Conversely, Krawetz noted, anyone looking into the domain name, which had only been registered the month before, would learn very little about RoBhat Labs or even who owned the name. Nor did the getsurfsafe.com website identify anyone involved with the company: "They don't list any of their people and there's no 'About Us' or 'Who we are'". He learned more about these things from the company's press release than its website. "When it comes to trustworthiness, I have a lot of issues with site owners who don't identify themselves on their sites."