When an Oregon science fiction writer named Charity tried to log onto Facebook on February 11, she found herself completely locked out of her account. A message appeared saying she needed to download Facebook’s malware scanner if she wanted to get back in. Charity couldn’t use Facebook until she completed the scan, but the file the company provided was for a Windows device—Charity uses a Mac.

“I could not actually run the software they were demanding I download and use,” she says. When she tried instead to log in from her computer at work, Facebook greeted her with the same roadblock. “Obviously there is no way for Facebook to know if my device is infected with anything, since this same message appeared on any computer I tried to access my account from,” says Charity.

A Facebook spokesperson said Charity may have been asked to download the wrong software because some malware can spoof what kind of computer a person is running. Still, Charity was left without any way to access her account. And her experience is far from unique.

Scantron

The internet is full of Facebook users frustrated with how the company handles malware threats. For nearly four years, people have complained about Facebook's anti-malware scan on forums, Twitter, Reddit, and on personal blogs. The problems appear to have gotten worse recently. While the service used to be optional, Facebook now requires it if it flags your device for malware. And according to screenshots reviewed by WIRED from people recently prompted to run the scan, Facebook also no longer allows every user to select what type of device they're on, which ostensibly would have prevented what happened to Charity.

The malware scans likely only impact a relatively small population of Facebook's billions of users, some of whose computers may genuinely be infected. But even a fraction of Facebook's users still potentially means millions of impacted people. The mandatory scan has caused widespread confusion and frustration; WIRED spoke to people who had been locked out of their accounts by the scan, or simply baffled by it, on four different continents.

The mandatory malware scan has downsides beyond losing account access. Facebook users also frequently report that the feature is poorly designed and inconsistently implemented. In some cases, a different user who logs onto Facebook from the same device won’t be greeted with the malware message. Similarly, if the “infected” user simply switches browsers, the message also appears to go away occasionally.

“It is actually tied to one specific Facebook user on one specific browser—if I change either to a different account, or use Safari instead of Chrome with the locked-out account, I do not get the scanner dialog,” says Anatol Ulrich, a Facebook user from Germany who was locked out of his account after sharing several Google docs in comment threads on Facebook. He, too, was prompted to download a Windows file on a Mac device.

“Our visibility into each account on a given device isn’t complete enough for us to checkpoint based only on the device, without factoring in whether the particular account is acting in a suspicious manner,” Facebook spokesperson Jay Nancarrow said in a statement. In some ways that might be comforting; Facebook doesn't collect enough information about your computer to say whether malware has infected it.

But if Facebook doesn't know for sure, why would it push you to clean your device? Antivirus software is a powerful tool, capable of accessing nearly everything on your computer. Some users might reasonably not want to give Facebook and its chosen cybersecurity partners that level of access. Antivirus and anti-malware software are also prone to vulnerabilities themselves; in 2016, for example, Google’s Tavis Ormandy discovered critical flaws across all of Symantec’s antivirus products.