Facebook Security Chief Said to Leave After Clashes Over Disinformation

1074 points | aaronbrethorst | 8 years ago | nytimes.com

395 comments

[+] fooey|8 years ago|reply
There's breaking reporting that Facebook just had personnel in the Cambridge Analytica offices before the UK authorities could get there with warrants.

https://twitter.com/carolecadwalla/status/975844154361221121

> BREAKING: Facebook WAS inside Cambridge Analytica's office but have now "stood down" following dramatic intervention by UK Information Commissioner's Office..

https://twitter.com/carolecadwalla/status/975855218490519552...

> To be clear, @facebook was trying to "secure evidence" ahead of the UK authorities. Nice try, @facebook. The UK Information Commissioner's Office cracking whip...British legal investigation MUST take precedence over US multibillion $ company.....

Something VERY wrong is going on at Facebook.

edit, with another account:

https://twitter.com/DamianCollins/status/975856097163702272

> Facebook have confirmed that auditors and legal counsel acting on behalf of the company were in the offices of Cambridge Analytica this evening until they were told to stand down by the Information Commissioner. These investigations need to be undertaken by the proper authorities

[+] zilchers|8 years ago|reply
I seriously feel like I’m missing something here, why isn’t Facebook fully behind getting to the bottom of this? Going back even further, why was it so difficult for them to even admit they had a problem during the election? I don’t think it’s as simple as “more money,” but maybe as simple as people too close to the problem and too enamored by what they’ve created?
[+] debt|8 years ago|reply
"Facebook WAS inside Cambridge Analytica's office but have now "stood down" following dramatic intervention by UK Information Commissioner's Office.."

Uhh....that's not good.

In effect, this is a sanctioned data breach. Facebook opened the firehose of user data by knowingly keeping very lax access to their developer APIs while not at all preventing developers from storing the data they accessed.

That's a very serious breach of consumer trust. A terms of service is only as good as your user's ability to understand its implications. Just because users check a box doesn't mean Facebook is any less liable.

[+] oflannabhra|8 years ago|reply
My greatest hope with all of the noise surrounding this, is that the engineers and employees at Facebook realize that Facebook and Zuckerberg’s vision does not line up with reality. Zuckerberg believes that Facebook will connect people and change the fabric of society and communities for good in a way that was heretofore impossible.

Between Facebook’s political issues and the happiness-depressing effects of its use, I think it is pretty easy to draw the conclusion that Facebook is a net negative for society. This is without even taking into account the amount of PII that has been concentrated into a single entity (who monetizes it), or the effects of algorithmically appealing to people’s desires.

A hundred years from now, Equifax, YouTube, and Facebook will be lumped into the same pile: companies who profit off of information about consumers. The algorithmic veneer that protects YouTube and Facebook will be gone by then.

I’m not trying to condemn anyone, and I’m not in the position of having to weigh providing for my family with making ethical choices.

But, I think it is clear that change for Facebook will not come from the top. It will only come as people leave.

[+] mancerayder|8 years ago|reply
I don't disagree with these sentiments, but the hope that engineers/IT staff will leave is wishful thinking. I speak from my own experience which may differ from others in other industries/regions/countries but, I find people who work in tech to be generally dispassionate with regards to the downstream effects of their contributions. I think that's because:

a) We're often small cogs ...

b) ... working on often interesting technical problems that require much detail ("think down here" I was once told by a manager, who put his hand to the ground, "not up here" he said putting his hand up and waving it[1]) ...

c) ... and we don't always get to choose. Not everyone is a superstar who can leisurely choose which exciting opportunity to pick and choose. And yes, most of us have rent/mortgages/children/other obligations to concern ourselves with.

...even if we aren't necessarily all amoral.

[1] Luckily I outlasted him in that company. :-)

[+] TangoTrotFox|8 years ago|reply
"Zuckerberg believes that Facebook will connect people and change the fabric of society and communities for good.." is marketing speak. What does Zuckerberg believe? Nobody knows that except Zuckerberg. But I really doubt it's that.

You don't even need to look at meta-effects of Facebook. Look at how it operates, in effect. It splits people into mutually exclusive echo chambers that are falling increasingly far away from reality in terms of median ideological view. Far from connecting people social media has become, arguably, the single biggest factor in societal division in modern history. People even speak of this casually without realizing the implications of what they're saying - 'I can't believe what [non echo chamber approved views] my [friend/family member/acquaintance/etc] has. Unfriending!' Of course these views and differences always existed, but in typical social interaction agreeing to disagree on issues is fine. In the social media era, people have started to condemn people over any failure to abide group ideology. It's cult-like behavior without the formality.

There's no way in the world you can possibly spin this into a positive or unifying force for society. You've even had founders and executives of speak out against the social harm the company is causing. The point of this is that there's no 'algorithmic veneer' protecting YouTube and Facebook, and I strongly doubt Zuckerberg himself has any delusions about what he's doing. Even most users themselves could easily reason that Facebook is a net negative. But they enjoy and/or are addicted to the services, so they keep using it. It's slot machines on a global scale, where instead of inserting coins - you insert your personal information and get that dopamine rush when somebody likes or otherwise interacts with you.

---

As for employees - you'll never make a company change from the bottom up. Most people don't work for ideologies - they work for money. And Facebook has deep enough pockets to ensure that they'll never suffer for a lack of employees.

[+] zilchers|8 years ago|reply
For what it’s worth, I think YouTube is generally much more net positive than Facebook (especially if you stay out of the comments).
[+] mhneu|8 years ago|reply
Zuckerberg SAYS that. But I think we've all known CEOs who live in a reality distortion field. I'm not sure he believes that Facebook isn't a bad actor. But he has a ton of financial incentive to deny it's a bad actor.
[+] javajosh|8 years ago|reply
Why would people leave? Facebook knows your buttons and pushes them just right. In aggregate this is terrible for society, but individually it feels good.
[+] nullbyte|8 years ago|reply
> "heretofore"
[+] minimaxir|8 years ago|reply
Stamos had been actively engaging with security researchers on Twitter over the past few days about CA with heated discussions:

> I have deleted my Tweets on Cambridge Analytica, not because they were factually incorrect but because I should have done a better job weighing in.

https://twitter.com/alexstamos/status/975069709140877312

Archive of those deleted tweets: https://twitter.com/aprilaser/status/975078309930311680

EDIT: Stamos responds to news:

> Despite the rumors, I'm still fully engaged with my work at Facebook. It's true that my role did change. I'm currently spending more time exploring emerging security risks and working on election security.

https://twitter.com/alexstamos/status/975875310896914433

[+] danso|8 years ago|reply
Wondering what he thought would be him doing "a better job weighing in"? It seems like his deleted tweets were apparently too honest? i.e. in arguing that there was no data breach, he argued that FB's API and TOS allowed (without oversight) for all app developers to do the kind of data harvesting Cambridge Analytica did? That was well-known by developers, but I guess it's different stating it as an official policy.
[+] chatmasta|8 years ago|reply
The man makes some extremely reasonable points. I just wrote a comment along the same lines. I'm glad to see there is some common sense at Facebook. Stamos always seemed a bit too rational to be working at a company like that. I worry what will happen to Facebook after he leaves; they were lucky to have him.

Also, I think the real problem here is that the media is attempting to politicize the term "breach," and security professionals are rightly offended.

[+] Camillo|8 years ago|reply
In the deleted tweets, he was using "breach" in the narrow sense of computer security, basically saying "my team didn't mess up, we didn't get hacked".

There are two problems with that:

1) That view is already too narrow for practical security engineering. It's not enough to have a technically correct solution, you need to consider the entire product to ensure that it has the expected security properties in the way it's actually used.

2) Worse, it ignores how the message is going to be interpreted outside of the computer security field, which is especially important when the company is under political scrutiny.

For a C-level executive, it seems like an unfortunate lapse.

[+] tptacek|8 years ago|reply
Note that Stamos' clarification doesn't contradict the NYT, which says he effectively gave 8 months notice in December, a notice period he'd now be just 3 months into.
[+] gdulli|8 years ago|reply
I can easily see how FB wants to throw CA under the bus and make it look like data theft while the truth FB wants to draw attention away from is that this is the system working as intended.

Or if not technically "intended" then well within the boundaries of what FB is willing to tolerate as long as it's making them money.

[+] benmmurphy|8 years ago|reply
I don't understand why he deleted that. It seems a reasonable summary. When I originally saw his tweet about the deletion I thought he may have gone on some crazy rant.
[+] mml|8 years ago|reply
As a point of anecdata, I worked with Alex in 2005. He's a standup guy, and one of the best in the business.

I think what's missed in this conversation, is that this sort of shenanigans isn't really in the purview of a CIO anyway. Too bad he got himself mixed up in it.

[+] duxup|8 years ago|reply
It wasn't a breach.... because Facebook straight up let it happen.

I can see why Facebook would not want that out there.

[+] evgen|8 years ago|reply
While it is buried in the article, an interesting data point that I noticed as a former alum of the team is that the FB security team has apparently been picked apart and divided up between the prod and infra orgs. Being able to stand apart from these two massively powerful entities within FB and tell them when they were screwing up had been one of the moderating influences between the desire of the prod team for 'increase engagement, fuck privacy', and the desire of the infra team for 'move fast, screw safety.' This will not end well...
[+] eganist|8 years ago|reply
It also relieves Facebook of any sufficiently necessary capability to surveil, centralize, and manage risk.

Given the firm's susceptibility to GDPR and its newfound position under the microscope of a series of international criminal and counter intelligence investigations, this would seem objectively to be the wrong move.

[+] whoisjuan|8 years ago|reply
Zuckerberg's and Sandberg's response to all these events has been the weakest and lamest that I have ever seen from any leadership, regarding controversial issues that involve a company of this size...and that's hard to beat when you have the likes of BP and Volkswagen... Do they really think that just ignoring the issue will make the problem go away?
[+] tzakrajs|8 years ago|reply
This problem may be both existential and intractable for Facebook to solve, which is why they have been giving it the silent treatment. I believe the operators and investors are just now realizing how damaging the business model was for consumers.
[+] ams6110|8 years ago|reply
When have they really ever had their feet held to a fire on a controversial issue? Zuckerberg is still a pretty young guy, despite his position and all he's done he's still inexperienced in some things. Ever since he started Facebook things have pretty much gone his way. Maybe he just doesn't instinctively know what to do.
[+] bogomipz|8 years ago|reply
>"Mr. Stamos had been a strong advocate inside the company for investigating and disclosing Russian activity on Facebook, often to the consternation of other top executives, including Sheryl Sandberg, the social network’s chief operating officer..."

This is quite telling - advocating for transparency and disclosure put this individual at odds with the COO Sheryl Sandberg. It's worth noting that Chapter 6 of Sandberg's very successful book "Lean In" is titled "Seek and Speak the Truth."[1]

[1] https://en.wikipedia.org/wiki/Lean_In

edit COO

[+] mathattack|8 years ago|reply
Her conference room is also called “Only Good News”
[+] Xorlev|8 years ago|reply
Only when the truth is convenient.
[+] jumelles|8 years ago|reply
She's the COO, not the CEO :)
[+] mattnewton|8 years ago|reply
On the CA story, I get where the guy is coming from with the “It was not a breach.” He’s a technical guy, and this wasn’t a technical hack. It’s like a lock manufacturer wanting to let everyone know that the customer had the door open, and their locks weren’t broken.

But in this case, he wasn’t just a lock manufacturer, he was in charge of security for the home.

I can’t help but think of Steve Jobs parable of the Janitor and the Vice President[0]. Reasons stop mattering at his level. Part of the job was to convince Facebook that these permissions were bad for privacy.

Stamos likely knows this. To me, it looks like he resigned when he realized he couldn’t persuade the other executives of things like this.

[0] http://www.businessinsider.com/steve-jobs-on-the-difference-...

[+] dglass|8 years ago|reply
I could be wrong but I'm pretty sure the word "breach" is reserved for specific security incidents that fall above a certain threshold. Something like if X amount of users were affected it must be considered a breach, which means the company must alert the authorities and alert all users who have been affected.

If he's saying it wasn't a breach it's probably because it doesn't fit the actual criteria for considering something a breach, but doesn't mean he's trying to downplay the severity of what happened.

Edit: difference between a data breach vs. a security incident - https://www.alienvault.com/blogs/security-essentials/whats-t...

[+] dragonwriter|8 years ago|reply
> On the CA story, I get where the guy is coming from with the “It was not a breach.” He’s a technical guy, and this wasn’t a technical hack.

“Not a technical hack” and “not a breach” are hardly even related concepts, and anyone, in a technical role or not, working around private data ought to understand that.

[+] Twisell|8 years ago|reply
> Facebook’s chief information security officer, Alex Stamos, will leave the company after internal disagreements over how the social network should deal with its role in spreading disinformation, according to current and former employees briefed on the matter.

This opening sentence is frightening, I would rather have learned that FB executives disagree about how to deal with FB "role in NOT spreading disinformation".

[+] tootie|8 years ago|reply
FB is big enough to have developed factions and I can totally see Zuck not being up to the task of controlling them.
[+] Analemma_|8 years ago|reply
Between this story and the other one on the front page about the whistleblower who exposed the leak getting blacklisted, I think it's pretty clear that, of the two options

A) acknowledge the serious underlying problems and work hard to fix them

B) deny everything, retaliate against anyone who dares bring it up to create a chilling effect

Facebook is going all-in on option B.

(EDIT: And if you don't believe me, check out fooey's post about Facebook desperately trying to clear out CA's offices before the authorities can.)

[+] danso|8 years ago|reply
> He has been overseeing the transfer of his security team to Facebook’s product and infrastructure divisions. His group, which once had 120 people, now has three, the current and former employees said.

So with Stamos's departure/resignation, Facebook will have also reorganized its structure to not have a dedicated security team? Or at least one at the same level in the hierarchy as product and infrastructure?

[+] eganist|8 years ago|reply
This would be the correct way to read it is my impression. They've essentially folded their centralized technical risk management apparatus.
[+] ggg9990|8 years ago|reply
With the benefit of hindsight, it seems almost cute how strongly the DOJ went after Microsoft in the ‘90s, when they were just victimizing competitors rather than destabilizing democracies.
[+] mhneu|8 years ago|reply
Stamos has weighed in on twitter:

> Alex Stamos

> Despite the rumors, I'm still fully engaged with my work at Facebook. It's true that my role did change. I'm currently spending more time exploring emerging security risks and working on election security.

https://twitter.com/alexstamos/status/975875310896914433

> To be clear, the security team has never been prevented or discouraged from investigating any Russian activity by any executives.

> Josh Sternberg

> The NYT reporting that Facebook Chief Information Security Officer, Alex Stamos, leaving the company. He lost the debate to Sandberg and other execs on investigating and disclosing Russian activity. …

https://twitter.com/alexstamos/status/975926737111367680

The question in my mind is - what's the real story? You don't go from a team of 120 to a team of 3 for no reason, and Stamos hasn't denied that reporting.

[+] JumpCrisscross|8 years ago|reply
"Mr. Stamos had been a strong advocate inside the company for investigating and disclosing Russian activity on Facebook , often to the consternation of other top executives, including Sheryl Sandberg, the social network’s chief operating officer, according to the current and former employees, who asked not to be identified discussing internal matters."
[+] rrdharan|8 years ago|reply
I guess this had already been brewing for a while:

"After his day-to-day responsibilities were reassigned to others in December, Mr. Stamos said he would leave... He was persuaded to stay through August to oversee the transition... executives thought his departure would look bad".

[+] driverdan|8 years ago|reply
I'd love to hear what current FB employees have to say about this. Why do you continue working for FB?
[+] spydum|8 years ago|reply
Didn't he also leave Yahoo for practically the same reason?
[+] BinaryIdiot|8 years ago|reply
> Mr. Stamos had been a strong advocate inside the company for investigating and disclosing Russian activity on Facebook, often to the consternation of other top executives, including Sheryl Sandberg, the social network’s chief operating officer, according to the current and former employees, who asked not to be identified discussing internal matters.

I guess I shouldn't be too surprised. He was for disclosing this information which ostracized him from the other executives who don't seem to care at all in regard to how their data is used as long as they profit from it.

[+] tzakrajs|8 years ago|reply
Stamos sure knows how to pick stinker companies.
[+] rhombocombus|8 years ago|reply
It sounds like the COO and CEO view the spreading of disinformation as a feature of the site.