While it is buried in the article, an interesting data point that I noticed as a former alum of the team is that the FB security team has apparently been picked apart and divided up between the prod and infra orgs. Being able to stand apart from these two massively powerful entities within FB and tell them when they were screwing up had been one of the moderating influences between the desire of the prod team for 'increase engagement, fuck privacy', and the desire of the infra team for 'move fast, screw safety.' This will not end well...
It also relieves Facebook of any sufficiently necessary capability to surveil, centralize, and manage risk.
Given the firm's susceptibility to GDPR and its newfound position under the microscope of a series of international criminal and counter intelligence investigations, this would seem objectively to be the wrong move.
Zuckerberg's and Sandberg's response to all these events has been the weakest and lamest that I have ever seen from any leadership, regarding controversial issues that involve a company of this size...and that's hard to beat when you have the likes of BP and Volkswagen... Do they really think that just ignoring the issue will make the problem go away?
This problem may be both existential and intractable for Facebook to solve, which is why they have been giving it the silent treatment. I believe the operators and investors are just now realizing how damaging the business model was for consumers.
When have they really ever had their feet held to a fire on a controversial issue? Zuckerberg is still a pretty young guy, despite his position and all he's done he's still inexperienced in some things. Ever since he started Facebook things have pretty much gone his way. Maybe he just doesn't instinctively know what to do.
>"Mr. Stamos had been a strong advocate inside the company for investigating and disclosing Russian activity on Facebook, often to the consternation of other top executives, including Sheryl Sandberg, the social network’s chief operating officer..."
This is quite a telling - advocating for transparency and disclosure put this individual at odds with the C0O Sheryl Sandberg. It's worth noting that Chapter 6 of Sandberg's very successful book "Lean In" is titled "Seek and Speak the Truth."[1]
Apropos of nothing, Ellen Pao commented on how Reddit handles user data:
> In 2014, we decided not to sell reddit user data because there is no way to monitor and verify use. There is no way to ensure data is deleted/corrected. It may be on any engineer's laptop. Who had access to copy it? How do you correct or delete PII or unauth porn after it's sold?
Note that this is essentially the same as facebook’s policy: they did not sell the user data as part of their advertisement business. It was an app that siphoned up user data without Facebook being paid.
A lot of reddit data is actually far more accessible via the API or the public data dump, which is on BigQuery. What makes the data less useful is the comparative anonymity because reddit users tend to use pseudonyms, and the fact that you can’t target users after building a targeting model from scraped data.
You could still trawl the reddit data to find useful correlations, and maybe get a good deal on ads if you notice the overlap of /r/the_donald with /r/bedwetting or whatever.
As someone who's done exactly that with the Reddit data (http://minimaxir.com/2016/06/reddit-related-subreddits/), posts/comments aren't as useful for intent as you note. The valuable Reddit data is the nonpublic views/subscription/upvote/downvote behavior.
On the CA story, I get where the guy is coming from with the “It was not a breach.” He’s a technical guy, and this wasn’t a technical hack. It’s like a lock manufacturer wanting to let everyone know that the customer had the door open, and their locks weren’t broken.
But in this case, he wasn’t just a lock manufacturer, he was in charge of security for the home.
I can’t help but think of Steve Jobs parable of the Janitor and the Vice President[0]. Reasons stop mattering at his level. Part of the job was to convince Facebook that these permissions were bad for privacy.
Stamos likely knows this. To me, it looks like he resigned when he realized he couldn’t persuade the other executives of things like this.
I could be wrong but I'm pretty sure the word "breach" is reserved for specific security incidents that fall above a certain threshold. Something like if X amount of users were affected it must be considered a breach, which means the company must alert the authorities and alert all users who have been affected.
If he's saying it wasn't a breach it's probably because it doesn't fit the actual criteria for considering something a breach, but doesn't mean he's trying to downplay the severity of what happened.
> On the CA story, I get where the guy is coming from with the “It was not a breach.” He’s a technical guy, and this wasn’t a technical hack.
“Not a technical hack” and “not a breach” are hardly even related concepts, and anyone, in a technical role or not, working around private data ought to understand that.
> Facebook’s chief information security officer, Alex Stamos, will leave the company after internal disagreements over how the social network should deal with its role in spreading disinformation, according to current and former employees briefed on the matter.
This opening sentence is frightening, I would rather have learned that FB executive disagree about how to deal with FB "role in NOT spreading disinformation"
You really the CEO and COO aren't capable of controlling employees despite the company growing to the size it is and having to deal with contentious issues in the past. That's a bit ridiculous.
The fact is that on an issue like this there is no way that the executive team didn't sign off it.
Between this story and the other one on the front page about the whistleblower who exposed the leak getting blacklisted, I think it's pretty clear that, of the two options
A) acknowledge the serious underlying problems and work hard to fix them
B) deny everything, retaliate against anyone who dares bring it up to create a chilling effect
Facebook is going all-in on option B.
(EDIT: And if you don't believe me, check out foeey's post about Facebook desperately trying to clear out CA's offices before the authorities can.)
> He has been overseeing the transfer of his security team to Facebook’s product and infrastructure divisions. His group, which once had 120 people, now has three, the current and former employees said.
So with Stamos's departure/resignation, Facebook will have also reorganized its structure to not have a dedicated security team? Or at least one at the same level in the hierarchy as product and infrastructure?
With the benefit of hindsight, it seems almost cute how strongly the DOJ went after Microsoft in the ‘90s, when they were just victimizing competitors rather than destabilizing democracies.
"Despite the rumors, I'm still fully engaged with my work at Facebook. It's true that my role did change. I'm currently spending more time exploring emerging security risks and working on election security." 2 minutes ago
If anything, it wouldn't surprise me if the CA revelations led current staff to speak out to the press to make the internal division known. Alex is pretty effective as a leader; I'd be shocked if the vast majority of his team, if not his entire team, did not have his back on this.
>Alex Stamos
>Despite the rumors, I'm still fully engaged with my work at Facebook. It's true that my role did change. I'm currently spending more time exploring emerging security risks and working on election security.
https://twitter.com/alexstamos/status/975875310896914433
>To be clear, the security team has never been prevented or discouraged from investigating any Russian activity by any executives.
>Josh Sternberg
>The NYT reporting that Facebook Chief Information Security Officer, Alex Stamos, leaving the company. He lost the debate to Sandberg and other execs on investigating and disclosing Russian activity. …
The question in my mind is - what's the real story? You don't go from a team of 120 to a team of 3 for no reason, and Stamos hasn't denied that reporting.
"Mr. Stamos had been a strong advocate inside the company for investigating and disclosing Russian activity on Facebook , often to the consternation of other top executives, including Sheryl Sandberg, the social network’s chief operating officer, according to the current and former employees, who asked not to be identified discussing internal matters."
I guess this had already been brewing for a while:
"After his day-to-day responsibilities were reassigned to others in December, Mr. Stamos said he would leave... He was persuaded to stay through August to oversee the transition... executives thought his departure would look bad".
Kind of, and it's why I liked him initially. But with every Facebook screwup and his defense of that screwup with bogus excuses (possibly directly from Zuckerberg, but irrelevant), I gradually started losing my respect for him, just like I've lost my respect for Carmack. Carmack could have been working for SpaceX and living his biggest dream (working on space stuff), but instead he's wasting his time and potential in a democracy-destroying company like Facebook.
History will not be kind to those that continue to help or defend Facebook to keep its influence in the world and power.
> Mr. Stamos had been a strong advocate inside the company for investigating and disclosing Russian activity on Facebook, often to the consternation of other top executives, including Sheryl Sandberg, the social network’s chief operating officer, according to the current and former employees, who asked not to be identified discussing internal matters.
I guess I shouldn't be too surprised. He was for disclosing this information which ostracized him from the other executives who don't seem to care at all in regard to how their data is used as long as they profit from it.
It’s right there in the quote: “...according to the current and former employees, who asked not to be identified discussing internal matters“.
And before you criticize anonymous sources: that’s how journalism works. The publication, the New York Times in this case, takes on the risk to its reputation on behalf of their sources to allow information from unauthorized sources to become public.
Edit: editing your post to erase your embarrassing ineptitude to read (and to make the people correcting you seem foolish) seems kinda assholish.
I mean, maybe that's true, but I'm not entirely certain it's a fair assessment. Yahoo and Facebook are arguably some of the largest targets (different eras of course). Being a CISO at both and not getting fired from either are huge achievements, given the CISO is generally a sacrificial role (largely ignored when done right, and beheaded if something goes wrong, regardless of your actions).
So either way, he picks hard jobs. The question is, does he truly step down when he feels he's got no remaining option to protest (which is quite respectable IMHO).. or is he simply outmaneuvering the board when his spidey senses tell him they are about to drop the axe because of recent corporate sins? Either way, style points for both I'd say.
When Stamos left Yahoo, I assumed it was because of the leaked accounts information. I wonder if he saw similar compromises at Facebook that were not disclosed.
I'm reposting just this link from another (my) comment below, because I find it incredibly relevant and insightful to anyone who wants to understand how adtech, news and Facebook combined programmatically to create a divisive (but catchy) morass of news:
“Despite the rumors, I'm still fully engaged with my work at Facebook. It's true that my role did change. I'm currently spending more time exploring emerging security risks and working on election security.”
> Despite the rumors, I'm still fully engaged with my work at Facebook. It's true that my role did change. I'm currently spending more time exploring emerging security risks and working on election security.
One day a team of talented psychiatrists will explain how a group of people who spend countless hours by solving "freind-of-a-friend-of-a-friend" types of puzzles for living can act in shock and awe over this "data breach"
well, somebody is going to be scapegoated at FB when FB's attempt to push full weight of the blame squarely on CA fails. And Security Chief i think wouldn't be a bad scapegoat ... I expect some other high people also to leave to avoid being made to take one for the team.
Of course he did - C-level officer close to hugely controversial issue, leaving the company in 6 months. It'll be predicated on an NDA, some sort of success metrics for the transition process, and a monster golden parachute.
Worth noting that CSO / CISO isn’t really a C-Level position. They usually report to the CIO or CTO and are leveled at VP or whatever one one or two levels below what the “real” execs are.
You’ll notice he isn’t listed as an exec in their SEC filings, which include their CEO, COO, CFO, Chief Product Officer, VP Business and Marketing Partnerships, CTO, and VP General Counsel.
That tells you a bit about how important tech companies really think security is. In fact you will often find the head of HR among that group before you’ll see a CSO.
It doesn’t matter though, as it’s incredibly rare for a CSO to actually know anything about security. Stamos is an exception. I’d wager that you can likely count the number of CSOs who have ever written an exploit on one hand.
Often not true. I've always advocated that the CSO report to the CEO, and that is how it came to be. I was listed on the exec page, and the current CSO is now as well.
There are quite a few ways he may have to get around an NDA: a congressional subpoena requiring testimony superceding NDAs, and so would any testimony in court if this spawns any civil or criminal cases.
People have been openly complaining about sexual impropriety in Hollywood for decades. There were comedic references to Harvey Weinstein [1] and Kevin Spacey [2] in shows like 30 Rock and Family Guy. Suddenly people started caring. What changed was the cultural moment of the 2016 election. Specifically with Cambridge Analytica and Facebook, the Mueller investigation may have taken a turn towards them in recent months.
There's also the fact that we now have two people telling mutually exclusive versions of the truth: the whistleblower and the CEO. At most one of these two people can be correct. At least one of them must be wrong. If the whistleblower is correct then the CEO has lied to a parliamentary select committee in the UK.
Now that the CEO appears to have been marketing some of the things that CA and its partners (possibly SCL Group) can do (involving bribery, hidden cameras and Ukranian sex workers) to an undercover journalist[0] , CA is becoming something that can unite people in dislike just by its very essence. The more light that is shone the worse it seems to look.
This is developing into quite a political story in the UK and it seems that unless there is a great big cover up (and it doesn't backfire) that this is only going to get bigger.
I think the public anger is justified, but I'm surprised it took an almost cartoon-villain figure of a company to raise the awareness of the value of data to those that are prepared to pay for it.
Now that Facebook is being associated with Russia—and its connection with Trump—it is being thrown into the political froth that predominates the media spotlight right now. Normally, very few people would care about data retention policies, targeted advertising, or twitter bots, but when it is connected to a hotbutton issue it becomes more palatable to pundits and dinner tables alike. There is also the new energy that was culminated in Trump's election, caused by fear and shock by some and by lifting the malaise of seemingly immutable conventions and power structures to most (although that is perceived differently to different groups), as was what propelled Trump into office in the first place. This is why both those that identify as liberal and conservative have become more active than in the past, but I think this is just an uptake in a trend which started long before now. History doesn't happen in a vacuum, that is to say.
What you are saying doesn't really add up.
If the environment is really that hostile because Trump was elected, it should not be fostering movements like #MeToo. It should have crushed dissent. A wake up call doesn't lead to something like that. There has to be some positive factor being overlooked.
The comment my above comment is replying to literally compares Trump's America to Nazi Germany. How useful was Hitler as a means to empower the oppressed by giving them a villain for their public narrative?
I am well aware that sometimes negative events can be a catalyst for positive change, that sometimes they cast light on the problem and make it visible. But comments here indicate that people long knew about, for example, Weinstein's bad behavior. It fostered jokes, not a groundswell of public outcry.
I don't know if the movements were suddenly under attack. What is more clear to me is many became more overt and loud after Trump was elected. There was a sense of urgency and threat based on nothing other than what Trump and others like Bannon had said. Mind you, just said. Whether they were actual threats (or are) is definitely a legitimate (if separate) debate. Your causality is, however, arguing that the reverse happened: the opening shot came from the Trump side.
I don't think this discussion has much to do with the Facebook story above, however.
I think the question of news manipulation based on headlines[1] affects both the left and the right and happened to be facilitated by Facebook and its hungry data chewers. It's got to monetize that somehow, right?
Oh, and I remember when the Facebook IPO happened a bunch of buddies at a large investment bank argued that there was no way a platform like that had any value, etc. and so forth. And I remember arguing that the data they had had some value, we just don't know (and I didn't know) just for what, yet.
"When do we beat Mexico at the border? They’re laughing at us, at our stupidity. And now they are beating us economically. They are not our friend, believe me. But they’re killing us economically.
The U.S. has become a dumping ground for everybody else’s problems.
Thank you. It’s true, and these are the best and the finest. When Mexico sends its people, they’re not sending their best. They’re not sending you. They’re not sending you. They’re sending people that have lots of problems, and they’re bringing those problems with us. They’re bringing drugs. They’re bringing crime. They’re rapists. And some, I assume, are good people."
Some (qualified with the half-hearted I assume) is pretty much the opposite of the overwhelming majority.
Here's the original quote from his speech in 2015:
> When Mexico sends its people, they're not sending their best ... They're sending people that have lots of problems...they're bringing drugs, they're bringing crime. They're rapists. And some, I assume, are good people.
"They're rapists." is pretty self-explanatory. "And some, I assume, are good people." is indicative of Trump's sense of the scale of "good" versus "bad" people.
That's a disingenuous transcript. "They're rapists" is much more likely to be, "their rapists". And it makes a big difference. (as in, "...they're bringing drugs, they're bringing crime, their rapists.")
In other words, they aren't sending their best, they are sending drug dealers, criminals, rapists, etc.
That's completely different than that transcript's implication, which would be like saying, "they aren't sending their best, they are sending their drug dealers, their criminals, and all of them are rapists as well."
Unless you aren't a native speaker, I'm inclined to believe that you are being willfully disingenuous by spreading that the latter was what he meant to say.
Trump has enough insanity that no one needs to make up stuff to make him look bad.
This is just like the other stupid "bigly" meme. Even linguists have had to weigh in to agree that he was saying "big league" not bigly. Again, his grammar and syntax is elementary enough that we don't have to make crap up.
No, you missed the point. They are sending drugs, crime, rapists; does not imply that everyone is a rapist. All it implies is that at least more than 1 rapist has come across the border illegally. Which is probably true.
> Unless you aren't a native speaker, I'm inclined to believe that you are being willfully disingenuous by spreading that the latter was what he meant to say.
I'm a native speaker but "they're" makes sense to me here?
> They’re sending people that have lots of problems, and they’re bringing those problems with us.
The way I read it, at this sentence the first "they" refers to Mexico, while the second refers to the people who (illegally?) immigrated. He then says
This "they're" follows directly after and again refers to the immigrants because they are "bringing" drugs and not "sending" drugs, or at least that was my interpretation.
Well, I'm not 100% sure I understand what you are saying, but I believe you are saying that "they're rapists" makes sense if you assume that the verb is dropped. If that's the case then yes, it could be:
"They're [sending their] rapists."
Which is essentially the same meaning as ", their rapists".
But the ridiculous interpretation that many people have extrapolated from "they're rapists". Is, "They [are all] rapists. Which is absurd, even for Trump.
I agree on the bigly-level stuff (it's very similar to the facile jokes about George W. Bush being dumb) but this quote specifically is clear cut. Of course Trump is not calling Mexico/Mexicans rapists (though he does disparage Mexico shortly before it) but he was calling most Mexican-Americans criminals and rapists: since the ones Mexico sends into the US are "their rapists" and Mexico isn't "sending their best", it stands to reason that the resulting Mexican-American population, for Trump, is overwhelmingly comprised of criminals and rapists.
You're still parsing it incorrectly even if this speech wasn't about the wall and illegal immigration.
"their rapists" only means that some subset are rapists because it's a category included with others. There is no hint that all of the bad ones he is referring to are rapists.
Time for Facebook to pivot, and pivot quickly they must.
edit:
Daniel Ive of GBH Insights supports this notion:
“Changes to their business model around advertising and news feeds/content could be in store over the next 12 to 18 months,” Ives wrote in a note to investors.
http://time.com/5205336/facebook-shares-fall/
Suddenly he's so concerned about transparency he's leaving over it? This report seems very fishy. All the sources are "according to current and former employees." Not one person willing to go on record?
I’m sorry but show me even 10 voters nationwide who were going to vote for Hillary, and then saw a Russian-created fake news post on Facebook and changed their vote to Trump. This Security Chief was clearly upset that his candidate lost, but blaming Facebook or the Russians is ludicrous. It seems that they attempted to influence the election, but there is zero evidence that they were successful in changing the outcome.
I admire his devotion to his candidate, and for trying to find an explanation for her defeat. But sometimes the correct explanation is the simplest one: she was just unpalatable to many voters. Deal with it, and spend your energy finding a better candidate next time, rather than trying to blame Russia or Facebook for influencing even a single vote, which likely did not happen.
You don’t need to flip the voters, just get them to not show up, and get more republicans to show up. This isn’t about politics, this is about buisiness interests, and professional reputation.
Hillary Clinton had a $1.2 billion campaign budget, along with the vast majority of active social media users, the whole of Silicon Valley, and most of the press on her side. If Democrats didn’t show up to vote for her, the root cause wasn’t less than $1 million worth of ads for fake news stories.
That’s the thing though, it wasn’t just these ads: a sizable contingent of Silicon Valley was bitter over the Bernie thing, stoked by emails from hacked Russians for example. Not saying the campaign didn’t screw it up, it’s still an achievement to fumble with all those advantages, but also this was one part of a much larger effort than a particular rash of $1 million dollar ad spends.
In any case, CA thinks they are influencing elections, and are selling as much to clients. It’s like arguing over whether or not someone is helping a drug kingpin because they don’t actually sell a lot of drugs.
The current investigation into the Russian meddling of the U.S. presidential election is still underway. It's still too soon to assume that the interference was "less than $1 million worth of ads".
For example, the Russians have been funnelling money to Trump's family for a decade. Trump sold a FL mansion for 240% of it's value ($100M) to a Russian oligarch:
Those ads read like parodies of a Russian attempting to write English. Nearly every one has a grammatical error or a factual inaccuracy that is obvious after 2 seconds of thought. I particularly like "dynastic succession of the Clinton family in American politics breaches the core democratic principles laid out by our founding fathers", especially given that the son of one of our presidential founding fathers himself became president, and the presidencies of George HW Bush / George W Bush occurred during the lifetime of nearly everyone eligible to vote.
If those ads truly had any influence whatsoever, it suggests that the problem of democracy is far deeper than Russian interference.
Does propaganda work or doesn't it? The idea being pushed that since it does, only approved propaganda should be let through. Trump winning is proof that there's a need for regulation of propaganda.
Propaganda works, which is why we have laws that require the source of messages in other mediums be identified, and why we regulate it in a variety of other ways.
IANAL but these ads are not covered by the regulation because they were not written in the internet era, and the law likely needs a refresh or at least some case law examples to figure out how to apply it.
This is the elephant in the room. U.S. based interests spent billions to influence public opinion here and abroad.
But less than $1 million spent by a Russia media organization (to maybe attract viewers?) and some trolls tossed the election? I’m more than skeptical.
This is a distraction campaign if here ever was one.
The underreported fact is that the vast majority of activity traced to the Internet Research Agency (Russian Federation) was in the free portion of Facebook and Twitter with automated and manually-curated accounts, not through ad spending.
There is a situation where enterprising researchers planned a protest via Facebook Events and also the counter-protest for an event in Texas. Altogether an impressive feat.
Facebook underplays this fact in Congress, in the hopes of evading regulation.
None of this should invalidate a lawfully-conducted election. There is no evidence ballots were tampered with whatsoever. Democratic leaders should do their best to allow Republicans to save face to their constituents by emphasizing the election is final and that all Americans are victims in this matter.
Well, that's what makes Cambridge Analytica so good, they have the data, and they're cheap. They just needed to target undecided voters in swing states, and through trawling Facebook data, they knew which voters to influence, and how to influence them, because they also have their psychological profiles. And how do you target them? By posting Facebook ads where you define your "target market" so narrowly that it basically hits individuals.
Actually, I suspect what makes Cambridge Analytica "so good" is that (big data aside) it was revealed just today: they use bribes and sex workers to entrap politicians, amongst other illegal techniques...
Isn't the low amount of money a key part of the allegation? That foreign actors were able to have such (alleged) influence so cheaply and without disclosure is a problem. If it had cost them billions to have that kind of influence, then it would have been an unfeasible or at least inefficient strategy.
i360 Themis have been far more invasive for far longer in influencing US elections. Why aren't they being investigated and outed by a pitchfork and flaming pikes mob?
Good question, as they are equally undemocratic (they hew to the goals of the billionaires that control the GOP - which is to destroy the gov't to cut taxes on the rich.)
To be fair, Obama's team also used data. But right now the threats come from billionaires or foreign powers. i360 should be the next subject of scrutiny. And they as well as think tanks and 'nonprofits' like Jud Watch should disclose who donated each and every dollar.
I don't think the argument was that Clinton voters switched to Trump. More that Clinton voters were persuaded to stay home. Which is a perfectly valid campaign strategy -- e.g. why campaign funds are so vital to a successful campaign. But political advertising is required to have disclosures. That foreign actors were allowed to push propaganda with the aim of influencing the election with the unknowing assistance of Facebook can still be considered a problem, no matter which candidate it was for.
Frankly speaking, if someone should took the blame for Clinton voters staying home, it's traditional media. They were constantly talking how her victory is predicated, how she is supposed "to take Ohio, to take Florida, to take Wisconsin", NYT and HuffPost showing election calculators with "95% probability of Hillary winning" (Nate Silver was the only one who said that Trump has 30% chance, and he was laughed out of the room for that!).
Is it really a mystery that democratic voter turnout was low? Why they should be bothered if the victory in their pocket? And Trump voters were energized beyond belief by the exactly same message from traditional media.
Of course traditional media is primarily to blame for this outcome, but legislators have no business addressing the 1st Amendment-protected activities of the New York Times et al.
Lawmakers have a duty to mitigate foreign interference in U.S. elections. Foreign campaign political campaigns, through traditional and social media, need to be monitored and regulated. The regulation is there. The enforcement is still catching up.
Not sure where you got most of that from the article, but I think we’re going to find that the data does support the theory that voters were intensely profiled and targeted with stories to make one candidate seem “unpalatable” or another one more attractive.
We’re fortunately deep enough in this story that we may get a concrete answer as to what the extent of the efficacy of this operation was.
It's not necessary to change the votes of those who have already made up their minds. If one can nudge fence-sitters and undecided votes to a particular side, that can contribute to a win. Likewise if a certain subset of voters can be persuaded not to vote, and/or people who planned to sit out the election can be convinced to go out and participate.
