Leaked audio from an internal Facebook meeting in July caught Alex Stamos, Facebook’s chief security officer, discussing his apparent qualms with the security of the social media giant’s corporate network.
In the recording, published by ZDNet on Thursday, Stamos says, “The way that I explain to [management] is that we have the threat profile of a Northrop Grumman or a Raytheon or another defense contractor, but we run our corporate network, for example, like a college campus, almost.”
Stamos also seems to have almost faulted the company for running behind on its digital protections. In the leaked audio, he says, “The threats that we are facing have increased significantly and the quality of the adversaries that we are facing. Both technically and from a cultural perspective I don’t feel like we have caught up with our responsibility.”
Given the detailed nature of the data that Facebook keeps on its users, along with the intensifying onslaught of data breaches, Stamos’ comments are disquieting.
Stamos—who, again, works for Facebook—went on Twitter to clarify his statements in an 11-part tweet thread. Strung together, the chain reads:
“I've said this before, internally, to describe one of the basic challenges security teams face at companies like ours … Tech companies are famous for providing freedom for engineers to customize their environments & experiment with new tools … And also frameworks & development processes. Allowing for this freedom helps creativity and productivity … We have to weigh that against the fact that we have become a potential target advanced threat actors. … As a result, we can’t architect our security the same way a defense contractor can, with limited computing options and no freedom. … Keeping the company secure while allowing the culture to blossom is a challenge, but a motivating one, I’m happy to accept. … The ‘college campus’ wording is just a figure of speech to make the point; … My team runs network security for the company. Of course we secure it thoroughly. … It would not be correct to read my quote as a criticism of management not caring about security; they care a great deal. … It’s not a criticism of anybody, just a statement of why our team needs to be creative in how we protect our corporate network.”
He has raised concerns in the past about guarding the privacy of internet users. According to reporting from Reuters, he stepped down from his position as Yahoo’s chief information security officer in 2015 as a protest against the web service provider’s decision to search through email accounts at the behest of national security officials. He joined Facebook after leaving the Yahoo post, which he had occupied for a little over a year.
The larger threat isn’t exactly new. Tech giants have fallen victim to unauthorized snoops seeking out user data for more than a decade. In 2010, Google claimed that Chinese actors managed to access info from the Gmail accounts of activists, along with the company’s trade secrets. In 2014, Russian intelligence allegedly hacked into Yahoo’s email service, exposing the accounts of 500 million people—including government officials and tech workers.
The cache of data that Facebook safeguards is no doubt similarly enticing to hackers. ZDNet notes that the social media site in all likelihood has more citizen data than even most governments. Through monitoring clicks and other web records, Facebook is able to build hyper-specific profiles of its users, which is useful for targeted advertising. The company collects everything from basic “age/sex/location” info to ethnicity, educational level, and even the year one’s home was built. As John Lanchester argues in the London Review of Books, “Facebook, in fact, is the biggest surveillance-based enterprise in the history of mankind.” Let's hope it has the security measures befitting of that title.