Alex Stamos - Facebook

For Facebook’s Stamos, conflicts over breaches and disclosure a theme

The departure of Facebook Chief Information Security Officer Alex Stamos is just the latest in which the respected security executive clashed with higher ups over the handling of a major data breach. 

Stamos will leave Facebook in August after clashes over how the company dealt with the spread of misinformation on the social network by Russia during the 2016 election, according to a report in the New York Times. His departure from Facebook – like his decision to leave Yahoo in 2015 – highlight growing tension within executive ranks and among regulators about the best way to respond to security incidents and data leaks.

According to published reports, Stamos’ departure is the byproduct of tension between Facebook’s security and policy teams about how much to disclose about foreign government activity on the massive social network – more evidence of that company’s tortured response to the misuse of its massive network.

Company founder and CEO Mark Zuckerberg initially scoffed at suggestions that Facebook may have played a role in tipping the US Presidential election to Republican Donald Trump. But news reports in recent months revealed that groups working for the government of Russia were active participants in the election. They used Facebook and other social networks to promote pro-Donald Trump rallies and events in several states, purchased ads promoting outsider candidates, and created accounts to spread the notorious Hillary Clinton e-mails stolen from the Democratic National Committee, according to reports.

Alex Stamos - Facebook
Stamos, Facebook’s Chief Security Officer, said he will step down by August in part over differences with company management over the handling of questions about misuse of the Facebook platform during the 2016 Presidential Election in the US

More recently, Facebook has haltingly acknowledged the role its platform played in those operations. In September, for example,  the company released the findings of an internal audit that seem to corroborate theories that Russian actors were behind a campaign of social media stories and memes designed to foment discord in the the months leading up the November 2016 presidential vote. Facebook investigators identified around 3,000 advertisements that ran from June of 2015 to May of 2017 and were linked to fake accounts controlled from Russia that spent around $100,000 to run the campaign.

Even before the election Stamos wanted to disclose more information about such activity than other executives inside the company were comfortable with, according to the New York Times. He began keeping his eye on Russian activity on Facebook in July 2016 and wanted the company to reveal his findings to the public. Facebook top executives, however, had a different opinion on the matter.

Now Stamos seems to be taking the fall for recent backlash about the company’s decision finally to disclose what they know about how Russia interfered with the election, the report said.  Though he once ran a group of 120 people, only three remain, the report said.

For his part, Stamos is downplaying the news of his imminent departure. He acknowledged on Twitter that his role “did change” at Facebook, but that he’s still “fully engaged” with his work there. “I’m currently spending more time exploring emerging security risks and working on election security,” Stamos tweeted.

Not the first conflict over breaches

Stamos is no stranger to having to depart a company because of his unpopular opinion on corporate responsibility and disclosure. The drama at Facebook is similar to the one that played out at his former employer, Yahoo! There, Stamos also clashed with his previous boss, Yahoo CEO Marissa Mayer, over decisions by Yahoo! senior management to not tell the public about a massive breach of the company’s database that left users open to hacking from state-sponsored bad actors.

As at Facebook, Stamos wanted to go public with the potential threat he knew was happening behind the scenes, and his higher-ups didn’t. The disagreement ultimately prompted his move from Yahoo to Facebook in 2015. Meyer was later fined $14 million over her handling of the incident—the combined amount of a cash bonus and stock award she had to forfeit.

At Facebook, the situation is less straight forward. The user data at the center of the controversy over the firm Cambridge Analytica was not stolen from Facebook by hackers. Rather, it was knowingly released to an individual who posed as a researcher. Stamos’ earned the ire of privacy advocates for tweets he made defending Facebook from scrutiny over how Cambridge Analytica inappropriately acquired user data from the social network.

Data obtained from more than 50 million Facebook users was given to behavior research firm Strategic Communication Laboratories–a clear violation of Facebook’s terms of service. Cambridge Analytica is Strategic Communication’s data-analytics firm and was involved in both the U.S. and U.K. elections.

The companies collectively ran data operations for President Donald Trump’s 2016 election campaign, helping him target voters on Facebook against his then-rival Clinton.

Cambridge Analytica has denied any wrongdoing in the situation, which spurred heated and widespread public debate over Facebook’s persistent failure to protect the privacy of its users and their data, as well as how easy it is to game the social network’s system to spread false or misleading information.

Defending Facebook, defending himself

After the news broke, Stamos published a series of tweets defending Facebook against what he insisted was not a “data breach,” because the data was knowingly shared – though without a full understanding of how it would be used.

“It should be noted that several other prominent platforms, like Android and iOS, allow access to friend (contact) data with user permission,” he wrote in a tweet that he later deleted. “Like us, those platforms have policies about the use of data, but misusing contacts gathered knowingly from a phone is also not a ‘breach.'”

After receiving a flurry of criticism over his comments, Stamos acknowledged that he “should have done a better job weighing in” and asserted the opinion that eventually got him bounced at Facebook.

“I have always felt that the individuals who actually work on these problems should be engaged publicly,” he wrote on Twitter. “Doing so means balancing one’s personal beliefs with their responsibility to their co-workers and employers. I don’t know how to do that in this media environment.”

Growing tension over handling of breaches

Stamos’s struggles at both Yahoo! and Facebook underscore growing tension within companies and between the private sector and regulators over the handling of data breaches and other cyber security incidents. In addition to criticism of Yahoo!’s handling of a massive breach, companies have been fined by federal regulators and state attorneys general for failing to responsibly disclose and respond to data breaches.

More recently the Securities and Exchange Commission has updated guidance on when they should disclose cyber security incidents. That, following the outbreak of the NotPetya malware, which caused billions of dollars in damages to firms including Merck Pharmaceuticals, Mondelez Candy and Federal Express.