Facebook's balancing act between trust and security
The Paris attacks highlight the delicate dance for Facebook. But Chief Security Officer Alex Stamos says it's vital for the social network to defend users' privacy – and foster trust among its online community – in the face of growing pressure from governments to reveal more information about the platform's 1.5 billion users.
The aftermath of the Paris attacks has underscored a perilous position for social media companies, which have become vital communication platforms not just for everyday people but also for terrorist groups, their victims, as well as for law enforcement and intelligence agencies.
Nowhere is this dilemma more inescapable than at Facebook.
With more than 1.5 billion global users, Facebook’s status as the Internet’s most powerful communications platform was on full display after the Islamic State's coordinated strikes.
The network became a powerful tool for relaying first-hand accounts of the violence, a means for those affected by violence to "check in" with friends and loved ones, and served as a central rallying point to voice support for terrorized Parisians. In fact, the Paris attacks marked the first time that Facebook’s Safety Check feature was made available for a terrorist attack.
But the network also faces growing pressure from law enforcement and politicians to disclose information about – and tamp down on – the darker corners of the social network inhabited by militant groups and their supporters. As The New York Times reported Friday, Facebook was a conduit for the Paris terrorists to communicate and coordinate with each other.
As Wired noted, CIA Director John Brennan said this week he hoped the attacks were a "wake-up call" and that it was time for Western leaders to "take a look and see whether or not there have been some inadvertent or intentional gaps that have been created in the ability of intelligence and security services to protect the people that they are asked to serve." Also this week, presidential candidate Hillary Clinton said social media companies should do more to rid the Web of militants. "We must deny them virtual territory, just as we deny them actual territory," she said in a speech Thursday.
In a statement, Facebook said, "We work aggressively to ensure that we do not have terrorists or terror groups using the site, and we also remove any content that praises or supports terrorism."
But Facebook is in the difficult position of balancing the privacy and civil rights of its users with government demands for data. More and more, there is evidence that the company increasingly sees itself in the role of advocate for and defender of the rights of users in the face of unwarranted government intrusion.
21st century trust brokers
That evolving position was clearly articulated by Alex Stamos, Facebook's chief security officer, in an October speech at a cybersecurity gathering in Baltimore.
Trust will become the defining commodity of the 21st century, just as oil had been in the 20th century, said Mr. Stamos. Therefore, Facebook’s future hinges on its ability to foster trust within its massive user base. That trust, he said, would be the product of Facebook convincing users that it "makes choices in their best interests." And, more importantly, that the company "backs up those choices even in the face of adversity."
In light of continued fallout from former National Security Agency contractor Edward Snowden's leak of documents describing the agency's mass surveillance, Stamos also sought to distance Facebook from the agency's spying efforts, or those of American allies.
The dissolution of trust that Stamos focused on is also roiling trade agreements between the US and the European Union. For instance, a European court recently invalidated the transatlantic Safe Harbor agreement, which thousands of companies rely on to be able to transfer Europeans' data stateside, due to a case involving Facebook's own safeguards on data.
While it's clear America's "friends and allies do not trust us," Stamos said, he stressed that Facebook does not expose its users' data to the National Security Agency, despite allegations made in the European lawsuit that invalidated Safe Harbor.
"Facebook does not offer a secret back channel to the NSA or any other government agency around the world," he said.
Rather, said Stamos, Facebook responds narrowly to what he described as legitimate and targeted government requests for information – and only when the company is satisfied that the requests are valid.
"There has been an incorrect perception that the targeted requests received by e-mail and social networking companies represented broad, mass collection of data," Stamos said.
As evidence, he pointed to the company’s frequent transparency reports in which it discloses high-level numbers on requests for user information from governments around the world. The most recent of those, released last week, revealed that requests for data increased 18 percent over the second half of 2014 to more than 41,000 requests.
New champions of privacy?
Stamos’s words come after Facebook has taken steps in the past year to shore up its reputation as a champion of user privacy. In October, the company announced that it would begin warning users who were the target of state-sponsored hackers, following in the footsteps of companies like Google. Behind the scenes, the company also migrated more than 700 million users of its massively popular WhatsApp chat system to an open source peer-to-peer encryption scheme known as Textsecure by Open Whisper Systems, earning it the ire of the law enforcement and intelligence communities.
Speaking of the controversy over the growing use of strong encryption to secure communications, however, Stamos flatly rejected the thinking of senior officials such as CIA Director Brennan, who argue that “secure” backdoors can be created in technology so that intelligence agencies can surveil communications.
"There is no such thing as 'partial strong encryption,' " Stamos said.
The stakes for both Facebook and the US if they fail to embrace “trust” as an organizing principle are high, Stamos warned. America's status as the "provider of choice for the technologies of the future is in jeopardy," he said.
Privacy v. national security
Stamos’s comments reflect anxieties familiar to many US firms with global reach, said Steve Lipner, Microsoft’s partner director for Software Security in Trustworthy Computing.
The Snowden revelations and overt government demands for access to data continues to hurt global tech businesses, said Mr. Lipner. "Many businesses are responding with attempts to improve the trust of customers worldwide," he said.
Microsoft, for example, has recently challenged a law enforcement order for access to information in an Irish data center and announced of new data centers in Germany to host customer data outside the reach of US authorities.
"If companies' actions put them at odds with the US government, that’s not a good thing for the companies or the government," he said. However, he said, there's been a lack of real dialog between the government and the private sector when it comes to the business implications of matters of privacy and national security.
Facebook's data dynasty
Others argue that Facebook is trying to have it both ways: The company relentlessly harvests and monetizes users data, but then tries to cordon it off from access by the government.
"The fact is that Facebook isn’t terribly trustworthy with the data they collect, either," said Bruce Schneier, chief technology officer at the security firm Resilient Systems. "Everybody is punch drunk on data. This is just a question of government surveillance piggybacking on corporate surveillance."
While Facebook and other social media companies might make a show of protecting user data, Mr. Schneier sees such positioning as a "skirmish around the edges" of what is a massive, private-public partnership in collecting and mining user information. Even more troubling, Schneier says, post- 9/11 laws may compel companies to cooperate with surveillance, but prohibit them from disclosing that cooperation to their users.
"This is one of the consequences of living in a country where secret courts make secret rulings on secret laws," Schneier said. “In a democracy, that’s poison."