In March, days after confirming his plans to leave the company, Facebook’s highest-ranking security official implored his colleagues to take responsibility for the social network’s failings amid the fallout of the most notable privacy scandal in the company's 14-year history.
Advocating for dramatic shifts in Facebook’s culture, Alex Stamos, the company’s outgoing chief security officer, sent a reflective, brutally honest note to employees on March 23 attributing the social network’s problems to “tens of thousands of small decisions made over the last decade.” The memo, which has not previously been circulated outside Facebook, is a rare look at some of the internal debate currently taking place over the company’s future direction and the growth-at-any-cost attitude that has driven it for years.
“We need to build a user experience that conveys honesty and respect, not one optimized to get people to click yes to giving us more access,” Stamos wrote. “We need to intentionally not collect data where possible, and to keep it only as long as we are using it to serve people.”
“We need to listen to people (including internally) when they tell us a feature is creepy or point out a negative impact we are having in the world,” the note continued. “We need to deprioritize short-term growth and revenue and to explain to Wall Street why that is ok. We need to be willing to pick sides when there are clear moral or humanitarian issues. And we need to be open, honest and transparent about our challenges and what we are doing to fix them.”
The note, titled “A Difficult Week,” came six days after stories in the New York Times and the Observer revealed how political consulting firm Cambridge Analytica had obtained and exploited the data of millions of Facebook users for political advertising purposes. After those revelations, Stamos, who had reportedly previously clashed with other executives over Facebook’s handling of Russian state-sponsored misinformation and election interference on the platform, confirmed his plans to leave by August. According to the post, his departure had long been in the works following an internal reorganization that left him with fewer responsibilities, and it was not directly related to the Cambridge Analytica scandal.
Facebook, which reports earnings tomorrow, declined to comment on Stamos's note. Stamos did not respond to requests for comment.
As news trickled out about his departure, Stamos’s note explained his reasons for leaving, criticized news organizations for their alleged quest to take the company down, and suggested that Facebook had not done enough to prevent the spread of misinformation heading into the 2016 election.
“I was the Chief Security Officer during the 2016 election season, and I deserve as much blame (or more) as any other exec at the company,” Stamos wrote, hoping to dispel the notion that he was some type of “hero” standing up to CEO Mark Zuckerberg or Chief Operating Officer Sheryl Sandberg. In a story about his departure, the Times reported that Stamos had favored more disclosure around Russian disinformation campaigns and organizational changes to allow for heavier policing of the platform — ideas that were met with resistance from other Facebook executives. Stamos later disputed that narrative on Twitter.
Beyond the narrative of internal clashes, however, Stamos focused his note on “the hard things we have to do to win back the world’s trust,” another admission that the company’s inability to completely suss out Russian misinformation or monitor third-party data abusers like Cambridge Analytica led to public reservations about Facebook.
“It would be really simple to believe that the outcomes of arguments between a handful of people got us to this point, but the truth is that we need to all own this,” he wrote. “While it has been disconcerting to hear anger and sadness in the voices of our colleagues this week, I also take heart in how widespread our desire has become to align ourselves in the new landscape. I saw this shift in many executives last year … but no number of all-hands or corporate goals was going to be able [to] turn this huge ship without a bottom-up change in culture.”
Some of those changes have already begun. In late 2017, Zuckerberg promised to hire 10,000 more staffers to Facebook’s security to moderate content and monitor misinformation, at a significant cost to the company’s bottom line, he told analysts and investors at the time. More recently, following the Cambridge Analytica revelations, the company changed rules surrounding its relationships with developers to significantly scale back the type of user data it shared with third parties.
Still, many of Stamos’s biggest concerns, including those around being less invasive and taking moral stands, remain major issues for Facebook. US lawmakers continue to call the social network “creepy” with Zuckerberg lacking a solid answer to their questions about whether the company would consider changing its business model to better protect user privacy. And earlier this month, Facebook’s CEO came under heavy criticism when he defended Holocaust deniers and their right to disseminate information on Facebook. He later “clarified” his remarks, though the company’s policy still allows for the participation of hate groups and bad-faith peddlers of misinformation.
The memo also offered a glimpse into Facebook executives’ tenuous relationship with the press. Stamos noted that “the media loves to build up heroes before tearing them down” and suggested that “at least one person is pushing lies about me to journalists.” Continuing, Stamos argued that the media is pushing a negative frame around Facebook and that he may fall victim. “I realize that the more I’m narratively built up, the further the media eventually gets to pull me down (which they will also frame as bad for Facebook).”
It’s not Stamos’s first time bristling at media coverage of Facebook; last October, in a series of tweets, he expressed his frustration at what he believed was “a ton of coverage of our recent issues driven by stereotypes of our employees and attacks against fantasy, strawman tech [companies].”
Stamos — who has sparred with reporters on Twitter over the last year — is regarded as a strong, outspoken personality at Facebook. “He's always had a reputation for being extremely candid,” a former senior Facebook employee told BuzzFeed News. “The things he's spent his career on are intense — they're the types of subjects where you're all but expected to butt heads and he's always run toward the fire. It's made him many friends and likely made him lots of enemies.”
Stamos only vaguely alluded to such clashes in his note, stating he’s “had passionate discussions with other execs” without elaborating further on whom those conversations were with or what they were specifically about. And while his note does not directly mention Zuckerberg, it’s clear that some of the directives are meant for the Facebook CEO, particularly those around de-emphasizing growth and revenue and making the company’s products less invasive.
Stamos's impassioned rhetoric and laundry list of problems Facebook needs to tackle make his departure at this crucial moment in the company's history all the more remarkable. For some familiar with the company's current culture, there is concern that Facebook is losing a voice of reason at just the wrong time.
“I think it's really important at any company to have folks inside who challenge the status quo,” a former senior employee told BuzzFeed News. “With Facebook's complexity, you need people who can stand up and advocate. Alex has a tremendous depth of expertise and reputation — he's the person you'd want in your corner to help get the company on track. If you didn't want him, who else would you want? It’s a big loss.”
Read Stamos’s note in full below:
A Difficult Week
Alex Stamos, Friday, March 23, 2018
At noon on Monday, a NY Times reporter I have long known and respected gave me a ring.
“Alex, this will probably be the most difficult discussion we’ve ever had.” She was right.
She told me that four anonymous sources had told her a variety of things that she was working into one story that would post later that day. I spent the next thirty minutes shooting down several completely false accusations and trying to prevent the true facts from being woven into a misleading narrative. I pointed out to her that, if true, her story would still be a scoop in several days and asked if she could give me and Facebook more time to work with them to tell an accurate tale of our challenging last couple of years.
About three hours later, with me frantically working with our comms team to get on-the-record quotes to the reporters, the first stub version of the story went out with a headline that implied that I had just quit Facebook out of anger. This led to thousands of tweets and hundreds of stories based upon the initial, incomplete report, as well as a tearful call from my mother who thought I had been fired. The original NY Times headlines and story were corrected several times, but despite our outreach to other outlets the initial framing calcified into conventional wisdom.
Some fact checking.
Did you quit? Look up, is my name greyed out? If not, then I’m still a Facebook employee (or our deprovisioning process really needs some work).
At some point, I will leave, and this answer will become a bit ironic, but it is absolutely untrue that I quit on Monday, and today I’m still trying to do my best by our users.
Have you had passionate discussions with other execs? Yes. Have we met?
Have those disagreements been about investigating or disclosing Russian activity? The world has changed from underneath us in many ways. One change has been the thrusting of private tech companies into the struggle between nation-states. Traditionally, the standard has been to report malicious activity by adversary nations to US law enforcement. We are moving into a world where the major platforms are going to be expected to provide our findings, attribution and data directly to the public, making us a visible participant in the battle between cyberwarfare titans.
This is an uncomfortable transition, and I have not always agreed with the compromises we have struck in the process. That being said, I believe my colleagues have all approached the process in good faith, and together we have sorted through legitimate equities that needed to be weighed.
Did Sheryl tell you not to investigate or disclose Russian activity? Absolutely not. I have rejected this claim, on-the-record, multiple times to multiple reporters and on Twitter. Unfortunately, we are living in a media moment where sometimes an anonymous accusation is printed over the on-record denial of a direct participant. The Times, to their credit, removed a paragraph that had been written before my on-record statement had been provided, which has become its own meta-controversy (/sound inception_trombone.mp3).
Was there a reorganization of the security team? Yes, here is my post announcing that in January.
Are you leaving in August because of this change? I initiated the discussion of changing the structure of the InfoSec team just before Thanksgiving 2017. This was due to my concerns that organizational issues impaired our election security work in 2016. While the outcome of this discussion was not one I proposed, at the time I committed myself to making the transition as smooth as possible and trying to set the new teams up for success. I am genuinely proud of the capable, diverse security teams we have built and I truly want my colleagues to continue to be successful in their vital work.
The re-org did, however, leave me with a challenge, in that it created a big mismatch between the responsibilities I felt carrying the Chief Security Officer title and the potential for big impact I could have from my redefined role. This conundrum was pretty obvious to many, and when people internally asked if I was leaving I rather openly told them that I was committed to staying through August. That was the truth; I had not made up my mind to leave, and I thought setting a date eight months in the future was responsible and reassuring about the stability of the team. Unfortunately, somebody leaked the fact in a manner meant to turn an eight-month commitment into a rage-quitting.
Are you leaving because of Cambridge Analytica? No, that makes no sense if you look at the calendar.
How are you feeling? Aww, how sweet, thanks for asking! I feel like shit.
I am extremely uncomfortable with the “heroic Alex” narrative the media is using to beat up on Facebook for many reasons:
1. It is undeserved. I was the Chief Security Officer during the 2016 election season, and I deserve as much blame (or more) as any other exec at the company.
2. It erases the work of the true heroes. If anybody deserves credit for the good things we did, it is the members of the threat intelligence team who first spotted and stopped Russian activity in 2016, and the huge cross-functional group who really studied and understood this problem in 2017. Just because I approve the expense reports of the first group and was part of the second does not give me any special virtue.
3. Heroes need villains. This narrative is popular not because people like me, but because it harms Facebook. At least one person seems to be trying specifically to hurt Sheryl by mixing in leaked facts with untrue allegations.
4. The media loves to build up heroes before tearing them down. We Greeks invented this narrative device, the fatal flaw, and I know that at least one person is pushing lies about me to journalists. Aside from this being hurtful on a personal scale, I realize that the more I’m narratively built up, the further the media eventually gets to pull me down (which they will also frame as bad for Facebook).
Most importantly, this narrative absolves us of the hard things we have to do to win back the world’s trust. It would be really simple to believe that the outcomes of arguments between a handful of people got us to this point, but the truth is that we need to all own this. The problems the company is facing today are due to tens of thousands of small decisions made over the last decade within an incentive structure that was not predicated on our 2018 threat profile. While it has been disconcerting to hear anger and sadness in the voices of our colleagues this week, I also take heart in how widespread our desire has become to align ourselves in the new landscape. I saw this shift in many executives last year, as they clearly recognized the emerging imperatives to prioritize security, safety, integrity and trust over all else, but no number of all-hands or corporate goals was going to be able to turn this huge ship without a bottom-up change in culture.
So now we need to turn that angst into action. We need to change the metrics we measure and the goals we shoot for. We need to adjust PSC to reward not shipping when that is the wiser decision. We need to think adversarially in every process, product and engineering decision we make. We need to build a user experience that conveys honesty and respect, not one optimized to get people to click yes to giving us more access. We need to intentionally not collect data where possible, and to keep it only as long as we are using it to serve people. We need to find and stop adversaries who will be copying the playbook they saw in 2016. We need to listen to people (including internally) when they tell us a feature is creepy or point out a negative impact we are having in the world. We need to deprioritize short-term growth and revenue and to explain to Wall Street why that is ok. We need to be willing to pick sides when there are clear moral or humanitarian issues. And we need to be open, honest and transparent about challenges and what we are doing to fix them.
I have heard all of these changes discussed among executives over the last year, and I think we’re in a place where such aims are realistic and achievable. If any company is up to these challenges, it’s ours. I still can’t believe how lucky I am to work with talented people.
Alex, blink twice if you are being held hostage as you write this. I wrote this post myself, and did not run it by anyone. I have to thank Schrep for pulling me aside, asking how I am and suggesting that I speak to the company from my heart, but he has not seen or endorsed this post.
Now what? Are you staying? I honestly don’t know. My standard for any job has been whether I am being effective in my position, true to my beliefs, and present for my family. My fear is that stories like this one can become self-fulfilling, and my ability to represent the company publicly has been compromised by this cloud hanging over my head. To the last criteria, I have three children under twelve and I’ve come to the realization that I’ve spent 75% of my youngest child’s life as the CISO of companies in battle with the Russian intelligence services. This isn’t conducive to being a great parent.
If I do leave, I promise to be open and honest. Wherever I am, I am always available to anybody looking to discuss how to tackle these problems or who have thoughts on what I can do better. Thank you to everybody who has been kind to me, especially this week.