
Zuckerberg Takes Steps to Calm Facebook Employees - SREinSF
https://www.nytimes.com/2018/03/23/technology/zuckerberg-facebook-employees.html
======
mehrdadn
I feel like someone should also give Zuckerberg the memo that it's only a
matter of time before an insider also goes rogue and abuses data access (edit:
or otherwise; see below). Facebook fundamentally seems to trust itself way too
much, and it worries me that it thinks the only threats are external
entities... to me, this is another silently ticking time bomb.

EDIT: And don't forget that going rogue is just one scenario. Another is just
a bigger attack surface: the more insiders have broad system access, the more
credentials there are that can be phished by/leaked to/stolen by outsiders.
Really, it would be completely missing the point of security to have arguments
about _how exactly_ insiders' credentials might get compromised.

~~~
harryh
You'd think so, but most companies have pretty strict internal controls for
this sort of thing. Access is also carefully logged so a leaker is pretty much
guaranteed to get caught at which point they'd immediately lose their job and
likely face criminal prosecution.

With so much to lose and so little to gain internal leaks of this sort are
extremely rare.

~~~
specialist
Who watches the watchers?

#1 - There's always a back door. I did some medical records stuff for a while.
I looked myself up, just to confirm for myself how trivial it was to do. Yup,
there I was. Which is why I insist that all data at rest is encrypted. (I have
yet to win this argument.)

#2 - Our "portal" product had access logs for auditing. Plus permissions,
consent trees, delegation. The usual features. Alas. We also had a "break the
glass" scenario, ostensibly for emergency care, but was more like the happy
path. And to my knowledge, during my 6 years, none of our customers ever
audited their own logs.

#3 - My SO at the time worked in a hospital and went to another disconnected
hospital for care because she knew her coworkers routinely, illegally looked
up patient records, and she didn't want them spying on her.

~~~
underwater
As an ex-employee, I feel _much_ more confident in Facebook's processes than
the company you're describing. Facebook would have no problem terminating
people who do what you're describing.

~~~
robrenaud
Imagine you are the Egyptian government. You want to squash a social media
fueled rebellion, led by some anonymous person. How hard is it to get one of
your bright and loyal minds hired by Facebook? How much data could such a
person exfiltrate before getting fired?

The 'We will log your access and fire you' line of defense prevents nothing
from someone who only has a job for the purpose of moving data out.

~~~
taurath
They don’t fire you, they arrest you. And then they find out who you work for.

~~~
gruturo
Doesn't matter. At the first hint of trouble you escaped back to your country,
protected by the government which had sent you there in the first place, and
now the rebels have been murdered thanks to the data you got out.

------
JumpCrisscross
Facebook's Board of Directors is a remarkable collection of
silent-yet-complicit heavyweights:

-Marc Andreessen;

-Erskine Bowles ("President Emeritus of the University of North Carolina" and "White House Chief of Staff from 1996 to 1998");

-Ken Chenault ("Chairman and Chief Executive Officer of American Express Company");

-Susan Desmond-Hellmann ("Chief Executive Officer of The Gates Foundation" and former "Chancellor at University of California, San Francisco (UCSF) from 2009 to 2014");

-Reed Hastings ("Chief Executive Officer and Chairman of the board of directors of Netflix");

-Jan Koum ("co-founder and CEO of WhatsApp"); _and_

-Peter Thiel [1].

Might not be a bad idea to pen a letter to their Board [2] with your state
attorney general [3] and perhaps a U.S. Senator [4] copied.

[1] [https://investor.fb.com/corporate-governance/default.aspx](https://investor.fb.com/corporate-governance/default.aspx)

[2] [https://investor.fb.com/corporate-governance/?section=contact](https://investor.fb.com/corporate-governance/?section=contact)

[3] [http://naag.org/naag/attorneys-general/whos-my-ag.php](http://naag.org/naag/attorneys-general/whos-my-ag.php)

[4]
[https://www.senate.gov/general/contact_information/senators_...](https://www.senate.gov/general/contact_information/senators_cfm.cfm)

~~~
swyx
Probably because speaking out would cause more trouble than it's worth. I
recall an Uber director decided to open his mouth during the incidents of last
year...

~~~
hkmurakami
Or recall the HP leaks.

~~~
JumpCrisscross
> _the HP leaks_

The HP leak and spying scandal was so convoluted and left so many loose ends
that I question its pedagogical utility.

"On September 5, 2006, Newsweek revealed that Hewlett-Packard's general
counsel, at the behest of HP chairwoman Patricia Dunn, had contracted a team
of independent security experts to investigate board members and several
journalists in order to identify the source of an information leak. In turn,
those security experts recruited private investigators who used a spying
technique known as pretexting. The pretexting involved investigators
impersonating HP board members and nine journalists (including reporters for
CNET, the New York Times and the Wall Street Journal) in order to obtain their
phone records. The information leaked related to HP's long-term strategy and
was published as part of a CNET article.

Board member George Keyworth was ultimately accused of being the source and on
September 12, 2006, he resigned, although he continued to deny making
unauthorized disclosures of confidential information to journalists and was
thanked by Mark Hurd for his board service. It was also announced at that time
that Dunn would continue as chairwoman until January 18, 2007, at which point
HP CEO Mark Hurd would succeed her. Then, on September 22, 2006 HP announced
that Dunn had resigned as chairwoman because of the "distraction her presence
on our board" created. On September 28, 2006, Ann Baskins, HP's general
counsel, resigned hours before she was to appear as a witness before the House
Committee on Energy and Commerce, where she would ultimately invoke the Fifth
Amendment to refuse to answer questions."

[https://en.wikipedia.org/wiki/Hewlett-Packard_spying_scandal](https://en.wikipedia.org/wiki/Hewlett-Packard_spying_scandal)

~~~
hkmurakami
Tom Perkins' memoir recounts this.

------
tuna-piano
Can someone explain to me why the Cambridge Analytica story is making people
so much angrier than the later revelation that Facebook was scraping call+text
info? That seems to be the larger problem to me.

Somewhere at Facebook there is a team of people who wrote software to scrape,
store and analyze the personal call+text data that users didn't explicitly
mean to give to Facebook.

The data that Cambridge Analytica attained (from Facebook's API) doesn't seem
surprising at all. Isn't the Cambridge Analytica headline really just, "Group
doesn't follow website's terms of service from five years ago".

~~~
m52go
> Isn't the Cambridge Analytica headline really just, "Group doesn't follow
> website's terms of service from five years ago".

I think the headline people are seeing is more like "Group doesn't follow
website's terms of service from five years ago, and ends up helping Donald
Trump win presidency."

A big part of the reason this has become so big a story is political.

~~~
wdr1
> I think the headline people are seeing is more like "Group doesn't
> follow website's terms of service from five years ago, and ends up helping
> Donald Trump win presidency."

Exactly.

The Obama campaign already acknowledged they did the same thing, but on a
bigger scale.

[https://www.washingtonpost.com/business/economy/facebooks-rules-for-accessing-user-data-lured-more-than-just-cambridge-analytica/2018/03/19/31f6979c-658e-43d6-a71f-afdd8bf1308b_story.html](https://www.washingtonpost.com/business/economy/facebooks-rules-for-accessing-user-data-lured-more-than-just-cambridge-analytica/2018/03/19/31f6979c-658e-43d6-a71f-afdd8bf1308b_story.html)

"In 2011, Carol Davidsen, director of data integration and media analytics for
Obama for America, built a database of every American voter using the same
Facebook developer tool used by Cambridge, known as the social graph API. Any
time people used Facebook’s log-in button to sign on to the campaign’s
website, the Obama data scientists were able to access their profile as well
as their friends’ information. That allowed them to chart the closeness of
people’s relationships and make estimates about which people would be most
likely to influence other people in their network to vote.

“We ingested the entire U.S. social graph,” Davidsen said in an interview. “We
would ask permission to basically scrape your profile, and also scrape your
friends, basically anything that was available to scrape. We scraped it all.”"

~~~
softawre
> We would ask permission

They asked each user for permission to look at their social graph, in an app
designed for this task (Obama election).

------
tbrock
I respect Facebook and their engineering chops as much as the next person,
they are truly world class programmers, but how the holy hell is everyone
daydreaming that they don’t work for an advertising company?

You sell and use people’s data to get money: this is the business plan. Full
stop.

Connecting people can definitely be lucrative and useful in other ways but
Facebook's particular implementation is impression based not action/outcome
based.

~~~
ramphastidae
Because they’re paid well. Very well. Everyone I know that works at FB for 2+
years is making 300-500k (including stock) and already owns or is on their way
to purchasing a home. That makes it a lot easier to ignore the reality of FB.
Meanwhile chumps like me that consider the ethics of their employer will be
renting forever. I honestly don’t blame them.

~~~
tbrock
To be clear, I'm not criticizing or holier than thou —- I'd work there in a
heartbeat without complaint and love it.

The part I don't get is that it seems everyone who does work there is in shock
and awe that this is going on. SHOCKED!

It's comical to the point of parody.

~~~
sah2ed
It's a cognitive bias that kicks in when your monthly salary is involved, as
succinctly noted in 1935 by Upton Sinclair:

_"It is difficult to get a man to understand something, when his salary
depends upon his not understanding it!"_

------
madez
Facebook is an enabler for individuals to successfully undermine our
democratic mechanisms. It shouldn't feel nice to work for a company that has
to explain itself in front of the government. The employees of Facebook should
be aware of what monster they are building.

~~~
sp527
No they’re not. They’re in denial. I used to work there as an intern, so I get
a front row seat to how a lot of employees are reacting. The word I would use
is: indignation.

I’ve seen this us-against-them mentality play out elsewhere in various toxic
cult-like organizational cultures. The NSA was a great public example of just
how manifestly horrifying things can get with tens to hundreds of decent
people willfully participating in corrupt or unethical practices.

The way this all works is terribly fascinating, but the short of it is that
you have to become closed off and indoctrinated in order to fit in.
Particularly at places like Facebook, Google, and generally anywhere else that
provides free on-campus dinners (a good heuristic), employees build their
social circles and identities around the company. This, coupled with various
other factors, permits an astounding cognitive dissonance amongst a large
group of otherwise benign and rational people.

EDIT There’s an interesting additional complication I’ve seen at times:
internal spin. The media gets things about companies so wrong so frequently
that it’s almost too easy to discount the things with an uncomfortable shred
of truth as ‘fake news’.

~~~
Karrot_Kream
Agreed. I've never been at FB, but been at a similarly big "darling" software
company (don't want to go into specifics for identification reasons) and it
largely is about creating an internal "us-vs-them" mentality and a culture
that lionizes the good deeds over the bad.

Don't think of the employees as evil, they are probably legitimately not aware
of the entirety of what's going on. Like soldiers in a war, they only know how
their battles are going, not the war.

~~~
pdkl95
> evil

Hollywood _et al_ popularize the misconception that evil is fantastic and done
with _intent_. Most of the time evil is _banal_ [1]. The larger problems
happen when the unremarkable, small deviances from acceptable behavior become
_normalized_ [2][3].

[1]
[https://en.wikipedia.org/wiki/Eichmann_in_Jerusalem#The_bana...](https://en.wikipedia.org/wiki/Eichmann_in_Jerusalem#The_banality_of_evil)

[2]
[https://en.wikibooks.org/wiki/Professionalism/Diane_Vaughan_...](https://en.wikibooks.org/wiki/Professionalism/Diane_Vaughan_and_the_normalization_of_deviance)

[3]
[https://www.youtube.com/watch?v=PGLYEDpNu60](https://www.youtube.com/watch?v=PGLYEDpNu60)

------
Mc_Big_G
I hope anyone worth their weight in salt leaves Facebook as an employee and as
a user. Employees should already feel shame since the election. They all know
what Facebook is built on and what they've done and what they're doing.

~~~
legostormtroopr
Which election are you talking about? The 2016 one where everyone cares about
Facebook helping elect the US president, or the 2008 and 2012 elections where
everyone was ok with Facebook helping elect the US president?

~~~
craigyk
I've seen this nonsense spouted a few places now. Personally, I think there is
a big difference between the two, one focused primarily on cheerleading to get
out the vote, the other using inflammatory fabrications to enrage your base
(and get out the vote). I see this as a classic example of when "the ends
don't justify the means".

------
jondubois
>> One of [the Facebook employees] said he had avoided a trip home to see his
family last weekend because he did not want to answer questions about the
company he worked for.

Wow, some people/families are way too media-sensitive. It's just hypocrisy.
Facebook is fundamentally the same company as it was last week, last year and
5 years ago. Everyone knew this, especially Facebook employees.

Facebook today is mostly made up of two kinds of employees; money-hungry
sociopaths and hypocrites.

~~~
slivym
There's a big difference between a theoretical "Well technically they have all
our data and they could share it with anyone and they could use it to target
ads quite precisely"

In fact, that statement is true of the government as well. Most people just
think it won't really happen, and if it does happen it'll be something fairly
trivial like selling me shaving kits because I'm a man, and that my data isn't
really all that revealing.

That is vastly different from:

"This specific data you gave facebook went to this specific company, in
violation of facebook's own policies.

The breach of ToS wasn't followed up, and we have video of the CEO bragging
about fake news, blackmail and honey traps.

This wasn't even a US company influencing the election.

Your data was directly used to campaign for someone you probably deeply
oppose.

Not only that, but this specific targeting was probably highly important
because we know the result of the election relied upon victories in specific
states that are important to the electoral college whilst losing the popular
vote.

It also turns out that what had seemed to be deep real organic discussion
topics turned out to be targeted propaganda showing a scary ability to control
the public discourse

Oh. And this is all carried out by a company whose CEO openly wants to run for
political office and could use this to get himself elected next time."

------
colordrops
What could they possibly do to fix things that wouldn't destroy their business
model?

~~~
heurist
Their business model does not rely on third parties accessing private user
information.

~~~
renaudg
Agreed, it's quite the opposite in fact: their business model relies on
jealously guarding private user information to remain the only entity in the
world who can sell highly-targeted ads

~~~
fatbird
How do you sell highly targeted ads without revealing your data? How did the
Obama campaign download the entire U.S. social graph in 2012, and brag about
doing so, with Facebook’s approval? How did Cambridge Analytica do a
comparable thing in 2016?

Facebook doesn’t sound that jealous to me.

~~~
heurist
They abstract most of it away. Marketers can set specific targeting criteria
and can get a high level estimate of how an ad will perform. Beyond that it's
tracking impressions, clicks, split testing, etc.

The app API was different until 2013(?). App developers only needed a single
user's permission to access all of that user's friends' information. Both
Obama and Cambridge Analytica came out of that period. Now, users can only
authorize the release of their own information.

------
newscracker
Seriously, I don’t have much respect, if any, for those working for
Facebook...unless they’re working on and can implement drastic changes in how
privacy, tracking and profiling are handled for the betterment of humankind.
But Facebook being an advertising company that thrives on such details, I
doubt if employees would have much say on these aspects or can do anything.

There ought to be a #quitfacebook topic to get many employees to quit. But I
don’t believe that would get much traction due to the attractiveness of
compensation/benefits and probably some challenging work. If someone working
at Facebook believes that things will get better, I’d say they’re just
deluding themselves. It cannot happen with the current management.

P.S.: Since this post is about Facebook, I’m not going to talk about other
companies.

------
discordance
Sounds like Facebook is having their NSA moment

~~~
yorby
can't wait for the next Snowden

~~~
mynameishere
I still remember the first Snowden, who revealed to a shocked world that the
NSA was involved in signals intelligence. I suspect that the next Snowden will
reveal to a shocked world that 3rd party databases have a tendency to leak
into other 3rd party databases.

~~~
craigyk
What amazed me the most from the first Snowden leak was that the NSA was
vastly more effective and competent in their efforts than I had expected.

~~~
yorby
I think that most people think that...

------
stretchwithme
This one company's unauthorized access to millions of records may just be the
tip of the iceberg.

------
bogomipz
>"There was a feeling, said one of the people, that Facebook wanted to take
aggressive steps to make sure it could regain user trust. And over all, he
said, confidence was up."

I'm curious what might be the source of this regained "confidence"? The idea
that this will all just blow over in a few months?

------
marcoperaza
I don’t really understand the outrage. Just what do you expect when you share
things with hundreds of people (your FB friends) online? For it _not_ to be
used? The only reasonable assumption is that anyone and everyone can read
whatever you share on FB.

------
kerng
Recommended read to add to this[1]. Employee was shocked with the amount of
data they have access to without clear business need.

[1] Might be behind paywall:
[https://m.washingtontimes.com/news/2018/mar/17/ex-facebook-employee-rips-mark-zuckerbergs-secret-/](https://m.washingtontimes.com/news/2018/mar/17/ex-facebook-employee-rips-mark-zuckerbergs-secret-/)

------
BadassFractal
On the plus side, it's good to know that Facebook has employees who care about
being ethical citizens of the Internet ecosystem. Hopefully they can exert
pressure on the upper ranks in some way to bring things under control.
Facebook has the opportunity to be a force for good, while also accomplishing
its business model, but it won't naturally lean in that direction.

------
avoidit
Someone I know closely worked at Facebook in its heyday, but it has been a
while since he left. I asked him around 2014 (he had just left the company)
"So what do you think about the way Facebook handles privacy issues?" His
response was not defensive at all. Rather, it was a very curious "FB is one of
the most open cultures you can ever work in. Any employee can ask any question
of anyone at the highest levels and expect to get an honest answer". My thought
was "So you didn't have _anything_ to ask questions about?". He was actually a
pretty nice fellow, so I stopped asking anything else at that point.

But I remember thinking that it was a very funny, cult-member like response.
And you can test this too. Ask your friends who work at FB and I bet you will
get some pre-programmed response very similar to that.

~~~
renaudg
I worked at Facebook even longer ago than that.

What makes you assume it's got to be a pre-programmed, cult-member like
response and cannot believe that this is the actual work culture?

~~~
avoidit
Ok, perhaps you are the best person to ask.

1. What was Mark Zuckerberg's response when people asked him if Facebook
might be overstepping bounds in terms of data collection (shadow profiles)?

2. What did the company employees think of the backlash over their beacon
project?

3. When Facebook told the EU that they cannot match FB user profiles and
WhatsApp user profiles to create a single profile (remembering that they would
be fined), what was the general consensus among employees? Did they know that
FB had lied? Were they still OK with that? If they were, was there not a
single person expressing dissent?

------
feelin_googley
"KW: Mark, can you give us a sense of the timing and cost for this? Like, the
audits that you're talking about. Is there any sense of how quickly you could
do it and what kind of cost it would be to the company?

I think it depends on what we find. But we're going to be investigating and
reviewing _tens of thousands of apps from before 2014_, and assuming that
there's some suspicious activity we're _probably_ going to be doing a number
of formal audits, so I think this is going to be pretty expensive. You know,
the conversations we have been having internally on this is, _"Are there
enough people who are trained auditors in the world to do the number of audits
that we're going to need quickly?"_ But I think this is going to cost many
millions of dollars and take a number of months and hopefully not longer than
that in order to get this fully complete."

Source: [https://www.recode.net/2018/3/22/17150814/transcript-interview-facebook-mark-zuckerberg-cambridge-analytica-controversy](https://www.recode.net/2018/3/22/17150814/transcript-interview-facebook-mark-zuckerberg-cambridge-analytica-controversy)

~~~
brrrrr
And even if anyone ever considers it "_complete_," the reality is, that it's
just going to be white wash and bullshit.

Why waste the fucking money. Quit being sentimental. Just trash Facebook and
pivot (lol pivot). Be a real motherfucker, and let Facebook burn. Make
something cooler than Facebook. Fuck this audit stupidity.

Come on, man.

------
jk2323
Honestly, I am not very worried about rogue data analytic companies or Russian
trolls on facebook.

I am worried that questionable semi-private German entity can block me (e.g.
30 days ban) on facebook at will. I am a US citizen and don't live in
Germany. This is outrageous.

~~~
fenk85
What about a semi-private German entity?

~~~
jk2323
Take this as a start (I know, Breitbart)

[http://www.breitbart.com/london/2015/09/17/german-govt-hires-ex-stasi-agent-patrol-facebook-xenophobic-comments/](http://www.breitbart.com/london/2015/09/17/german-govt-hires-ex-stasi-agent-patrol-facebook-xenophobic-comments/)

I just read about "FTC’s Bureau of Consumer Protection Regarding Reported
Concerns about Facebook Privacy Practices". Since I am an American citizen and
was blocked for 30 days on facebook by this dubious organisation, I may
actually drop the FTC an email and ask about their opinion on this.

------
joshjdr
How fast can I kill all my karma by pointing out that the 3 of the top 4
articles on HN are some realization that Facebook does not give an ef about
anybody's privacy?

~~~
noxecanexx
It's been almost a week of this. Actually wondering when we'll get back to
interesting tech

~~~
jhayward
It is attitudes like this that created the problem in the first place.

------
mankash666
Let's cut to the chase. Would you work for Facebook in your dream role, at
industry leading pay?

The answer, for most of us, is an emphatic 'yes'.

~~~
rimliu
My dreams exclude anything with "Google", "Facebook" and "Uber". And if the
role we talk about involves iOS, then Facebook is even less attractive,
because imho their app is an example how not to do an iOS application.

------
knuththetruth
These performances by CEOs before their employees to “calm” them remind me of
Jonestown or some other cult.

Everyone kind of knows the leaders are corrupt liars and false prophets. It’s
all a scam. But they’ve invested so much of their lives and identities into
the ideology, there’s not really any turning back. It’s like some “When
Prophecy Fails” inflection point for the whole industry.

[https://en.wikipedia.org/wiki/When_Prophecy_Fails](https://en.wikipedia.org/wiki/When_Prophecy_Fails)

~~~
drcode
> These performances by CEOs before their employees to “calm” them remind me
> of Jonestown or some other cult.

To be fair, the sentence that refers to "calming the employees" was from the
New York Times and probably supposed to evoke that sort of feeling. The facts
presented in the article are simply that Zuck had a meeting with employees to
talk about current issues, which is pretty much standard practice for any
company.

------
thotaway
Are we going to talk about the fact that a whole bunch of these employees are
former elected officials, or related to one? Which is part of why Zuckerberg
isn’t actually concerned about the political fallout?

~~~
SirLJ
Running for president...

------
suyash
Zuckerberg should resign at this moment. Facebook needs new leadership if it
wants to change the way it has been operating.

~~~
gus_massa
Nah. In a week all of this will be forgotten (do you still remember the
helicopter in the river, and the bridge that collapsed?). You and me and a few
more people will remember, but we all already know that everything that is
posted privately on Facebook will be leaked sooner or later.

I even expect to see a few angry posts from people that decided to delete their
account now, and when they tried to undelete the account after a few weeks
they surprisingly discover that all the old information was missing and
Facebook can't recover it because it is deleted.

fake quote > _If they used Windows instead of Linux, they could have sent the
account to the Recycler Bin, and recover it now._

~~~
cloakandswagger
I thought the same a week ago. Nearly bought some FB calls even. But this
controversy has surprised me with its staying power.

The real sizzle comes not from the emotional outrage but the calls for
government inquiry and potential regulation, which would do structural damage
to all of Silicon Valley. This has been a stunningly bipartisan effort, the
left supporting it ostensibly because they like regulating big businesses, and
the right supporting it because they (perhaps correctly) see Silicon Valley
megacorps as adversaries.

~~~
tehlike
I did buy some calls. I am sweating currently, bad timing with all the other
economic developments.

