Roger Parloff, February 8, 2019<\/p>\n
In October 2018,\u00a0Alex Stamos<\/a>, whose highest degree is a BS in computer science and electrical engineering, delivered his first academic lecture.<\/p>\n It was the\u00a0Sidney Drell Lecture<\/a>\u00a0at Stanford University, named for an august physicist and arms control expert. It\u2019s the event of the year at Stanford\u2019s Center for International Security and Cooperation. Stamos\u2019s four immediate predecessors at that podium were a former director of the National Security Agency, two U.S. Secretaries of Defense\u2014one former, one sitting\u2014and Vint Cerf, the co-inventor of the fundamental architecture of the internet.<\/p>\n Then 39, Stamos\u00a0had just stepped down<\/a>\u00a0as Facebook\u2019s chief security officer in August\u2014after having been stripped of most of his authority nine months before that. Though Stamos generally favors jeans, flannel shirts, and Ecco loafers, he looked resplendent that night in a well-tailored, corporate suit, a uniform he\u2019s learned to wear credibly at board committee meetings and Congressional hearings.<\/p>\n \u201cLooking around the room,\u201d he said nervously as he began, \u201cit\u2019s pretty clear that there are some differences between this audience and the hacker conferences I feel more comfortable speaking at. Not just in academic credentials, but most obviously in the amount of body piercings.\u201d<\/p>\n Despite the incongruities, Stamos was the obvious choice for the speech, says\u00a0Amy Zegart<\/a>, a senior fellow at both CISAC and the Hoover Institution. While Drell had devoted himself to averting the national security challenge of his era\u2014nuclear war\u2014Stamos has battled with one of the paramount security threats of ours: cyberwarfare. For that reason, she\u2019d wanted to lure Stamos to the university for almost three years, she says. When he became available, Stanford cobbled together an interdisciplinary, policy-cum-research-cum-teaching post just for him, notwithstanding his lack of any advanced-degree parchment to adorn his office wall. (He hangs his five patents there, instead.)<\/p>\n \u201cAlex is a unique person in all respects,\u201d says\u00a0Nate Persily<\/a>, a Stanford law professor who also heads the university\u2019s Project on Democracy and the Internet. \u201cThere are very few people like him in their deep knowledge of the multiple challenges that technology is posing for society. He gave this incredible talk to my class mapping the information warfare environment. He\u2019d say, this is what this country does. This is what that country does. The entire talk was brand new to me. You realize he is just this repository of information very few people have.\u201d<\/p>\n \u2018Rough around the edges\u2019<\/strong><\/p>\n This is a profile of Stamos\u2014a complex man we will be hearing about, and from, for years to come. Over the past three months, Yahoo Finance has spoken with 19 people who have known him professionally over the course of his career\u2014at Facebook; during his stormy tenure before that as Yahoo\u2019s chief information security officer; and, still earlier, as an outside consultant for the likes of Microsoft, Google, and Tesla. (Some requested anonymity, either because of employer policies, non-disclosure agreements, protective orders, or other considerations.) Over that same period Stamos also sat down for three in-depth interviews\u2014at his cramped Stanford office, at a casual, bus-your-own-plate eatery not too far away, and, lastly, at his airy, colonial-eclectic, $3 million home in the hills of a Silicon Valley community he asked Yahoo Finance not to identify.<\/p>\n Stamos is no shrinking violet. He publishes op-eds; launches contrarian, pugilistic tweets\u00a0to a following of nearly 48,000<\/a>; and now has a gig as an NBC analyst. He is best known, though, for his stint at Facebook during what turned out to be a historic moment of cultural epiphany. He was at ground zero just as the free world began asking itself the urgent question Persily posed in a scholarly\u00a0article<\/a>: \u201cCan Democracy Survive the Internet?\u201d<\/p>\n But cyberwarfare, fake news, and internet-based propaganda continue to pummel and menace our culture. That means that Stamos, with his unique skill sets, honed during an unduplicatable career path, will remain in the headlines, too. Stamos also reveals here, more candidly than ever, why he left Facebook, the mistakes he made there, which criticisms of Facebook miss the mark, and what he thinks are the true threats to democracy posed by social media. As we\u2019ll see, he takes aim, in particular, at the opaque \u201chypertargeting\u201d of campaign ads. He\u2019s less concerned about what Cambridge Analytica did in the past than about \u201cthe 20 Cambridge Analyticas that still exist,\u201d lawfully buying their data from other sources today.<\/p>\n From his colleagues, a picture emerges of an inspiring, but polarizing figure. There\u2019s a reason Facebook nudged Stamos toward the exit door. Some former colleagues\u2014including many who still revere him\u2014acknowledge that he is \u201cimpolitic,\u201d \u201cvolatile,\u201d \u201cdogmatic,\u201d \u201ca self-promoter,\u201d \u201cexhausting,\u201d \u201crough around the edges,\u201d \u201cnot the greatest manager,\u201d \u201cshort-tempered,\u201d and, above all, \u201cunfiltered.\u201d<\/p>\n In fact, these are strengths, some claim, because they\u2019re what give him the \u201ccojones\u201d to speak truth to power, as one puts it.<\/p>\n But they take their toll.<\/p>\n \u201cIn some situations he lacked political skills, so he wasn\u2019t as effective as he wanted to be and needed to be,\u201d says someone who worked with him at Facebook.<\/p>\n \u201cAlex is very smart and passionate,\u201d says a former senior official at Yahoo, previously Yahoo Finance\u2019s parent company. (Verizon Media now owns Yahoo properties, including Yahoo Finance.) \u201cBut he can be so<\/em> passionate\u2014so hyped up, so emotional\u2014that it could be difficult to distinguish threats that were critical from those that were much less so. That was tough, given the importance of his role.\u201d<\/p>\n Roughly speaking, Stamos is more admired in information security circles than in traditional corporate ones. Basically, the security people feel they know what he\u2019s up against, while corporate people, for whom cybersecurity was just one of many competing concerns, think he\u2019s \u201cimmature\u201d and \u201cnot a team player.\u201d<\/p>\n The fact that he quit Yahoo in a rage, after just 14 months, and that his rocky stay at Facebook ended unhappily, actually redound to his favor among some infosec types. In January 2017, influential tech writer Cory Doctorow\u00a0called Stamos<\/a>\u00a0a \u201chuman warrant canary,\u201d because, as Doctorow understood matters, he\u2019d quit Yahoo rather than countenance unethical conduct. (A \u201cwarrant canary\u201d is an indirect, wink-wink way that an ISP can signal to users that the FBI has obtained a court-order to surveil their accounts, though the order forbids directly alerting the user.)<\/p>\n Doctorow\u2019s view seemed to be reinforced in November, when The New York Times published a deep-dive investigation of Facebook\u2019s attempts to downplay Russia\u2019s exploitation of its platform for election interference. The lede of the story (\u201cDelay, Deny, and Deflect<\/a>\u201d) portrays the then-recently-departed Stamos as one of the very few good guys there.<\/p>\n \u201c\u2018You threw us under the bus,\u2019 [Chief Operating Officer Sheryl Sandberg] yelled at Mr. Stamos,\u201d the article recounts, after Stamos had given the company\u2019s audit committee an unexpectedly unvarnished account of the extent of the Russian interference. (Stamos has said that he doesn\u2019t remember those words. A Facebook source says executives were \u201cfrustrated Alex had not shared his conclusions with leadership or even his manager or colleagues before going to the board.\u201d)<\/p>\n Some corporate types, on the other hand, reacted differently to the article.<\/p>\n \u201cHe\u2019s doing to Sheryl what he did to Marissa,\u201d says one corporate consultant\u2014nearly shouting over the phone in alluding to former Yahoo CEO Marissa Mayer. This consultant had advised Yahoo when it was dealing with the fallout from a 2014 state-sponsored intrusion at that company\u2014one of the largest ever. That hack, which occurred during Stamos\u2019s watch but\u00a0wasn\u2019t disclosed until September 2016<\/a>, long after he departed, left the company awash in class-action suits and an assortment of probes led by the Securities and Exchange Commission, Department of Justice, and state attorneys general. Former CEO Mayer testified to Congress in November 2017 that she only learned of the key theft of data\u2014estimated to have impacted 500 million user accounts\u2014nearly two years after it occurred.<\/p>\n Nevertheless, in April 2018, an SEC inquiry found that Stamos and his team had, in fact,\u00a0informed Yahoo\u2019s \u201csenior management and legal teams<\/a>\u201d of the key theft \u201cwithin days\u201d of finding out, in December 2014.\u00a0An independent board inquiry<\/a>\u00a0reached murkier conclusions, but even it acknowledged, in March 2017, that Stamos\u2019s group had provided the \u201clegal team \u2026 sufficient information to warrant substantial further inquiry in 2014,\u201d though the legal team \u201cdid not sufficiently pursue it.\u201d<\/p>\n Though Stamos does see his departure from Yahoo as reflecting matters of principle, he does not see his Facebook exit in the same light. He offers nuanced views about the company\u2019s missteps over the past several years, defending the corporation more than he criticizes it. He also describes his departure from Facebook in wistful terms, admitting having misplayed his cards. Facebook declined to comment for this piece, other than to refer Yahoo Finance to a statement COO Sandberg issued when Stamos\u2019s departure was first announced last April: \u201cAlex has played an important role in how we approach security challenges and helped us build relationships with partners so we can better address the threats we face. We know he will be an enormous asset to the team at Stanford and we look forward to collaborating with him in his new role.\u201d<\/p>\n (Though Stamos\u2019s severance contract contains a non-disparagement clause, Stamos says he has since received written permission from Facebook\u2019s general counsel to speak freely of his time there. A research institute he is now launching at Stanford\u2014focusing on social media and elections\u2014may eventually seek funding from Facebook, he acknowledges, just as it may solicit funds from other companies and nonprofits.)<\/p>\n At Facebook Stamos misplayed the \u201cGame-of-Thrones-y stuff,\u201d he says. It wasn\u2019t so much that he alienated COO Sandberg or CEO Mark Zuckerberg, he says, but that he offended laterally situated people with his lack of guile and tact. Those people, with many more years at the company, had Zuckerberg\u2019s ear and loyalty, he believes\u2014a view shared by another Facebook employee who was there at the time.<\/p>\n Says Stamos: \u201cA legitimate criticism that I\u2019ve heard is, \u2018Alex, you can\u2019t just be right.\u2019 \u2026 I didn\u2019t come up in the corporate world. My job as a consultant was to be 100 percent perfectly honest. These guys in the corporate world learn about how to effect change passive-aggressively, right? Without being in people\u2019s faces. And I\u2019ve never learned that skill. So I pissed them off.\u201d<\/p>\n The letter from the NSA<\/strong><\/p>\n Stamos was born in the Sacramento suburb of Fair Oaks in February 1979. He is the son of an orthodontist and a homemaker. His ethnically Greek grandfather, a goatherder\u2019s son, immigrated from eastern Cyprus after World War II with a fifth-grade education, Stamos recounts. He got a job as a lineman with AT&T and, by the 1990s, worked his way up to engineering manager in PacTel\u2019s Sacramento office.<\/p>\n Whether in class or in interviews for this article, Stamos speaks quickly, occasionally slipping into burst-fire mode where words become so compacted as to be unintelligible. He speaks of inmationscurty <\/em>(information security) or yesP <\/em>devices (USB devices) or the ausraliansigdirectorate<\/em> (the Australian Signals Directorate\u2014its NSA, basically). At the same time he is apt to forget that a lay listener can\u2019t instantly process all the acronyms and code names that pepper his narratives: PLA, FSB, SVR, GRU, APT1, ECPA (pronounced Ek-pa), Aurora, Lazarus, and on it goes.<\/p>\n \u201cSo I was seven or eight when wegottacomder64<\/em>,\u201d he narrates\u2014i.e., \u201cwhen we got a Commodore 64.\u201d He used the family\u2019s dial-up modem to access BBSes (bulletin board services). \u201cI kind of taught myself from these groups what was early hacking. Just taking over forums, breaking into other people\u2019s BBSes and stuff.\u201d<\/p>\n Nothing malicious. \u201cBut as a teenager,\u201d he continues, \u201cif you were interested in this kind of stuff, you had no legitimate outlet, right?\u201d<\/p>\n Like most security people of his generation, Stamos is largely self-taught and peer-taught. The security industry is only about 30 years old, with most people dating its origin to the release of the\u00a0Morris Worm in 1988<\/a>. When Stamos was growing up, not only did formal courses not exist, but the technology was evolving so fast that books couldn\u2019t possibly keep up.<\/p>\n By his senior year of high school, Stamos\u2019s skills were drawing attention. He received an unsolicited letter from the National Security Agency, he recounts. It was offering him a full college scholarship in exchange for a ROTC-like commitment to work for it afterward.<\/p>\n \u201cWhich is really creepy,\u201d he says, \u201cbecause you have no idea how they found you.\u201d He turned them down and went to the University of California at Berkeley. Though he also got into Stanford, he adds, he chose Cal because they offered him a full scholarship and, also, because of the atmosphere. While Stanford seemed \u201ccalm and chill,\u201d the Berkeley campus was \u201ctotal chaos,\u201d he says. \u201cI\u2019d grown up in a suburb, so this was it.”<\/p>\n In college he finally got some formal computer science training. But peer-training from hacker conferences was crucial.\u00a0Jeff Moss, a\/k\/a The Dark Tangent<\/a>, had launched the first DEF CON conference in 1993, with about 100 people in attendance, Moss estimates. As a gauge of how the community has grown, the most recent one, in 2018, drew 28,000.<\/p>\n In the summer of 1997, just before Stamos started college, his father took him to DEF CON 5\u2014Stamos\u2019s first\u2014in Las Vegas. Stamos wasn\u2019t yet old enough to rent a room.<\/p>\n Already by then, though, it wasn\u2019t just kids with blue hair showing up. Big companies, like Microsoft, and government agencies had started sending employees there. Seeing an opportunity, Moss started a second, more expensive series\u2014called Black Hat Briefings\u2014which catered to these grownups. Stamos would later attend those, too, once he started drawing an income. (Though Moss sold Black Hat in 2005, he still runs DEF CON. He also holds other positions, which hint at how important these conferences turned out to be. Now 44, Moss serves on the Council on Foreign Relations, the Cyber Statecraft Initiative of the Atlantic Council, and the U.S. Homeland Security Advisory Council.)<\/p>\n Hacker \u201clunch and learns\u201d<\/strong><\/p>\n Upon graduation in 2001, Stamos got a job doing security at LoudCloud, a pioneering cloud computing company. There Stamos worked with an outside security boutique called @stake, which was one of the two leading such outfits of the era. <\/em>When LoudCloud split in two in 2002, with Stamos\u2019s half being acquired by Electronic Data Systems, Joel Wallenstrom of @stake recruited Stamos to join.<\/p>\n \u201cTo be successful at @stake,\u201d Wallenstrom recalls, \u201cyou needed to be a Swiss Army knife across all layers of computing. That\u2019s what made Alex so successful. He has full-stack understanding of what is happening, from building on bare metal to using any sort of cloud service to you name it.\u201d Wallenstrom is now CEO of Wickr, a heavily encrypted messaging app.<\/p>\n At @stake, Stamos continued his education.<\/p>\n \u201cWe had \u2018lunch and learns,\u2019\u201d recalls Katie Moussouris, who worked there at the same time as Stamos. Some of the best hacking minds in the country would share their knowledge. Moussouris later moved to Microsoft and now leads her own firm, called Luta Security. She has become a nationally recognized authority on bug bounties\u2014programs whereby companies or agencies offer rewards to hackers for responsibly reporting vulnerabilities in their infrastructure. Moussouris has set up such programs for the Department of Defense, including \u201cHack the Pentagon.\u201d<\/p>\n Stamos\u2019s biggest client at @stake was Microsoft. \u201cIt was an amazing experience,\u201d he recalls. \u201cWe got to work on XP SP2 and Windows 2003, which were kind of Microsoft\u2019s first stabs at fixing the security problems that had accrued over a decade.\u201d<\/p>\n In 2004 Symantec, which was then embroiled in a legal dispute with Microsoft,\u00a0acquired @stake<\/a>. \u201cMicrosoft kicked my team off campus that day,\u201d Stamos recalls, because of potential conflicts.<\/p>\n It was a great opportunity. He, Wallenstrom, and three other @stakers split off to found their own boutique, called iSEC, with Microsoft as an anchor client. A second early client was Google, which launched a product it called Gmail that year.<\/p>\n Bliss was it in that dawn to be an infosec geek. Interactive e-commerce, or Web 2.0, was in its infancy. \u201cSo a lot of security issues inherent in that model were just being discovered and researched,\u201d says Heather Adkins, who joined Google in 2002 and is now its director of information security and privacy. \u201cAlex and the team he built were at the forefront of identifying and battling that.\u201d<\/p>\n iSEC was a classic startup, composed of 20- and 30-somethings who couldn\u2019t even afford an office. Stamos had gotten married in 2003, and his wife\u2019s clothes closet doubled as the firm\u2019s server closet. He remembers draping a shoe rack over the server to dampen the whirring noise at night. (Today, Stamos and his wife, a teacher, have two boys and a girl, ages 11, 9, and 7.)<\/p>\n Now directly interacting with clients, Stamos had to master the interpersonal challenges of his job. He was constantly a bearer of bad news. Security consultants had to warn clients of major risks they were running unless they invested large sums of money on fixes.<\/p>\n \u201cWe\u2019re kind of in the business of telling people that their babies are ugly,\u201d says Wallenstrom. \u201cAlex was pretty good at that.\u201d<\/p>\n It\u2019s fitting, Stamos notes to me in an aside, that had he been born a girl, his mother had planned to name him Cassandra. (In Greek mythology, Cassandra was a seer who issued accurate prophecies of doom that no one listened to.)<\/p>\n Aurora: A Chinese state-sponsored intrusion<\/strong><\/p>\n Over the years, iSEC picked up more blue-chip clients, including Oracle, Bank of America, JPMorgan Chase, Tesla, and Facebook. Stamos\u2019s assignments expanded beyond the nitty-gritty of malware and penetration testing, and brushed up against bigger public policy issues. In 2010, when Google got in trouble with European privacy authorities for its Street View data collection practices, it hired Stamos to oversee the forensic destruction of the offending files. (\u201cA shredder that can eat a hard drive is a very scary machine,\u201d Stamos observes.)<\/p>\n In 2009 he got his first exposure to state-sponsored intrusions. Google discovered that it had been subjected to a series of attacks\u2014now known as Operation Aurora\u2014by a team of highly persistent Chinese hackers. (A few years later the security firm Mandiant\u00a0identified<\/a>\u00a0them as having come from two units of the Chinese People\u2019s Liberation Army.) Google, which publicly\u00a0revealed<\/a>\u00a0the attacks in January 2010, also came to realize that the intruders had infiltrated at least 20 other companies, as well. Google\u2019s Adkins referred many of those companies to Stamos for help, she says.<\/p>\n These assignments eventually took Stamos to the National Counterterrorism Center in Liberty Crossing, Virginia. \u201cWe did a briefing for DNI [the office of the Director of National Intelligence] on, basically, this is what we\u2019ve learned about Chinese tactics from what we\u2019ve seen.\u201d<\/p>\n From his discerning perspective, were state-sponsored hackers a marvel to behold? That\u2019s actually a misperception, he responds. They aren\u2019t necessarily \u201chead and shoulders above other adversaries,\u201d he explains. \u201cThe big difference is that the attack doesn\u2019t have to be economically viable, or end in monetization. So they can put months and months into breaking into a company with no end in sight.\u201d<\/p>\n In late 2010, iSEC was acquired by the British security firm, NCC Group, but otherwise the group continued operating much as before. Then, in 2012, Stamos launched an ambitious internal startup within NCC called Artemis Internet. He wanted to create a sort of gated community within the internet with heightened security standards. He hoped to win permission to use \u201c.secure\u201d as a domain name and then require that everyone using it meet demanding security standards. The advantage for participants would be that their customers would be assured that their company was what it claimed to be\u2014not a spoof site, for instance\u2014and that it would protect their data as well as possible.<\/p>\n The project fizzled, though. Artemis was outbid for the .secure domain and, worse, there was little commercial enthusiasm for the project.<\/p>\n \u201cPeople weren\u2019t that interested,\u201d observes Luta Security\u2019s Moussouris, \u201cin paying extra for a domain name registrar who could take them off the internet if they failed a compliance test.\u201d<\/p>\n From Edward Snowden to Aaron Swartz<\/strong><\/p>\n In June 2013, highly classified information from the National Security Agency, leaked by\u00a0former government contractor Edward Snowden<\/a>, began to appear in articles in The Guardian, The Washington Post, Der Spiegel, and The New York Times.<\/p>\n The revelations roiled the tech world and opened a rift of distrust between Silicon Valley and the U.S. intelligence community. Beyond the civil liberties issues raised by surveillance of U.S. citizens, tech companies were shocked that the NSA had been exploiting vulnerabilities in their infrastructure for years, rather than reporting them promptly, so the companies could fix them.<\/p>\n Stamos was among the outraged. \u201cThe Snowden documents demonstrated that all they cared about was gathering information from America\u2019s enemies. None of their interest was in actually making American technology or companies safer.\u201d<\/p>\n To be sure, his reactions were nuanced. \u201cIt\u2019s not like I was just anti-cop,\u201d he says. As a consultant, he had helped gather evidence that was used to prosecute bad actors.<\/p>\n On the other hand, he had also been retained as a defense expert in a couple cause celebres<\/em> in the hacking world, including the hugely controversial federal criminal prosecution of Aaron Swartz<\/a>, who helped create Reddit. In January 2013, Swartz, who was facing felony charges for having broken into MIT\u2019s servers in an attempt to create a free internet archive of scientific journals, had hanged himself. He was 26.<\/p>\n Stamos went to Swartz\u2019s funeral in Chicago. \u201cTo hear his mom wailing,\u201d he recounts, \u201cthat was radicalizing.\u201d<\/p>\n In December 2013, wrestling with these emotions and conflicting impulses, he delivered a talk at DEF CON 21, entitled \u201cThe White Hat\u2019s Dilemma<\/a>.\u201d In it he talked about the Hippocratic Oath that doctors began adhering to more than 2,000 years ago.<\/p>\n \u201c[They] were the original scientific priests, right? \u2026 [They] used observation and knowledge to make people better, and that put them in a super powerful part of society, and so doctors decided . . . that that gave them some kind of responsibility. We are the technological priesthood of the 21st century, or perhaps of the third millennium. Everyone here has fixed their family\u2019s computers,\u201d he noted in his talk. \u201cEvery time you do that, it reminds you of the incredible complexity of the world that underlies our day-to-day activities and that the majority of people do not understand. And we do. Maybe that gives us moral obligations just like doctors have always had.\u201d<\/p>\n At the end of the talk, he posed a series of hypotheticals in which a security official was being asked to betray his ethical convictions, usually by a corporate superior. One example was: Suppose you find, for instance, a secret \u201cdata collection\u201d mechanism in your company\u2019s infrastructure, and your boss orders you to \u201cdrop it.\u201d<\/p>\n For each hypothetical he then discussed a series of possible responses. Tellingly, the correct response was never to do as you were told.<\/p>\n Three months later, he became the chief information security officer of Yahoo.<\/p>\n The crumbling aqueducts of Rome<\/strong><\/p>\n By early 2014 Stamos was a prominent figure in the security community. He was a frequent speaker at conferences, had a growing Twitter following, and was writing an influential blog called\u00a0Unhandled Exception<\/a>\u00a0(meaning a software flaw that\u2019s not fixed).<\/p>\n When Artemis failed to win control of the .secure name, Stamos went looking for a new challenge. He yearned to dirty his hands in the arena.<\/p>\n \u201cBoth as a consultant and commentator,\u201d he recalls, \u201cI\u2019d spent years as somebody who just got to complain about other people\u2019s actions. \u2018Oh my god, look how these people screwed up. So stupid.\u2019 I did start to realize that just complaining is not, in the long run, helpful. Somebody\u2019s going to have to take responsibility for making the hard calls. One of the reasons I took the Yahoo job was to finally try to see behind the curtain.\u201d<\/p>\n When he joined, in March 2014, some in the security community were surprised to see him take it on. An old infrastructure\u2014Yahoo was founded in 1994\u2014is inherently more difficult to secure, and, at the time, Yahoo\u2019s had been neglected. \u201cI thought of it as the crumbling aqueducts of Rome,\u201d says Moussouris, of Luta Security. \u201cSecuring it was going to take years.\u201d<\/p>\n Though Yahoo\u2019s security team had been highly respected in the early-to-mid 2000s\u2014when members were admiringly dubbed The Paranoids\u2014those days were passed. The company had gone through contraction, financial hardship, and turmoil. When Marissa Mayer took over in July 2012, she was the company\u2019s fifth CEO in three years. Early in her tenure, in January 2013, she fired Yahoo\u2019s then-CISO and didn\u2019t replace him for 14 months, until Stamos was hired.<\/p>\n \u201cNot having a CISO at the helm was incredibly detrimental,\u201d a then-member of its security team, Ramses Martinez, would later testify in litigation that arose from the company\u2019s subsequent data breaches. Its security sank to \u201cdeplorable\u201d levels during that period, he said. With no one at the helm, the Paranoids shrank in number from 62 to 43, according to figures that later emerged in litigation. (Martinez, who moved to Apple in August 2015, did not return messages.)<\/p>\n In fact, we now know that in August 2013\u2014seventh months before Stamos arrived\u2014the company had been victimized by the largest intrusion ever,\u00a0with 3 billion accounts compromised<\/a>. (This was a different intrusion from the earlier-mentioned state-sponsored one in 2014, which is now believed to have involved 500 million accounts.) The attackers responsible for the 2013 hack remain a mystery. The repercussions from the 2013 hack were exacerbated by the fact that personal passwords at the time were then still being encrypted with an outdated technology\u2014an MD5 hash\u2014which was easily cracked using the processing power available in 2013. (The password encryption was improved shortly thereafter. Indeed, all descriptions of Yahoo\u2019s security problems in this article are historical. In the years since the intrusions, numerous security upgrades were instituted by both Yahoo and Verizon Media, whose parent company acquired the company in June 2017.)<\/p>\n Nevertheless, Stamos was also joining Yahoo at a time of optimism. \u201cI joined at what you can call the end of the beginning [of Mayer\u2019s stint at Yahoo],\u201d Stamos says. \u201cMarissa brought all this excitement.\u201d<\/p>\n \u201cPart of my deal was, I would be able to invest in hiring good people,\u201d he continues. And for several months he did.<\/p>\n In September 2014, though, activist investor Starboard Value bought into the company. It demanded that Mayer immediately find a way to monetize value for shareholders. Suddenly everything changed, Stamos says. It became hard to hire, there were stealth layoffs, and he couldn\u2019t use his allocated head count.<\/p>\n In addition, the technical challenges were proving greater than anticipated. \u201cThere were parts of the network where nobody knew how it worked anymore,\u201d he says. \u201cLike the people who built the stuff had left or retired.\u201d<\/p>\n Most important, there was no intrusion detection system, which he considered \u201cbasic\u201d for protecting a major tech company in 2014. \u201cThere was no way to see if anyone had broken into any computers or to track bad guys on the network.\u201d<\/p>\n When he got there, Yahoo was having a big problem with \u201caccount takeovers\u201d\u2014situations where spammers would send ads that appeared to come from users\u2019 Yahoo mail accounts. (Stamos now believes these takeovers must have stemmed from the 2013 intrusion.)<\/p>\n \u201cThere was statistical evidence that their passwords had been breached,\u201d he recounts. \u201cThere was a cliff on this one graph that indicated to us that that was the point at which access to passwords was cut off to the attackers.\u201d<\/p>\n But there was no hard evidence. He says he discussed the matter with general counsel Ron Bell at the time, but because Yahoo invoked attorney-client privilege as to those conversations in later litigation, he declines to relate them.<\/p>\n Unable to invest in a state-of-the-art intrusion detection system, Stamos\u2019s team \u201ckind of MacGyvered together\u201d a substitute, he says. Using that they poked around the network to see if any attackers had exploited an industry-wide software bug of the time, called Shellshock. They found something weird.<\/p>\n By October 9 the incident response team, led by Martinez, identified the issue. There were hackers in the system. They had located and attacked Yahoo\u2019s Account Management Tool, and were using it to stage surgical raids on the email accounts of specific targets\u2014Russian journalists, Russian government officials, Russian industrialists, and so on. The team code-named the attack \u201cSiberia.\u201d<\/p>\n By November at least 26 accounts had been compromised, in addition to CEO Mayer\u2019s and Stamos\u2019s. Yahoo notified the FBI and, in December, the 26 victims, but there was no wider disclosure. The security team gave numerous debriefings during this period to senior Yahoo officials, which no one contests.<\/p>\n Meanwhile, Stamos\u2019s team was fighting to get the hackers out. \u201cI feel like the work to investigate and stop the breach was probably some of the best work I\u2019ve done in my career,\u201d he says. \u201cBecause we were handed a network that had none of the standard protections that you would expect in a production-level network in 2014. Some of the [internal server] passwords had not been changed in 15 years. There was this thing called the Filo password [after Yahoo co-founder David Filo] that the hackers got, which was a backdoor password to enter every single server. There was no network flow data available. The configuration management was horrible.<\/p>\n \u201cTo get them off the network,\u201d he continues, \u201cwe had to change massive parts of the network while it was running. Over one weekend in December we finally were able to put all of these things in place and completely change fundamental parts of how Yahoo worked. I thought there was a decent chance we were going to bring all of Yahoo down doing that, and we didn\u2019t. So I\u2019m proud of the team.\u201d<\/p>\n The big exfiltration, Aleksey Belan, and 30 million forged cookies<\/strong><\/p>\n On Wednesday, December 10, 2014, however, a crucial event occurred that altered the gravity of the event. This is the event that Mayer and some other senior officials have claimed they were not told about until two years later, after Stamos was gone. The Paranoids discovered that in early November the attackers had copied and transferred (\u201cexfiltrated\u201d) to a server outside Yahoo at least a portion of a backup user database (UDB) storing vast quantities of users\u2019 personal information.<\/p>\n That same day, at 5:03 p.m., Stamos emailed an \u201cincident presentation\u201d to five Yahoo in-house lawyers, including general counsel Bell, according to an email later produced in litigation. The full presentation\u2014a slide deck prepared by incident response chief Martinez\u2014is still under protective order. But excerpts quoted in unredacted filings are clear and blunt: \u201cbest case scenario is 108M [million] credentials in UDB compromised, and worst case scenario is all credentials in UDB compromised.\u201d<\/p>\n Stamos, who had been trying to schedule a face-to-face meeting with Mayer about the intrusion for more than a month, finally met with her the following evening, according to contemporaneous email traffic. After the meeting he emailed general counsel Bell\u2014who was out of town\u2014to arrange a call to fill him in and talk about next steps. Bell promised to call him as soon as he reached San Francisco.<\/p>\n Stamos says there were a lot of briefings, and he can\u2019t remember the specifics of any particular conversation. (He and Martinez also briefed the Yahoo board\u2019s audit committee on the intrusion in April and June, according to minutes that relate no details.)<\/p>\n Stamos says that senior management, including Mayer, \u201cknew everything we knew. We were not hiding anything.\u201d Martinez\u2019s testimony was to the same effect.<\/p>\n Yahoo made no public disclosure of the mammoth exfiltration, nor did it require users (other than the 26 known targets) to change passwords.<\/p>\n \u201cI disagreed with it,\u201d says Stamos, \u201cbut it was not my decision. And I didn\u2019t set myself on fire over it. I considered it my job to actually beat the bad guys.\u201d<\/p>\n Despite his team\u2019s best efforts, we now know that he did not succeed in chasing the hackers off the Yahoo network. According to\u00a0a federal indictment <\/a>unsealed in March 2018\u2014the \u201cattackers\u201d were actually one very skilled individual: Alexsey Belan, then 27. Born in Riga, Latvia, and a Russian citizen, he had already been indicted twice in absentia in the United States for earlier e-commerce intrusions. He had been on the FBI\u2019s \u201cmost wanted\u201d list of hackers and the subject of an Interpol Red Notice since 2012.<\/p>\n Belan was acting on the orders of two officers of the Russian FSB (Federal Security Service), a successor to the Soviet KGB. At the same time, according to the indictment, the FSB appears to have been allowing Belan to compensate himself for his intelligence work by also pillaging Yahoo\u2019s network for personal gain, through assorted digital mayhem, including credit card theft, spamming schemes, and diverting searches to spoof sites.<\/p>\n In April 2015, Belan\u2014using \u201clog cleaner\u201d software to cover his tracks\u2014returned to the network to raid several accounts targeted by the FSB, while also shopping for credit card numbers from others. In June, the month Stamos left Yahoo for Facebook, Belan installed a malicious script on the network that could mint, or forge, \u201ccookies\u201d in bulk, which he then exfiltrated outside the company. With the cookies\u2014software installed on a user\u2019s browser that indicates someone has visited a site previously\u2014he could stealthily enter targeted accounts without a password. In July, he made 17,000 such cookies, and showed his FSB handler how to use them. In August he stole and exfiltrated Yahoo\u2019s source code for making cookies, enabling him and the FSB to mint cookies off site. Eventually they forged 30 million of them. (The cookies replied on cryptographic data in the exfiltrated user database. Had passwords been changed, the cookies would not have worked, according to the indictment.)<\/p>\n Using cookies, Belan continued breaking into the accounts of dozens of FSB targets\u2014an investigative reporter for Kommersant Daily, an International Monetary Fund official, a Nevada gaming official\u2014through October 2016, a month after<\/em> Yahoo disclosed the 2014 intrusion.<\/p>\n Often when Belan broke into a Yahoo account he would find information relating to the users\u2019 other online accounts. The FSB hired a second hacker, a Canadian national named Karim Baratov, to use that information to break into the target\u2019s other accounts\u2014mostly gmail. Baratov was arrested in Canada in March 2018, extradited to the U.S., and is\u00a0now serving a five-year prison term<\/a>. Belan is still at large.<\/p>\n Yahoo disclosed the 2014 breach in September 2016 and the 2013 breach in December 2016. (The company had been tipped off by law enforcement, after data from hundreds of millions of accounts was offered for sale on the Darknet.) The SEC fined Yahoo $35 million in April 2018 for not disclosing the 2014 breach earlier, and Yahoo is still in negotiations to settle the last of the resulting class actions, which have already cost it more than $80 million. Yahoo\u2019s then-general counsel, Bell, resigned in March 2017 with no severance, losing millions. The board denied then-CEO Mayer a cash bonus, worth up to $2 million, and she voluntarily agreed to forego a 2017 equity award,\u00a0reportedly<\/a>\u00a0worth $12 million. Mayer and Bell did not return multiple emails, and an attorney for Bell declined comment.<\/p>\n The kernel module<\/strong><\/p>\n In early 2015, less than a year into his stint, Stamos was becoming frustrated at Yahoo. He had still not been able to get an intrusion detection system.<\/p>\n In February, he fired off an email to his boss, Jay Rossiter, the company\u2019s then-senior vice president for science and technology. He complained that he\u2019d lost seven people\u201411% of his headcount\u2014due to belt-tightening. These cuts left his team \u201cwell below \u2026the minimum staffing necessary to protect Yahoo in the current threat environment,\u201d he warned in the email, which surfaced in the litigation. \u201cWe will need to begin passing on future product and vendor security reviews with \u2018Paranoids cannot review, please have your L2 accept the risk.\u2019\u201d L2s were the top officials who answered directly to Mayer\u2014like Rossiter. (Rossiter could not be reached for comment.)<\/p>\n At about that time, Stamos says, Facebook\u2019s chief security officer, Joe Sullivan, asked him to lunch. Sullivan knew him from when he did consulting work for Facebook while still at iSEC. Sullivan told him he was leaving to take another job, and suggested he apply for his Facebook position. Stamos did have some exploratory discussions, he says, but he wasn\u2019t yet ready to jump.<\/p>\n The last straw came in May, he says. His team found what he calls a \u201ckernel module,\u201d or \u201crootkit,\u201d on the Yahoo mail servers\u2014software that provides access to the computer in a hidden manner. \u201cInitially, we thought the Russians had come back.\u201d<\/p>\n He discovered, however, that the device had been placed there by engineers in the mail unit who were apparently complying with a court surveillance order. The device was searching for a particular character string in emails, according to a later\u00a0Reuters<\/a>\u00a0account.<\/p>\n Stamos was furious this had been done behind his back. He asserts that the engineers did it in a way that \u201ccreated a security vulnerability.\u201d He suspects he was kept out of the loop because managers feared he would urge them to fight the surveillance order.<\/p>\n \u201cMy understanding is that it was an intentional decision,\u201d he says. \u201cThat Marissa made that decision.\u201d<\/p>\n On the other hand, one person familiar with the situation provides Yahoo\u2019s perspective. Yahoo was always diligent about protecting its users\u2019 privacy, this person maintains. In this particular instance, however, not only did legal requirements seem to be met, but the company was led to believe that the request was uniquely urgent and important. Complying was straightforward, and was handled by the team that always handled such issues, the person asserts.<\/p>\n In any case, Stamos gave 30 days notice.<\/p>\n \u201cIt was like, really?\u201d he recounts. \u201cHow can I do this if you don\u2019t trust me enough? I wasn\u2019t making things better. I wasn\u2019t getting anything approved. They were actively making the systems worse without telling me. A backdoor! What\u2019s my point to being here?\u201d (Verizon Media declined comment.)<\/p>\n He left Yahoo in June and started at Facebook the same month.<\/p>\n \u201cThe most important company in the world\u201d<\/strong><\/p>\n Notwithstanding Stamos\u2019s fury at Yahoo, the breadth of his experience grew greatly while there. The White House National Security Council and its Office of Science and Technology periodically consulted with him on infrastructure and encryption issues, according to people who served on those bodies. He worked with law enforcement to combat abuses of the technology that were not narrowly cyber at all: child sexual abuse rings, fraud, kidnappings.<\/p>\n Lay people began to hear about him. In February 2015, he had a live-streamed\u00a0confrontation<\/a>\u00a0with the then-NSA Director, Adm. Michael Rogers, at a security conference in Washington, DC. Rogers was calling for tech companies to build backdoors into encrypted products to permit U.S. law enforcement and intelligence agencies to penetrate communications between consumers.<\/p>\n \u201cSo it sounds like you agree with [then-FBI] Director [James] Comey that we should be building defects into the encryption in our products so that the U.S. government can decrypt\u2014,\u201d Stamos began.<\/p>\n \u201cSo that would be your characterization, not mine,\u201d Rogers responded.<\/p>\n \u201cWell, I think \u2026 all of the best public cryptographers in the world would agree that you can\u2019t really build backdoors in crypto,\u201d Stamos pressed. \u201cThat it\u2019s like drilling a hole in a windshield.\u201d<\/p>\n The tense back-and-forth, which lasted several minutes, was not just cheered on by the tech press\u2014\u201cYahoo exec goes mano a mano with NSA director<\/a>\u201d\u2014but drew coverage in the\u00a0Washington Post<\/a>, the\u00a0BBC<\/a>, and\u00a0CNBC<\/a>.<\/p>\n Upon moving to Facebook, his portfolio and visibility would each expand by another factor of 10.<\/p>\n \u201cIt was perhaps the most important company on the planet,\u201d Stamos says.<\/p>\n He felt the increased scrutiny immediately. Within two weeks of arriving, he flew into a rage one Sunday morning when his team told him that a flaw in Adobe\u2019s Flash software\u2014widely used on Facebook for social games\u2014was being exploited by malicious actors in China to threaten students in Hong Kong.<\/p>\n Characteristically, he dashed off an angry tweet: \u201cIt\u2019s time for Adobe to announce the end-of-life date for Flash.\u201d But this time his fit of pique generated\u00a0headlines<\/a>\u00a0in tech publications: Facebook\u2019s CSO wanted to kill a leading software product.<\/p>\n \u201cThe CEO of Adobe actually called executives at Facebook to complain,\u201d Stamos recalls. \u201cThey were supportive of my position, but also asked me to be more careful.\u201d (Adobe did not respond to inquiries.)<\/p>\n Then came the 2016 presidential election. It placed Stamos in a spotlight the likes of which no other infosec guy had ever found himself before.<\/p>\n Candidate Donald Trump was not just a master of social media, but someone many saw as its demonic embodiment. Social media metrics craved and rewarded exactly what Trump dished out. Its algorithms sought engagement<\/em> above all, which happened to be driven by sensation, outrage, provocation, hate, anger, and lies. When he was elected president of the United States by a razor thin margin, the vanquished wondered: Was it coincidence that just as social media was coming of age, this politically inexperienced reality TV star had pulled off the electoral upset of the century?<\/p>\n Facebook came under wave after wave of scrutiny, as people blamed it for Trump\u2019s victory. Its algorithms had caused filter bubbles, they theorized. Its failure to protect user data privacy had allowed Republican Super PACs, through Cambridge Analytica, to hypertarget key voters with misleading campaign ads. Its negligence had allowed Russian intelligence agents and internet trolls to run riot across its platform.<\/p>\n As Facebook\u2019s chief security officer, Stamos was presumed involved, if not guilty. (He actually had nothing to do with its algorithms, or with its evolving data privacy policies, which spawned the Cambridge Analytica controversy.)<\/p>\n \u201cIt\u2019s an interesting question,\u201d muses professor Persily, the head of Stanford\u2019s Project on Democracy, \u201cwhether, if Hillary Clinton had won, we would have had these years of national and international criticism of the social media platforms and, particularly, Facebook.\u201d<\/p>\n More Russians: the GRU<\/strong><\/p>\n For Stamos, the world began changing in spring 2016, when a Russia specialist working under him raised a warning. As first reported by The\u00a0New York Times<\/a>, he told Stamos that people he believed were Russian government agents were looking at the Facebook accounts of officials involved in the U.S. presidential campaign. They weren\u2019t doing anything illegal, or even violating Facebook\u2019s terms of service (TOS) at the time, but it might have been the type of reconnaissance that could precede a cyber attack.<\/p>\n Facebook notified the FBI, but did not close the accounts.<\/p>\n We now know that in March 2016, two units of the GRU, the Russian military\u2019s Main Intelligence Directorate, launched a spear-phishing campaign aimed at volunteers and employees of the Democratic National Committee, the Democratic Congressional Campaign Committee, and the Hillary Clinton campaign. They were, according to an indictment obtained by Special Counsel Robert Mueller III in July 2018, tricking people into surrendering their password credentials, which could then be used to pry inside their employers\u2019 networks.<\/p>\n On March 21, GRU officers stole 50,000 emails from the account of Clinton campaign chairman John Podesta. In April they penetrated the DNC network, eventually gaining control of 33 of its servers. In late May they stole thousands of DNC emails.<\/p>\n On June 8, purporting to be \u201cAmerican hacktivists,\u201d they launched the website DCLeaks.com. That same day they also set up a DCLeaks Facebook page (and opened an @dcleaks Twitter account).<\/p>\n Soon, the GRU began leaking some of the stolen emails from the DCLeaks.com site. The intelligence officers used the affiliated Facebook page, registered in the phony name of Alice Donovan, to send readers to the leak site. They also set up other fake accounts, using names like Jason Scott and Richard Gingrey, to do the same.<\/p>\n On June 14, the\u00a0Washington Post<\/a>\u00a0reported that the DNC had been hacked by agents of the Russian government\u2014the conclusion reached by the DNC\u2019s consulting firm, CrowdStrike. (For those keeping score on a different developing story, that happens to be the same day that Michael Cohen, personal attorney to candidate Donald Trump, told hotel developer Felix Sater that he, Cohen, would not be going forward with a trip to Russia they\u2019d been planning for months. The trip related to plans to build a Trump Tower in Moscow.)<\/p>\n By August another security boutique had specifically\u00a0identified<\/a>\u00a0DCLeaks as a Russian front. But Facebook still didn\u2019t close the account immediately, because it wasn\u2019t violating Facebook\u2019s TOS of the time.<\/p>\n \u201cThis was a big internal argument,\u201d Stamos says. \u201cBut in the end it didn\u2019t really matter.\u201d<\/p>\n What he means is this. After the CrowdStrike report, the GRU created a persona, dubbed Guccifer 2.0, to contest its conclusion. Claiming to be a lone hacker from Romania, the Guccifer 2.0 persona then reached out to reporters (and to recently indicted Trump campaign adviser Roger Stone) to tell them where to look for damning emails\u2014like those, for instance, suggesting that top Democratic campaign officials had played dirty to undermine Bernie Sanders\u2019s primary bid. Wikileaks soon contacted Guccifer 2.0, offering the use of its more renowned conduit for leaking the contraband.<\/p>\n \u201cSo once they got this stuff in the hands of Politico and The Hill and others,\u201d says Stamos, \u201cthose guys wrote the first stories, and then The New York Times, Washington Post, and others amplified it, and with 24-hour cable news, whether we took down their Facebook accounts or not didn\u2019t matter.\u201d<\/p>\n Stamos put it more truculently in a\u00a0tweet<\/a>\u00a0last November: \u201cThe mass media was completely played by the GRU and wrote the stories they wanted\u2026. You could argue that this was much more impactful than the IRA disinfo, and there has been almost no self-reflection by NYT\/WaPo\/WSJ\/TV on their role.\u201d<\/p>\n (Eventually, in October 2016, after the GRU officers did post some stolen emails on the DCLeaks Facebook page\u2014a violation of the TOS\u2014Facebook removed the account.)<\/p>\n And still more Russians: the IRA<\/strong><\/p>\n We also now know that there were still other Russians exploiting Facebook during the run-up to the election. As early as April 2014\u2014when Stamos was still at Yahoo\u2014the Internet Research Agency, a Kremlin-supported troll farm based in St. Petersburg, began preparing to interfere in the 2016 elections, according to yet another Mueller indictment unveiled in February 2018.<\/p>\n By September 2015, three months after Stamos got to Facebook, the IRA began placing videos on YouTube, a Google unit, as part of its political influence campaigns, eventually producing 1,107 of them across 17 channels. By early 2016 its members, pretending to Americans, were creating individual and group Facebook pages under names like \u201cSecured Borders,\u201d \u201cBlacktivist,\u201d \u201cUnited Muslims of America,\u201d and \u201cHeart of Texas.\u201d (They were opening similar accounts on other social media, including Facebook\u2019s Instagram, Twitter, Reddit, Yahoo\u2019s Tumblr, and Pinterest.) The messages were mainly geared to promote the Trump campaign, but some also supported Bernie Sanders. After Sanders lost the nomination, IRA accounts also lent some support to vote-draining, third-party candidate Jill Stein, while the agency\u2019s phony Black and Muslim groups urged their followers not to vote at all. (The most recent reports on IRA activity, published in mid-December by contractors hired by the Senate Intelligence Committee,\u00a0found<\/a>\u00a0that in 2017, as Facebook drew scrutiny, the IRA switched its activity to Instagram, and that misinformation on Instagram may have had wider reach than on Facebook.)<\/p>\n If U.S. government authorities knew anything about this influence operation at the time, they weren\u2019t sharing it with social media companies. And such campaigns weren\u2019t on anyone\u2019s radar at Facebook.<\/p>\n \u201cMy responsibility was either governments hacking Facebook or using Facebook to hack others,\u201d says Stamos.<\/p>\n Ashkan Soltani<\/a>, a former chief technologist for the Federal Trade Commission and White House adviser, says the whole security community was slow to anticipate this sort of assault. \u201cWe\u2019ve done a decent job at foreseeing platform abuse,\u201d he says, \u201cbut only in terms of hackers getting on our system to take our data. We haven\u2019t thought so much about how they might get on our systems to hurt people outside<\/em> of our networks. These people wanted to use our tools to hurt society.\u201d<\/p>\n \u201cThey were using technology as it was technically designed to be used, but not as it was philosophically designed to be used,\u201d says Moussouris, of Luta Security. \u201cIt\u2019s impossible for technical people to design a philosophically abuse-proof system.\u201d<\/p>\n Three days after the election, Facebook CEO Mark Zuckerberg made a now-infamous impromptu\u00a0statement<\/a>\u00a0at a conference: \u201cPersonally I think the idea that fake news on Facebook \u2026 influenced the election in any way is a pretty crazy idea.\u201d (He later\u00a0apologized<\/a>.)<\/p>\n \u201cIt was clear to me [then],\u201d Stamos says, \u201cthat he had not been getting briefed on anything we were finding.\u201d<\/p>\n His team wrote up a memo about what it knew at the time about Russian activity\u2014mainly the GRU activity\u2014which was presented to Zuckerberg and COO Sandberg in December. (The\u00a0Times<\/a>\u00a0has reported that Sandberg was angry that Stamos drew up this report without being asked. Stamos says she never expressed anger to him, but doesn\u2019t know if she expressed it to others.)<\/p>\n Zuckerberg then ordered the products team to conduct a quantitative evaluation of fake accounts and \u201cfake news\u201d on the site\u2014a nebulous term at the time. By January, this effort, known as Project P (for propaganda), had found that the vast majority of fake news was actually financially motivated. Facebook took steps to stanch this activity\u2014disabling inauthentic accounts.<\/p>\n While Project P was occurring, and in parallel with it, Stamos was becoming aware of Russian (and possibly Iranian) influence operations\u2014coordinated political activity by inauthentic accounts\u2014on the site.<\/p>\n On January 6, 2017, the U.S. Director of National Intelligence\u2014amalgamating the joint assessments of the FBI, CIA and NSA\u2014issued a report concluding that \u201cRussian president Vladimir Putin ordered an influence campaign in 2016 aimed at the U.S. presidential election\u201d and that \u201cPutin and the Russian government developed a clear preference for President-elect Trump.\u201d The report mentioned not just the GRU hack-and-leak campaign, but also the Kremlin\u2019s use of \u201cpaid social media users, or \u2018trolls.\u2019\u201d With one exception, however, the report never singled out Facebook by name. (The exception was a reference to the fact that the Kremlin-funded quasi-news organization RT America TV had created a Facebook app to connect Occupy Wall Street protesters during the run-up to the 2012 US election.)<\/p>\n Stamos decided to have his team write a white-paper about the influence operations on Facebook.<\/p>\n \u201cHe\u2019s an envelope-pusher, and that was an envelope pushing thing to do,\u201d says one person who worked with him at the time. \u201cTrying to get it out the door was a Herculean feat.\u201d<\/p>\n Facebook\u2019s legal team, policy team, and communications team\u2014all risk-averse\u2014had to sign off. \u201cWe had like 80 or 90 drafts,\u201d says Stamos. The main thing that was taken out were examples of such posts, which the legal team feared would violate various privacy laws or decrees. Weirdly, he says, the Russians\u2014even though they were lying about their identities\u2014were considered customers of Facebook Ireland, and covered by strong privacy laws.<\/p>\n Notoriously, Stamos\u2019s final\u00a0report<\/a>, which came out April 27, 2017, never used the word \u201cRussia.\u201d Instead, it said its data did \u201cnot contradict\u201d the DNI report, to which it linked in a footnote.<\/p>\n \u201cWhile I lost that battle,\u201d Stamos says, \u201cin the end I agreed to the compromise.\u201d Otherwise, he notes, \u201cwe were going to be the second organization on the planet to say the Russians helped Trump. And you have to be an idiot to read this and not see that we\u2019re saying Russia. Without creating the situation where people will be able to directly quote us and turn that into the headline.\u201d<\/p>\n There were still shoes to drop. Congress was asking Facebook for information on the Russians\u2019 use of ads. The company performed another massive quantitative analysis. Stamos then authored a\u00a0post<\/a>\u00a0summarizing its findings, which emerged on September 6, 2017. This one revealed that Russians, acting through 470 \u201cinauthentic accounts,\u201d had spent $100,000 on about 3,000 political ads between June 2015 and May 2017.<\/p>\n It was while debriefing Facebook\u2019s audit committee on this impending post that committee member and former White House chief of staff Erskine Bowles became enraged, according to the\u00a0Times<\/a>\u00a0report that came out 14 months later. The day after the Bowles debriefing, according to the same article, was when COO Sandberg accused Stamos of \u201cthrowing [her and Zuckerberg] under the bus.\u201d<\/p>\n Hypertargeting and \u201cone-hundred-million-faced\u201d politicians<\/strong><\/p>\n The most disturbing statistic was yet to come. General counsel Colin Stretch revealed it in testimony before a Senate committee on October 31, 2017. The company estimated that about 126 million people\u2014about 40% of the U.S. population\u2014had been shown at least one piece of IRA-generated content between January 2015 and August 2017.<\/p>\n At the same time, though, Stretch said that the total number of stories Americans were exposed to in their newsfeeds during that period was about 33 trillion<\/em>. So the Russian content accounted for about \u201cfour-thousandths of one percent,\u201d he testified.<\/p>\n If so, was Zuckerberg\u2019s notorious, now retracted, statement\u2014that the notion that fake news could have swung the election was a \u201cpretty crazy idea\u201d\u2014actually right?<\/p>\n \u201cPeople are writing books right now about whether the overall Russian activity affected the election,\u201d Stamos says. \u201cWe might never know. Quantitatively, the direct Russian activity is still quite small. Even with everything we know now.\u201d<\/p>\n The more important issue, he believes\u2014and this is characteristic of Stamos\u2019s views on a host of Facebook controversies\u2014is one that neither the press nor Congress is adequately focusing on.<\/p>\n \u201cAlmost certainly the thing on Facebook that was most impactful in the election was the fact that the Trump campaign and the Republican PACs were so much better at Facebook ads than the Democratic side. You\u2019re talking about well over 100 times more dollars spent than the Russians did, and not quite twice what the Democrats did.\u201d<\/p>\n \u201cThe Russian stuff was not that advanced,\u201d he continues. In contrast, \u201cthe Trump campaign was generating thousands of ads programmatically. They were testing those ads against hundreds of different segments of the population. They were automatically, then, saying, this one tested well, we\u2019ll put our money behind it.\u201d<\/p>\n This \u201chypertargeting\u201d of ads is \u201cnegative for our democracy,\u201d he asserts. \u201cImagine you could afford to send a mailer to every single voter in the country and every single one of them is different. You\u2019re not two-faced; you\u2019re one-hundred-million-faced. I wish people had access to the entire database of Trump ads and Hillary ads and all the targeting data.\u201d<\/p>\n But due to various privacy laws, he says, Facebook can\u2019t currently make that data available. Congress should demand it, he proposes, via subpoena or legislation.<\/p>\n He\u2019s also frustrated by the media\u2019s continuing focus on Cambridge Analytica. \u201cThey talk about the 50 million [Facebook] profiles that were viewed by [academic Aleksandr Kogan and later passed on to Cambridge Analytica]. The problem is not that he was able to get this data in 2014. It is that today there are twenty Cambridge Analyticas that still exist. They\u2019re just not dumb enough to steal data from Facebook. They legally buy it from Equifax and Transunion and Acxiom and all these different data brokers. And Facebook and Google create an ecosystem for those to exist by allowing them to then hypertarget ads.\u201d<\/p>\n The reorganization<\/strong><\/p>\n About three weeks after Stretch testified before Congress, Stamos decided to address a long-festering issue he had relating to lines of reporting at Facebook. In some respects, it was an issue that\u2019s bothered him his whole career.<\/p>\n Throughout the industry, Stamos contends, security teams are often brought in too late in the game. The goal of people who design products, he says, \u201cis to make something that people love and that eventually makes money. \u2026 These product visionaries come up with these big decisions, and then push the responsibility to make it safe and secure to other folks. \u2026 But the actual responsibility has to be there when you\u2019re making the big design decisions.\u201d<\/p>\n At a more micro-level, Facebook had some organizational issues specific to it. When Stamos arrived, there were two silos of security\u2014one in the engineering department, which ultimately answered to Zuckerberg, and a separate one, which he was hired to run, which answered to general counsel Stretch, who answered to Sandberg.<\/p>\n Stamos wanted to merge the two groups, and have them answer to a vice president of product\u2014closer to the decision-making process\u2014who would then answer to Zuckerberg, he says. He submitted a proposal around Thanksgiving. He imagined that he might be kicking off a six-month, back-and-forth process, with multiple meetings that Stamos would be participating in.<\/p>\n Instead, the decision came back about two weeks later, fait accompli<\/em>. A variant of his proposal had been accepted, but without him in the picture. He could keep his CSO title (and comp package) and continue to do public policy work, or he could do security for Oculus\u2019s augmented reality\/virtual reality project, or some other alternatives.<\/p>\n Stamos suspects the putsch was payback for having alienated people shortly after he arrived at the company, he says. Back then he\u2019d done a blunt assessment of the company\u2019s then-security needs\u2014what was good, what was bad\u2014and had stepped on toes.<\/p>\n After the reorg, Stamos helped with the transition and worked on security for the upcoming midterm elections while he looked for a new position.<\/p>\n \u201cI had a couple job offers for CISO jobs,\u201d he says, \u201cbut I wanted to work on bigger picture issues.\u201d<\/p>\n The challenge of our age<\/strong><\/p>\n At Stanford, he is certainly working on big picture issues. His vision for his Stanford Internet Observatory is so ambitious that it might well prove unworkable. \u201cOur goal is to perform a multi-year study across multiple platforms and types of communication networks, to really understand how these attacks on democracy can be stopped,\u201d he says.<\/p>\n The hurdle is: How will academic researchers ever gain access to the mammoth databases of sensitive, private, social media data in our post-Cambridge Analytica world? Remember, that scandal occurred because an academic allegedly misused data he got from Facebook for research purposes.<\/p>\n Last July, a nonprofit called\u00a0Social Science One<\/a>\u00a0was set up to provide \u201cprivacy protected access\u201d to data that Facebook committed to making available last April. SSO\u2019s long-term vision is to persuade Google, Twitter, and other social media companies to offer access to their data, too.<\/p>\n \u201cYou\u2019re talking about tens of petabytes of data,\u201d says Stamos, for the Facebook data alone. \u201cTo store that you need something like 1,000 computers. You\u2019re going to have to come up with a model where academics can do the research and the data stays within the companies.\u201d<\/p>\n SSO is funded by seven big nonprofits, works in conjunction with the Social Science Research Council, and is under the supervision of two professors, Harvard\u2019s Gary King and Stanford\u2019s Persily.<\/p>\n \u201cThis is the challenge of our age,\u201d Persily says. \u201cIt\u2019s really unique in human history that these private companies have so much private data on social interaction that is out of reach of academics that might try to study it, or of governments that might try to use it to enforce the law.\u201d<\/p>\n