Facebook, EFF security experts sound off on protecting the vulnerable
SAN FRANCISCO—If you’ve ever received a Facebook friend request from somebody you don’t know, and then another, and another, you’re not alone. Alex Stamos, Facebook’s chief security officer, revealed at the sold-out inaugural Enigma Interviews event that the social network shuts down the accounts of more than a million of those mysterious requesters—often outright spammers or otherwise abusive users—every day.
“The number of accounts that are turned off per day is at least seven, if not eight, figures,” Stamos said in response to criticism from free-speech advocate Eva Galperin, director of cybersecurity at the Electronic Frontier Foundation, regarding a lack of transparency in how Facebook determines which accounts to revoke.
I moderated the conversation here Wednesday evening; it was organized by USENIX and co-sponsored by The Parallax, New Context, Javelin Research, and Avast (which also sponsors this site).
As a primary platform on which we engage with one another’s news, images, and thoughts related to family, jobs, political leanings, and a wide range of interests, Facebook can have a huge impact on our lives, Galperin said.
“Because you have that much power, you have greater responsibility,” she told Stamos of Facebook. “And with that responsibility, sometimes you’re going to have to bring out a little bit more transparency.”
This was one of the more contentious exchanges between Galperin and Stamos, who debated for 75 minutes on the theme of the evening: how to protect the highest-risk people on the Internet, from teenagers exploring identity in the United States to political dissidents in Egypt to women in rural India getting online for the first time through low-end smartphones. They discussed Facebook’s role as an Internet juggernaut, users’ limited understanding of who is most likely to hack them, and the importance of preserving online rights.
Here are three other interactions that drove the conversation:
On passwords and two-factor authentication:
It’s a common refrain among security experts, Stamos said, but it bears repeating because it is such a widespread problem: Password reuse is the No. 1 cause of accounts getting hacked. And he supports using two-factor authentication. He worries, however, that pushing people toward a more secure way of receiving that second factor than SMS would deter them from using any second factor at all, leaving them on the default single-factor authentication.
“Passwords are reused on multiple sites, one site gets popped, they get traded on the black market, and then those are used to take people’s lives over,” Stamos explained. “So for those people, providing something that is at all better than passwords, and is extremely easy to use, is important, which is why we still offer as an option the SMS two-factor—because that is generally the lowest common denominator of what people can do.”
He compared two-factor authentication to car seatbelts. “For the vast majority of people, the problem with seatbelts is not that seatbelts don’t save you in every crash. It’s that people don’t use them,” he said.
Passwords and two-factor authentication are as much a physical-safety issue as a tech security one, Galperin said. The security tech industry needs to do more to protect journalists and activists targeted by their own governments, and telling them to go buy a two-factor USB stick isn’t the answer.
“Telling somebody, ‘Just go buy a YubiKey’ is like telling somebody, ‘Just go buy an iPhone’: It makes me sound like a really out-of-touch white lady asking them to do something impossible,” she said. “It’s time to start talking about what we can do in order to make these things cheaper, and possibly scale better, for that particular population because they are extremely physically at-risk.”
On the collection of metadata as a business model:
Getting companies to reduce their collection of user data (such as the content of posts) and metadata (such as the time a photo was uploaded) is very hard, Galperin said.
“Data on your users is your lunch money,” she said of many online services. “If the company is principled, the most that we can hope for is that they will do a very good job of protecting the data and metadata from hackers, from people trying to break into accounts, or from governments and lawyers showing up with subpoenas. But the goal is always to have more data.”
Stamos felt that she was oversimplifying the point of data collection, and he spoke about a multitude of regulations on how long companies can keep certain kinds of data.
“A lot of useful metadata is not financially useful,” Stamos added, but rather useful in protecting its users. Facebook uses metadata, for example, to create risk-based authentication, a factor in verifying a user’s identity or tracking abuse, he said. And most metadata is “anonymized or thrown away at some point.”
On protecting anonymous, encrypted speech:
In the aftermath of last weekend’s neo-Nazi march in Charlottesville, S.C., many Internet platforms are re-evaluating their commitment to protecting their users’ speech. Internet service providers and domain name registrars have recently banned a number of neo-Nazi sites, as have social networks Facebook and Twitter.
Galperin reiterated the high value her organization places on protecting free and anonymous speech online, something Facebook must constantly evaluate in order to keep its users safe from abuse and worse.
“EFF is a strong advocate of anonymous speech, and of speech that other people cannot decrypt. Even if we occasionally yell at Facebook because we would like them to protect women, that doesn’t mean that we don’t support Tor, and that doesn’t mean that we don’t support Signal,” she said. “There is a place on the Internet for anonymous speech, and it is extremely important.”