Facebook’s head of security, Alex Stamos, is leaving the social network in August, according to the New York Times as well as multiple journalists citing sources within the company Monday evening. The Times reports that Stamos has already started to prepare for his exit, a slow-motion exodus that began last year following a push from Stamos and his security team for Facebook to be more forthcoming about how Russian operatives utilized the social network to attempt to influence voters during the 2016 election. Though Facebook was eventually forced to disclose information about that activity, Stamos reportedly lost the fight.
Why does the egress of a Facebook executive unknown to the vast majority of its users matter? Because of the awkward timing of the reporting—just days after Stamos struggled to publicly defend the company’s fraying reputation in the aftermath of its stunning disclosures involving the data firm Cambridge Analytica—and because of the internal debate that apparently led to Stamos’ exit in progress: It was between those who think Facebook should prioritize doing right by its users and those who think its first responsibility is to its profits.
Not that you got that sense listening to Stamos and Facebook on Monday night. Both said that the Times’ reporting is off—kinda. In a notable nondenial, Stamos wrote on Twitter: “Despite the rumors, I’m still fully engaged with my work at Facebook. It’s true that my role did change. I’m currently spending more time exploring emerging security risks and working on election security.” Facebook issued a kind of nondenial of Stamos’ nondenial: “Alex Stamos continues to be the Chief Security Officer at Facebook. He has held the position for nearly three years and leads our security efforts especially around emerging security risks.”
News of Stamos’ departure comes as Facebook is grappling with a long string of public relations nightmares over the past year, the most recent being the company’s announcement this past Friday evening that it had suspended the accounts of the Trump-hired data analytics firm Cambridge Analytica and two others involved with the firm—this in advance of damning reports from the Guardian and the New York Times. Those reports detailed how Facebook allowed for data on more than 50 million user profiles to be harvested and then passed to Cambridge Analytica, which ran voter-targeting operations for both Ted Cruz’s and then Donald Trump’s presidential campaigns. Facebook says that when it found out that user data had been improperly passed to Cambridge Analytica in 2015, it requested the company and its associates delete it and confirm that the data had been destroyed. After recently learning, more than two years later, that the data had not actually been destroyed, Facebook shared publicly that it was suspending the data firm and its associates’ accounts.
Immediately after sharing the news, Facebook started receiving criticism for not notifying tens of millions of users who had their profile data illegitimately handed over to a voter-targeting operation when it first learned of the incident. And Stamos, who has encouraged responsible disclosures of security missteps in the past, tweeted an attempt to rationalize the company’s data-security practices at the time, which allowed for app developers to scrape the Facebook data of their users and their users’ friends, the method by which associates working on behalf of Cambridge Analytica were likely able to collect Facebook data on tens of millions of people. With details of Stamos’ pending goodbye coming into focus Monday night, and with Facebook’s decision not to inform users that their data was improperly handed to Cambridge Analytica arriving on top of newly reported details about how Facebook delayed the disclosure of evidence the company had collected of Russian government–sponsored propaganda efforts on its site, the reputation of the security operation Stamos was tasked with managing is hurting. After all, Facebook’s users put a lot of trust in the company’s security every time they post a photo or missive, even if they don’t always think deeply about the privacy bargain they make in order to use a free service. That’s something that can’t sit well with Stamos, who is highly respected in the information security community for being a staunch advocate of working in the interest of users.
Tensions between Stamos and Facebook reportedly began to mount in spring 2017, after Facebook’s security team had spent the past year uncovering evidence about how Kremlin-backed trolls weaponized Facebook to push disinformation as well as news about the reportedly Russian-orchestrated hack of the Democratic National Convention, according to the Times. Although Stamos’ team had found evidence of Russian meddling by November 2016, it wasn’t until April 2017 that Facebook even nodded at the idea publicly. And even then, it was in a footnote in a report saying its findings were in line with the January 2017 report from the director of national intelligence that stated with “high confidence” that Russia worked to undermine Hillary Clinton’s presidential campaign and help secure Donald Trump’s election.
Less than a month later, in May, Time reported that Russian agents had created fake accounts on Facebook and Twitter and had bought ads on Facebook in an attempt to manipulate American social media users. Despite the fact that Stamos had reportedly found evidence of Russian meddling on Facebook back in fall 2016, Facebook told Time that it had “no evidence” of Russian agents buying ads on Facebook to target specific users with divisive content. Four months later, in September, Facebook came forward with more specifics in a blog post. The company admitted that Kremlin-linked operatives had spent $100,000 to push some 10,000 ads to Americans since mid-2015. This admission sparked congressional concern, ultimately leading to three public hearings where lawyers from Facebook, Twitter, and Google testified in front of Congress about the extent of Russian disinformation on their platforms and what they should have done to stop it. All along, according to the Times, a debate raged within the company over whether Facebook should err on the side of full disclosure or foremost protect its business.
By the end of last year, Facebook had reportedly started to whittle down Stamos’ security team and assign employees to work under two other executives at Facebook as their old boss began to prepare for his departure.
This isn’t the first time Alex Stamos has left his post as chief of security at a major Silicon Valley company after it failed to protect its users. The engineer resigned from a similar job at Yahoo in 2015 after learning that the company had complied with a secret request, either from the National Security Agency or the FBI, according to Reuters, to scan all of its customers’ incoming emails, affecting hundreds of millions of users. In May 2015, Stamos’ team found the surveillance installation, which had reportedly been approved by then-CEO Marissa Mayer, and he resigned shortly after. In June 2015, he started at Facebook. Considering Stamos once organized a conference called TrustyCon in protest of reported collaboration between the security firm RSA and the NSA to put back doors in popular encryption products, I have to imagine Stamos won’t go for a tech-giant hat trick after he leaves Facebook’s Menlo Park headquarters for good. Either way, when he leaves, he will be the first major executive to depart Facebook since it became embroiled in a controversy over how it mishandled a plague of disinformation and bad faith during the 2016 presidential election. He probably won’t be the last.