As Chief Security Officer of Facebook, Joe Sullivan has a tough task to ensure that the over 1.1 billion users on the social networking platform feel safe while sharing personal information and photographs online. On the one hand there is the challenge of keeping away malware and hackers from stealing user information, and on the other hand he coordinates with outside law enforcement agencies to help bring consequences to those responsible for spam, fraud and other abuse. Sullivan spoke with Business Line about a range of issues including what users can do to improve online safety and the fallout of the PRISM expose.
Excerpts from the interview:
Facebook has challenged the way people interact on the net. Before Facebook, most people would never use their real names even for email IDs. When people started using Facebook they began using their real names but they still wouldn’t put a picture. Then, over time, they would put a group photo or in Halloween costume. So it’s been a gradual process to build trust.
It comes from your experience of sharing and interacting on Facebook. Unlike email, where we end up being spammed, at Facebook we have invested in machines that understand spam. Therefore it creates an environment of trust. This formula has worked.
What can users do to be safer?
The number one thing people need to think about is managing passwords. We have multiple accounts online and have let it go out of control. If someone compromises the email account they can reset passwords to all other accounts. So make sure your email password is long and unique because that’s the password for everything else. The best companies are moving to two-level authentications.
How many layers of security have you put in place to make sure Facebook is safe?
Five years ago, it was all HTTP standards which means someone could grab your data and misuse it. In 2011 we started rolling out HTTPS standards to prevent user accounts from being compromised. We found that over a third of our users shifted to the HTTPS standard without any marketing push from us. Now we have 100 per cent users on HTTPS by default. We are now investing in technology to move from 1024 bit encryption to 2048 bit encryption by the end of the year.
What are the current challenges that keep you awake?
It’s a challenge to find good people who can understand security. It’s a never-ending source of frustration for me. I have eight positions open now and am willing to pay but I can’t find suitable people. The other concern is to keep up with the nature of the threats. There should be sharing of threat information between companies and governments. But this concept of sharing has become politicised. When I am talking about sharing I am talking about new threats being propagated.
Has the bug bounty programme helped you address the shortage of security experts?
We run a popular initiative we call our White Hat programme that rewards security researchers who report valid security issues to us. The programme encourages more high-quality security research and helps us keep Facebook safe and secure. We’ve paid out more than $1 million in bounties, and researchers in India have received the second highest number of rewards out of all countries that have participated in our programme.
On the one hand Facebook talks about user protection and on the other hand we have PRISM where information related to many users was shared with US authorities. How do you reconcile the two?
When the PRISM story came out in public it sounded like the US government had access to information of all users on Facebook. This was false. The US government allowed us to release a report which showed that information related to less than 21,000 people was shared with law enforcement agencies that included all levels of US government from the local police department in Miami to the FBI. It was not millions as it was being made out to be. It was incredibly frustrating to live through that time for not being able to be transparent.
Why could you not be upfront about how you share data with law agencies before the PRISM story became public?
We did try to be transparent even before PRISM broke. We stated in our daily use policy how we might have to give third party access to information.
We also created law enforcement guidelines on our help centre to explain how we respond to requests from law enforcement agencies. We are in litigation with the US government because they don’t want us to talk about these requests; there’s a gag order. We don’t want any mystery around it.
In your assessment, has the PRISM episode changed the way users feel about platforms like Facebook?
It is an unfortunate situation because it does make people concerned. The good thing is there’s more transparency and there are more honest conversations around this issue. Generally speaking, given the types of requests and the volume of sharing done by Facebook, it’s not something for people to be alarmed about.
Do you share information with Indian agencies as you do with the US authorities?
It gets complicated when doing business in multiple legal jurisdictions. Most users on Facebook are legally doing business with an entity in Ireland. Apart from users in the US and Canada, Facebook is regulated under European Data Privacy Laws. But data is stored in the US for everyone. So when any requests come from law enforcement agencies there is a combination of three sets of laws that come into play and we have to see how to comply.
It is a complicated evaluation system based on international standards. Based on these standards we have produced information about 1,600 cases to Indian agencies in the last six months. It gets complicated when there are inconsistent standards on what is criminal. We don’t want to be the party making that judgment. We can step out in such cases as we think the best solution is to resolve it through government-to-government agreements.
There is a section in the security establishment which wants companies such as Facebook to set up servers in India. Will that work?
If every country starts demanding a server then it becomes a server play and not a cloud server. My fear is that a lot of these stories are sensationalist as they portray that government is overarching and companies are antagonistic. I can tell you that 99.99 per cent of the time everyone’s interests are aligned.
There is a need for public-private partnership in keeping the internet safe. The worst thing that could happen is for us to go into our own corners and stop talking about this.
Will setting up a server in each country create more security or more insecurity? We respect the laws of every country where we do business. But we also need law enforcement agencies to have technical skills to tear down malware and prosecute the people behind that malware.