The entire discussion around Facebook’s disclosures of what happened in 2016 is very frustrating. No exec stopped any investigations, but there were a lot of heated discussions about what to publish and when.

In the spring and summer of 2016, as reported by the Times, activity we traced to GRU was reported to the FBI. This was the standard model of interaction companies used for nation-state attacks against likely US targets.
In the Spring of 2017, after a deep dive into the Fake News phenomena, the security team wanted to publish an update that covered what we had learned. At this point, we didn’t have any advertising content or the big IRA cluster, but we did know about the GRU model.
This report went through dozens of edits as different equities were represented. I did not have any meetings with Sheryl on the paper, but I can’t speak to whether she was in the loop with my higher-ups.
In the end, the difficult question of attribution was settled by us pointing to the DNI report instead of saying Russia or GRU directly. In my pre-briefs with members of Congress, I made it clear that we believed this action was GRU.
Do I wish the final compromise was more aggressive with public attribution? Yes. I also find the public outrage here to be a bit contrived. First off, the responsible parties had all of the data, and the paper very strongly pointed to Russia via the DNI release.
Second, Facebook was at the time and continues to be one of the only parts of the big ecosystem to publish anything. You haven’t seen anything at all from most tech companies, and until the SC indictments the government sat on most of what it knew.
A lot of parties failed in 2016. I failed to prepare my employer for the disinformation campaign and that is on me. The government gave no assistance to the companies in 2016 and very little in 2017 (this seems to have improved a lot in 2018).
The mass media was completely played by the GRU and wrote the stories they wanted after the DNC and Podesta disclosures. You could argue that this was much more impactful than the IRA disinfo, and there has been almost no self-reflection by NYT/WaPo/WSJ/TV on their role.
So yes, we all failed, and we need to own up to those failures to move forward. Those failures were not caused by a CSO getting chewed out in a meeting or editing of a voluntary report that nobody else was willing to publish.
I’m in the US Capitol today meeting with HPSCI, SSCI and interested members. My focus is on building a good working relationship between .gov and .com and the legal frameworks we need to protect our democracy in 2020 and beyond.

FIN
