If there is one company that seems unable to stay out of the news, it's Facebook. Last week, while we were off, the company got itself into a world of trouble. The Wall Street Journal published a string of reports based upon a huge stockpile of leaked internal documents. The reports covered special rules for VIPs that allowed millions of users to "violate our standards without any consequences," the promotion of troll farm content within the US, knowingly causing harm to girls through Instagram specifically, ignoring drug and human traffickers, and even undermining the company's COVID efforts. These reports are worth reading because they are wild.
But Facebook wants you to know that they are very sorry, and they pinky promise to never do it again. In a statement from the company, which came with no signature or name, someone from the company said:
In the past, we didn't address safety and security challenges early enough in the product development process. Instead, we made improvements reactively in response to a specific abuse. But we have fundamentally changed that approach.
What is changing
The big change, in this case, is considering safety and security at the product design and development level. This process is standard fare in the software development world - security is the most important part of a product and should be considered and decided upon, at least at a high level, before the first line of code is written. If you try to implement security procedures later, they will always be reactive, and reactive responses are always less effective.
At our former software company, we often discussed the Bank of America ATMs. When they were first released, people would forget their debit cards and drive away. So, to address the problem, the bank added the ability for the ATM to suck in the card if it was abandoned for a certain period of time. Eventually, people discovered that they could steal the whole ATM and get a ton of abandoned ATM cards. So, the bank added a card shredder to the machine to make sure the abandoned cards were useless. However, if the machines had simply made you take your card before getting your money, all of this could have been avoided.
This is exactly what Facebook has been doing for years - something happens on the platform, and they respond to it with a direct and specific solution. Then, that solution provides ammunition for another problem, which they respond to in a direct manner, creating a cycle that ends with all ATMs having a card shredder in them.
We saw this exact situation play out when Facebook demoted still videos. Because the company had promoted video over images, people simply created videos with no motion. So, the company had to create an algorithm to test every video to see if the frames changed. If they didn't, the videos would not be promoted above still images. So, people would create slightly animated backgrounds to get around the algorithm, eventually causing Facebook to reconsider the entire weird behavior.
Where is the problem coming from
According to Alex Stamos, the company's former chief security officer, the problem arises because growth and policy teams often overrule the safety and security team on decisions. This causes a lot of internal conflict and is likely the cause of the leaks to the Journal. He tweeted:
The big picture is that several mid-level VPs and Directors invested and built big quantitative social science teams on the belief that knowing what was wrong would lead to positive change. Those teams have run into the power of the Growth and unified Policy teams. Turns out the knowledge isn't helpful when the top execs haven't changed the way products are measured and employees are compensated.
This issue certainly suggests that it won't be as easy as flipping a switch within the company to begin thinking about security as an essential part of the development process. It's going to require a full corporate culture shift in order to implement these changes in any meaningful way.