The most iconic part of the security team at Facebook is, fittingly, a wall. At the top of the wall is spray-painted a single word in blue: “SCALPS.” And below that, according to this story from CNET, is a sort of scrapbook of wins:
“… Photos of spammers getting served notices of lawsuits, copies of checks defendants have used to settle suits filed by Facebook, mug shots of child predators who were kicked off the site and face criminal charges, cease and desist letters sent to fraudsters who sold fake Facebook accounts …”
We all know that you don’t get to 500 million friends without making a few enemies. But you also don’t preside over a community of 500 million people without inviting a few bad apples. With a population almost twice that of the U.S., Facebook obviously needs something like a police force of its own. Which is where its security team comes in. The elite team is headed up by Joe Sullivan, a guy who made his name as the first federal prosecutor in a U.S. Attorney’s office dedicated solely to working on cases of high-tech crime.
How do you police a 500-million-person tech-state? We distill a few lessons.
1. Play offense, not defense.
Facebook goes after spammers hard. It recently won an $873 million judgment, setting spammer forums abuzz with fear. One member of the security team even “tries to understand the mindset of attackers” and is “able to predict threats,” says CNET.
2. Don’t be afraid to stare down countries less mighty than Facebook.
An ISP in an unnamed South Asian country appeared to be messing with Facebook users a few months back. “One of the largest ISPs in that country was clearly using filtering software directed by the government,” Sullivan told CNET. This was criminal, since it “broke the Facebook experience”–causing random pages to pop up on the site. What happens when a country decides to “break the Facebook experience”? It gets its own face broken. Facebook blocked the ISP until it fixed the problem. In Sullivan’s words: “You hear of countries blocking sites like Facebook. Well, sometimes we block them too.”
3. Bomb the red light district.
As The Daily Beast recently reported, porn stars are big fans of Twitter (a tweet courtesy of one: “so I had workers coming out to the house & as I hear tires crunching gravel in the driveway I suddenly realize… I’m not wearing any pants”), but they’re finding they’re not so welcome on Facebook. Profiles keep being mysteriously deleted. “Most porn stars have given up on Facebook at this point,” Pete Housley, who runs the company Porn Star Tweet, told The Daily Beast. One actress claims they’ll delete your account even if a fan posts a nude pic.
4. If all else fails, call mom.
One poignant passage in the CNET report refers to a note found on the “scalps” wall. It was a letter from a teenage Facebook user and reformed spammer. “I appreciate that you spoke to my mom,” began the letter.
Of course, if there’s one thing we know about police states, it’s that sometimes they’re not so good at policing themselves. A number of independent security folks expressed both admiration and concern over Facebook’s tight grip over data. For all its investigative and security derring-do, some of these analysts couldn’t help but notice how lax Facebook was with advertisers and third-party apps–which stand to make Facebook money. “When it comes to privacy stuff they make you opt out, but when it comes to security you have to opt in,” one of the analysts said.