Joe Sullivan sat in a suite atop the Rio Hotel this week, with his iPhone's Bluetooth and WiFi capabilities shut off.
Eighteen floors below Sullivan, who is the chief security officer at Facebook, were thousands of hackers who had descended on Las Vegas for their annual DEF CON gathering – many of whom could break into Sullivan's phone if he were not careful.
But Sullivan and many other corporate executives come because they need to stay ahead of the next threat, and in order to do so, they need to see not only the "white hat" hackers who play defense but also some of the community's more nefarious elements.
The Times sat down with Sullivan to talk about Facebook's security strategy.
Yahoo announced that next year it will begin allowing its email users to encrypt their messages so that only senders and recipients will be able to read the content. Any plans to do something similar with Facebook messages?
We focus on making sure all the communications through Facebook Messenger and Chat are encrypted but they're not encrypted in the way where the consumer has the key and we don't have access to it.
We have worked hard to make sure our messenger products work well with third-party products so that if people want to do encryptions where they hold the key, they can.
We've definitely spent a lot of time thinking about it. Obviously we've talked to Alex (Stamos, chief information security officer) at Yahoo about what they're working on. We've talked to Google about the stuff they're working on. We've been experimenting with different stuff. We're excited that people are innovating in this area but to date we have nothing to announce.
Facebook gets lots of requests from law enforcement for user data. Do you have any concerns about that process?
When law enforcement does get a search warrant, judges are not appreciating enough the amount of data they're giving access to. We'd like to see some changes in the law.
Think about this in the context of a physical search. If the police got permission to go into your home ... they don't get to take everything they find and keep it until trial. They actually have to go through and they have a finite amount of time to extract what they think is relevant and tell a judge what they took. In the context of online, when they take an account, they're asking to take the whole account. We're saying they should have to specify something narrow.
Facebook announced Thursday that it will be buying PrivateCore, a company that specializes in securing servers and data centers. What was the thinking on that acquisition?
As a company we have this ambition to help connect millions and billions more people (while keeping the site from slowing down). We're going into different environments and facing new security challenges. When it's your data center, you control the keys to the door physically as well as technically. As we are building our network around the world, we face the challenges everyone does: a lot of situations involve putting your servers where you have lesser levels of trust. Their technology helps increase trust.
What's Facebook's biggest security concern?
As our advertising business has grown, people want to attack that side and make money through spam, like they always have. It's something we've paid a lot of attention to but it's not something that's gotten a lot of attention in the media.
But we really pride ourselves on doing a great job of keeping people's news feeds clean. You're used to looking at your email every day and seeing "Oh man, there's like 4 pieces of spam there" and you deal with it but when you look at your Facebook Newsfeed, it's usually not like that. We're constantly focused on staying ahead of attacks.
Google recently got attention for reportedly alerting authorities after scanning a user's email and detecting apparent child pornography. Does Facebook do anything similar?
We've basically handled it the same way that Google and Microsoft do (through the use of PhotoDNA software, which scans for child pornography images already known to authorities).
For our services -- as a service that has a lot of young people, that came out of a service exclusive to high school and college students -- we basically handle it the same way they do. And if you're doing something like this you should be transparent, and from the moment we started doing this we've been transparent about it. What you want is for people to understand this is being done. The only context we have done that (in regards to scanning for criminal conduct) is in the context of child safety.