Facebook's New Privacy Hires

The Wired headline sums it up nicely -- "Facebook Hires Up Three of Its Biggest Privacy Critics":

In December, Facebook hired Nathan White away from the digital rights nonprofit Access Now, and put him in the role of privacy policy manager. On Tuesday of this week, lawyers Nate Cardozo, of the privacy watchdog Electronic Frontier Foundation, and Robyn Greene, of New America's Open Technology Institute, announced they also are going in-house at Facebook. Cardozo will be the privacy policy manager of WhatsApp, while Greene will be Facebook's new privacy policy manager for law enforcement and data protection.

I know these people. They're ethical, and they're on the right side. I hope they continue to do their good work from inside Facebook.

Posted on February 4, 2019 at 11:07 AM • 31 Comments


MattFebruary 4, 2019 11:34 AM

They might try their best, but Facebook's given us no reason to suspect this is anything other than a fig leaf. Facebook's business model depends on selling your information to third parties, so unless they're fundamentally changing their business model, these guys' job is going to be nothing more than a CYA move by Facebook.

EricFebruary 4, 2019 11:52 AM

That's a misconception. What Facebook actually sells is the ability to target it's users, no matter how specific or niche a set of criteria an ad buyer provides. Selling your information to third parties devalues buying ads on Facebook, and Facebook's leadership is too smart to agree to devaluing their profit source.

Gerard van VoorenFebruary 4, 2019 12:10 PM

After everything that Facebook went through one would start to think that quite a lot of guys want to leave. The magic of Facebook should have been over by now and one third of all their "customers" have moved out in Holland. It's obvious that Facebook has to change and they will change, just like what happened about a decade ago in Microsoft. But what Facebook does, and does very successfully, is plain wrong. Of all the GAFAM Facebook is the worst to me (next to Google and Amazon), even though I am not a customer of Facebook, and they have to advocate a lot (both inside and outside).
This weekend I went to FOSDEM in Belgium. In there a lot of guys were talking about Facebook.

CluelessFebruary 4, 2019 12:42 PM

"I know these people. They're ethical, and they're on the right side." and they will work for Facebook, whose business, from what I know, is to sell infos grabbed from morons. As for the "Trust me, I know them", what has become the saying "trust does not transfer" ?
Now, that's a developed oxymoron. Why not "honest journalist" ?

CluelessFebruary 4, 2019 12:54 PM

I just happen to read this : yet another example of Facebook's ethical behavior (sorry, it's in French but I guess this was published in English too) :
It's even worse than the good old days of M$ Evil Empire.
Don't mix the love of money (which I can understand) and real ethics.
Changing things from the inside never works : at best, it's an illusion ; at worst, it's a blatant lie.

TimHFebruary 4, 2019 1:20 PM

@Matt & Eric: We have to correct the statement "... selling your data!" to the scarier "... selling proprietary insights into how you can be manipulated, from assessments of very large quantities of your data!"

Nobody at allFebruary 4, 2019 3:41 PM

The most ethical thing anyone could do to improve Facebook's privacy posture would be to destroy the data Facebook has extracted and shut the company down. Anything less is a meaningless half-measure.

tzFebruary 4, 2019 4:01 PM

Will they be under NDA? Will their employment contracts be public?
Will they have access to anything but lots of free food and massages?
Will they be able to disclose how much they are being compensated?

Bertrand Russell: Will you go to bed with me for $1 Million?
woman: Will, maybe, well yes.
BR: How about $100 [inflation adjust]
woman: What do you think I am?
BR: Madame, we have established what you are, we only have a disagreement on the price.

Petre Peter February 4, 2019 4:02 PM

I wonder how much of this has to do with the fact that enforcement of GDPR is expected in 2019.

Sed Contra February 4, 2019 4:35 PM

Class assignments:

1. (1 point) Re-read all the fables of Aesop. Do you think Aesop would have understood the Internet ?
2. (1 point) Write 500 times “You will need a long spoon to sup with the devil.”
3. (0-3 points, depending on quality) Write a short essay comparing and contrasting bioethics boards of medical facilities with privacy ethics boards of Big Tech corporations.
4. (1 point) Russell said “Better Red than dead.” Show using predicate logic that this implies he is equivalent to the woman in the anecdote about “companion pricing”.

VinnyGFebruary 4, 2019 4:57 PM

@Eric re: FB & personal information - Once Facebook has someone's personal data, they will use it in whatever way they believe is in FB's own best interest, with complete disregard for the interests of the "original owner." Any assumption about how they will parse that value proposition in any specific instance will be prone to failure; any risk of confidential personal information made on the basis of such an assumption would be naive and foolish.
@tz re: NDA - Very good question. Hire your critics at a nice salary, make them sign an NDA that extends for 5 years after termination of employment, then stick them in an office with a view and no work. If your name is Mark Zuckerburg, that would seem to = "problem solved..."

JonKnowsNothingFebruary 4, 2019 5:38 PM

Protest from "within" almost never works. This is called Whistleblowing at the extreme edges.

Protest from "without" makes a lot of noise. No one "within" pays any attention. At the extreme edges you "Do not pass GO" and end up in jail.

I hope they enjoy their time "within" and their paychecks. They will last about 18 months and no doubt receive enough cash, stock and incentives to fund the rest of their careers "without"; provided they don't do anything "within" that might prove embarrassing once they are "without".

How can we "guess" that nothing will change?

Talk is cheap, buying talk is even cheaper and buying talk to stop talk is buying the golden goose.

Doing requires something else and there are just too many dark corners that are never touched by light. They will never see the dark corners.

Security SamFebruary 4, 2019 6:07 PM

Wow, these are great news
Facebook should be exalted
For they have shut an open door
Long after the horse has bolted.

Clive RobinsonFebruary 4, 2019 6:10 PM

@ Bruce,

I know these people. They're ethical, and they're on the right side.

That from what I can see is true.

But there is an issue... The desired outcome is,

1, They stay that way.
2, They convince Mr Z to change.
3, The company focus changes.

The issue is at the end of the day it's not down to them or Mr Z, it's down to the shareholders.

Legally the major shareholders can and in all probability will sue as they could easily arge "Their money is being left on the table" by Mr Z.. It realy doesn't matter if they have a chance of wining (which they do). They can use it as leverage to get more shares or other advantageous treatment. Once one person gets a bigger slice of the pie they will all pile in for a bigger slice. The only way Mr Z can stop that is by acquiescing to the demands he picks the money up off of the table. Which in turn means "More of the same old Same old".

To change that requires a change in legislation so that Mr Z has no choice but to change. Then the shareholders don't have a case, not even leverage from a nuisance case. I'm not sure if the EU GDPR realy counts enough. Whilst it should change the companies European arms, there is no reason for the company to change the other arms of the business. Thus blanket US legislation is required.

Personally I don't see that happening in our life times. Unless there is some major bad event and it hits the US politicians at all levels directly between the eyes. Then they will in all probability make regulatory or legislative changes. The problem is that in the UK there were changes made during the health care reforms under Tony Blair PM, but... it made two groups those of "protected status" and "everyone else" the politicians of course were protected along with "establishment figures" but the rest of us were going to have our entire medical histories sold in a non anonymous way to who ever coughed up the cash, for Tony to use to bribe voters. Ross J. Anderson if he's reading this can give you the details of what finally happened, as he was a little closer than sitting on the side lines.

I know US Politicians have already produced legislation to protect themselves but not the citizens in other areas, so I suspect they can and would do so.

But there is a further issue, lets assume points 1-3above happen, for some people what every the outcome it will not be enough. Such people tend to make such things a "cause for a mission" and that often takes the form of character assasination, doxing and worse. Journalists these days are happy to put the boot in as well, and some will quite happily stir the pot to turn up the heat.

Such treatment can effect not just themselves but those around them and could potentially damage their future opportunities (it's what muck-raking is designed to do).

All we can do is hope it does not happen to them.

FaustusFebruary 4, 2019 7:42 PM

@ Clive

I don't think your understanding of the law is correct. The stockholders can agitate for change of management but they can't sue a company simply for not using their strategy.

Do you have a citation?

Facebook is clearly reaching a point where continuing this behavior has a decent probability of backfiring on them. There is a perfectly good argument that leaving the data on the table is the prudent course.

But besides that, outside of clear negligence or malfeasance, the only stockholder remedy is trying to change the board or get the board to change the management.

RealFakeNewsFebruary 5, 2019 12:05 AM

Hires its biggest critics...to silence them.

They're on the FB payroll now. It doesn't matter what they were like prior to working there - they've signed up to sing from FB's hymn sheet.

At first FB may say "we're doing The Right Thing(TM)" and make some hand-gesture, but then these people will be cast aside like always and ignored, while their silence has been bought.

Anyone who thinks FB will behave any differently to what we know happened historically, isn't paying attention.

POLARFebruary 5, 2019 12:34 AM

@ Bruce,

I know these people. They're ethical, and they're on the right side.

A matematician, a physicist and an astronomer are on the same wagon of a train travelling through scotland. The astronomer spot what looks like a black sheep "Look - they have black sheeps!" The physicist corrects the astronomer "This just says there's at least ONE black sheep", but the matematician halts both "There's at least one field, with at least one sheep, which is black at least on one side"

So I wouldn't just assume their future in a corporation, plus this "absorb your enemy" is a tactic tried and proved by Google, Microsoft before Google, and by the Roman Empire more than two thousand years ago.

de la BoetieFebruary 5, 2019 5:36 AM

May I recommend Robert Trivers's book on Self Deception - we all do it.

While ethical and on the right side, I think they're kidding themselves they can have any positive impact on FB behavior given its business model. And it's quite likely that they will effectively do harm because of the veneer of respectability they offer FB.

We kid ourselves that we are ethical and good (and above average car drivers) - while doing things like exporting carbon emissions, poor working conditions etc. And people seem to vote for policies which have led to the disastrous inequalities and collusion of weak nation states and huge corporations such as FB - at the expense and risk to the population.

@tz, the quote you ascribed to Bertrand Russell does not have a clear source, and I think unlikely to originate from BR.

Clive RobinsonFebruary 5, 2019 6:19 AM

@ Faustus,

The stockholders can agitate for change of management but they can't sue a company simply for not using their strategy.

That was not what I was saying, they can sue for a company officer acting against shareholder interests. Which is what "leaving money on the table" can be considered.

The usuall quoted cause of this goes back just over a hundred years ago Henry Ford had two minority share holders of the Dodge brothers. Who were basically funding the build up of their rival car manufacturing business on the dividends Ford was paying. Needless to say Henry was not happy about this.

So Henry Ford basically said "screw you" and stopped paying dividends on the very feeble excuse --for his press friends to push at the public-- that he was reinvesting everything to make better less expensive cars for everyone (which he was actually not doing).

A court case followed as the Dodgr brothers sued Ford as a way to get the real value of their shares back. Thus it's widely argued / cited that Dodge v. Ford as being the grounds for "shareholder primacy".

As with all things life is a bit more complicated. But what it did confirm is the "business judgment" rule. Which is based on a fiduciary duty of directors or "company officers" not to enrich themselves at the expense of shareholders by deceitful practice (ie not to defraud). Thus company officers should be not just able to explain their actions but actually to do so (even if it does boil down to "screw you").

Thus the court did what courts are good at which is "fudge things", or in more prosaic terms "they struck a balance", which still hangs like a spector of Christmass past in the US legal system.

Basically the court produced two decisions which appear to in effect be contradictory,

1) It was beholdant on Henry Ford, as the "corporate officer" to account for the interests of shareholders in all his business decisions.


2) As long as Henry Ford's business activities were vaguely plausible to advancing the shareholder interests, then the shareholders could not compel Ford to take any other "specific" business actions.

Importantly though (and often forgotton) it was neither a total win for Ford or total loss for the Dodge brothers, because the court did also order Ford to pay some dividends as they found his arguments insufficiently plausable (as "screw-you" attitudes generaly are).

Thus the main take away is that company officers do have to make a semi-realistic pretence to care about shareholder interests. Balanced by the simple fact that there is no specific "legal remedy" to make them take "specific" actions. Because the "business judgment" rule meant that courts should not apply either hindsight or foresight to dictate how a company should be run.

However Henry Ford went on to prove that as a company director he could act against the share holder interest with impunity. He made a false series of comnents about in effect leaving the business. This significantly devalued the shares in the business. He then effectively forced the sale of shares back to him and then said he'd changed his mind...

So whilst shareholders can not force company officers to take "specific actions" by legal means they can say that the company officer is not acting in their interests and get judgment on that. As with Henry Ford being made to stump up dividends, or get a court to make compensatory adjustments in one form or another. But as Henry Ford also showed information about corporate governance can bring a companies value down. Thus people can launch what are effectively nuisance cases, bring the share price down which can lead to loss of confidence in the corporate officers which in turn can get them kicked out of their controling position by the equivalent of a vote of no confidence by the other voting corporate officers. The threat of that alone can often cause a change of direction by corporate officers, that whilst not in a specific direction would be in a general direction (face has to be saved after all).

Whilst there has since been changes in the way corporate officers can conduct themselves (as Elon Musk has found out the hardway). Non privileged shareholders don't have such constraints as they do not have knowledge that others are not party to...

Clive RobinsonFebruary 5, 2019 8:15 AM

@ tz,

The "negotiating virtue" quote you mention with regards Bertrand Russell[1] reminds me ot the one also aledgedly made by either him or Einstien or...

An atractive society hostess came over at a party and said "We should make babies together, just think with your brains and my looks how successful they would be!". After a moments thought, came the reply "But madam what if they had my looks and your brains"...

[1] There are few photagraps of Bertrand Russell and apparently in none of the later ones is he open mouth smiling. This may be due to his increasing "gravitas" bad dentistry which was common for the time or as others have suggested "the mercury treatment" founded on some comment about syphilis by his father. What is known[2] is he not only hung out with the Bloomesbury Set who had highly questionable morals for the time he also got through four wives and a long string of mistresses. Einstein also was fairly prodigious in the affairs and mistresses game as well and neither is what you might call a picture book or oil painting...

[2] https://www.telegraph.co.uk/books/authors/brilliant-men-always-betray-their-wives/

Oh sure.February 5, 2019 12:33 PM

"they can sue for a company officer acting against shareholder interests."

= Not unless it's really blatant self-dealing or incompetence, and it has to be provable that that one person had the culpability in that decision.

Zuckerberg distanced himselves from these decisions in recent Congressional testimony.

Your fantasy suit goes nowhere. You can only prove FB is generally unethical and has profited wildly from that tack. You're wearing your rose colored law glasses again.

Oh sure.February 5, 2019 12:36 PM

Don't you think someone with shares would have sued and changed their course by now, if it worked like that?


AlejandroFebruary 5, 2019 2:56 PM

Best way to silence your critics is buy them.
I'd bet their salaries are very respectable.

David LeppikFebruary 5, 2019 3:43 PM

Facebook has shown disdain for its users' privacy since the Harvard days. Zuckerberg has a long history of apologizing, doing the minimum possible to appease the critics, and then moving on. You needn't do more than search this blog's archives to see how this has played out. After decades of not caring, I find it hard to believe that he would start caring now.

That's not to say he isn't interested in taking this on seriously; I doubt these people would sign on if senior FB management hadn't convinced them that they can change. The problem is, this level of change can only come from the top, and Zuckerberg hasn't shown that he can, or wants to, change that much.

As for shareholders, I don't think the big ones care one way or the other how FB changes, so long as profitability remains high. Sure, they're in the business of selling ads to users--but that requires engaged users who aren't bots, which requires at least a minimum level of trust.

Fundamentally Facebook's problem is that their business model is not based on taking care of the needs of their users. Users don't have to like FB, they only need to not dislike it enough to change their habits. In this case, FB has embedded itself deep enough in many people's social lives that it's hard to disentangle. But if they are actively disliked, users will find other ways to connect.

As for these new hires, I suspect they will work at FB for a year or two before getting disenchanted and leaving. But I could be wrong.

JamesFebruary 6, 2019 7:59 AM

"Facebook" and "privacy" are mutually exclusive. If it would care about privacy Facebook would not even exist.

FaustusFebruary 6, 2019 10:48 AM

@ Orgze Joerwell

If you want a picture of the future, imagine a “like” emoji stamping on a human face—forever.

Right on!! Thanks.

bttbFebruary 7, 2019 7:59 AM

A National Public Radio talk show is on Facebook today on https://the1a.org/ (11 am et) :

"...We’re speaking with Roger McNamee, one of Facebook’s early investors. He says the company’s executives have abdicated their civic responsibility and that the platform is bad for democracy in his new book, “Zucked: Waking up to the Facebook catastrophe.”

We’ll also speak to Alexandra Suich Bass, a senior correspondent at The Economist, who has covered Facebook for years."


https://the1a.org/stations ; also streaming

FaustusFebruary 7, 2019 10:05 AM


Zucked seems like a good book. I'm partially through it. However, Mr. McNamee alternates attacking Facebook practices and Zuckerberg and then backhandedly defending them. It's almost like there are two authors: McNamee and his lawyers!!

And of course there is virtual signalling galore. Sure! McNamee made a billion by being an awfully nice guy! But could anyone in the public eye survive without the obligatory kowtow these days?

The latest news from facebook ("The US firm says it will appeal") https://boingboing.net/tag/facebook indicates that they have little interest in change. And I think it says a lot about the humanity of the facebook critics. After getting by on a public interest salary for a while, and suffering all sorts of financial stress, they are shutting up and taking the money.

(ACLU lawyers are hardly saints either. They make a low salary for a few years but then prosper with a prestigious ACLU bullet point on their resume.)

Hopefully I am wrong. I estimate a 10% or less chance that the critics will engender anything close to the privacy changes that would make facebook non-deceptive and non-predatory. I hope I am wrong about these chances.

I think people refusing to use facebook, or curtailing their use dramatically, is much more likely to lead to positive change. Why should three privacy critics have to carry the water for all of us? If you don't like what facebook is doing, DON'T USE IT.

Leave a comment

Allowed HTML: <a href="URL"> • <em> <cite> <i> • <strong> <b> • <sub> <sup> • <ul> <ol> <li> • <blockquote> <pre>

Photo of Bruce Schneier by Per Ervland.

Schneier on Security is a personal website. Opinions expressed are not necessarily those of IBM Resilient.