Joe Sullivan hunts down the bad guys drawn to the world's largest social network. How far will he go to keep the site safe and still protect your privacy?
If Facebook were a country, it would be the third largest in the world and Joe Sullivan would be head of Homeland Security. His actual title is chief security officer. The “terrorists” he’s up against include malware miscreants such as the “Koobface gang,” a quintet of Russians who unleashed a worm that turned Facebookers’ computers into enslaved bots; the spammers who flooded the site with violent and pornographic images in December; scammers who trick Facebook users into clicking links and filling out surveys for the swindlers’ profit; paedophiles using the site to make contact with minors; and scrapers who inappropriately raid Facebook for users’ valuable personal information. These scoundrels include those who use malicious apps, hackers and an amateur porn purveyor who matches profile pages to private nudie photos submitted by vengeful exes—making it easy to contact, harass and “poke” the unwitting and involuntary porn stars.
The dirt Facebook holds on its users makes it as attractive to cops as to criminals. Among Sullivan’s responsibilities are daily decisions about how much user information to give to law enforcement when it comes calling.
And, as a digital nation’s DHS, Sullivan and his 50-person team actively police the site for user data worth volunteering to the authorities. Still, he says, “we err on the side of not sharing and have picked quite a few fights over the years.”
Users may have constitutional rights against unreasonable searches by the state, but the only Facebook Constitution is the company’s dense terms of service agreement. It focusses on prohibitions for users, such as bullying, creating fake accounts or uploading images of violence or nudity, as well as Facebook’s rights to intellectual property uploaded to the site. It doesn’t spell out when Facebook may dive into data for policing purposes or hand it over to the authorities.
Should Facebook give users a Miranda warning before they sign up—that anything they post and do on the site can and will be used against them? The company gives law enforcement “basic subscriber information” on request: A user’s name, e-mail address and IP address (which reveals approximate location). Sullivan insists that everything else—photos, status updates, private messages, friend lists, group memberships, pokes and all the rest—requires a warrant.
Sullivan, 43, usually wears the “Mark Zuckerberg uniform” at the office: Gray hoodie, sneakers, jeans. With longish light brown hair and gray-speckled goatee, he looks more like a bouncer at a country music bar than an ex-federal prosecutor, let alone the guy responsible for safeguarding and investigating Facebook’s 845 million users.
Most of his security team is based at headquarters in Menlo Park, California, and sits at clusters of desks close enough to take dead aim at one another with Nerf darts. The team is broken into five parts: 10 people review new features being launched, 8 monitor the site for bugs and privacy flaws, 25 handle requests for user information from law enforcement, a few build criminal and civil cases against those who misbehave on the network, and the rest are digital bodyguards protecting Facebook staffers (“We have someone trying to hack an employee’s account every day,” says Sullivan).
It’s a big kingdom to police, populated with mundane and highly personal information about its subjects. Its value, shaping up to be $100 billion when the company goes public later this year, depends on keeping the populace happy and safe—from over-probing law officials, as well as from predators.
The oldest of seven children, Sullivan grew up in Cambridge, Massachusetts. He describes his father as a painter and sculptor, and his mother as a schoolteacher who wrote mystery stories about a nun who was a private eye. “So I rebelled and went to law school,” he says.
Sullivan got his law degree at the University of Miami in 1993. A self-described early adopter, he was the first of his friends to get a computer and an e-mail account. In his first job at the Department of Justice (DOJ) in Miami, he convinced his superiors that the office should have an internet connection.
He has been riding the internet crime wave since 1997, when he moved to Las Vegas as a federal prosecutor. When the DOJ started a computer crime programme, recruiting one prosecutor in every office to work on cyber crime cases, he volunteered and began working on early eBay fraud and software piracy cases. After Bob Mueller, now director of the FBI, started recruiting a high-tech team to work in the DOJ’s Silicon Valley office in 1999, Sullivan jumped at the chance, putting him at the centre of cyber crime during the internet boom. In 2002 he went to eBay, where his security detail included the units PayPal and Skype. That’s when he had to make a fundamental shift in his thinking—not just how best to prosecute criminals but also how much information to hold back from authorities to protect the rights of customers.
“Depending on the product, we had fundamentally different philosophical approaches to the law and user expectations around data-sharing with law enforcement,” he says. As one might expect from someone who had been a prosecutor a scant year before, Sullivan’s relationship with law enforcement when he first joined eBay was cozy. In 2003, off-the-record remarks Sullivan made at a cyber crime conference were secretly taped and given to a reporter at Haaretz.com, the Israeli news site. Sullivan claimed that eBay’s privacy policy was “flexible,” allowing it to freely provide information to investigators—“no need for a court order,” Sullivan said. Haaretz wrote an outraged report about eBay’s collusion with Big Brother.
“With Skype we’d tell law enforcement to go through Luxembourg, and good luck with that,” says Sullivan now. “But with eBay, if you were law enforcement investigating a seller, you didn’t even need a subpoena. You could just ask for it on your letterhead and we would hand it over. Back then some people were just putting money in envelopes, sending it to eBay sellers and hoping to get their products. There needed to be an expectation that sellers were being scrutinised.”
While a youth pastor reaching out to young people doesn’t seem particularly nefarious, Sullivan suggests that his use of fake accounts to do so, as well as the content of his communications, was disturbing enough to warrant police involvement.
Sullivan went the extra step because he thought he had to. With Sophos he tracked digital breadcrumbs to expose the guys responsible for Koobface (an anagram of Facebook). They gave their evidence to the FBI and waited for it to make a move. After over a year of inaction, though, they took a vigilante approach, exposing the gang members in the New York Times after a security blogger blew the whistle on one member, thus alerting the group that they were being pursued. Facebook and Sophos detailed how they tracked them down using IP fingerprints, Foursquare check-ins, Twitter activity, friend lists on a Russian social networking site and Flickr photos that showed the gang vacationing in Europe. “It’s not about monitoring the users,” says Kollberg, who participated in the Koobface sting, “but producing security for users.”
(This story appears in the 13 April, 2012 issue of Forbes India.)