Facebook started out as Mark Zuckerberg’s dorm room project. Now it’s a company that boasts more than 2 billion users and tens of billions of dollars in advertising revenue.

Those two data points are tightly linked, and together they create Facebook’s world-shaping power: Facebook users provide the company — knowingly or not — with an enormous amount of data about themselves. And Facebook uses that data to let advertisers reach those users with astonishing precision and effectiveness.

For years, political advertisers ignored Facebook (along with most of the internet) but that’s not the case anymore: Digital political ad spending may approach $3 billion in 2020 — about a third of the money politicians and their campaigns will spend in 2020.

Those ads are now a problem, not a positive, for Facebook. Critics are furious over the company’s policy that allows politicians and their campaigns to lie in Facebook ads, even as Zuckerberg and other top executives say they’re trying to promote free expression.

As Facebook defends its ad policy, Twitter has announced that it will ban all political ads, and Google has announced that it will limit targeting for its political ads. Facebook seems very unlikely to ban political ads altogether, but it has signaled that it may make other changes that might make its advertising machine less effective, in some ways, when it comes to politics.

If all of this sounds confusing to you, you’re not alone. That’s why we’ve asked former Facebook executive Alex Stamos to help out.

Related Join the Open Sourced Reporting Network

Stamos spent three years as Facebook’s chief security officer, helping the company fend off all kinds of attacks.

But after leaving Facebook in 2018, Stamos has become a sort of Facebook attacker, offering a steady stream of criticism of the company and its leadership — for instance, he would like CEO Mark Zuckerberg to step down.

Stamos has also been a loud and consistent voice calling on Facebook, and other digital advertising companies, to make a very specific reform: He wants them to place limits on the microtargeting, or hypertargeting, they offer political ad buyers.

We talked to Stamos, now the director of the Stanford Internet Observatory, about his problem with ad targeting, why he thinks Facebook’s Cambridge Analytica breach was overblown, and what you, a person who cares about security but isn’t a security expert, can do to protect yourself.

The following transcript of our conversation has been edited for length and clarity.

Peter Kafka

Can you explain what micro- or hypertargeting is, and then why you’d like to see limits on it?

Alex Stamos

When I think of microtargeting, I’m mostly thinking of what are called custom audiences by Facebook and a variety of other names by Google and Twitter. But the same product is available from a number of companies, which is an advertising product where you upload data to the advertising companies, and then they match up that data with their customer base.

The canonical example of this is a car dealer. You go look at a Toyota truck, the dealer gets your email address. You don’t buy it, and so they end up uploading [your email address] to Facebook and Google, saying, “I want to show Peter my ad.” And everywhere you go online, you now see ads for that truck that you looked at and didn’t buy.

Peter Kafka

They are showing this to me, or someone who looks and acts a lot like me?

Alex Stamos

Literally to you. It’s usually by phone number or email address.

From my perspective, the most dangerous component is the data upload, for two reasons.

One, it motivates political actors to build humongous databases on users. From my perspective, the real Cambridge Analytica scandal is not data being stolen from Facebook. That’s an issue, but there’s been a bunch of data breaches that have been much more important that people will never talk about. The part of Cambridge Analytica that is truly concerning is the ability to use data that you get through a variety of means to microtarget ads.

There are effectively dozens of Cambridge Analytica[s] that still exist. They’re just not dumb enough to steal data from Facebook. They just buy it from Acxiom, and they apparently buy it from the California DMV. There are a ton of data brokers that know a bunch about people.

So one, we probably don’t want to create these companies whose entire job is to figure out how to manipulate people.

But the second is it allows political actors — that’s campaigns, PACs, parties — to have messages that are extremely finely targeted to a very small number of people. Therefore they can be somebody different to everybody. So to 100 people in northern Michigan, they can look different to 200 women in Manhattan, and look different to 100 African American voters in Atlanta. We don’t want our politicians to be different people to everybody.

It also makes it much harder to call them out on lies. If you allow people to show an ad to just 100 folks, and then you run tens of thousands of ads, then it makes it extremely difficult for your political opponent and the print media to call you out.

Peter Kafka

Are you opposed to that kind of advertising, period? Is that acceptable if it’s for Toyota or Nike, as opposed to Donald Trump?

Alex Stamos

When it comes to other advertising, I think the way to handle it is through comprehensive private privacy legislation. Because there’s really a supply of data that is gathered up and used to microtarget people. And then there’s the demand of the advertising.

Peter Kafka

One of the arguments you hear in favor of ad targeting is that we’ve had targeting forever. There’s direct mail, and this is another version of it. Yes, computers are now involved. And yes, it’s happening at scale. But if you thought it was okay to mail me something to my house, why can’t you target me on my laptop?

Alex Stamos

I think the direct mail argument is why we should be making moral arguments against ad targeting. I think the practical issue is that online ad targeting is so much cheaper, and so it’s just not cost-effective to generate 10,000 different direct mail advertisements, and then see how it impacts people.

Peter Kafka

You’ve been calling on Facebook to change their approach to political ads for a while. Twitter and Google have agreed to do it in varying degrees. Do you think it’s particularly challenging for Facebook to make a decision on this? They’ve been sending out mixed messaging.

Alex Stamos

Google and Twitter are interesting because they have very different responses. I think the Twitter response is not the right one. I think completely banning political ads puts them in a very difficult situation because you’re not creating a speed bump. So if you look at what we did before the 2018 midterms, all three of those companies created speed bumps for political ads, where you had to verify who you are. And even with the fact that all you have to do is submit a driver’s license, the media was full of complaints from people who said they’re being censored because they had to verify their accounts. And that was just for a little bit of an inconvenience.

Twitter is completely banning political ads, which motivates all kinds of political actors to run to the media immediately and say that they are being oppressed. Which is also a really powerful message. The Warren campaign has used this really effectively by intentionally violating Facebook’s rules, getting ads banned, and then turning around and for $100 worth of advertising, getting millions of dollars in free media.

The other [approach] is what Google used to not do, which Google is going to do now and Twitter is [also] doing now: defining political ads as issue ads. The problem is, in 2019, everything’s political. Right? And so that’s the other challenge that Twitter’s going to have: Is a Nike ad with Colin Kaepernick political? Is Exxon running an ad that kind of gently hints that they’re doing everything they can about global warming, is that a political ad? And in those decisions, you will have lots of unconscious bias amid the people who are making those decisions and that’s going to be something that’s fought over.

Peter Kafka

But Google did agree to some kind of limits on targeting.

Alex Stamos

Right. I think the Google approach is a smarter one. Creating a political ad/issue ad standard, and then limiting targeting is exactly what I’d like to see Facebook do. Because at least it’s much less oppressive to people to say, “Okay, well, you can’t do a data upload.”

And also, for the most part, like if you’ve got some little anti-global warming NGO, they’re not running a massive campaign. I mean, they’re not running a super complex data upload campaign. And so you’re actually kind of evening the playing field a little bit between the small actors and the large actors. Banning them totally, I think, actually pushes the power to the large actors, because Exxon can afford TV ads; they can afford full-page ads in the New York Times. And the little NGOs can’t.

Peter Kafka

But you have some political actors on the left who have relatively small war chests, saying, “This is going to hurt us.”

Alex Stamos

The Democratic Party has made a huge mistake in making a big deal of [calling for Facebook to restrict political ads], because Donald Trump has something like 67 million Twitter followers; he has 24 million “Likes” on his Facebook page. Breitbart, Fox News — he’s got this massive, free media ecosystem that is pushing all of his stuff without paying for it.

So to cut off the Democratic challenger — who is going to come out of the bruising primary — they’re going to have to pivot to the main to get their message out. [And]to do so against Donald Trump’s organic reach, which is both people who do it intentionally and then everybody in the media — that every time he tweets something crazy, ends up covering the controversy — one of the ways you can try to even that out is through much more economically efficient online ads.

So I think there is a trade-off here. I think there’s a reasonable trade-off in limiting the targeting. But I don’t think we should get rid of political ads overall. I think that pushes power back to the people who had power, back when radio and TV ads were most effective. Online advertising gives a huge amount of power to nonincumbents, NGOs, small organizations, unions. It empowers people that have less money because the entry cost of running an ad is not hundreds of thousand dollars of production cost like it is for TV.

Peter Kafka

Back to Facebook. I’m assuming at some point they’re going to come out and say, “Here is what we have decreed.” But they’ve been spending weeks not deciding something. Do you think there’s something about the proposals that you and others are calling for that are more difficult for Facebook to grapple with?

Alex Stamos

There [are] two things going on. The first is there seems to be massive conflict at the highest levels of Facebook over this policy. You can see this because somebody will say something onstage and then a different executive will say something totally different. They also all seem to be leaking to the media.

So I think what you’re seeing is there’s a conflict at the highest levels, and they’re deadlocked. And that is Zuckerberg’s job. I think this is a leadership failure.

Peter Kafka

Do you think there’s any reason why this would be trickier for Facebook than it would be for Google?

Alex Stamos

I think Facebook is the most afraid. Facebook has the best ad targeting on the planet. It is better than Google’s, it is better than Twitter’s. And so I think there is a fear that opening the conversation about custom audiences and lookalike audiences, which is the other thing that I think should be limited — is existential.

Peter Kafka

Explain what a lookalike audience is.

Alex Stamos

A lookalike audience often starts with a custom audience. So, back to the Toyota example, let’s say you take everybody who bought a Toyota Tundra in the last six months [and] you upload them to Facebook. Those people have already bought trucks, you don’t want to advertise to them.

But you ask Facebook: “Go and find people who are like these 10,000 people who bought my product.” And then the Facebook AI goes and crunches and it says, “What is special about these 10,000 people versus the 2 billion other people on Facebook?” and then it creates an audience that’s a lot like that.

Nobody can really explain what it’s looking for. It’s AI. Not super explainable. But it’s incredibly, incredibly effective at finding special aspects about those people that apparently makes them want to buy trucks. So that’s another tool that the political advertisers like.

Peter Kafka

And that allows Facebook to put targeted ads in front of [their users]. And they’re saying this is aggregated and anonymous, but still, it is showing up in front of you and not someone else.

Alex Stamos

Right. The advertisers don’t find out who the people are, right? So the privacy of the individual is protected. But this is really powerful for political ads. You take your donor list and you upload it, and tell Facebook to find everybody else who might want to be my donor. And then it automatically blows it out to everybody who looks like, demographically, the people that have already given to you, and then you ask those people for donations — that can be incredibly powerful.

Peter Kafka

If Facebook does what you want them to do and institutes some kind of targeting limits, what immediate effects do we see in this campaign?

Alex Stamos

The Trump campaign will have to change their tactics. The kind of automated generation, the A/B testing, they’re utilizing it much more [than other campaigns]. I think it will affect [Michael] Bloomberg, because clearly his model is, he’s gonna throw a huge amount of money into it. I expect it will completely change how he’ll have to campaign.

You’ll probably see campaigns spend more money on higher-quality content and then show it to the same number of people, but it’ll be less targeted.

And it will reduce the value of these big data [databases]. And so you’ll see a bunch of consulting companies lose those contracts. I think the campaigns will still advertise as much online. The truth is — let’s say you limited targeting to 10,000 people or even a congressional district, 600,000 — that’s still much more effective targeting than you can get through almost any other medium.

Peter Kafka

What problems do limits on ad targeting not solve?

Alex Stamos

Well, it doesn’t solve whether or not people lie in their ads. It doesn’t solve whether or not your ads are negative. Now, there’s some interesting research that shows that some online ads are not necessarily more negative than offline ads, that negative ads have been a problem the whole time. It doesn’t all of a sudden make Donald Trump honest. But I don’t think there’s anything that companies can do around that.

Another thing I’d like to see from Facebook is a policy on accurate claims about your opponent. Where they don’t want to go on the truthfulness issues is that they don’t want to be the arbiter of political claims. So if Elizabeth Warren says “I can give everybody Medicare-for-all without raising middle-class taxes,” they don’t want other Democrats or Donald Trump arguing, well, “here’s an economic study that says it’s not true.” That’s politics, arguing over that kind of stuff.

Peter Kafka

No, Mexico’s not going to pay for the wall.

Alex Stamos

Yeah, exactly. Or Donald Trump saying the US economy has never been better. Well, Paul Krugman says it isn’t and therefore Facebook has to decide what is a political statement. We don’t want the companies making those decisions. That would be crazy to have these companies make those decisions.

What I think they could have a standard on, though, is claims about opponents.

So if you make a factual claim about your opponent, then that can get that checked. So, “economy’s never been better” does not get fact-checked. “Joe Biden is about to be arrested in the Ukraine” does get fact-checked.

That’s what I’d like to see from Facebook. I’d like to see the ad targeting limit. And I’d like to see that really basic rule, which is not that hard to enforce because it’s not really an operational issue. The amount of organic content massively outstrips by tens of thousands of times how many ads are running. And so they’re already doing a bunch of work around checking ads to see whether or not they’re suppressing the vote and such. I don’t think it’d be that hard to add that statement, especially if they did the ad targeting limit, because there would be way fewer ads to review.

Peter Kafka

Maybe this is just so obvious that no one else is talking about it, but I’m curious why we’re not bringing up the fact that Donald Trump can say all sorts of untrue things on his official Twitter feed or on his official Facebook post, and that can be widely distributed. And it’s not a paid ad.

Do you think the problem of targeted ads or misleading ads is a much bigger problem than that stuff that’s organic, or do you think these are all things you need to solve?

Alex Stamos

I think there are two big differences with ads. First: you’re trading money for reach. I think there’s something we have for a long time recognized in the United States, that there’s a difference around paid speech versus organic speech. Second: Ads are one of the only ways you can put content in front of people who have not asked to see it. You’re able to insert yourself into somebody else’s day, who has never demonstrated that they want to see your content.

For organic content, if you’re seeing stuff in your News Feed, it’s either because you followed one of those pages or you’re friends with somebody who’s sharing. You have lots of tools, that if you don’t want to see that content anymore, you can [stop it]. With ads, people are inserting themselves into your life.

I think there is a fundamental difference in how we treat free versus paid speech, to be sure.

Peter Kafka

After the 2016 election, there was initially a lot of focus, and rightfully so, on Russian interference in the election, and then other state actors. That was sort of your focus, I believe, at Facebook. Now, we’re having this discussion on political advertising, and no one is connecting this to Russia or any other international actors. Is that because it really isn’t an issue now?

Alex Stamos

Even in 2016, the number of Russian ads was minuscule versus the spending by US political parties. Just in the last couple of days, there’s been new quantitative research that shows that the ability for the Russian Internet Research Agency [the government unit accused of illegal interference in the 2016 presidential elections, known as IRA], which is the side that uses advertising to affect people’s political positions, is actually incredibly limited. So the quantitative evidence is that Russian interference in the form of trolling and ads was probably not bad.

The most effective component of Russian interference was most likely the [Russian military intelligence agency known as the] GRU campaign, which we just released a big report on, which was the breaking in, stealing of email, creating narratives, and then pushing those narratives via WikiLeaks, DC leaks, and then friendly media outlets.

That totally changed the conversation people are having about Hillary Clinton. Whereas the IRA stuff — if you’re part of the Secure Borders Facebook group, you’re not a swing voter. The truth is, the amount of political content of that type that is pushed by Americans vastly outstrips what the Russians push.

And I think that’s part of the discussion. Part of it is also that three companies have made changes here on online advertising. So really we only have a handful of companies that are doing any verification of who’s running political ads out of the thousands of other companies in the ad tech ecosystem. They’re doing pretty much nothing. And so there is the possibility of foreign ads, but I think just the size is so much smaller than what Americans are spending on it — it’s hard to argue that that’s the big deal versus the GRU activity which we are still very vulnerable to in 2020.

Peter Kafka

You mentioned Cambridge Analytica, sort of dismissively. You’ve mentioned this in the past — that you think we’ve sort of overblown, overstated, and misunderstood Cambridge Analytica. Can you explain in simple English to our readers, what we should and shouldn’t care about when it comes to that?

Alex Stamos

I think what we should care about Cambridge Analytica is whether or not we allow political manipulation to be targeted with personal information. The actual leak of data is minuscule compared to a number of other things that have happened since then, that nobody ever talks about anymore.

Peter Kafka

Facebook paid a $5 billion fine for its failings around Cambridge Analytica. So when you say there are bigger data leaks, what kind of things are you talking about?

Alex Stamos

For example, most of the major American telephone companies were caught selling people’s fine GPS location. That was a story for a week?

Peter Kafka

Yeah. Vice had that.

Alex Stamos

So it looks like people might have died because of that. That data was being sold to bounty hunters, who are using it to track folks down, right? Fine GPS location is about the most sensitive data you can possibly get from somebody’s phone. That’s never leaked, as far as I know, from Facebook or Google or any other major tech company. But if it comes from the phone companies, nobody talks about it.

The Equifax breach was a massive, massive issue and it now means that the data of hundreds of millions of Americans is in the hands of probably the Ministry of State Security of the People’s Republic of China. And we’ve all kind of moved on.

So it’s that versus what pages you “Liked” on Facebook. There’s just no qualitative or quantitative model where those breaches are not more important. Yet people don’t talk about this anymore.

The importance of Cambridge Analytica is the political ad targeting. Because it turns out, you can run a company that’s much more effective than Cambridge Analytica, buying data from data brokers. And nobody seems to talk about that, which I think is a problem.

Peter Kafka

Can you offer advice for consumers, who aren’t tech-savvy, for responding to data issues and privacy scandals and breaches? Is there a practical way for people to think about this stuff when they’re trying to make decisions in their lives?

Alex Stamos

The No. 1 thing people should be worried about is their own personal accounts being taken over and used. The amount of damage to them of their password being stolen from a site and then reused to take over their entire digital life way outstrips any damage from any of the massive data breaches. Or in situations where it is a mass password breach, that is the practical effect.

So going to Have I Been Pwned and putting in your email account; using a password manager; having different passwords on everything; that should be an individual’s focus. Because the truth is the media does not properly contextualize data breaches, because they do so based upon which companies they dislike much more than the actual practical effect.

There’s way more impact on individuals when passwords get leaked, and then their accounts are taken over because then they end up sending financial fraudulent scams to their family members; they end up with ACH [automated clearing house] transfers being initiated from their accounts; they end up with their credit cards being stolen.

Those are the people who have a real humongous impact, when their passwords are stolen. That’s what I think most people can work on. There’s not much they can do about the Chinese having Equifax, but they can prevent organized crime from taking over their entire lives.

Open Sourced is made possible by the Omidyar Network. All Open Sourced content is editorially independent and produced by our journalists.