Why Yahoo's Top Security Guy Just Ditched for Facebook

Yahoo's head of security Alex Stamos announced on Friday that he was leaving the relatively old internet giant for Facebook, a younger internet giant.

The 36-year-old security veteran joins the social network as the Chief Security Officer, after spending slightly more than a year heading Yahoo's revamped security efforts. He steps in for Joe Sullivan, who in turn left Facebook for Uber in February.

Stamos' departure might seem surprising, given that he was the vocal and visible leader behind Yahoo's innovative—and much needed—new security projects, including an easy-to-use plugin to send encrypted emails, and an ambitious plan to replace passwords. But the switch actually makes a lot of sense, for both him and Facebook.

When I met him in San Francisco, Stamos struck me as an idealist with lofty goals. He didn't join Yahoo just to improve what is often seen as a declining company, which had a slew of embarrassing security snafus. He joined it because, as he told me, heading a giant that has one billion users gave him a chance to make the internet more secure for "lots of normal people."

That's at the heart of what Stamos wants to do: make the internet safer and more trustworthy for everyone.

For better or worse, depending on your personal opinion of Facebook, the social network is certainly one of the few places where you can really do that, as Stamos himself hinted at that in his announcement. (Stamos declined to comment for this story)

"There is no company in the world that is better positioned to tackle the challenges faced not only by today's Internet users but for the remaining 2/3rds of humanity we have yet to connect," he wrote in his announcement, posted, of course, on his Facebook profile.

Facebook has 1.44 billion active users, according to the company's own data, and it's only going to get bigger, as the more people are on Facebook, the more others will want to be on it too. Mark Zuckerberg's giant is also pushing very hard to enter developing countries, at times positioning itself as the internet itself, thanks to its controversial Internet.org project, which has the goal of bringing a stripped down version of the web to countries in Africa, Asia, and Latin America.

This attempt to create what could be seen as Facebook colonies, countries that only get the internet that Facebook wants them to get, is already under heavy scrutiny. Human rights organizations have accused Internet.org of exacerbating the digital divide, and making dangerous privacy compromises. When Facebook opened up Internet.org for developers, it also restricted the use of HTTPS, which is increasingly becoming the standard on the web (the company later said they would solve this by providing an HTTPS-enabled Android app).

It's unclear if Stamos will have much of a say in Internet.org, but he doesn't like to make compromises that could endanger users. And he's not afraid of speaking up, even if that means confronting the head of the NSA, like he did at a recent event in Washington D.C.

Outside of Internet.org, Facebook has already positioned itself as one of the most innovative companies when it comes to security. It switched to HTTPS by default in the summer of 2013, when it also offered the strong encryption technique known as "Perfect Forward Secrecy."

In October of last year, the social network also launched a .onion domain, making it possible for users to access Facebook through the deep web using Tor. More recently, Facebook offered a new feature for all users to upload their PGP keys to their profile and received encrypted email updates from the social network.

That's why, contrary to what he had to do at Yahoo, Stamos won't have to revamp Facebook's strategy, but simply fine tune it. And he should be more than capable of doing that.

As noted security expert Graham Cluley put it, Facebook "just got a security upgrade."