Get access to Protocol
As companies around the tech industry start to make plans to return to the office, or to embrace a remote future, they're being forced to evaluate their work tools and processes all over again. Some companies are eager to get back to the way things were, but Patrick Stokes, the head of platform at Salesforce, said that's not the norm. "I think most are seeing this as a moment in time when it's good to be really introspective," he said, "and say, 'Are we as efficient as we possibly could have been?'"
Stokes and Salesforce have a tricky role in that process: to allow for lots of possibilities and solutions in the era of hybrid work, while also helping companies make the best possible decisions as quickly as possible. Salesforce has invested heavily in its Work.com platform, which offers a number of tools meant to help customers navigate what's next: managing vaccine status, simplifying HR and IT workflows, monitoring well-being and much more.
As more companies start to make their plans for the next phase of pandemic and post-pandemic life, Stokes jumped on Zoom with me to talk about the questions he's getting from customers, what employees want as offices reopen — or don't — and what it's like to build a product for a future absolutely nobody understands yet.
This interview was edited for length and clarity.
Do you feel like you have a responsibility to have answers? Because part of the truth of this moment is, like, nobody knows anything, and the answers are going to be different for everybody. But at the same time, you're Work.com, and a lot of people look to you to know how some of this stuff is supposed to work and where it's all headed. What's your sense of how correct you have to be in this moment?
I think we have to be partially correct. And what I mean by that is, we have to have a suite of technology that enables an organization, first and foremost, as opposed to prescribing the organization. To your point, every single business operates completely differently. Even within businesses, they have businesses that work that operate differently, different geos, different brands, whatever it is. And so what we've been able to do at Salesforce over the last 20 years is provide a customer-focused platform for defining how you want your customers to experience your company. And we're doing the same thing for employees, but we're doing it in a platform-centric way. In other words, we're offering capability, we're offering tools and productized solutions like wellness, talent dev and IT service, but we're doing it on the backbone of this platform, which means that anybody can extend it to set it up based on how they want their employees to come back.
So you feel like there's a base level that we can start to understand pretty quickly, and then your job is just to give people tons of flexibility on top of that basic infrastructure.
Yeah. We need to make it easy for them to get started is I think a simple way to put it.
Many brands have really not spent much time even thinking about their employee experience. You buy a bunch of stuff that you know you need: you buy your SSO, you buy your Workday, you buy your Concur, you buy your Salesforce, you buy all of these things. And we've never really had to think about, "OK, we've got these things now, what is the experience that sits on top?" And so what we're trying to do with Salesforce is make it really easy to bring those things, and to get started thinking about it in an extensible and low-code way, so that somebody in your organization can actually realistically start tinkering and thinking through what this experience looks like, based on some preconfigured templates and workflows that can be extended from there. You got to give them that entry point, though. Otherwise, it's really hard to build from scratch.
It also seems like you and the rest of the industry are thinking about the surface area of those questions in a broader way than anybody has before. I've never had company CEOs talk to me about work-life balance and burnout in the way that they are now.
Look at Harvard Business Review, which is saying three in four executives are thinking about employee experience right now, and that six in 10 employees are talking about burnout. It's become critical.
There are three main things. First, there's going to be a war for talent, and I think younger and younger talent, one of the criteria that they'll evaluate companies on is the experience that they'll have within that company. Where can they work? What tools do they have? Are these archaic tools, or are these tools that help me collaborate and interact with my employees the same way I do on Facebook or Instagram today?
The second is overall customer satisfaction. We know that happy employees equal happy customers. And then the third reason is basically revenue growth: With customer satisfaction comes faster revenue growth. So I think for CEOs, the pandemic really, really highlighted that. Suddenly when all of your employees have to work from home, and your physical storefront needs to physically change as well, all of that software, all of that technology comes into light. And you realize, boy, this is all connected, we really need to think through what this all looks like.
It's one thing to say, "We value this stuff, it's important," but especially with things like well-being and burnout, they're hard to measure and hard to build tools to fight against. It's easy to say, "How do we get people to work more hours?" It's hard to say, "How do I measure people's feelings?" So where are we on that front?
You're right, it is hard to measure well-being. I think the way a lot of companies used to do it is they used to have physical town halls. They would go and they would do a Q&A, and you could read the room of how your people are doing. You can also rely on, you know, manager to employee one-on-ones.
When everybody's suddenly very distributed, we need to rely more on technology to do that. So for well-being, for example, if we can bring in really proactive ways to go out and ask people how they're doing, not requiring them necessarily to go sign up for some new service and fill out a form, but we can just send them periodic reminders over email or over Slack eventually, and things like that. So just giving them, the HR teams and the CIO teams, literally just handing them the tools and saying, "Here's how you do it. We already have many of your employees on Salesforce, so you can just put this into place and you're off and running."
Salesforce has had a lot of this technology for a long time. Almost every product in our Work.com suite is based on some internal piece of technology that we built to run our own organization. The difference now is companies are suddenly showing up at our door saying, "Hey, you guys have been the customer company forever. What do you have on the employee side, because we're really concerned about this?" We know that this is important. We're seeing the stats, we're seeing it within our own organization. So yeah, we have attention now. They're showing up and asking us, and that's a good place to be.
How has your sense changed as far as what Work.com can and should be? We're in this messy middle period, where hybrid work is the thing but nobody quite knows what that means. How big should the purview of Salesforce in general and Work.com specifically be in this space?
I think the purview is very wide. You can get into real estate apps, you can get into IT service apps, you can get into HR service apps, you can go really, really broad. I think our strategy, as has been the strategy for Salesforce for 20 years on the customer experience side, is to really focus on the platform and the connectivity. That's really what we're learning: You cannot just go all in and say, "We are going to own 100% of the employee experience." But what we can do is connect it all together, and try to build an overall really coherent system, and then eventually connect that back into the customer experience side as well.
That's what's really changed for us: At the beginning of the pandemic, we noticed some things like, we can't hold town halls anymore; how do we know if our customers are good? A whole bunch of brands were suddenly showing up at our door going, "Hey, we use you for customer service, can we use you for IT service? We've suddenly got to requisition 20,000 more laptops to get our employees home that we didn't plan for." There were these tactical moments. And the main thing that's changed is now they're asking us to piece it all together. You know, how does an employee show up, open their laptop in the morning and start working seamlessly across all of these different systems?
It literally is the word "experience," right? Which can be a very broad word. But that's what they're asking us to think through: "What is the experience?" Not, "What are the individual applications that you're going to provide?"
What specific things are customers asking you for? Vaccine trackers seems top of mind for everybody. What else?
They want new ways to kind of enable their employees to collaborate with each other. We saw when everybody moved home, the way you hold meetings and things like that, you move into a much more asynchronous way of working. And so I think we're starting to see customers really gravitate towards that asynchronous way of working, and asking us for ways to bring that type of capability into both their employee experience, and their customer experience as well.
They're also asking us for a lot of automation. We're seeing a tremendous push towards automation. And this means automation that the employees themselves get to experience, like maybe interacting with a bot to get quick answers to their questions, but then downstream automation as well. When I need a new laptop, how can we go through automating the provisioning of that laptop all the way down through approvals, getting it from the inventory center and then getting it shipped out?
That requires not just the tools to provide those automations, which we've always had for customer experience, but also a rich inventory of those HR and service templates and workflows. And so that's an area that we've moved into, and we'll continue to scale out.
It sounds like part of what you're thinking about is how to give each employee more agency in how they operate within the organization, making things like IT and HR more self-serve instead of bureaucracies. Is that part of the transition here?
Not just self-serve, but digital. And that's often overlooked. A lot of these things, they either don't exist, or they do exist but in a physical space. You can even look at Salesforce: We have well-being rooms on every floor, kind of famously, right? And that's a good way to provide a capability or a service to employees to manage their well-being.
How do we make that digital? What's our answer to that? How can we replace some of the old, antiquated, very physical systems, or maybe just augment those physical spaces with more digital spaces?
It's kind of bound to what I said earlier, that the number one reason you should care is your talent. You'll have employees leave because they get frustrated with systems. And you'll have talent who decides not to come because of what they hear about the systems that you have in place. And so yeah, we need to care about it. And we need to recognize that folks that are coming out of college now, they've only ever known really great digital systems, and companies that have been really focused on consumer experience. That's what they're used to, and when they get to work and they don't find that? They'll go somewhere where they can.
It missed chances to be PayPal, Square and Stripe — so is this its chance to miss being Coinbase, too?
Owen Thomas is a senior editor at Protocol overseeing venture capital and financial technology coverage. He was previously business editor at the San Francisco Chronicle and before that editor-in-chief at ReadWrite, a technology news site. You're probably going to remind him that he was managing editor at Valleywag, Gawker Media's Silicon Valley gossip rag. He lives in San Francisco with his husband and Ramona the Love Terrier, whom you should follow on Instagram.
The news that Amazon was hiring a lead for a new digital currency and blockchain initiative sent the price of bitcoin soaring. But there's another way to look at the news that's less bullish on bitcoin and bearish on Amazon: 13 years after Satoshi Nakamoto's whitepaper appeared on the internet, Amazon is just discovering cryptocurrency?
That may be a bit unkind, but the truth is sometimes unkind. And the reality is that Amazon has a long history of stumbles and missed opportunities in payments, which goes back more than two decades to the company's purchase of internet payments startup Accept.com.
It's hard to remember how crude payments were in those days. Early Amazon employee Shel Kaphan recalled for Forbes how the website let customers who were afraid of inputting a full credit-card number online could phone or fax in the digits, which he or Jeff Bezos or another employee would match up with their order.
It worked well enough, but it wasn't designed for third-party sellers. Amazon had eBay in its sights, so it snapped up Accept.com for $175 million, even as eBay had been courting the startup. Amazon zShops launched a few months later. It was mostly a flop, but it laid the groundwork for Amazon's third-party seller marketplace.
The problem was that Accept.com got swept up into the bowels of Amazon's infrastructure. The service its founders had envisioned — pay anyone, for anything, anywhere online — fell by the wayside. Meanwhile, Elon Musk, Peter Thiel and Max Levchin were working on their payments startups, which would soon merge to become PayPal and leverage eBay's auctions to become the first real fintech giant. EBay bought PayPal in 2002 for $1.5 billion.
Amazon had plenty of its own payments problems to solve, like fraud. An Accept.com employee, Jaya Kolhatkar, took charge of that effort, and got Amazon's fraud rate down to a reasonable level. And its 1-Click payments was a genuine innovation. But all that payments wizardry — including the boost it got from Accept.com — remained captive inside Amazon for years. It wasn't until 2013 that Amazon created a "Pay With Amazon" button for non-Amazon storefronts — the innovation that catapulted PayPal to internet ubiquity in 1999. Amazon Pay is still struggling for market share.
The pattern repeated in mobile payments. Amazon bought technology and hired a team from GoPago, the maker of a point-of-sale system that was challenging Square's iPad-based system for space on cafe counters, in 2013. Blink and you may have missed Amazon Local Register, which launched in 2014 and shuttered a year later. Amazon's person-to-person payment system, WebPay, had almost as short a life.
In the business of back-end payments — the domain of Stripe and PayPal's Braintree — Amazon has also seen reversals. Kickstarter, a marquee customer for Amazon Payments, dropped it in 2015 in favor of Stripe after Amazon discontinued its Flexible Payments Service.
Amazon could have been PayPal, Square or Stripe. But its payments services didn't become any of those things. (An Amazon spokesperson did not respond to a request for comment on its payments efforts.)
Here's a counter-argument to all of this: Adding Accept.com to Amazon was a huge win, even if it never became PayPal, because Amazon now handles a gigantic volume of payments, and even slight improvements add up. Adding anything to Amazon makes it big, because Amazon is big.
That worked as Amazon went from books to music to electronics. But payments isn't a line of business: It's a complex, interconnected web of services that all have to work together, and it's crucial to other functions like security, customer support and marketing. One of the hardest things for Amazon is convincing other retailers that it won't screw them over, which is why Microsoft Azure and Google Cloud are actively wooing internet sellers, and why PayPal has thrived since it split off from eBay.
So now Amazon wants to hire someone to lead its crypto efforts. It sounds like a fun job, and a good way to learn a lot. Accept.com alumni have done well: Kolhatkar is now the executive vice president for data in Disney's direct-to-consumer business, and co-founders Erich Ringewald and Mark Britto are in top roles at PayPal. If the past is prologue, look for Amazon's crypto payments chief to be changing the world of commerce … somewhere else, after they leave.
Over the last year, financial institutions have experienced unprecedented demand from their customers for exposure to cryptocurrency, and we've seen an inflow of institutional dollars driving bitcoin and other cryptocurrencies to record prices. Some banks have already launched cryptocurrency programs, but many more are evaluating the market.
That's why we've created the Crypto Maturity Model: an iterative roadmap for cryptocurrency product rollout, enabling financial institutions to evaluate market opportunities while addressing compliance requirements.
The crypto maturity model
Level 1: Open for business
The first step for banks is to train staff so that they understand which cryptocurrency businesses their customers are most likely to interact with and the varying amounts of risk those businesses would introduce.
Crypto-friendly banks can also begin taking on cryptocurrency businesses as clients. Silvergate Bank became one of the first banks to work with cryptocurrency businesses in 2013 and, since then, has onboarded over 900 cryptocurrency businesses as clients. In 2018, the bank rolled out the Silvergate Exchange Network, which allows institutional investors to buy cryptocurrency assets from several different exchanges. The bank's stock price has risen over 1,500% in the last year as bitcoin and other crypto assets have rallied.
Financial institutions are also now able to offer many more products and services to cryptocurrency firms. We've recently seen banks like Citi, JPMorgan Chase and Goldman Sachs offer M&A services and advise on IPOs. Many cryptocurrency businesses now also need foreign exchange services and more robust global settlement mechanisms.
Banks can tap into a huge opportunity by taking on cryptocurrency businesses as clients, but only if they do it safely. Luckily, risk assessment in cryptocurrency is actually easier than in most other industries due to the inherent transparency of most blockchain-based assets. Unlike with fiat currency, most cryptocurrency transactions are recorded on a public ledger. That means that with the right tools, banks can monitor cryptocurrency businesses' transactions, ensuring every client they take on fits into their desired risk profile.
Banks can tap into a huge opportunity by taking on cryptocurrency businesses as clients, but only if they do it safely.
Level 2: Synthetic cryptocurrency products
Once a financial institution has become comfortable working with cryptocurrency businesses, it may want to help both retail and institutional customers get exposure to cryptocurrency markets. That doesn't mean they have to enable direct trading of cryptocurrency. Instead, they can offer synthetic, cryptocurrency-based investment products that allow customers to capture some of cryptocurrency's upside without setting up custody infrastructure.
Asset management firm BlackRock recently invested in bitcoin futures, a useful way to test the cryptocurrency market and attract potential clients interested in crypto assets. Firms like Grayscale Bitcoin Trust allow investors to trade shares the same way they would any other public asset.
Long considered a possible game changer in the industry, no cryptocurrency ETFs have received SEC approval yet, though Canadian investment firm Purpose Invest recently launched North America's first ever bitcoin ETF. And asset manager VanEck recently launched an alternative ETF that holds shares in cryptocurrency infrastructure providers like exchanges, miners and storage providers.
Level 3: Custodial services
Custodial services represent the biggest chasm for banks to cross in their cryptocurrency journey, and only a few traditional financial institutions have rolled out such offerings.
However, those that have begun work on cryptocurrency custodial services offer a helpful model for others. BNY Mellon announced plans to launch a custodial platform in partnership with Fireblocks, a cryptocurrency custodial services provider, and digital asset custody company Northern Trust and Standard Chartered Bank announced plans to partner on a similar solution called Zodia Custody. Asset manager Fidelity took a different approach, using its early start to build its own custodial platform from scratch.
So far, traditional financial institutions have mostly steered clear of offering custodial services for retail customers, but fintech platforms offer an example of how they might do so. Square launched its cryptocurrency custody solution in 2018 by building its own cryptocurrency custody platform called Subzero, allowing its customers to buy over $4.5 billion worth of cryptocurrency in 2020.
The key lesson: While Square and Fidelity show that it's possible to go it alone, many financial institutions are partnering with companies that already have deep cryptocurrency expertise to launch their custodial services. That allows them to test a radical new offering with fewer resources invested, while also drawing on outside cryptocurrency expertise.
Level 4: Beyond custody
Very few financial institutions have gone beyond custodial services in their adoption of cryptocurrency. Fidelity recently announced plans to provide institutional clients the ability to pledge bitcoin as collateral in DeFi-based loans in partnership with BlockFi.
Payments are another place traditional financial institutions can incorporate cryptocurrency. Visa recently partnered with BlockFi to roll out the first ever credit card to give customers bitcoin rewards on all purchases they make, and has a partnership with Crypto.com to release a debit card that allows customers to use their cryptocurrency holdings for purchases.
Cryptocurrency trading is the next service we expect to see mainstream financial institutions offer. Goldman Sachs has already made some cryptocurrency trading possible for institutional clients through its cryptocurrency trading desk. But with the success of exchanges like Coinbase, we expect financial institutions to offer these services to retail clients as well.
Good times ahead
With cryptocurrency becoming increasingly mainstream, banks are no longer viewing it as money for criminals or looking for ways to ban it. Instead, they're recognizing the ways it can help their customers while driving revenue and trying to incorporate it into their larger strategies.
Want to learn more about how funds move around the cryptocurrency ecosystem? Check out Chainalysis Market Intel for real-time metrics to inform investment decisions and improve your understanding of the industry landscape. Sign up for the Market Intel Report and get our latest data and analysis delivered straight to your inbox every week.
Under the new Google Enterprise APIs policy, the company is making a promise that its services will remain available and stable far into the future.
Tom Krazit ( @tomkrazit) is Protocol's enterprise editor, covering cloud computing and enterprise technology out of the Pacific Northwest. He has written and edited stories about the technology industry for almost two decades for publications such as IDG, CNET, paidContent, and GeekWire, and served as executive editor of Gigaom and Structure.
Google Cloud issued a promise Monday to current and potential customers that it's safe to build a business around its core technologies, another step in its transformation from an engineering playground to a true enterprise tech vendor.
Starting Monday, Google will designate a subset of APIs across the company as Google Enterprise APIs, including APIs from Google Cloud, Google Workspace and Google Maps. APIs selected for this category — which will include "a majority" of Google Cloud APIs according to Kripa Krishnan, vice president at Google Cloud — will be subject to strict guidelines regarding any changes that could affect customer software built around those APIs.
"It is built on the principle that no feature may be removed or changed in a way that is backwards incompatible for as long as customers are actively using it," Krishnan said. "If a deprecation or breaking change of an API is unavoidable, then we are saying that the burden is on us to make the experience as effortless and painless as possible to our customers."
The announcement is clear recognition of widespread feedback from Google Cloud customers and outright derision in several corners of the internet regarding Google's historic reputation for ending support for its APIs without sufficient notice or foresight. The canonical example was probably the company's decision to shutter Google Reader in 2013 with just a couple of months' notice, which led to a torrent of criticism that persists today.
But while it's one thing to discontinue free consumer-facing services like Reader that Google thinks aren't used widely enough to justify ongoing support, it's quite another to adopt that stance with paying business customers. Even if they're one of only a few customers using a particular service, cloud customers need to know that service will be available and stable far into the future.
"We're striving to leave no dead ends in our products and leave no customer behind, even if this adds significant costs to us," Krishnan said.
"It was pretty apparent to us from many sources on the internet that we were not doing well," she allowed.
Over the last several years, Google Cloud has been trying to shed a well-earned reputation as an engineering-driven organization that considered itself the foremost authority on web-scale infrastructure computing, regardless of what its customers actually wanted to do with its tools. That mindset — bordering on arrogance — really stood out against competitors like AWS, which won the trust of developers and CIOs with its early commitment to cloud customers, and Microsoft, which has nurtured business relationships with nearly every company on the planet over the last several decades.
This mentality began to change in early 2019 after CEO Thomas Kurian was brought in from Oracle to teach Google Cloud how to be an enterprise tech vendor. Kurian hired legions of enterprise salespeople to develop closer relationships with cloud buyers, and also began to steer Google Cloud's product-development culture into a more humble posture.
"Pride is a trap for the unwary, and it has ensnared many a Google team into thinking that their decisions are always right, and that correctness (by some vague fuzzy definition) is more important than customer focus," wrote Steve Yegge, a former software engineer at both Google and Amazon, in an epic post last August excoriating Google's approach to supporting its tools.
Google Cloud has heard that feedback loud and clear, Krishnan said.
"It was not that we didn't have [a deprecation] policy before, it just didn't work for us at scale. It worked much better when you were small, and you have contained customer units or users that you interact with daily," she said. "It absolutely did not work at the scale of cloud, so we had to rethink it."
Under the new Google Enterprise API policy, the company is promising that it won't kill or alter APIs that are being "actively used" by its customers, although it's not exactly clear how "active use" is defined. Should Google decide it needs to deprecate or make a change that will force customers to make substantial alterations to their own software, it will give at least one year's notice of the impending change.
Safe for business
The new program should remove some objections that cloud buyers might have had about Google, but the frequency at which Google makes changes to its APIs under this program will be scrutinized against similar decisions at AWS and Microsoft. Industry watchers believe the two leading cloud providers have made far fewer changes to their services over the past several years compared to Google.
Cloud infrastructure computing is in the late-majority phase of the adoption cycle, and the companies that frantically purchased cloud services amid the pandemic last year are companies that tend to be more risk averse than cloud early adopters. The new API policy will also give current Google Cloud customers a little more assurance that they won't have to repeat all the work it took to move to the cloud a few years down the road if Google decided it no longer wanted to support a service that was critically important to their business.
"These tenets are a much deeper construct that really strikes at the root of how we do work in Google Cloud," Krishnan said. "It's really a shift in the mindset of the organization as we pivot more and more towards doing right by our customers."
More details on the Google Enterprise API policy are available here.
The news sparked a rally in the values of bitcoin and other cryptocurrencies.
Benjamin Pimentel ( @benpimentel) covers fintech from San Francisco. He has reported on many of the biggest tech stories over the past 20 years for the San Francisco Chronicle, Dow Jones MarketWatch and Business Insider, from the dot-com crash, the rise of cloud computing, social networking and AI to the impact of the Great Recession and the COVID crisis on Silicon Valley and beyond. He can be reached at firstname.lastname@example.org or via Signal at (510)731-8429.
Amazon is looking to hire a digital currency and blockchain expert suggesting a plan to let customers accept cryptocurrencies as payments.
The tech giant's job opening says Amazon is looking for "an experienced product leader" to help develop the company's "digital currency and blockchain strategy and roadmap" Amazon is looking for product leader with expertise in blockchain, distributed ledger, central bank digital currencies and cryptocurrency.
The news sparked a rally in the values of bitcoin and other cryptocurrencies. Bitcoin and Dogecoin were up about 12% late Monday morning, while Ether was up 10%, according to CoinMarketCap.
The Global Internet Forum to Counter Terrorism announced a series of narrow steps it's taking that underscore just how fraught the job of classifying terror online really is.
Issie Lapowsky ( @issielapowsky) is Protocol's chief correspondent, covering the intersection of technology, politics, and national affairs. She also oversees Protocol's fellowship program. Previously, she was a senior writer at Wired, where she covered the 2016 election and the Facebook beat in its aftermath. Prior to that, Issie worked as a staff writer for Inc. magazine, writing about small business and entrepreneurship. She has also worked as an on-air contributor for CBS News and taught a graduate-level course at New York University's Center for Publishing on how tech giants have affected publishing.
A little over a month after the Jan. 6 riot, the tech industry's leading anti-terrorism alliance — a group founded by Facebook, YouTube, Microsoft and Twitter — announced it was seeking ideas for how it could expand its definition of terrorism, which had for years been more or less synonymous with Islamic terrorism. The group, called the Global Internet Forum to Counter Terrorism or GIFCT, had been considering such a shift for at least a year, but the rising threat of domestic extremism, punctuated by the Capitol uprising, made it all the more clear something needed to change.
But after months of interviewing member companies, months of considering academic proposals and months spent mulling the impact of tech platforms on this and other violent events around the world, the group's policies have barely budged. On Monday, in a 177-page report, GIFCT released the first details of its plan, and, well, a radical rethinking of online extremism it is not. Instead, the report lays out a series of narrow steps that underscore just how fraught the job of classifying terror online really is.
Since it was founded in 2017, GIFCT has operated a database that includes known terrorist images and videos, hashed in such a way that member companies can automatically prohibit their users from sharing them. But that database has almost exclusively included content related to terrorist organizations like ISIS and al-Qaeda that have been formally designated as such by the United Nations, creating a massive blind spot for almost all non-Islamic extremism.
Now, GIFCT says it is expanding that database to also include a small, albeit broader, subset of content. That includes hashed PDFs of violent extremist and terrorist manifestos, hashed PDFs of branded terrorist publications and hashed URLs related to terrorist content, which are already being collected by the group Tech Against Terrorism.
Far from a total rewrite of the rules, these changes are admittedly limited, said Erin Saltman, GIFCT's director of programming. "This is incremental, so it can continue to expand from here," Saltman said. "But we also need to expand in ways that we can be transparent, and define it in a way that tech companies can apply it."
Before joining GIFCT, Saltman worked as Facebook's head of counterterrorism and dangerous organizations policy for Europe, the Middle East and Africa. She left the company in January, the same week as the Capitol riot. One month later, GIFCT announced this expansion effort.
Saltman spoke with Protocol about how GIFCT members responded to the group's call to action, what these modest changes can accomplish, and what they can't.
This interview has been lightly edited and condensed.
When I heard that GIFCT was expanding its hashed database, particularly so soon after the Jan. 6 riot, I sort of expected you all to come back with a big list of new additions, including a lot of the extremist organizations and ideologies that have already been banned by big platforms but still aren't recognized by GIFCT. I'm thinking groups like the Oath Keepers or the Boogaloo Bois. Was that naive on my part, or did you also expect there would be a broader set of reforms at the end of this period?
I think that we went in pretty open-minded to ways we could approach expansion, but it had to be first and foremost based off the feedback from our tech company members, because you could say, "I'm going to expand to this," and then if no members actually utilize it, all that hard work, tech and taxonomy that you put towards it means nothing.
Secondly, we really needed multi-stakeholder feedback, because there are polarizing voices in this space. On the one hand, it is very easy to look at the current taxonomy and say, "Having a list-based approach focused on the U.N. has government bias, and it has Islamist extremist terrorist bias." On the other end of the spectrum, you have human rights and civil society activists saying, "Whoa, there is no agreed-upon definition of other forms of terrorism and violent extremism. We do not trust tech to define it, nor do we trust them not to over-censor in this space." There is what lots of people call "lawful, but awful" content out there.
This is not the goal of GIFCT, so we had to navigate those pillars quite heavily. We could do a lot, but it needs to be of utility. You can take two different approaches: You can either lean into list-based approaches — the U.N. list or, to your point, GIFCT could be a list master in and of itself — or you lean into behavior-based approaches. We wanted to expand, seeing where it could be more list-based and where it could be more behavior-based.
You mentioned Oath Keepers and Boogaloo, and gosh, Boogaloo, where do you put it on a spectrum? You could say it's been tied to real-world violence, but some of the Boogaloo movement is ideologically aligned with Black Lives Matter and some of the Boogaloo movement aligns very much with white supremacy and white-power groups. So without that hate-based ideological core, similar to QAnon, some of these groups are very hard to define, and have very loose membership and affiliation structures.
But how important is it to define their ideology as long as you are defining the threat of violence?
Violence and incitement is very broad. GIFCT also wants to ensure we're not going into too much scope creep territory. There are groups where maybe they are extreme and the fringe part of those groups are violent, and it's a big question as to whether or not the violence is core to the group. There are a lot of groups that have violence attached. So there's a lot of concern of over-censorship, especially when there are such close ties to politics. America has the highest free-speech values of any country I can think of.
But if there's an attack, and there's a manifesto tied to any one of those groups, that would go in [the database]. If they have branded content that has violence and incitement associated, and we see xenophobic tropes attached, that's all going in. But it would be hard to say Boogaloo as a whole is a terrorist group or a violent extremist group. You'd get a lot of pushback from that.
You mentioned the need to get buy-in from these tech companies because utilizing GIFCT's database is voluntary, and if you don't have buy-in, then nobody's going to implement whatever you guys come up with. When you were talking to these companies, how much appetite was there among them to have GIFCT broaden its approach and come up with a new set of rules, or are they sort of content to write their own rules?
There's no homogenous internet, so when we say, "the internet" or "platforms," there's a huge amount of diversity. We still want companies to maintain their own terms of service, their own policies and practices. Their visibility of what bad actors look like and feel like on their platforms is going to be very different. It looks very different if I talked to some of our end-to-end encrypted platforms. They have metadata signals. They have some content, if you look at profile pictures or group pictures, but they do not have the content of chats. So that's one side of the spectrum, versus some of our bigger social media platforms that are meant to be public, meant to be loudspeakers, if you will.
Also, lots of our platforms increasingly aren't about user-generated content. So, emails are not explicitly MailChimp user-generated content. Airbnb is not user-generated content focused, so what this looks like to them will look different.
This is part of the reason we went towards hashing URLs, because you might not post content, but people share content that's hosted on third-party platforms quite often. You don't have that source of content, so if you can surface [the URL] as a known signal, it leads you to review and say: "Hey, maybe this is something I need to look more closely at."
But we want to really maintain that this is not a cartel. Everyone has their independent policies and practices, some have more human resources than others. And so what we need to do is constantly have frameworks where they can plug and play in a way that works best for them.
But was there any overt opposition to expanding?
There was no opposition to the concept of expansion, but there's definitely a lot of concern for tech companies that if we expand, they want to make sure they can actually apply what we're expanding to.
In your paper, you said GIFCT needs to consider the size, the manpower, the expertise of its member companies. My understanding of GIFCT has been that it is this entity that combines the expertise of the industry and hashes the content so that then you make that sophistication available to all of the companies in the group. So why would the smallness of any of your members stand in the way of you giving them more to work with?
Giving them more to work with means a couple different things. Giving them more could mean more types of content that we hash, or giving them more could mean different types of technology for them to integrate with. That can be overwhelming, especially the latter. Part of this is about taking hashing as a concept, which is traditionally just focused on images and videos, and realizing that when we look at how the threat is manifesting, we need to go beyond just our lens of image and video. So we've asked about some training for the companies, so that when we give them this bright shiny new thing, they know what to do with it and they feel comfortable with it.
We are going to have to think through: What's the next phase? Are we looking at things like logo detection? Are we looking at better ways to share language translation and language processing? Especially for smaller companies, a lot of the content is not necessarily in English or the one or two languages they do have covered.
I could understand how the technical integration might be challenging, but behind that tool is the definition of the content that you're going to hash. So I guess I'm not totally grasping why the definitional part of it is tougher for a small company.
I think a lot of tech platforms, especially when they are smaller, lean in on what is illegal content. Nation-states everywhere in the world have similar or slightly varying definitions, and they also hold lists. So a company knows: When I take this down, I have the legal backing from a government entity for why this is terrorism and this should be removed.
As soon as you go above and beyond that — and some of the bigger companies have — that is a big task, and a lot of smaller companies don't feel comfortable. One of the immediate things that ends up happening is a question of: Are you over-censoring? So that's why, when we're incrementally building out, we're tying it to overt real-world harm, overt ways that violent extremism manifests. That's not wishy-washy.
So it's more of a comfort-level thing than an ability thing.
We see companies criticized all the time for over-censorship and political bias, even if they say "this was pure hate speech" or "this was purely against our policies." Especially smaller companies maybe don't have the money towards legal fees if they get sued, or don't have the in-house expertise.
When I joined Facebook I was the second hire on the dangerous organizations policy team. That took a big company quite a long time. So if you're a company of 50, your 51st or 100th or even 1,000th hire is usually not a counterterrorism expert. So there's also that discomfort of, if we don't know exactly what we're talking about in-house, we are going to need a big amount of help.
It could be the case in the future that GIFCT decides to be a list-maker, in and of itself, but we would need more staff for that. There are a lot of things to think about, although that would be exciting.
So getting to the actual substance of what you're adding to the database: manifestos, hashed URLs, branded terrorist publications. I think a lot of people would probably be shocked to find out that that's not already part of the database. So, having worked at Facebook, can you give a sense of how widespread that specific type of content was, or how helpful this expansion is going to be to addressing the overall problem with violent extremism online, which obviously extends far beyond manifestos and official publications?
The URLs are a really interesting one. We have tested URL-sharing before. URLs are inherently tied to personally-identifiable information. We're very wary of sharing private data. But when you hash something, it can act as a signal.
The bad content is usually not hosted on Facebook or Twitter. It is shared via a URL, and you are not psychic as a tech company. You do not inherently know what that URL links to. A lot of moderation teams are told to avoid click-throughs, because you don't know if malware is attached, and you don't have the time and scale to monitor third-party platforms. So by hashing URLs, we're giving them a wider net. That's a big deal, especially for the less-social media sites, or even things like comments. You might have benign pictures in a post, and then all of a sudden, it's the comments underneath it that leads you down a rabbit hole and are sharing URLs that lead you off-platform.
As for the more controversial or illegal content on manifestos, this is very much getting at the pointy edge of the subcultures. It is increasingly trendy for certain attackers to release lengthy manifestos just before carrying out an attack. There are huge issues around those going viral within supportive subcultures, and they are coveted by certain groups and pointed to and referenced. The Christchurch attacker, his manifesto was referenced elsewhere by individuals that then went and carried out violence. So we know manifestos are a problem. It also, a lot of times, get us to the white supremacy and neo-Nazi groups. So if you're using that as a signal, it often leads you to, who is posting that?
And then branded content: We can start with a U.N. list, but Siege and other forms of neo-Nazi zines are very much in the subcultures online, and that's something that we can work with experts and researchers on to add and incorporate in a public way to this database.
So it might not be about the fringy "lawful, but awful" content. But it really homes in on how these core members of violent extremist groups manifest and share online.
Do you think that these changes get us any further from the bias that you guys write about toward Islamic terrorism that has dominated this field and certainly dominated the database for a while? Do these changes equalize it, or not quite?
I don't think it'll really be called equal. It gets us out of a list-based approach, in some respects, and looks at the behavior. And I think that's important. Government definitions of terrorism in theory are agnostic to any one religion or ideology. It's about the violence. It's about the target and the motive. And yet, the lists don't manifest that way. The lists are quite biased. And that's not just the U.S., that's all over the world. So this allows us to take a more holistic and behavior-based approach.
In all these different academic proposals that you guys collected, one that I thought was interesting was the idea that GIFCT should use its convening power to try to get member companies to standardize their terms of service and create some kind of unified list. The researchers basically said, "We don't propose this lightly." It would definitely cause some reputational and legal and security risks, but the other risks are greater. So I wonder what you think about that idea.
That's something for us to consider in the long term, for sure, but again, it can't be done without the right staffing and due diligence behind the scenes.
I think that there's a big difference between having standardized terms of service versus having GIFCT hold a list that goes above and beyond government lists. Standardized terms of service is like asking governments to have a formal approved definition of terrorism. One reason the United Nations does not have an agreed-upon definition of terrorism is because governments couldn't decide whether or not a government could be a terrorist entity. So even at the U.N. level, you could not have an agreed-upon definition of terrorism, although they do still have frameworks and designation lists. We're seeing companies being held to the same standard or above, being asked to go above and beyond what governments are able to do, which makes companies a little wary to be that powerful gatekeeper.
I think the list-based approach is something that we need to consider, but it has to be done in a way that is definable, scaleable and explainable. We can't just say: "Oh, we're expanding this just because of trends in the U.S. or trends in a couple Western countries."
That means there's a lot of consideration behind the scenes, there's some weird groups out there. I highly recommend looking at the Mongolian Nazi Party green movement. It's a strange one. The founder owns a lingerie shop. It's weird. So when you do open that door, you need to not have geographic biases when we're meant to be a global entity.
One of the things you wrote that was interesting was that the rise of live audio platforms was going to make a lot of this harder. Facebook is just coming out with one. Twitter is, too. Obviously, there's Clubhouse. Do you think it's irresponsible for these companies to be forging ahead with this technology, knowing what they know about how other mediums have been abused? I mean, it's all well and good for Mark Zuckerberg to say, "I'd never expected this to happen when I started Facebook," but now you know what's going to happen. So is this irresponsible?
My job has always been to work with tech companies when they say, "We created this bright, shiny new thing," and my job has always been to say: "Here's 101 ways that that's going to be used horribly." And that does not mean it shouldn't be done. It really depends on what you think you're solving for and if you have a safety-by-design approach. Everything could be misappropriated or re-appropriated for bad. And if you're always solving for that low-prevalence, high-risk, we would have zero innovation.
Your last week at Facebook was the week of the Jan. 6 riot. That was a real turning point in how people in the U.S. at least were talking about and understanding the amount that had been done to thwart domestic extremism versus foreign extremism, and obviously there's been tons of attention in the court cases around what the platforms missed and what the FBI missed. So from your perspective at Facebook, where did the companies' defenses fall short? Where were the biggest blind spots, and do you think any of these changes will do anything to address those shortcomings?
There is an interesting nexus between what we call terrorism and violent extremism versus what we start calling inauthentic coordinated behavior or purely violence and incitement. So you see this overlap diagram of different harm types coming to the fold. Sometimes it's not as much about being able to clearly say, "This is a violent extremist group," as saying, "OK, we're now seeing violence and incitement in language and in certain chat threads, and that's a different type of risk."
Government [calls] it "left of boom." It's very hard for governments to accurately get at entities "left of boom" before there is real-world violence. Just like Charlottesville, on Jan. 6, there was a huge push to do more. Before that, there's usually a huge push to do less, and criticism of over-censorship and going above and beyond [the] government.
Most governments are not good at designating domestic entities, that's not just the U.S. And so tech companies are still kind of saying: "OK, well for the individuals that carried out violence, am I focused on the violent individuals, or am I taking a group stance which goes way above and beyond what the government is willing to do?" And that still remains an issue, but there are turning points.
I think a lot changed after the Christchurch attacks. Before that, I think a lot changed with Anders Behring [Breivik] and the Norway attacks, of which we have the anniversary right now. When I was tracking the Norway attacks, before they knew who the attacker was, all the headlines globally said: "Norway's 9/11," "Al Qaeda attack in Norway," and assumed terrorism. As soon as they realized it was a white individual, not linked to Islamist extremist terrorism, all the language changed to "lone gunman," and very few outlets called it terrorism.
It was terrorism. So we also, globally, have an issue of typecasting what it is to be a terrorist. And that is not just a tech company issue. That's something that society needs to come to terms with. We're much better at labeling terrorism when it is an othering process. It's difficult to label terrorism when it is us.