On Tuesday, Facebook fired an employee who had allegedly used their privileged data access to stalk women online. Now, multiple former Facebook employees and people familiar with the company describe to Motherboard parts of the social media giant’s data access policies. This includes how those in the security team, which the fired employee was allegedly a part of, have less oversight on their access than others.
The news emphasizes something that typical users may forget when scrolling through a Silicon Valley company’s service or site: although safeguards against abuse may be in place, there are people who have the power to see information you believe to be private, and sometimes they may look at that data.
Motherboard granted the sources in this story anonymity to speak more candidly about Facebook’s policies and procedures. One source specifically mentioned Facebook’s strict non-disclosure agreement.
One former Facebook worker said when they joined the company multiple people had been terminated for abusing access to user data, including for stalking exes.
Another former Facebook employee said that they know of three cases where people were fired because they mishandled data, one of which included stalking. Typically, these incidents are not publicly reported.
As with many other businesses, data access is distributed depending on an employee’s role in a company. One source familiar with Facebook employees’ data access told Motherboard that different teams have varying levels of access, and that they can request additional access if required. The person added that the security team is more trusted than other departments, and abuse there is more difficult to detect. The employee Facebook recently fired for allegedly stalking women was a security engineer, according to Jackie Stokes, founder of Spyglass Security, who originally flagged the case earlier this week. Engineers are trained specifically on data access policies when they join the company, according to Facebook.
Several sources did not specify the sort of data that different types of Facebook employees could access (such as whether certain Facebook employees can read private messages or "friends only" wall posts). But in 2015, a Finnish music producer and DJ visited Facebook’s L.A. campus and watched as an engineer accessed his Facebook account without a password. In March, a Facebook employee told The Guardian, “When you first get to Facebook you are shocked at the level of transparency. You are trusted with a lot of stuff you don’t need access to.”
It’s not only full-time staff who can access some non-public user data. Although certainly not the most sensitive data potentially available to workers, a former contractor explained to Motherboard how they were able to see which users were the administrators of Facebook Pages. While employed by Facebook, the contractor showed Motherboard he could access this data seemingly for any page by providing non-public data for several test pages Motherboard controlled.
Facebook data is not a free-for-all though, with employees just able to grab whatever they desire without consequence, according to one of the former employees. When accessing non-public information about a particular user—including a log of a user’s activity—the former employee faced a pop-up asking if they were authorised to view the data and whether they were using the tool for work purposes. The source emphasized that their access was nothing special for a Facebook employee at that time. When a worker attempts to access sensitive data, they see a warning that reminds the worker of Facebook's policies, and which requires them to confirm they need the requested access, according to Facebook. The social network also has automated systems in place designed to detect and prevent any abuse, Facebook said.
“They make it very clear to you: if you go one step too far, you’ll have big problems,” the former employee told Motherboard. Multiple sources praised the security mechanisms in place.
In a statement provided to Motherboard Tuesday, Alex Stamos, Facebook’s chief information security officer, said, “Employees who abuse these controls will be fired.”
“It’s important that people’s information is kept secure and private when they use Facebook. It’s why we have strict policy controls and technical restrictions so employees only access the data they need to do their jobs—for example to fix bugs, manage customer support issues or respond to valid legal requests,” Stamos said.
Facebook declined to answer a list of specific questions on how many or what percentage of employees have access to sensitive user data.
Update: This piece has been updated to include additional information from Facebook.