Hot Topics
Analytics & Intelligence Application Security CISO Suite Cloud Security Cyberlaw Cybersecurity Data Security DevOps Featured Governance, Risk & Compliance Identity & Access Incident Response Mobile Security News Security Awareness Security Boulevard (Original) Social Engineering Spotlight Threat Intelligence Threats & Breaches Vulnerabilities 

Stalkers: ‘Ugly Truth’ of Facebook Staff Abusing Private Data

by Richi Jennings on July 16, 2021

A new book exposes yet another Facebook failure for the social media firm to apologize for. Engineers have been abusing their free access to all users’ data—including data that’s been “deleted.”

Some were found to be physically stalking their targets. It’s assumed many others weren’t even discovered. And it’s Zuckerberg’s personal responsibility—he designed the system, we’re told.

But nothing’s going to change. Zuck’s PR droid gave a vapid statement making this fact completely clear.

#DeleteFacebook. In today’s SB Blogwatch, we wonder what it will take.

Your humble blogwatcher curated these bloggy bits for your entertainment. Not to mention: This happened when ABK was 10.

The Eye of Zuckon

What’s the craic? Sarah Jackson reports—“A Facebook engineer abused access to user data to track down a woman”:

More than 16,000 employees
The company fired 52 employees over exploiting user data for personal means, said an advance copy of “An Ugly Truth: Inside Facebook’s Battle for Domination.” … The engineer, who is unnamed, tapped into the data to “confront” a woman. … He was able to figure out her location.

Another Facebook engineer used his employee access to dig up information on a woman with whom he had gone on a date after she stopped responding to his messages. … He had access to “years of private conversations … events attended, photographs uploaded (including those she had deleted), and posts.” … The engineer was also able to see her location in real time … the book said.

Sheera Frenkel and Cecilia Kang, the book’s authors … added that most of the employees who abused their employee privileges … only looked up information. … Most of the engineers who took advantage … were “men who looked up the Facebook profiles of women they were interested in,” the book said.

Alex Stamos, Facebook’s chief security officer … in September 2015 … said engineers had abused the access “nearly every month,” the book said. … At the time, more than 16,000 employees had access to users’ private data. … But changes that would limit data retention were “antithetical to Mark’s DNA,” one employee told the book’s authors.

Facebook [said] it fired employees found to have accessed user data for nonbusiness purposes: “We’ve always had zero tolerance for abuse and have fired every single employee ever found to be improperly accessing data.”

But how did that happen? Sheera Frenkel and Cecilia Kang tease their tome thuswise—“How Facebook’s engineers spied on women”:

Hundreds moreBook cover: An Ugly Truth by Sheera Frenkel and Cecilia Kang
It was late at night, hours after his colleagues at Menlo Park had left the office, when the Facebook engineer felt pulled back to his laptop. … He knew that with just a few taps at his keyboard, he could access the Facebook profile of a woman he had gone on a date with a few days ago. … She had stopped answering his messages 24 hours after they parted ways. All he wanted to do was peek at … Facebook’s internal systems … to satisfy his curiosity [and] explain why she was not interested in a second date.

Facebook’s managers stressed to their employees that anyone discovered taking advantage of their access to data … would be immediately fired. But the managers also knew there were no safeguards in place. … It was a system that [Zuckerberg] himself had designed and implemented. Over the years, his employees had suggested alternative ways of structuring data retention, to no avail.

Most [of the] 52 Facebook employees fired for exploiting their access … did little more than look up users’ information. But a few took it much further. One engineer … accessed a woman’s Facebook page before they had even gone on a first date. He saw that she regularly visited Dolores Park in San Francisco, and he found her there one day, enjoying the sun with her friends.

Stamos had a reputation for blunt speech and high standards. … Engineers had exploited the tools designed to give them easy access to data for building new products, to violate the privacy of Facebook users and infiltrate their lives. [He said] Facebook was doing nothing to solve or prevent what was clearly a systemic problem. [The 52] employees were the ones who were found out after the fact. … Hundreds more may have slipped under the radar, he warned.

Whoa. Benjamin Din, Emily Birnbaum, Pieter Haeck, John Hendel and/or Mark Scott tag-team to tell—“Inside Facebook”:

Quick to fire back
Haven’t read “An Ugly Truth” yet? … Sheera Frenkel and Cecilia Kang’s much-publicized book … hit stores Tuesday, and its details on Facebook’s rise to dominance contain plenty of grist for lawmakers already eager for a tech crackdown.

It was clear from the book’s title that it wouldn’t offer a flattering portrayal of Facebook, which was quick to fire back: “[This] is not only a rehash of history but relies on anecdotes supplied by mostly unnamed critics,” spokesperson Dani Lever said in a statement. “The authors purposefully left out the perspective of the top executives we made available.” (In the prologue, the reporters wrote that neither Zuckerberg nor Sandberg was willing to participate.)

To which the reaction is mostly along the lines of u/worthyjonsnow’s:

Holy **** what?

ikr. It’s surely illegal? Yes and no, thinks ytene:

Pretty serious
Facebook could become a Criminal Accessory. Not, perhaps, in the United States (yet), but in other parts of the world from which Facebook accepts users, such as the UK.

It is possible that such actions could be breaches of … The Protection from Harassment Act (1997), or the Malicious Communications Act (1988), or the Communications Act (2003), or the Computer Misuse Act (1990), or the Obscene Publications Act (1959), or possibly even the Public Order Act (1986).

If Facebook were to discover … they had an employee in the UK who was using their infrastructure to follow, monitor or harass any other citizen, then Facebook should have had the matter investigated. … If, however, Facebook were to have discovered multiple employees performing similar actions and Facebook have not brought the police in to the matter, then Facebook could very well be a de facto accessory to criminal actions.

Evidence may now show that Facebook have been aware of criminal use of their platforms and have failed to report the criminal acts to the proper authorities. Which would make Facebook an accessory to all of those criminal actions.

Facebook’s legal exposure could, could get real interesting, real quick. … The consequences might be pretty serious. I hope.

Wait. Pause. Why are we worrying about something that happened six years ago? Because it’s probably still happening, thinks geofft:

Entirely justified
Facebook intentionally makes user data accessible to many thousands of employees and relies on measures to audit for inappropriate access after the fact. The concern is not about whether people should get fired or be told it’s a fireable offense … the concern is that the data is so easily available in the first place.

That seems still true: If Facebook has to warn employees against inappropriate access, it means the technical possibility of inappropriate access remains. It seems entirely possible to design systems in a way where access to production data requires live signoff by another employee, etc., and certainly isn’t granted to thousands of employees as a matter of course.

Fifty-two people is a lot! … At my finance employer, insider trading is very much against the rules [and] if we fired 52 people in a year-ish for insider trading, I think you would be entirely justified in asking questions even though they were getting fired. So I think this is entirely reasonable reporting.

Facebook will never change. That’s the feeling of Chuck Hamlin and apoc.famine, who bring you, “Your obligatory reminder”:

dumb ****s
Zuckerberg created it to rate college women.

Zuck: yea so if you ever need info about anyone at harvard
Zuck: just ask
Zuck: i have over 4000 emails, pictures, addresses, sns
Friend: what!? how’d you manage that one?
Zuck: people just submitted it
Zuck: i don’t know why
Zuck: they “trust me”
Zuck: dumb ****s.

tl;dr? Here’s u/RevolutionaryLab3057:

Unchecked capitalism + incel nerds = Facebook empire.

Meanwhile, it’s a business-model failure, thinks jebrick:

If the engineers would have just paid for the data like any customer, all would have been forgiven.

And Finally:

Challenging gender norms

Previously in And Finally

You have been reading SB Blogwatch by Richi Jennings. Richi curates the best bloggy bits, finest forums, and weirdest websites … so you don’t have to. Hate mail may be directed to @RiCHi or [email protected]. Ask your doctor before reading. Your mileage may vary. E&OE. 30.

Image sauce: Harper

Recent Articles By Author
More from Richi Jennings
Richi Jennings , , , , , ,

Richi Jennings

Richi Jennings is a foolish independent industry analyst, editor, and content strategist. A former developer and marketer, he’s also written or edited for Computerworld, Microsoft, Cisco, Micro Focus, HashiCorp, Ferris Research, Osterman Research, Orthogonal Thinking, Native Trust, Elgan Media, Petri, Cyren, Agari, Webroot, HP, HPE, NetApp on Forbes and CIO.com. Bizarrely, his ridiculous work has even won awards from the American Society of Business Publication Editors, ABM/Jesse H. Neal, and B2B Magazine.

richi has 605 posts and counting.See all posts by richi

Secure Guardrails