By Deepa Seetharaman 

A small group of Facebook Inc. employees have permission to access users' profiles without the users finding out.

Yet the company's employees get protection from such internal snooping into their Facebook accounts.

When colleagues access their personal profiles, Facebook employees are notified through what is often referred to within the company as a "Sauron alert" -- a reference to the all-seeing eye in The Lord of the Rings trilogy, people familiar with the matter say.

Similar protections don't exist for Facebook's two billion-plus monthly users who don't work for the company, the people said.

The dual standard for employees versus regular users is a window on Facebook's struggle over how much to disclose to users about how their data is handled -- an issue Facebook has recently tried to address with a raft of changes to the platform.

A Facebook spokesman said the company has had discussions about issuing these types of alerts to all users. "In thinking about how we could do something similar for everyone, there are a number of important considerations that come into play -- for example, how we can avoid tipping off bad actors or hindering our work to prevent real world harm in cases of abuse or other sensitive situations," the spokesman added.

The system can be abused: Earlier this week, Facebook fired a security engineer who had bragged to a woman he met on a dating app about his access to private user information, according to a person familiar with the matter.

"Employees who abuse these controls will be fired," Chief Security Officer Alex Stamos said of this week's incident.

Facebook alerts users if they've been hacked by outsiders but doesn't inform them about employees' access. "Anyone can get alerts about unrecognized logins from other users and check for suspicious activity," the Facebook spokesman said.

The ability to log into Facebook as a user without needing that person's password is limited to a small group of security personnel and other employees. Their actions are closely monitored, current and former employees say.

The privilege entitles these personnel to view information that users typically consider private, such as pictures and posts they have shared only with friends, or unencrypted private messages, one of the people said.

Employees with such permission can access others' accounts to diagnose technical errors, test new features or investigate possible criminal behavior in response to a legal request, according to Facebook officials and former employees.

When using the internal software, Facebook employees must give a legitimate reason for accessing the profile; the explanations are read by managers later. It is considered best to have written permission, former employees said.

Multiple Facebook employees have been fired for improperly accessing user profiles over the years, according to former employees. Unauthorized access of others' profiles, even if the spouse or minor child of an employee, is a fireable offense, one of the people said.

Employees, though, are always notified when Facebook engineers access their accounts, even when the company is investigating a possible crime or wrongdoing, the person said.

The internal alert system was created because Facebook engineers were routinely testing future products or fixing technical issues using employee profiles, the person said. The official name of the tool was changed in 2015 to "Security Watchdog," but the Sauron name is still widely used, the person added.

The Sauron notification for Facebook employees has been available for years, the people familiar with the matter said. Employees typically get an email or a notice to their Facebook account. Once notified, employees can often uncover the reasons for that access through an internal bug report or by flagging it to Facebook's security team.

Lawmakers, Facebook users and others have voiced concern about the company's sometimes lax policies for controlling the vast stores of information it collects on people.

Partly in response to those concerns, Facebook has provided users with more information about the kind of data it tracks as well as more options to remove that data. It redesigned its app and tried to make it simpler for users to examine and change some of the data Facebook tracks. This week, Chief Executive Mark Zuckerberg announced that the company would provide a way for users to see and delete web activity that Facebook tracked.

But there remains a large gulf between what Facebook knows about its users and what many of them understand about the company's capabilities.

Three years ago, Paavo Siljamäki, a director at the record label Anjunabeats and part of the dance music group Above & Beyond, said in a Facebook post that an engineer for Facebook had accessed his account during his visit to the company's Los Angeles office. Mr. Siljamäki said he had given his permission, but not his login credentials.

"A Facebook engineer can then log in directly as me on Facebook seeing all my private content without asking me for the password," Mr. Siljamäki wrote. "Just made me wonder how many of Facebook's staff have this kind of 'master' access to anyone's account?"

At the time, Facebook responded by explaining the controls were in place to prevent abuse. Mr. Siljamäki didn't respond to a request for comment this week.

The latest incident in which the Facebook employee was fired was surfaced publicly in a tweet Sunday by security consultant Jackie Stokes that included a photo of what appeared to be a text exchange between the woman from the dating site and the engineer.

The engineer told her his job involved tracking hackers and finding their identities, according to an apparent transcript of the conversation posted on Twitter by Ms. Stokes.

Ms. Stokes said in an interview that the woman told her, "I'm terrified. I think he has things on me."

The woman, asked via Ms. Stokes, declined to be interviewed.

After Ms. Stokes's tweets, Facebook employees including Mr. Stamos contacted her about the episode.

--Robert McMillan contributed to this article.

Write to Deepa Seetharaman at Deepa.Seetharaman@wsj.com

 

(END) Dow Jones Newswires

May 03, 2018 17:59 ET (21:59 GMT)

Copyright (c) 2018 Dow Jones & Company, Inc.