A Facebook engineer abused access to user data to track down woman

133 points by tomglynch, nearly 4 years ago

20 comments

emtel, nearly 4 years ago
I worked at Facebook for most of 2017 and 2018. In the first week, they made it clear that you would be fired instantly for any improper access of user data.

They further said that if you need to access any sensitive personal data, or if you need to log in as a user in order to debug a problem, you need to have approval from your manager _before_ the access, not after.

Also, you are not allowed to access the data of anyone you know personally for any reason whatsoever. You have to find someone else to do that if it needs to be done.

Finally, they really do audit every single access of personal data. I had every reason to believe that if I accessed any data improperly, I would be fired within the week if not the day.

I don’t know how much abuse still exists despite all of the above, but I don’t think this article does a good job of explaining how seriously Facebook takes this.

aaronmdjones, nearly 4 years ago
> At the time, more than 16,000 employees had access to users’ private data, according to the book.

> Stamos suggested tightening access to fewer than 5,000 employees and fewer than 100 for particularly sensitive information like passwords.

I'm sorry, what?

I can tell you the number of legitimate engineers that should have access to users' passwords.

It's a nice, round number.

It's zero.

junon, nearly 4 years ago
This is a pretty widespread issue I'd imagine, we just don't hear about it or people aren't caught.

I know they've been locked down since I've left, but some of the tools we were allowed to just *freely access* at Uber were a tad scary, to say the least.

I'm sure every company with a very large userbase, such as Facebook/Microsoft/Google/etc., claims they have internal protections/checks but have even more holes like this.

cmrdporcupine, nearly 4 years ago
Pretty inexcusable by 2015. FB was hardly a new company at that point.

Every Googler gets the message that you keep your mitts off private information in logs (or get terminated) drilled into them in their first week of training. Logs access is a) restricted b) audited c) tiered and d) *enforced*. That was the case in 2011 when I started and it's the case now.

Not saying Google is perfect, but it's not like companies like FB didn't have a template for privacy standards that they could have followed.

All that said, but back then I just personally assumed that this is how FB was operating :-( I am hoping they've improved since.

staticassertion, nearly 4 years ago
In a sane world this would be a company-ending event, or at least seriously impact their stock and C level execs.

The idea that:

a) User data access is not just allowed but *normal* (or at least that it was at one point)

b) That it's allowed at all so widely

c) That (a) and (b) are true despite *repeated* abuse

is absolutely insane. "Nearly every month" is insane. It should be criminal, but it isn't.

Sadly, it's all too common for engineers to have way more access than is necessary, though this seems extreme. I see no reason why any engineer, outside of extreme circumstances that should set off alarm bells, should have access to sensitive user data like passwords. It should generally not be the case that direct access of data is needed at all.

pm90, nearly 4 years ago
Totally unsurprised by this.

Where I used to work, user activity/transactions data sent to us would be stored on a single giant NFS volume. If you were added to a Linux group you got full, unaudited access to everything. Whenever someone tried to build anything that would restrict and audit access there would be a ton of pushback from engineers and customer support who loved being able to ssh into a machine and have full access to everything.

iamalexa, nearly 4 years ago
A lot of the commenters here are rightly not surprised about this. A few years down the line this is going to be a similar thing with voice-activated devices like Alexa. Employees, contractors, advertisers will all have access to the voice data of not just the person using these devices but of those who just happen to be in the vicinity. And no one will be surprised about it.

Taylor_OD, nearly 4 years ago
This is so common. Think of any startup you gave way too much info to. They have lots of lower paid employees who can look at that data. It happens a lot.

Drybones, nearly 4 years ago
I was on vacation in Egypt, this year, with a guy who worked at Facebook, along with a fairly large group of us from the States. He would stalk people's Facebook profiles in our group to find out information on them and even confront them about it, if they made him upset enough. He even messaged them directly on Facebook to tell them off.

As a side note, he was mostly only interested in having hook ups and orgies with Ukrainian tourist women, while in Egypt, made even more bizarre when we found out he has a wife back in the United States, who worked at Apple.

He was not a well-liked guy and he was very rude to the Egyptian natives, especially towards the Bedouins.

protoman3000, nearly 4 years ago
At this point, why not just make any of this social media information public? What’s the difference to more than 16 000 people knowing with whom you cheated vs. the whole world knowing?

By 6 degrees of Kevin Bacon there surely is a connection to one of these 16000 people in your bubble, hence the secrets are theoretically out, too. Why should they have the advantage over you and potentially blackmail you?

/s

mrits, nearly 4 years ago
There is 0% chance this article is correct. No employees at Facebook had access to passwords for obvious reasons. Someone is trying to sell a book.

sschueller, nearly 4 years ago
Does anyone remember Uber's "god view"? That has privacy violations written all over it, I wonder what happened to it.

caseysoftware, nearly 4 years ago
While Facebook has a massive pile of data, what about the other massive collectors of data out there?

Do similar processes and consequences apply in the worlds of your banks, credit card company, Experian, Equifax, the NSA, FBI, and other groups, both government and commercial?

smalltarget, nearly 4 years ago
So this is just FB. Imagine what other services engineers and employees can abuse to look up personal information of people they know.

bobthechef, nearly 4 years ago
She should sue Facebook. This industry has no will to change. It must be coerced.

Ideally, your data should be encrypted and no one at Facebook should have access to it. Only those people whom you have chosen to then share that data should have access to the degree given (crypto wise, maybe this means you decrypt and broadcast to those people like email). Any reason why a Proton-like model wouldn't work for technical reasons? Facebook could still make money off ads, but those ads would be less targeted. Good. We need less targeting.

stevespang, nearly 4 years ago
Heh, so Zuckerberg's baby is now enabling predators and stalkers?

I smell lawsuits going for the very deep pocket of Zuck...

globular-toast, nearly 4 years ago
Why is there a massive, high-resolution, unflattering picture of Zuckerberg at the top of this article? What does he have to do with this?

HumblyTossed, nearly 4 years ago
I would not be surprised if this was common. I simply don't have enough faith in society today to believe that most people would understand how wrong this is.

api, nearly 4 years ago
"You don't have anything to fear unless you have something to hide..."

I bet this is incredibly common, and far more so at lower profile and even shadier surveillance capitalist companies.

rvz, nearly 4 years ago
> from 2014 to August 2015.

Everyone here is unsurprised by this and at this point I expect the social networks to just abuse my user data anyway. They won't change and they will never stop this.

Who is to say that this is already happening with the other social networks that are scooping up our data but in 5 years' time will only admit their actions afterwards.

Maybe they are all doing this as we type.

To Downvoters: So you think that these social media companies are NOT abusing our data? There's tons of evidence of this everywhere, including this confession.

There can only be one explanation of why I'm getting downvoted heavily of an undeniable known fact and it is likely that it is by those working at these companies because they know that I am right and the point still stands regardless of any downvotes (and censoring of the truth).