Facebook user Paavo Siljamäki recently posted a story about popping into Facebook's Los Angeles offices to get some advice on how to better use the site.
A Facebook engineer asked if it would be OK to take a look at his profile.
“Sure”, Siljamäki said, and without even asking for a password, the engineer logged in directly as Siljamäki, viewing all of his private content.
It made him wonder: how many Facebook employees can do this?
Just made me wonder how many of Facebook's staff have this kind of 'master' access to anyone's account? What are the rules on who and when they can access our private content, and how would we know if someone did? (My Facebook did not notify me that someone else accessed my private profile.)
He wasn’t the only one left wondering.
VentureBeat, which spotted Siljamäki’s post, reached out to Facebook to find out when, exactly, employees can access a user’s account without entering their login credentials.
A Facebook spokesperson sent this answer:
We have rigorous administrative, physical, and technical controls in place to restrict employee access to user data. Our controls have been evaluated by independent third parties and confirmed multiple times by the Irish Data Protection Commissioner's Office as part of their audit of our practices.
Access is tiered and limited by job function, and designated employees may only access the amount of information that's necessary to carry out their job responsibilities, such as responding to bug reports or account support inquiries. Two separate systems are in place to detect suspicious patterns of behavior, and these systems produce reports once per week which are reviewed by two independent security teams.
We have a zero tolerance approach to abuse, and improper behavior results in termination.
It’s understandable that there might be skepticism about Facebook’s “zero tolerance approach to abuse”.
In light of the recent trouble that Uber’s gotten into over its “God View” – a privacy-invading display of passengers’ real-time movements that it projected onto a screen for entertainment at a company party – it’s valid to question how well companies actually enforce policies against abusing access to user accounts.
Fast-forward to today, and Facebook is a far more mature company.
It has the tools to grant select employees access to a user’s account, but according to Facebook’s statement, that access is heavily monitored and controlled and can only be executed under specific circumstances, including when users themselves initiate support or in the case of bug reports.
Siljamäki’s request is an example of a user coming to Facebook with a specific issue.
The engineer requested and received permission to resolve that issue by accessing his account.
Does that mean we shouldn’t worry about what we post on Facebook or other social media networks?
No. We should worry.
But when it comes to Facebook employees running amok in our private data, it doesn’t sound worth worrying about.
After all, that’s what the company has big data-crunching analytics for.
To paraphrase the Big Bad Wolf when Little Red Riding Hood asked about those humongous chompers: the better to market at you, my dear!