Facebook explains when and why it peeps at your account

03 Mar 2015 | Facebook, Privacy
by Lisa Vaas

Facebook user Paavo Siljamäki recently posted a story about popping in to Facebook offices in Los Angeles to get some input as to how to better use the site.

A Facebook engineer asked if it would be OK to take a look at his profile.

“Sure”, Siljamäki said, and without even asking for a password, the engineer logged in directly as Siljamäki, viewing all of his private content.

It made him wonder: how many Facebook employees can do this?

Just made me wonder how many of Facebook's staff have this kind of 'master' access to anyone's account? What are the rules on who and when they can access our private content and how would we know if someone did? (My facebook did not notify me that someone else accessed my private profile).

He wasn’t the only one left wondering.

VentureBeat, which spotted Siljamäki’s post, reached out to Facebook to find out when, exactly, employees can access a user’s account without entering their login credentials.

A Facebook spokesperson sent this answer:

We have rigorous administrative, physical, and technical controls in place to restrict employee access to user data. Our controls have been evaluated by independent third parties and confirmed multiple times by the Irish Data Protection Commissioner's Office as part of their audit of our practices.

Access is tiered and limited by job function, and designated employees may only access the amount of information that's necessary to carry out their job responsibilities, such as responding to bug reports or account support inquiries. Two separate systems are in place to detect suspicious patterns of behavior, and these systems produce reports once per week which are reviewed by two independent security teams.

We have a zero tolerance approach to abuse, and improper behavior results in termination.

It’s understandable that Facebook’s “zero tolerance approach to abuse” might be met with some skepticism.

In light of the recent trouble that Uber’s gotten into over its “God View” – a privacy-invading display of passengers’ real-time movements that it projected onto a screen for entertainment at a company party – it’s valid to question how well companies actually enforce policies against abusing access to user accounts.

Tales of trampling on privacy in the early years of Facebook are rife, including allegations that Mark Zuckerberg broke into a user’s private email account.

Zuckerberg pulled the alleged email hack in the very earliest days of Facebook, before it even had a privacy policy.

Fast-forward to today, and Facebook is a far more mature company.

It has the tools to grant select employees access to a user’s account, but according to Facebook’s statement, that access is heavily monitored and controlled and can only be executed under specific circumstances, including when users themselves initiate support or in the case of bug reports.

Siljamäki’s request is an example of a user coming to Facebook with a specific issue.

The engineer requested and received permission to resolve that issue by accessing his account.
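As an added illustration of the kind of check such a policy implies (this is not Facebook’s own tooling, and all log lines and tickets are constructed sample data), the script below reconciles each employee “view account as user” audit event against a support inquiry the affected user opened, flags the rest for the weekly review the statement describes, and lists every affected user for notification, which Siljamäki noted he never received. The role list and the grace window are assumptions.

```python
# Added illustration, not Facebook's own tooling: reconcile employee
# "view account as user" audit events against user-initiated support
# tickets, and list every affected user for notification.
from datetime import datetime, timedelta

# Constructed sample audit log (employee viewed a user's private content).
ACCESS_LOG = [
    {"ts": "2015-02-27T10:05:00", "employee": "eng_42", "user": "paavo", "role": "support"},
    {"ts": "2015-02-27T10:40:00", "employee": "eng_42", "user": "paavo", "role": "support"},
    {"ts": "2015-02-28T23:10:00", "employee": "emp_17", "user": "alice", "role": "ads-sales"},
    {"ts": "2015-03-01T09:00:00", "employee": "eng_42", "user": "bob", "role": "support"},
]
# Constructed sample tickets: inquiries or bug reports the user opened.
TICKETS = [
    {"id": "T-1", "user": "paavo", "opened": "2015-02-27T09:30:00", "closed": "2015-02-27T11:00:00"},
]
ACCESS_ROLES = {"support", "bug-triage"}  # job functions allowed to view (assumed)
GRACE = timedelta(hours=4)  # access shortly after closure still counts as follow-up

def _parse(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%S")

def justifying_ticket(event, tickets):
    """Return the id of a ticket by the same user that covers the access time."""
    t = _parse(event["ts"])
    for tk in tickets:
        if tk["user"] == event["user"] and _parse(tk["opened"]) <= t <= _parse(tk["closed"]) + GRACE:
            return tk["id"]
    return None

def weekly_report(log, tickets):
    """Classify each access as justified or suspicious; collect users to notify."""
    report = {"justified": [], "suspicious": [], "notify": {}}
    for ev in log:
        tid = justifying_ticket(ev, tickets)
        if ev["role"] not in ACCESS_ROLES:
            reason = "role not permitted to view user content"
        elif tid is None:
            reason = "no user-initiated ticket covers this access"
        else:
            reason = None
        if reason:
            report["suspicious"].append({**ev, "reason": reason})
        else:
            report["justified"].append({**ev, "ticket": tid})
        # The user is told about every access, whether or not it was justified.
        report["notify"].setdefault(ev["user"], []).append(ev["employee"])
    return report
```

Reviewing the `suspicious` list weekly is the detection step; sending the `notify` map to users closes the gap Siljamäki pointed out.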

Does that mean we shouldn’t worry about what we post on Facebook or other social media networks?

No. We should worry.

But when it comes to Facebook employees running amok in our private data, it doesn’t sound worth worrying about.

After all, that’s what the company has big data-crunching analytics for.

To paraphrase the Big Bad Wolf when Little Red Riding Hood asked about those humongous chompers: the better to market at you, my dear!

Image of girl on laptop courtesy of Shutterstock.


12 comments on “Facebook explains when and why it peeps at your account”

  1. Richard "Skavenger" Wall says:
    March 3, 2015 at 12:11 pm

    I have an issue with the statement that says “private profile” if everyone just accepted the fact that NOTHING online is “Private” and not to share anything that should be private then there wouldn’t be as big an issue.

  2. Jeff says:
    March 3, 2015 at 2:02 pm

    Again, nothing posted to the Internet in any way should be considered absolutely private, with the possible exception of something that you’ve securely encrypted yourself.

    • Mang says:
      March 4, 2015 at 2:00 pm

      Even then, encrypted stuff can at best be considered probably private-ish.
      If someone *really really* wanted to get at it, there is a chance they can.
      (Which I am sure you know, but it’s worth pointing out!)

  3. LonerVamp says:
    March 3, 2015 at 2:20 pm

    It’s the rare person that asks the question Siljamäki asks, and more people need to ask it of more things, whether they’re concerned about their own personal information or the information they manage in their daily job. (Of course, security people tend to ask these questions, but amongst others it seems to be rare…)

    I get constant incredulous looks whenever my employees want to use Dropbox, and I say sure, as long as the powers that be in this company accept the risk of disclosed data due to unknown admin access (and several other key reasons). The tacit trust for these services is annoying, at best, when consumers try to manage corporate IT.

    • Scott M says:
      March 3, 2015 at 9:28 pm

      I have the same issue. I had a user install Dropbox on a non-company owned iPad so they could work on their documents from it. They didn’t realize I had Dropbox blocked on the computers. 🙂

    • mrG says:
      March 4, 2015 at 2:43 pm

      FWIW, one of the pitches copy.com gives is that they pledge not to invade your files, for any reason. This is probably said to distinguish them from the known copyright-violation bans Dropbox has levied.

  4. Steve Phillips says:
    March 3, 2015 at 2:49 pm

    If you want something to be private don’t put it on the internet!

  5. mryeah says:
    March 3, 2015 at 3:37 pm

    How could an employer protect private user data from admins who have access to the database?
    There is some level of trust you have to give developers so they can do their job. External monitoring systems seem to me the only feasible way to check that this trust doesn’t get abused by individuals.

    That said, I am worried about these cases because they are not about untrustworthy individuals but untrustworthy companies. Uber’s philosophy especially is totally broken when it comes to privacy and respect.

  6. Laurence Marks says:
    March 3, 2015 at 8:03 pm

    Mr Yeah asked “How could an employer protect private user data from admins who have access to the database?”

    Simple. You encrypt the data before you put it into the database. Ever hear of Mega, successor to Megaupload? That’s how it works.

    Where’s Kim Dotcom when you need him?

    • mryeah says:
      March 4, 2015 at 2:27 pm

      How should that be possible for a social network where you easily want to share stuff with others?

      Let’s say your stuff on Facebook is encrypted. Your Facebook friends need the key to decrypt it. How could they get the key automatically without a way for Facebook getting that key, too?
      Mega works because you share the encryption key to your data outside of Mega.

    • mrG says:
      March 4, 2015 at 2:44 pm

      Which, according to Mr Snowden, is still only private-ish.

  7. raywells says:
    March 5, 2015 at 12:35 am

    The more complex our security becomes, the more complex our enemy’s efforts must be. The more we seek to shut him out, the better he must learn to become at breaking in. Each new level of security that we manage becomes no more than a stepping stone for him who would surpass us, for he bases his next assault upon our best defences.

