Facebook tracks users it thinks may harm its employees

Have you ever been so enraged at Facebook that you’ve messaged CEO Mark Zuckerberg and told him to f— off? …or maybe you simply left that type of comment in a post somewhere on Facebook or one of its apps?

If so, you might well have been inducted into what CNBC reports is the company’s BOLO watch list. That’s an acronym for Be On Lookout: a list of hundreds of people who have threatened Facebook or its staff, sulked over losing a contract, or gotten fired, be it with or without sulking or emotional outbursts.

Keeping a list like that is not, in itself, unusual. Lots of companies keep similar lists, according to CNBC’s sources, which include former security staff from Facebook who are familiar with its program and at least one expert from the physical security field: Tim Bradley, senior consultant with Incident Management Group, a corporate security consulting firm that deals with employee safety issues.

What’s unique about Facebook’s approach to BOLOs is that it doesn’t just disseminate a list of names to security staff. Facebook also mines its platform for threatening posts. Sometimes, Facebook goes so far as to use its apps to discern the whereabouts of people whom it finds threatening, to determine whether they pose a credible threat.

CNBC talked to more than a dozen former Facebook security employees, some of whom questioned the ethics of Facebook’s security strategies. One former security staffer called the tactics “very Big Brother-esque.”

‘Tomorrow everyone is going to pay’

CNBC reported on a number of examples of when Facebook uses its own geolocation tracking or knowledge about a user’s location to figure out how much of a threat the person might be. One such: early last year, a Facebook user threatened one of the company’s European offices in a public post.

Facebook picked up on it and checked into where he was. It turned out that the user was in the same country as the office he was targeting. Facebook notified the authorities about the threat and instructed its security officers to be on the lookout for the user.

CNBC quoted a former Facebook security employee:

He made a veiled threat that ‘Tomorrow everyone is going to pay’ or something to that effect.

Facebook has a lot of enemies

While some former security staffers question the ethics, the attitude of others is hey, who can blame the company? As CNBC points out, Facebook, with 2.7 billion users across all its services, has a massive reach, and it’s got a tendency to inspire strong emotions. From CNBC:

If just 0.01 percent of users make a threat, Facebook is still dealing with 270,000 potential security risks.

Bradley told the news outlet the most important thing is for Facebook to protect its employees. How it does so is “secondary” to that duty:

If they know there’s a threat against them, they have to take steps. How they got the information is secondary to the fact that they have a duty to protect employees.

Facebook provided this statement:

Our physical security team exists to keep Facebook employees safe. They use industry-standard measures to assess and address credible threats of violence against our employees and our company, and refer these threats to law enforcement when necessary.

A Facebook spokesman told CNBC that people are only added to the BOLO list after a “rigorous review to determine the validity of the threat.”

We have strict processes designed to protect people’s privacy and adhere to all data privacy laws and Facebook’s terms of service. Any suggestion our onsite physical security team has overstepped is absolutely false.

But some former employees dispute this description of Facebook’s criteria for making the BOLO list, saying that the bar can be pretty low. From CNBC:

While some users end up on the list after repeated appearances on company property or long email threats, others might find themselves on the BOLO list for saying something as simple as ‘F— you, Mark,’ ‘F— Facebook’ or ‘I’m gonna go kick your a–,” according to a former employee who worked with the executive protection team.

A different former employee who was on the company’s security team said there were no clearly communicated standards to determine what kinds of actions could land somebody on the list, and that decisions were often made on a case-by-case basis.

Ex-Facebookers often become new BOLO-ers

You can see how some employees would make it onto the BOLO list after being shown the door – those who steal from the company, for example. But former Facebook employees say that in many cases, they wind up on the BOLO sheet without any reason being listed. CNBC says that three people told the news outlet that almost every Facebook employee who gets fired is added to the list, with one calling the process “really subjective.” Yet another said that contractors are added “if they get emotional when their contracts are not extended.”

The Facebook spokesman denied this:

Former employees are only added under very specific circumstances, after review by legal and HR, including threats of violence or harassment.

How Facebook uses location data to track BOLOs

Facebook has numerous ways to track our location: it can tap into that data via the mobile Facebook app or by our IP address, which is picked up by the online version.

Once it picks up a credible threat – for example, one with specific details about an attack location and timing, or a threat coming from somebody who regularly shows up at shareholders’ meetings or other company events – its global security operations center and the global security intelligence and investigations units put in a request to the company’s information security team, which can track users’ location information.

Facebook in some cases determines that threats lack credibility, such as if a user makes a threat about a specific location but is themselves located nowhere near that location. But if the BOLO user is in fact nearby, Facebook can continue to monitor their location and keep their security teams on the lookout. Depending on the threat, Facebook’s security teams might also station security guards, escort a BOLO user off campus or alert law enforcement.

Some threats are quite real

While its tactics might seem like overreach, you can’t deny that Facebook faces real threats. For example, one of its execs got swatted in January. The Facebook exec wasn’t harmed. However, he was handcuffed during questioning following his Palo Alto, California, house having been swarmed by police, fire department and public safety agents who responded to a hoax call from a man claiming to be him who said he’d shot his wife with an assault rifle, tied up his kids, put “pipe bombs all over the place,” and that he’d kill police or anyone else if they came near.

Another recent incident: in December, Facebook evacuated buildings at its headquarters in Menlo Park following a bomb threat. Fortunately, no bomb was found.