Date: 2021-07-15

A new book by Cecilia Kang and Sheera Frenkel, reporters for the New York Times, reveals troubling details about what went on behind the scenes of Facebook’s security. An excerpt from An Ugly Truth: Inside Facebook’s Battle for Domination, published by The Telegraph, shows that it was common for engineers to access users’ private information.

According to the book, between January 2014 and August 2015, more than 52 engineers at the social network — including the one who spied on their meeting — had their jobs terminated due to data breaches. While most simply looked at the information, one of them accessed location data to find out where the person he had been travelling with in Europe decided to stay after a fight between the two.

In another case, one of the company’s engineers took advantage of his administrator privileges to access the profile of a woman he had dated a few days earlier, but who had stopped responding to his messages. Among the information that could be easily obtained were dates of birth, all messages sent and received on Facebook Messenger, photos published (and deleted) and the advertising profile assigned by the social network, which includes age group, political inclination and lifestyle, as well as the real-time location of users.

According to the publication, Facebook managers always warned that anyone who accessed sensitive data without permission would be fired immediately. However, there was no mechanism other than employee ethics to prevent them from accessing this information—the rules had been put in place when the company had fewer than 100 employees and it was easier to enforce them.

The dismissed employees were detected by an alarm system present on the work machines supplied by the company. However, there is no record of how many people may have accessed sensitive data on other devices and gone unnoticed by the company so far.

Problem with cultural origins

The issue was brought to the attention of founder and CEO Mark Zuckerberg in September 2015, when Alex Stamos took over as head of security at Facebook. In Stamos’ analysis, the social network failed to protect the security of its apps (including WhatsApp and Instagram) and to encrypt user data. The company also shared its security activities too much and, in the executive’s words, “was not technically or culturally prepared to deal” with the threats it faced.

The biggest problem that Stamos pointed out, however, was that the company was doing nothing to stop engineers from using internal tools to breach user data. In a graph, he showed that not even the steady dismissals over the past 18 months had stopped such cases from recurring—and that hundreds of violations could have gone unnoticed.

At the meeting, Zuckerberg questioned why no one had warned him about the seriousness of the problems. Former employees report that many of the privacy access issues were caused precisely by “Mark’s DNA,” which had granted unrestricted access to multiple engineers to ensure they could work quickly and independently.

Interviewees said that many of the issues had been brought up on several occasions, but were ignored. According to them, this was because addressing them could limit or even prevent the social network from collecting user data that was considered essential to its activities.

Facebook says it has improved its policies

The necessary changes began to be made at the suggestion of Stamos, who at the time ended up becoming an enemy of Sheryl Sandberg. Responsible for Facebook’s security, she was on leave after her husband’s death, and had not been consulted about the proposed changes.

In a statement sent to the Daily Mail, Facebook said it has a zero tolerance policy for employees who use user data for personal purposes. The company says it has strengthened employee training, prevention protocols and detection systems since 2015, in addition to reducing the data access required for engineers to build and support products.