I find that HN is at least a little bit hypocritical when they go on about the right to be forgotten and not judging people by what they did in years past... and meanwhile judge Zuckerberg harshly for a snide comment supposedly made 14 goddamn years ago.
Facebook's security engineers (and tons of other engineers) have easy access to information. They are however not supposed to use/access information about people for non-work purposes - like finding Tinder dates.
So, the answer to your question is many of them have access by design.
If I had access, "finding dates on Tinder" is amateur hour. You can find out a lot of details about a person if you go through their profile (usually you have to be friends with them, but if you're an admin probably not), and even more creepily, if you go through their messages.
If she says "attending" to an event on FB, you'll know where the person will be at a particular time and date, you can just "randomly" bump into them and mention your love of $MUSIC_GROUP and $TRAVEL_DESTINATION.
And since the mobile app probably logs locations, you could also trawl through that data on the fly to "randomly" bump into them again a few days later. "What a coincidence!".
Guys really should not take dating advice from romantic comedies. In comedy, this is romantic. In real life, this is called stalking, major red-flag since guy who does this before he even has relationship is likely to be controlling and dangerous in relationship.
Yes but.. Facebook is not the employer of its users..
There is no need for anyone at Facebook to have access to users information.
In an honest world, nobody at Facebook should be able to access people's personal data without their explicit permission on a case by case basis.
if it was encrypted in a proper fashion and the work flow was correct, (if Facebook really cared about users rights) there would be no possibility of anyone other than users from accessing user's personal information.
Well, I’ve been out of the company for almost three years now, but somehow, my comments haven’t had the same impact as Snowden’s. I didn’t flee to a new country, so that might be it.
I wonder how many Facebook engineers still use their own messenger for private conversations. I would guess most of them are using iMessage or Telegram or something similar.
I’m personal friends with many former colleagues. We use Messenger (unencrypted) pretty much exclusively, even when talking job satisfaction and moving to a new job.
The bigger issue here is that they reacted to this event, rather than proactively managing it.
From the article, “Access to sensitive data is logged, and the company has automated systems designed to detect and prevent abuse”,but if that were the case surely they would have acted on this before it became public.
In reality they have no incentive to police this kind of behaviour until they are called out on it.
In truth, I would never spend time and effort looking into potential malfeasance myself, as I would be too focused on building out new features and ideas.
I don’t know if a natural incentive exists that would drive the behaviour it seems society expects.
> In reality they have no incentive to police this kind of behaviour until they are called out on it.
Access to personal information of users is "policed" internally, proactively, and you can get fired over it. It's one of the things they hammer into your head the first month of bootcamp after you join. The internal tooling and frameworks have all sorts of built-on heuristics to catch this [1], and there's internal teams who're continuously improving these security measures.
[1] this = accessing information not related to your job duties
For what it’s worth, I believe you. I sincerely believe that people would have been fired for inappropriate use/access of data.
My comment is a deeper one. The incentive in general is to improve value produced, and identifying bad actors is not a short term way to increase value produced. Long term it probably is positive, but because those outcomes are somewhat removed from the immediate here and now I expect them to be disincentivised. I would love to see evidence or reason for why they aren’t, but that’s the thrust of my thinking.
The guy's job was apparently to check out profiles of people that may present a security threat. So if his job was to look at profile data all day, in this specific case his firing would almost have to be reactionary, because his nefarious activities would have looked like normal job activity to any auditing program. We only know his activities were nefarious because he said so. A developer or people in almost any other position for that matter would likely have been caught proactively.
>The bigger issue here is that they reacted to this event, rather than proactively managing it.
If he was bragging about having access, but didn't actually access it in a way that was inappropriate for his role, then there's nothing for the company to have proactively done.
As much as I love dunking on Zuck, it might be difficult to detect all unnessecary data viewing, especially if someone is part of an internal security team whose job description includes looking for hackers on FB's systems.
So basically, if the abuse is not egregious (ex: looking up a celebrity's details), they have to rely on someone making a complaint and then reviewing the employee's logs.
I knew someone who worked for the IRS and they had similar issues - it's harder than you'd think to automatically detect this kind of thing, the best you can do is log so you can punish if it's discovered someone abused credentials.
Firing employees dumb enough to snoop and brag isn't enough to restore user confidence. Facebook needs to take concrete steps to prevent employees from snooping, and it needs to be publicly seen doing so.
I stopped using Facebook years ago because I felt it was just too invasive. I've felt like a technological Luddite ever since, but boy are Zuckerberg & Co. ever doing their level best to make me look prescient!
FB was been and still is what it's always been...a mirror and a magnifier.
What's changing is the tolerance some ppl (e.g., you, me, the HN'er above your comment) have for it's mindless minutia, as well as the privacy issues.
The takeaway for me is simple: the evolution of humans - FB the Big Inc and the masses that feed its bottom line -is greatly exaggerated. Could some of the devo'ing be due to FB? I suppose. But for the most part, the signs have been there all along, FB just made it undeniable.
I agree. It has gotten noticeably worse (for me) every month for several months now, possibly years. The algorithm picks such rubbish for my timeline I'd probably rather see ads.
It's like how more and more people are "cord cutting" their cable TV. Some keep it because one or two features (e.g. live sports) are still worth it to them, but more and more people are finding alternate ways to achieve the things they really want without feeling like they've gone for a swim in a cesspool to get there.
Apparently there isn’t a stick big enough to prevent abuse by employees. What a surprise! This is human nature, plain and simple. The threat of job loss did very little to alter human nature in other settings. How can this go any differently at Facebook?
When a honeypot this big is right there for the taking, there’s no amount of threats that’ll dissuade the bad actors. The solution is refreshingly simple: don’t allow sensitive information to accumulate in such quantities and at such high concentration.
Not allowing accumulations to grow is fine, except when they are needed.
If they exist, need to also implement strong security compartmentalization, logging, oversight, etc. to prevent.
And, the stick needs to be bigger too, not only firing from one job, but blacklisting from others, and prosecution. You do that, you're not only done, you're out of a career, and will be lucky to not find yourself in jail. (I'm no usually that punitive, but that level of casual abuse...)
Why would just the employees face consequences that dire and including prison time? Put the on us on the company and they should figure out how to incentivize people correctly. That's the benefit of capitalism right?
Absolutely -- increase the scope and also go after the managers and execs who design & implement badly secured systems -- you'll get no objection from me.
What makes you think this is the only lever they're playing with to change public perception? This is an easy lever that costs little but is dangerous and risky if not pulled. But the entirety of their strategy obviously consists of many more puzzle pieces than what this article happened to uncover.
It's not a lever at all. The only reason you know about it is that he bragged about it to a stranger who may or may have not pieced together a story based on a few social media comments.
My prediction is this: in the future data will be as regulated as regulated substances are today. Facebook and Google and a few others will be akin to the mass manufacturers of this "controlled substance" and the selling and use of data will be regulated is such a way that private entities cannot willy nilly pay to spy on people. They will however be allowed to buy certain kinds of data for commercial use.
In some regards this will be an improvement, in the sense that it would be harder for actuaries to weaponise your data against you, without your explicit consent. It would make it easier to control the use of the data collected about you.
On the other hand it will legitimize surveillance by state agents and very powerful private entities.
Another prediction is that countries might eventually start considering data a matter of national security and might restrict the transfer of data about their citizens across borders.
To make it more clear: I'm not trying to defend anyone in a case I know nothing about, but if there is further evidence that cannot be made public, a non-exposing description of that evidence must be the central piece of the article, not some screenshot that only stirs emotion because someone used the word "stalker". With that as the focal point, the article makes it all seem like a baseless witchhunt and that can only be harmful to the cause.
You are not. To me it comes off like a misguided attempt to impress someone, not an admission of actual wrongdoing. The guy comes off as a creepy asshole for sure, but it's basically just bragging.
But really, given everything going on with Facebook, why would an employee ever think this was a good idea? That's what is really beyond me.
"Access to sensitive data is logged, and the company has automated systems designed to detect and prevent abuse, Stamos said." Looks like FB failed again to achieve this.
This reminds me of LOVEINT [1] [2], as a somewhat recent example of how available data on people can, and will, be misused. Despite any claimed heuristic software monitoring controls put in place and any instructions hammered in the first month of job orientation, it's undeniable that Facebook is a treasure trove of information on what people like or dislike, what people do, where they go, where they are, what they talk about on Messenger (think it's private), etc.
I see it as a question of when, not if, we'd see more stories of stalking and abuse (including physical violence) perpetrated by those employed by Facebook. The "authentic names" policy only makes this ever so easier to find and follow people. Firing someone after some damage is done is nothing compared to what the victims have suffered and may continue to suffer.
I personally question the ethics of people who even choose to work for a company like Facebook. So my (hyperbolic) view is that this is not something to be shocked about. Not with Facebook!
There is a fairly strong heuristic for measuring who is less likely to be an anti-social maniac like the one in the article -- marriage.
Throughout history and across the world, married men (and women) are universally much less likely to be exhibit anti-social behavior to the point where it is an enduring fixture (if not the enduring fixture) in the civilizing process.
Are you basing this on actual data or is that just your opinion? I'm under the impression that for most of history, marriage status was determined by one's age and social status rather than a choice that would allow conclusions about personality traits.
Without data, your statement is tantamount to discrimination based on marital status which is problematic in the context of a thread regarding employee dismissal.
Off the top of my head, I can think of a number of quite anti-social people (for different values of anti-social) that are married. For example, Joseph James DeAngelo (Golden State Killer) was once married, has adult children, but his anti-social behavior is well documented. [0]
In another example Jennifer Hart and Sarah Hart were married and had many adoptee children. Hardly the stereotype of antisociality. And yet, in their private lives they very likely abused their adoptive children to the point of killing all their children as well as themselves. [1]
Another example is David and Louise Turpin who imprisoned 13 children in their home. [2] In fact, there have been a number of high-profile survivor tales in the last several years of children escaping abusive parents. One news outlet gathers up a number of similar past cases with many of the offenders being married people.
My aim in discussing these cases is neither to provoke nor sustain prurient interest in the antisocial behavior of married people. Nor is my aim to claim that married people are more likely to engage in abusive, antisocial behavior toward children.
My aim is to destabilize your claim that "married men (and women) are universally much less likely to be exhibit anti-social behavior" which claim you make without providing a single shred of proof.
Is there any evidence of any wrongdoing here? His access to personal information is absolutely normal given his job title and frankly, I’m surprised that the other person feels unsafe after hearing this despite the fact she’s apparently a software engineer so the fact he has this access shouldn’t come to her as a surprise, and in her job she has probably the same level of access if not more.
107 comments
[ 3.4 ms ] story [ 113 ms ] threadWasn’t the whole ethos’s of Facebook to aggregate a bunch of data so Zuck could get laid?
Seems like this guy is a mild incarnation.
Ps. “Senator, we don’t sell data!”
I think it's interesting someone would get fired for making a joke that is mild compared things the founder has said / done.
So, the answer to your question is many of them have access by design.
If she says "attending" to an event on FB, you'll know where the person will be at a particular time and date, you can just "randomly" bump into them and mention your love of $MUSIC_GROUP and $TRAVEL_DESTINATION.
And since the mobile app probably logs locations, you could also trawl through that data on the fly to "randomly" bump into them again a few days later. "What a coincidence!".
It's almost like people will tell you what they are interested in you ask them. If they don't tell you, then you never had a shot anyway.
If you rely on artificial serendipity for romance, then you're going to have a bad time.
The biggest cause of relationship challenges is having insecure attachment.
Heal that and no need to stalk.
There is no need for anyone at Facebook to have access to users information.
In an honest world, nobody at Facebook should be able to access people's personal data without their explicit permission on a case by case basis.
if it was encrypted in a proper fashion and the work flow was correct, (if Facebook really cared about users rights) there would be no possibility of anyone other than users from accessing user's personal information.
You can’t commit code to master without an approver. The same should apply for any access to data.
"Well, we've never had any problems" = "One time, I laid in the road"?
From the article, “Access to sensitive data is logged, and the company has automated systems designed to detect and prevent abuse”,but if that were the case surely they would have acted on this before it became public.
In reality they have no incentive to police this kind of behaviour until they are called out on it.
In truth, I would never spend time and effort looking into potential malfeasance myself, as I would be too focused on building out new features and ideas.
I don’t know if a natural incentive exists that would drive the behaviour it seems society expects.
> In reality they have no incentive to police this kind of behaviour until they are called out on it.
Access to personal information of users is "policed" internally, proactively, and you can get fired over it. It's one of the things they hammer into your head the first month of bootcamp after you join. The internal tooling and frameworks have all sorts of built-on heuristics to catch this [1], and there's internal teams who're continuously improving these security measures.
[1] this = accessing information not related to your job duties
Are you saying this person was fired before it became public that they had misused data? Or was it reactionary?
But I know for a fact you can get fired for this without any public/PR issue, by internal triggers/investigation only.
My comment is a deeper one. The incentive in general is to improve value produced, and identifying bad actors is not a short term way to increase value produced. Long term it probably is positive, but because those outcomes are somewhat removed from the immediate here and now I expect them to be disincentivised. I would love to see evidence or reason for why they aren’t, but that’s the thrust of my thinking.
Do they detect and prevent abuse? Who knows but that's what they were designed to do.
It's great (if weasel wordy) copy.
They may well be proactively managing it, but you don't hear about it when those actions are taken?
If he was bragging about having access, but didn't actually access it in a way that was inappropriate for his role, then there's nothing for the company to have proactively done.
So basically, if the abuse is not egregious (ex: looking up a celebrity's details), they have to rely on someone making a complaint and then reviewing the employee's logs.
I knew someone who worked for the IRS and they had similar issues - it's harder than you'd think to automatically detect this kind of thing, the best you can do is log so you can punish if it's discovered someone abused credentials.
I stopped using Facebook years ago because I felt it was just too invasive. I've felt like a technological Luddite ever since, but boy are Zuckerberg & Co. ever doing their level best to make me look prescient!
What's changing is the tolerance some ppl (e.g., you, me, the HN'er above your comment) have for it's mindless minutia, as well as the privacy issues.
The takeaway for me is simple: the evolution of humans - FB the Big Inc and the masses that feed its bottom line -is greatly exaggerated. Could some of the devo'ing be due to FB? I suppose. But for the most part, the signs have been there all along, FB just made it undeniable.
It's a massive collective blindspot.
I mainly use Facebook for the messaging.
perhaps bliss is a better word
When a honeypot this big is right there for the taking, there’s no amount of threats that’ll dissuade the bad actors. The solution is refreshingly simple: don’t allow sensitive information to accumulate in such quantities and at such high concentration.
If they exist, need to also implement strong security compartmentalization, logging, oversight, etc. to prevent.
And, the stick needs to be bigger too, not only firing from one job, but blacklisting from others, and prosecution. You do that, you're not only done, you're out of a career, and will be lucky to not find yourself in jail. (I'm no usually that punitive, but that level of casual abuse...)
Zuck: Just ask.
Zuck: I have over 4,000 emails, pictures, addresses, SNS
[Redacted Friend's Name]: What? How'd you manage that one?
Zuck: People just submitted it.
Zuck: I don't know why.
Zuck: They "trust me"
Zuck: Dumb fucks.
In some regards this will be an improvement, in the sense that it would be harder for actuaries to weaponise your data against you, without your explicit consent. It would make it easier to control the use of the data collected about you.
On the other hand it will legitimize surveillance by state agents and very powerful private entities.
Another prediction is that countries might eventually start considering data a matter of national security and might restrict the transfer of data about their citizens across borders.
But really, given everything going on with Facebook, why would an employee ever think this was a good idea? That's what is really beyond me.
I see it as a question of when, not if, we'd see more stories of stalking and abuse (including physical violence) perpetrated by those employed by Facebook. The "authentic names" policy only makes this ever so easier to find and follow people. Firing someone after some damage is done is nothing compared to what the victims have suffered and may continue to suffer.
I personally question the ethics of people who even choose to work for a company like Facebook. So my (hyperbolic) view is that this is not something to be shocked about. Not with Facebook!
[1]: https://en.wikipedia.org/wiki/LOVEINT
[2]: https://www.washingtonpost.com/news/the-switch/wp/2013/08/24...
Throughout history and across the world, married men (and women) are universally much less likely to be exhibit anti-social behavior to the point where it is an enduring fixture (if not the enduring fixture) in the civilizing process.
http://healthland.time.com/2010/12/07/why-married-men-are-le...
Off the top of my head, I can think of a number of quite anti-social people (for different values of anti-social) that are married. For example, Joseph James DeAngelo (Golden State Killer) was once married, has adult children, but his anti-social behavior is well documented. [0]
In another example Jennifer Hart and Sarah Hart were married and had many adoptee children. Hardly the stereotype of antisociality. And yet, in their private lives they very likely abused their adoptive children to the point of killing all their children as well as themselves. [1]
Another example is David and Louise Turpin who imprisoned 13 children in their home. [2] In fact, there have been a number of high-profile survivor tales in the last several years of children escaping abusive parents. One news outlet gathers up a number of similar past cases with many of the offenders being married people.
My aim in discussing these cases is neither to provoke nor sustain prurient interest in the antisocial behavior of married people. Nor is my aim to claim that married people are more likely to engage in abusive, antisocial behavior toward children.
My aim is to destabilize your claim that "married men (and women) are universally much less likely to be exhibit anti-social behavior" which claim you make without providing a single shred of proof.
[0] https://www.nytimes.com/2018/04/25/us/golden-state-killer-se...
[1] https://www.nytimes.com/2018/04/27/us/hart-family-crash.html
[2] https://www.youtube.com/watch?v=_TnYoss0eiM
[3] https://www.news24.com/World/News/children-held-captive-prev...
EDIT: Recast direct object in second sentence of third paragraph. Recast relative clause in last sentence.
Reminds me of David Viniar's "unfortunate to have that on email" blunder:
https://www.youtube.com/watch?v=ccjZEvBGOuk
ZUCK: yea so if you ever need info about anyone at harvard
ZUCK: just ask
ZUCK: i have over 4000 emails, pictures, addresses, sns