Earlier this week, Facebook fired an employee who was accused of abusing their access to users' profiles to stalk women. Had that employee's alleged victims worked at Facebook, they would have been alerted by a special internal tool, according to a new report. The rest of us, however, get no such protection.
According to The Wall Street Journal, sources familiar with the matter say the tool was originally called the "Sauron Alert", but its name was changed to the more innocuous "Security Watchdog" in 2015. Still, the reference to the evil all-seeing eye from The Lord of the Rings reportedly persists as a common name used internally. And let's face it, that's an appropriate name.
A small group of people is said to have access to users' accounts, including non-public photos and posts, as well as unencrypted private messages. These people primarily work on the security side of the platform, and current and former employees told the Journal that their access is "closely monitored".
Of course, it took a security consultant publicly calling out the company for an investigation into the stalker employee to be launched earlier this week. So, as with so many things involving Facebook, it all comes down to the social network saying, "trust us."
From the report:
Employees with such permission can access others' accounts to diagnose technical errors, test new features or investigate possible criminal behaviour in response to a legal request, according to Facebook officials and former employees.
When using the internal software, Facebook employees must give a legitimate reason for accessing the profile; the explanations are read by managers later. It is considered best to have written permission, former employees said.
Multiple Facebook employees have been fired for improperly accessing user profiles over the years, according to former employees.
Gizmodo reached out to Facebook for confirmation of the report and we received the following statement:
The name for the tool you are referring to is Security Watchdog. That was noted in the Journal article but it was not clear. It is not referred to as Sauron or a Sauron alert. That name was retired in 2015.
On the record, we are always looking at opportunities for new features, and we have had discussions about this very idea prior to this incident. Our existing tool focuses on our employees because engineers frequently test unreleased products and features with other employees, and they need access to those accounts to be able to quickly and thoroughly troubleshoot bugs and other issues. In thinking about how we could do something similar for everyone, there are a number of important considerations that come into play — for example, how we can avoid tipping off bad actors or hindering our work to prevent real world harm in cases of bullying, abuse or other sensitive situations. It's also important to remember that anyone can get alerts about unrecognised logins from other users and check for suspicious activity.
A spokesperson for Facebook told the Journal that the company has considered expanding the tool to alert average users when their account has been accessed, but it's difficult to pull off without notifying bad actors who are being investigated.
While that explanation sounds relatively reasonable, it does call attention to the fact that Facebook is problematic to its core. One company having access to the data of more than two billion users and scooping up the data of non-users around the web places far too much power into the hands of a few people who operate in near-total secrecy.
Since the Cambridge Analytica scandal broke, Facebook has been rolling out more tools for users to control their data and even says that it's developing a feature that will let you see the data it collects from apps and websites. New data policies have been enacted and its terms of service have been rewritten.
But all in all, Facebook needs that data to fuel the advertising business that brought in $US41 billion ($54 billion) last year.
One idea that's been increasingly mentioned in recent months is the notion that Facebook could offer a subscription option that would relieve its thirst for data. On Friday, Bloomberg reported that it's currently doing market research to study whether that's a viable option. The report claims that internal teams are trying "to determine whether an ad-free version paid by subscriptions would spur more people to join the social network."
Both the notion of giving users access to the Sauron Alert and the idea of subscriptions illustrate the way that Facebook has become a prisoner of its own design. Its data collection is creepy, and its service necessitates that security teams sometimes need to check out what users are doing. Notifying users that employees have been pilfering around in their accounts would be extra creepy.
Likewise, an ad-free subscription model should guarantee users that their data is completely scrubbed and that they aren't being tracked around the web. When you consider Facebook's practice of creating shadow profiles for non-users, that model would quickly begin to look like extortion. It would amount to the company saying, "if you don't want your data collected, pay us."
Ultimately, the choices Facebook makes will be the ones that are most profitable. And if its most recent earnings are any indication, it will just continue with the status quo.