The abuse of private data by Facebook employees was pretty much inevitable; the simple act of amassing data tends to lead to corruption. What's sad is how lightly the social network reportedly controls its employees.
- As of a few months ago, Facebook records and archives information on whose profile you view. (Apparently this was already publicly known.)
- Facebook has 200-220 million active users, and more than 300 million total accounts, including disabled accounts and potential fakes.
- At one point, Facebook staff widely used a "master password" that unlocked access to anyone's account. Use of this password has been "deprecated," i.e. discouraged, implying the password might still exist and work. What was the password? "With upper and lower case, symbols, numbers, all of the above, it spelled out ‘Chuck Norris,' more or less. It was pretty fantastic."
- The Facebook employee is aware of at least two coworkers being fired for abusing their access to profiles; the employee herself also inappropriately access profiles.
- Facebook employees can "just query the database" to find your Facebook messages.
The picture that emerges is one of loose internal controls on private data access. Sure, the master password has been replaced by a system in which Facebook staff must log a justification when they view users' private profile data. But the employee said managers aren't "on your ass about it," leaving the door open for situations like this one:
When I first started working there, yes — I used it to view other people's profiles which I didn't have permission to visit. I never manipulated their data in any way; however, I did abuse the profile viewing permission at several initial points when I started at Facebook.
It also sounds like controls are lax on Facebook's backend database:
Your messages are stored in a database, whether deleted or not. So we can just query the database, and easily look at it without every logging into your account. That's what most people don't understand.
It seems safe to assume that if this particular employee obtained unauthorized account data, and knows of two other people who did, the practice has been reasonably widespread at Facebook, recent "crackdown" or not.
Sensitive data hoards inevitably attract attempts at unauthorized access. Whether it's hospital employees peeking at celebrity medical records or federal workers abusing their wiretap access 100 times in two tears (dubiously claiming it was an "accident"), people confronted with a pile of information feel compelled to start digging.
The best protection for a user: Throw as little as possible onto the pile.