life in pixels

Does Facebook Have a Leaks Problem?

What mastermind created the infamous, slowed-down video of Nancy Pelosi — the one intended to make her sound drunk that went viral across right-wing media two weeks ago? Was it the product of Chinese meddling? Dastardly Russian dezinformatsiya? Had a paid army of trolls disseminated the “shallowfake” to undermine American democracy? Over the weekend, in an article in the Daily Beast, security journalist Kevin Poulsen unmasked the mastermind whose dastardly propaganda techniques had fooled even a man of such sound judgment as Rudy Giuliani — and found “a Donald Trump superfan and occasional sports blogger from the Bronx” named Shawn Brooks. Brooks had posted the video to two Facebook politics pages he was an administrator of, earning himself “nearly $1,000 in shared ad revenue.”

Brooks himself may have been a narratively disappointing supervillain (trolls and operators always are). But there was one striking detail to the article: Poulsen had confirmed Brooks’s identity with the help of an anonymous “Facebook official.” Someone inside Facebook had, it seems, accessed Brooks’s theoretically private user activity and used it to confirm Poulsen’s story.

Poulsen was first able to identify Brooks through a donation link attached to one of the Facebook pages that originally posted the manipulated video. But when contacted, Brooks denied being the person who’d posted the video to the page, blaming it instead on one of six other administrators. Because posts to a Facebook page by an administrator appear to users under the name of the page — without public attribution to a specific administrator — there’s no way to tell from the outside whether Brooks was telling the truth.

Unless you have a source inside Facebook. Which Poulsen apparently did. “A Facebook official,” Poulsen writes, “said the video was first posted on Politics WatchDog directly from Brooks’ personal Facebook account.” (The other administrators, according to the same official, didn’t even exist.) Remember, users can’t tell from the outside which administrator posted what posts to the page, so in order to confirm that Brooks was using his personal account, the Facebook official would need some kind of access to user activity — user activity that is, at least nominally, private. (Poulsen declined to comment on his sourcing to me; Facebook hasn’t responded to requests for comment.)

Who has this kind of privileged access to Facebook user data? It would be nice to think that only a small number of highly qualified and deeply vetted senior Facebook employees, possibly using some kind of missile-silo dual-key technology, could access “private” data. But at large companies like Facebook, which deal with users in the hundreds of millions, or billions, low-level access privileges tend to get granted fairly widely. (Remember the Twitter customer-service employee who disabled Donald Trump’s Twitter account?) As Vice has reported, even many contract employees at Facebook have access to some user information — specifically, the ability “to see which users were the administrators of Facebook Pages.” (Sound familiar?)

It’s not that every employee can see every bit of user activity. Privileges are different depending on the needs of a department, and Facebook closely tracks which employees are accessing which information — and warns them with pop-ups when they do access the info. As one employee put it to The Guardian, “The counterbalance to giving you this huge trusting environment is if anyone steps out of line, they’ll squash you like a bug.” I trust the vast majority of workers at Facebook and Google to be decent human beings (as well as upstanding employees) who will respect the understanding of privacy that most users maintain. The leak of private user data, in addition to getting employees fired, would probably be prosecutable under the broad Computer Fraud and Abuse Act. In some cases, it’s a moot point anyway; if Facebook moves all of its private messaging under the protection of end-to-end encryption, as Mark Zuckerberg has suggested it will, snooping on private messages by individual Facebook employees will become all but impossible.

But privileged access is widespread enough that abuse is a familiar phenomenon at Facebook or at any large tech company. Last year, a Facebook employee was fired for stalking women online using information he’d obtained using his access privileges; according to a Vice report, multiple people at the company have been fired for “snooping” on exes or other transgressions. Google, for its part, has fired employees for similar abuses, including one engineer who accessed Gchat conversations between a group of teenagers. Uber famously had an internal “God Mode” used by its employees to see rides taken by celebrities and politicians.

And yet it’s still exceedingly rare (to say the least) to see reporting based on Facebook employees’ privileged access to user data. On Twitter, the reporter Caroline Orr wondered if Facebook was using “its own internal data to help publicly identify a private citizen.”

Based on the wording in the article, though, it doesn’t seem like Facebook was making an official, institutional decision to confirm Brooks’s identity — rather, it seems like Poulsen had a very good source inside the company. (My guess is that Facebook’s internal security team is combing through access logs right now trying to identify all the individuals who recently took a look at the activity of Brooks or his page.)

It seems likely, in fact, that Poulsen was working with a politically motivated source — a Facebook employee or contractor willing to break access rules for the sake of quashing what they believed to be harmful misinformation. Most of the examples of privileged-access abuse we’re aware of are nonideological, involving individuals stalking or spying on other individuals for “personal,” albeit violating, reasons. The Twitter contractor who deleted Trump’s account notwithstanding, “political” abuse of privileged access — say, for tactical leaking to journalists — is much less common. For now.

Over the last few years, reporting has documented increasingly sharp political divisions at companies like Facebook and Google. Employees on both the right and the left seem to feel, with varying degrees of legitimacy, that the rich and powerful companies they work for are failing at upholding the responsibilities of their power. Heated debates about global politics routinely play out, sometimes to the point of disciplinary action, on company message boards — among employees who likely have some level of privileged access to information that users assume to be private. We know those internal debates exist because employees have been willing to provide private message board threads to journalists. How long until committed, radicalized, or just plain angry employees decide to provide private user data — of politicians, or activists, or political groups — to journalists as well? WikiLeaks was forced to rely on hackers phishing for credentials. It would be much easier to walk in and out of the front door.
