Earlier this week, Paavo Siljamäki, director at the record label Anjunabeats, told a very interesting story about an interaction with a Facebook engineer logging into his account without entering his account credentials. We got in touch with Facebook to learn when exactly the company’s employees can perform such actions.
Here is Siljamäki’s account of what happened:
Today’s thought provoking story; Popped to Facebook offices in LA, the nice people there were giving us good advice on how to use Facebook better. I was then asked if i’m ok for them to look at my profile, i said ‘sure’. A Facebook engineer can then log in directly as me on Facebook seeing all my private content without asking me for the password.
Just made me wonder how many of Facebook’s staff have this kind of ‘master’ access to anyone’s account? What are the rules on who and when they can access our private content and how would we know if someone did? (My facebook did not notify me that someone else accessed my private profile).
In short, Siljamäki says he was asked if a Facebook employee could “look” at his profile, to which he gave permission. The engineer then accessed the account without entering Siljamäki’s password.
A Facebook spokesperson gave us the following statement:
We have rigorous administrative, physical, and technical controls in place to restrict employee access to user data. Our controls have been evaluated by independent third parties and confirmed multiple times by the Irish Data Protection Commissioner’s Office as part of their audit of our practices.
Access is tiered and limited by job function, and designated employees may only access the amount of information that’s necessary to carry out their job responsibilities, such as responding to bug reports or account support inquiries. Two separate systems are in place to detect suspicious patterns of behavior, and these systems produce reports once per week which are reviewed by two independent security teams.
We have a zero tolerance approach to abuse, and improper behavior results in termination.
In short, Facebook has a customer service tool that can grant access to a user’s account. That said, it is apparently heavily monitored and controlled, requires consent from the user, and can only be used in specific cases by a select group of employees.
If you are among those Facebook employees whose job responsibilities require you to use this tool, you’re given a stern warning when you’re hired. In layman’s terms, the easiest way to get fired is to abuse this tool. Abuses of power are always possible, however, and that’s why Facebook says it keeps a tight lid on this tool.
As for the case above, the Facebook employee in question was responding to a specific problem Siljamäki had and got permission to resolve the issue. In other words, unless you’re asking Facebook for help with something and have given permission, you probably don’t need to worry about a Facebook employee accessing your account.
On the flipside, Facebook is a service that resides on the web. As such, all Internet rules apply to Facebook, including: If you’re worried about keeping something completely private, don’t put it online.