Facebook's security team tracks posts, location for 'BOLO' threat list (cnbc.com)
102 points by Jerry2 38 days ago | 56 comments

>In 2017, a Facebook manager alerted the company's security teams when a group of interns she was managing did not log into the company's systems to work from home. They had been on a camping trip, according to a former Facebook security employee, and the manager was concerned about their safety.

>Facebook's information security team became involved in the situation and used the interns' location data to try and find out if they were safe. "They call it 'pinging them', pinging their Facebook accounts," the former security employee recalled.

>After the location data did not turn up anything useful, the information security team then kept digging and learned that the interns had exchanged messages suggesting they never intended to come into work that day — essentially, they had lied to the manager. The information security team gave the manager a summary of what they had found.

So basically, if a Facebook manager couches their request as concern for your safety, they can track your location on your personal account to uncover where you are? This makes me uneasy.

Maybe I'm naive, but I used to work at Google and I'm 100% certain that back then if someone inside the company had used data in this way they would have been fired unconditionally and immediately.

Now I wonder whether the companies are different or the times are.

>if someone inside the company had used data in this way they would have been fired unconditionally and immediately.

Unless they're an exec, then they might negotiate an exit package or it wouldn't get to that point.

Didn't the Google Exec who was most recently in the news for sexual misconduct misuse data?

>Didn't the Google Exec who was most recently in the news for sexual misconduct misuse data?

I'm not aware of that angle but if you know more info I'd love to read about it.

I've also seen the reverse: a VP makes the request and it is never questioned if you value your job. The answer is always, "yes sir".

Because google is any different from facebook? So sick of the google PR here. Facebook is following in google's footsteps. Anything facebook has done, google has done. Not only that, google has far greater ties to government and a particular political party.

Google's real motto is "Be as evil as I can be". Facebook's motto is "Be like google".

The last line in the comment you responded to is, and I quote:

"Now I wonder whether the companies are different or the times are."

I think that makes it clear that I'm at least asking the question you led with (but do not appear to have read far enough in what I wrote to see...).

The accusation that I'm affiliated with Google PR is way off base and that should have been superficially obvious from what I wrote above. I suspect and hope, but cannot prove, that your other assertions are similarly wrong.

I answered your question. My assertion is that neither the times nor the companies are different. Google was always evil. And facebook has always followed in google's footsteps.

And I wasn't accusing you of being part of Google's PR team. I'm saying I am sick of the Google PR that I see here, especially in relation to Facebook. Every time people bring up Facebook, someone always tries to imply Google is better.

Although the quote doesn't mention and I don't know for sure, I bet this was via the internal Facebook employee app, not the production Facebook product app. That said, I wouldn't be surprised if they did read production messages afterwards (at least when I worked there it was quite explicit that FB reserved the right to review employee-to-employee conversations on messenger).

There's what the company reserves the right to do (so you can't win civil tort damages in a suit), and then there's what is acceptable behavior by individual employees. Not the same. The company has the right to peek at data they hold, but most individual employees don't.

It's Facebook. Are you surprised in the least?

It’s probably the “safety check” feature here: https://en.m.wikipedia.org/wiki/Workplace_by_Facebook#Workpl...

Those were employees, to be fair.

Employees are not property.

But the employer was monitoring the employee's activities on company-owned infrastructure... (I think the messaging is a different story than the location data)

Personal accounts, especially private chat messages on said accounts, should not be dug through at a manager's whim. Sure, an employee should know better than to use a chat platform from their own company when off the clock, but it's still scummy of Facebook to trawl PMs.

Five years ago when I worked there, the Messenger interface had a "recording" icon with a tooltip saying "All employee:employee conversation is recorded". You can argue that it's scummy, but they are very up-front about it.

"Private chat messages" are one thing, and I think you may have something because Facebook is so ubiquitous, but for the sake of argument (and I don't know if this is true) assume that the employees were required to have work accounts on the company platform, and using their work accounts... this seems like a boogeyman scenario because Facebook, and we all have Facebook accounts, and love to hate Facebook for their privacy violations, which are real.

But we are talking about employees communicating on the corporate platform.

This gets a lot clearer cut in my opinion if instead of Facebook, we say EvilCorp, and instead of "chat messages" we say we're talking about "company emails."

If I send my coworker at EvilCorp a number of emails on their work account on Tuesday about how we're totally going to get drunk on Wednesday instead of going to work, and they respond in agreement, do you still have a problem with the employer digging through those comms when the employees do a No-Call No-Show on Wednesday?

I mean this seriously; if you're going to coordinate your planned truancy-from-work event with other co-workers and use work email to do it, you should expect to get caught. You might find it scummy, but I don't think there's a court in the world that is going to declare that it was illegal, except maybe in Germany or some other country with super-privacy laws. Educate me for sure, if you know I'm wrong.

And even then, I suspect that there's a language they could include in their Employee Handbook that would make it OK. The company network is for company business. You're not usually entitled to hide your work-product from your boss. More seriously, something in the art of OpSec is lost today. If you work at Facebook and do this, at least use Hangouts.

I got lots of agreement (upvotes) for my comment above, "it's a company platform" with no explanation.

Then I elaborated and said the same thing, but more detail. This comment got one downvote and no replies.

Explain yourself please, whoever downvoted. I want to believe that you aren't just downvoting because you disagree.

Interns might be a special case. They're younger, and the company has something of a duty of care.

They absolutely do not. Interns are adults, not children.

There's a paragraph here where they talk about reviewing private messenger conversations between interns after they didn't show up for work one day.

That feels pretty invasive. Facebook tried to couch it in "genuine concern" for their safety. I'm not sure that holds water with anyone who's familiar with the workplace culture inside Facebook.

On that particular aspect: all Facebook employees (and I believe interns) when they write on Messenger to other employees have an on-screen reminder that their conversations are considered work product and can be monitored or reviewed. At least, that was the case when I was there, I can’t think it has changed. I’m assuming this has to do with a lot of well documented legal reasons (insider trading, sexual harassment, etc.) De facto, hardly any conversation goes through email: salary, pension, that kind of things almost exclusively. Project progress, being cancelled, blockers, all that goes through an internal version of Facebook (now Workplace, when I was there, a subset of the main Facebook). It made sense that all that is deemed work product for the company.

I would be more surprised if they had access to conversation with outsiders.

On the “genuine concern”, I joined several months after Snowden’s revelations. The security team was (and I’m assuming still is) very aware that State agents might try to access employee credentials. Overall, the company is very considerate for employees, typically no matter the cost (e.g. the freezing eggs things) and quite conscious to respect boundaries--but I would expect that a small chance that a hostile Nation state escalated to kidnapping employees is a stretch but not a big one. I’m a little surprised because the company prides itself on not judging, and actually doesn’t care much about time spent in the office. Interns might be given a shorter lead there.

With E2E encryption introduced to Messenger since a lot of that could have changed.

> On that particular aspect: all Facebook employees (and I believe interns) when they write on Messenger to other employees have an on-screen reminder that their conversations are considered work product and can be monitored or reviewed. At least, that was the case when I was there, I can’t think it has changed.

Do Facebook employees have separate Facebook accounts for work? My impression was that they don't, but I could be wrong.

If they're forced to use their "personal" account for work-related functions, I think that raises all kinds of privacy concerns that probably should negate the principle that employer ownership authorizes monitoring.

They do need a FB account to access all internal systems, but that can be a separate account from their private one.

> They do need a FB account to access all internal systems, but that can be a separate account from their private one

Is there an exception in the TOS for that? It's my understanding that they forbid regular users from creating multiple accounts, though enforcement of the rules is pretty ineffective.

That rule is strictly enforced for employees. It is meant to avoid fake accounts. The work accounts (known as Workplace accounts) are created on a separate service and namespace. They are clearly considered distinct. You can toggle between them when authenticating, not unlike Google and Google for Business.

The particularity of Facebook is that the service emerged from internal use, so Facebook internal (a subset of the main Facebook) was (or is) tied to Facebook Workplace. The technical implementation was… hacky when I was there. I hope it’s cleaner now.

Every company that uses the service has a service that is clearly distinct from Facebook (with black rather than blue branding). I’ve worked for four client companies with their own, including two (subsidiaries) at the same time, so I have my own personal account; the Facebook Workplace account is deactivated but my comments are still visible internally; three more deactivated accounts and my current one. I used to have to toggle between three accounts and that was rather seamless.

I doubt it's multiple accounts on the exact same service. I'm guessing fb.com is a near-clone of facebook.com's codebase, personal accounts are facebook.com accounts, and work accounts are fb.com accounts.

Maybe it's a separate database, but cloning the code is a terrible idea.

Employees != regular users

>On that particular aspect: all Facebook employees (and I believe interns) when they write on Messenger to other employees have an on-screen reminder that their conversations are considered work product and can be monitored or reviewed.

Were they limiting themselves to the internal tools? I got the impression they could have used personal FB accounts.

Hearsay from folks I know at FB - you use your personal account at work. There's no work account/personal account split.

That would be consistent with everything I've seen from them as a developer. One of the most common recurring requests on the Facebook Developers Facebook Group is when someone has all of their privileges for app development on the FB API revoked because Facebook found they were using a second "company account" or "developer account" for managing their app. Facebook sees those as "fake accounts" which are prohibited under their policy/TOS. You get only one account for anything personal or business-related, and doing otherwise risks having everything thrown into the black hole of "everything has been revoked, and no human will tell me why or how to fix it"

This seems insane. How is a large company that has any sort of employee churn supposed to maintain something on Facebook? You're inevitably chasing former employees to get access to stuff your company built for the platform...

The idea is that you don't link your company stuff to an individual user account with a single username/password that gets shared - you link your company stuff to a Page, and list multiple people with their own accounts as Page admins

Sounds like a great way for 1 angry employee to hijack a Facebook page.

This is incorrect, employees have a workplace account for work.

To clarify, it used to be the case that you used your personal account for work, but facebook now uses their enterprise "workplace" version of facebook internally. The accounts are still linked, but silo-ed in such a way that you can't use them interchangeably.

Interesting, I guess I assumed there would be some sort of internal Slack like application for work related communications.

The article (or at least my reading of it) made it seem like these were straight-up standard FB Messenger chats.

And here we go again, do you feel surprised that Slack admin can read all private slack messages sent between the members?

When will Facebook bashing stop? It's well within FB's right to read their employees' evil scheming tricks.

Learn to read, mate. I was clearly referring to Facebook Messenger chats, a product which, while used for work at Facebook, is used privately by the vast majority of folks.

First thing it made me think of is when the YouTube offices were shot up by a gunwoman who was apparently upset about their changes in monetization policies.

Of all the companies to 'hate', I'd expect FB to be a much larger target than YT.

Did that woman make a specific threat though? Lots of people say Fuck Zuck on the internet, but it sounded like they restricted it to people who got specific or had other reasons (fired employee, contractor who's mad their contract wasn't renewed).

The idea of a blacklist makes me uneasy, but for example I will state on the record I think Mark Zuckerberg is a big doo doo head, but I don't think if someone tied this nym to my real name I'd be banned from FB's campus.

Outside of IG influencers (?), FB doesn't really offer a platform for individuals to make money like they can on YouTube

There's a lot of MLM/self-help type scams that use Facebook to grow their base that I could see as similarly upset if they were banned or otherwise demonetized.

I suspect that the psychology of an activist making money via legit video monetization is different from a black-hat SEO scammer.

Really though, you can't point to logical reasons for a mass attack against strangers. Someone mentally unstable enough to do that could be triggered by anything.

Does FB have an AdSense-like offering?

> "No person would be on BOLO without credible cause," the Facebook spokesman said in regard to this incident.

A bit of backwards logic to justify the list contents, eh?

I'm having trouble making sense of your comment. If your company knew about credible threats ( disgruntled employees, bomb threats, etc ) wouldn't you have a BOLO list? How is that backwards logic at all?

The validity of a list entry is not related to the existence of the list itself, but the reason a person added them to the list.

The article gives an example of an individual who may not have deserved to be on the list. By stating "No person would be on BOLO without credible cause", they are using a circular logical fallacy (begging the question?) to dismiss any possibility that there may be mistakes made in managing that list.

Circular logic is "No person would be on BOLO without credible cause, and the credible cause is that they're on BOLO". What they're saying is that there is a valid reason for each person on the list to be on it. You can take issue with that as a matter of factual accuracy, but there's no tortured use of language happening.

Their justification for spying on these people is that they believe they need to spy on these people.

It’s cool that they’re not just picking people at random, but they are engaging in a level of electronic surveillance that would require a warrant if they were a government agency. Do they share this BOLO list with outside groups? Do they share the surveillance results with law enforcement or other people?

It’s disturbing behavior from an utterly disingenuous corporation. Zuck is like an incompetent Lex Luthor. We should expect him to announce a run for the presidency soon.

First of all, shit like this year after year is why I don't use fb or insta.

That said, if somebody went on one of my websites and commented that they were mad at me and planned to show up at my house and do nefarious things, well, yes I certainly would be on the lookout for that person.

> The company's information security team is capable of tracking these individuals' whereabouts using the location data they provide through Facebook's apps and websites.

> But Facebook is unique because it can use its own products to identify these threats and track the location of people on the list.

This is so scary. That the company feels entitled to use that user data in any way they please is horrifying.

I would not be surprised if they are also using internal data to spy on spouses or exes, to stalk people, etc. Once the ethics of a company like this are zero, the possibilities are infinite.

This is why more regulation like the GDPR is needed. And also a closer supervision of the big tech companies.
