An Ugly Truth: Inside Facebook’s Battle for Domination is a behind-the-scenes exposé by journalists Sheera Frenkel and Cecilia Kang that offers the definitive account of Facebook’s fall from grace. In this exclusive extract, they show how engineers would access users’ private information – including women they were dating – for over a decade
It was late at night, hours after his colleagues at Menlo Park had left the office, when the Facebook engineer felt pulled back to his laptop. He had enjoyed a few beers. Part of the reason, he thought, that his resolve was crumbling. He knew that with just a few taps at his keyboard, he could access the Facebook profile of a woman he had gone on a date with a few days ago. The date had gone well, in his opinion, but she had stopped answering his messages 24 hours after they parted ways. All he wanted to do was peek at her Facebook page to satisfy his curiosity, to see if maybe she had gotten sick, gone on vacation, or lost her dog – anything that would explain why she was not interested in a second date.
He logged on to his laptop and, using his access to Facebook’s stream of data on all its users, searched for his date. He knew enough details – first and last name, place of birth, and university – that finding her took only a few minutes. Facebook’s internal systems had a rich repository of information, including years of private conversations with friends over Facebook Messenger, events attended, photographs uploaded (including those she had deleted), and posts she had commented or clicked on. He saw the categories in which Facebook had placed her for advertisers: the company had decided that she was in her thirties, was politically left of centre, and led an active lifestyle. She had a wide range of interests, from a love of dogs to holidays in Southeast Asia. And through the Facebook app that she had installed on her phone, he saw her real-time location. It was more information than the engineer could possibly have gotten over the course of a dozen dinners.
Facebook’s managers stressed to their employees that anyone discovered taking advantage of their access to data for personal means, to look up a friend’s account or that of a family member, would be immediately fired. But the managers also knew there were no safeguards in place. The system had been designed to be open, transparent, and accessible to all employees. It was part of Zuckerberg’s founding ethos to cut away the red tape that slowed down engineers and prevented them from producing fast, independent work. This rule had been put in place when Facebook had fewer than one hundred employees. Yet, years later, with thousands of engineers across the company, nobody had revisited the practice. There was nothing but the goodwill of the employees themselves to stop them from abusing their access to users’ private information.
During a period spanning January 2014 to August 2015, the engineer who looked up his onetime date was just one of 52 Facebook employees fired for exploiting their access to user data. Men who looked up the Facebook profiles of women they were interested in made up the vast majority of engineers who abused their privileges. Most did little more than look up users’ information. But a few took it much further. One engineer used the data to confront a woman who had travelled with him on a European holiday; the two had gotten into a fight during the trip, and the engineer tracked her to her new hotel after she left the room they had been sharing. Another engineer accessed a woman’s Facebook page before they had even gone on a first date. He saw that she regularly visited Dolores Park, in San Francisco, and he found her there one day, enjoying the sun with her friends.
The fired engineers had used work laptops to look up specific accounts, and this unusual activity had triggered Facebook’s systems and alerted the engineers’ managers to their transgressions. Those employees were the ones who were found out after the fact. It was unknown how many others had gone undetected.
The problem was brought to Mark Zuckerberg’s attention for the first time in September 2015, three months after the arrival of Alex Stamos, Facebook’s new chief security officer. Gathered in the CEO’s conference room, “the Aquarium”, Zuckerberg’s top executives had braced themselves for potentially bad news: Stamos had a reputation for blunt speech and high standards. One of the first objectives he had set out when he was hired that summer was a comprehensive evaluation of Facebook’s current state of security. It would be the first such assessment ever completed by an outsider.
Among themselves, the executives whispered that it was impossible to make a thorough assessment within such a short period of time and that whatever report Stamos delivered would surely flag superficial problems and give the new head of security some easy wins at the start of his tenure. Everyone’s life would be easier if Stamos assumed the posture of boundless optimism that pervaded Facebook’s top ranks. The company had never been doing better, with ads recently expanded on Instagram and a new milestone of a billion users logging on to the platform every day.
Instead, Stamos had come armed with a presentation that detailed problems across Facebook’s core products, workforce, and company structure. The organisation was devoting too much of its security efforts to protecting its website, while its apps, including Instagram and WhatsApp, were being largely ignored, he told the group. Facebook had not made headway on its promises to encrypt user data at its centres – unlike Yahoo, Stamos’s previous employer. Facebook’s security responsibilities were scattered across the company, and according to the report Stamos presented, the company was “not technically or culturally prepared to play against” its current level of adversary.
Worst of all, Stamos told them, was that despite firing dozens of employees over the last eighteen months for abusing their access, Facebook was doing nothing to solve or prevent what was clearly a systemic problem. In a chart, he highlighted how nearly every month, engineers had exploited the tools designed to give them easy access to data for building new products, to violate the privacy of Facebook users and infiltrate their lives. If the public knew about these transgressions, they would be outraged: for over a decade, thousands of Facebook’s engineers had been freely accessing users’ private data. The cases Stamos highlighted were only the ones the company knew about. Hundreds more may have slipped under the radar, he warned.
Zuckerberg was clearly taken aback by the figures, and upset that the issue had not been brought to his attention sooner. “Everybody in engineering management knew there were incidents where employees had inappropriately managed data. Nobody had pulled it into one place, and they were surprised at the volume of engineers who had abused data,” Stamos recalled. Why hadn’t anyone thought to reassess the system that gave engineers access to user data, Zuckerberg asked. No one in the room pointed out that it was a system that he himself had designed and implemented. Over the years, his employees had suggested alternative ways of structuring data retention, to no avail. “At various times in Facebook’s history there were paths we could have taken, decisions we could have made, which would have limited, or even cut back on, the user data we were collecting,” said one longtime employee. “But that was antithetical to Mark’s DNA. Even before we took those options to him, we knew it wasn’t a path he would choose.”
One executive was noticeably absent from the September 2015 meeting. Only four months had passed since the death of Sheryl Sandberg’s husband. Security was Sandberg’s responsibility, and Stamos technically fell under her purview. But she had never suggested, nor been consulted about, the sweeping changes he was proposing. Stamos prevailed that day, but he made several powerful enemies.
*Read an interview with the authors here
This exclusive extract is from An Ugly Truth: Inside Facebook’s Battle for Domination by Sheera Frankel and Cecilia Kang (The Bridge Street Press). RRP £20. Buy now for £16.99 at books.telegraph.co.uk or call 0844 871 1514