It happened again last month. An employee at a big tech company—this time Facebook—got caught rifling through users’ personal profiles for his own amusement. The incident was doubly creepy because he used his access to stalk women, and even bragged about it to a potential Tinder date.
Facebook fired the unnamed engineer after his would-be date shared his texts with a security researcher who deduced his identity and reported him to the company.
The case of the creepy Facebook engineer is reminiscent of an earlier scandal at Uber in which employees boasted about “God View,” their name for a setting that let them watch customer movement in real time. The Uber workers liked to flaunt “God View” at parties, or use it to track ex-girlfriends or celebrities like Beyoncé.
While Facebook doesn’t use the term “God View,” its workers do employ a megalomaniacal phrase of their own—”Sauron alerts”—to describe a tool that lets them know when another employee looks at their profile. As the Wall Street Journal reports:
[A]ny time a Facebook employee accesses a colleague’s personal profile, the colleague is notified through what is often referred to within the company as a Sauron alert—a reference to the all-seeing eye in the The Lord of the Rings trilogy, people familiar with the matter say.
Similar protections don’t exist for the two billion-plus Facebook users who don’t work for the company, the people said.
As the Journal article points out, the stalking incident underscores a stark difference in the privacy protections afforded to those who work for services like Facebook and those who are mere customers. More broadly, the situation raises questions about whether regulators and lawmakers should do more to address the “God View” problem.
Who gets access to your account?
Tech companies like Facebook and Google have long taken a tough stance when it comes to letting outside parties see a customer’s account. In the name of privacy, the companies regularly rebuff requests from law enforcement and even family members (in the case of deceased users) to turn over data. This is understandable given the deeply personal information, including photographs and direct messages, such accounts contain.
Less clear is how vigilant these tech companies are at keeping their own employees away from private information. In case of Uber, the answer was not at all under former CEO Travis Kalanik, who fostered a notorious bro-culture at the company.
Facebook, though, likely provides a more typical example. According to an executive, the company takes pains to prevent employees from abusing customer data:
“[W]e have strict policy controls and technical restrictions so employees only access the data they need to do their jobs – for example to fix bugs, manage customer support issues or respond to valid legal requests. Employees who abuse these controls will be fired,” Facebook’s soon-to-depart security chief Alex Stamos told TechCrunch.
Other companies have similar policies to restrict employee snooping. Nonetheless, it’s hard to tell how well such policies work. Is Google able to prevent every employee from spying on the searches of Taylor Swift or LeBron James? Can Amazon ensure all of its workers don’t snoop on customers’ purchases? We just don’t know.
And, as the example of the creepy Facebook engineer shows, the policies that exist are hardly airtight. This raises the question of whether new laws are needed to address a potentially gaping privacy hole.
“Employee Peeking” and the law
In the era of Facebook and Uber, the ability of rogue employees to dig into the lives of ordinary people is unprecedented. But the problem is hardly new. William McGeveran, a privacy expert at University of Minnesota law school, cites a 1998 case in which a Wal-Mart photo employee copied a customer’s nude pictures, and shared them around town. The customer successfully sued for invasion of privacy, but a court ruled she could only seek damages from the employee not Wal-Mart—an outcome that basically left her empty-handed since the employee had little money.
The Wal-Mart case was decided under state law, however, and it’s unclear if it would be relevant to the case of the Facebook engineer.
A different type of legal response to “God View” or “Sauron” situations could come in the form of criminal law.
“This is the sort of situation in which federal prosecutors have sometimes turned to the criminal provisions of the Computer Fraud and Abuse Act,” said McGeveran. “An employee who went “beyond authorized access” as in the Facebook and Uber cases could be prosecuted criminally for it under the CFAA. I bet we could see a prosecutor try that in one of these ’employee peeking’ cases.”
He added, however, that he is uncomfortable with such an approach given that prosecutors have repeatedly been heavy-handed in their use of the law in question. Other possible options, he says, include state criminal laws such as the one Missouri prosecutors are using against the state’s governor, who allegedly took explicit picture of his mistress without her consent.
Andrew Crocker, an attorney at the Electronic Frontier Foundation, said a CFAA case would be difficult, in part because the law is premised on unauthorized access to information—and some courts have ruled that workers who have access to data for one purpose (such as security) do not breach the CFAA if they use that access for another purpose (like spying).
Crocker adds that Congress, in the wake of the recent Cambridge Analytica scandal, is exploring new measures to protect consumer data, and that some of these measures could limit employee access to data.
Any legal measure, however, still depends on people finding out about the “employee peeking” in the first place. And right now, there appears to be little incentives for companies to go public when they discover such misdeeds.
One solution could be for the government to introduce whistleblower rewards for those who expose employee spying. Such awards, which give the whistleblower a cut of any fines imposed upon a company, regularly serve to expose wrongdoing in the pharmaceutical and financial industries. But in the absence of a specific law directed at abuse of data by employees, such whistleblowing is unlikely to expand to the tech industry anytime soon.
The bottom line, for now, is consumers can do little more than hope that tech company employees are benevolent in their use of God View.
