by BigBubbleButt 1799 days ago
This is completely unethical and unreasonable. It's like arguing that police don't need more accountability because it makes it harder for them to do their jobs, and most of them aren't bad people, so who cares about a few bad apples?

Yeah it sucks, but it's part of the job. Start thinking about the people you're supposedly serving instead of yourself first. I'm pretty sure that the overwhelming majority of facebook users want to hear about tighter privacy protections at facebook, not fewer.


They are well audited already. Does every step possible need to be taken to ensure that no data can be leaked ever? No.

You can walk out your door right now and hop on a bus. That driver has a CDL, a good first step. But how do we know that the driver isn't drunk? Through threat of possible audit (breathalyzer) after any incident. We don't test them before handing them the keys every day.

We trust people all the time with things far more critical than a facebook user's data, and we audit them far more loosely, if at all.

> "completely unethical and unreasonable"

This seems to be influenced by the belief that tech is some utopia where everything is solvable and the world will be a better place. There is room for good enough in trust.

There is a big difference between throwing guardrails up so people don't do wrong and beating them down with requests for permission over and over all day during their work, driving home the point they can't be trusted. Eight hours a day of being told you can't be trusted is about more than the worker's convenience -- it's about their morale at least and possibly their mental health. It also instills the attitude of "if I can do it, it's legal, because otherwise they would have stopped me from doing it."

This isn't beating anyone up. In any mature development environment, you should almost never have to touch production. When writing new features, you should be running against a test environment without real user data. When investigating and trying to repro bugs, you should be trying against a test environment. If the repro is tricky, the errors returned should have enough information to not need to access prod. And so on and so on.

I work at a competitor to Facebook in a user-facing service and have these kinds of restrictions in place (must request access with justification, otherwise I literally don't have ACLs to see the data). It's a non-issue because I run into it at most 1-2 times a month, usually far less.
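As an added illustration of the "request access with justification" arrangement described in the comment above (example code, not the commenter's or any real system's): a toy just-in-time access broker that denies by default, refuses blank justifications, caps grant lifetime, and records every decision in an audit trail. The principal names, the `prod-db` resource and the ticket text are constructed placeholders.

```python
"""Toy just-in-time access broker: default-deny, justification required,
time-limited grants, and an append-only audit trail of every decision."""
import time
from dataclasses import dataclass, field

@dataclass
class Grant:
    principal: str
    resource: str
    justification: str
    expires_at: float   # epoch seconds

@dataclass
class AccessBroker:
    max_ttl: int = 3600                      # hard cap on any grant, in seconds
    grants: list = field(default_factory=list)
    audit_log: list = field(default_factory=list)

    def _log(self, event, principal, resource, detail=""):
        # Every decision, allow or deny, lands in the audit trail.
        self.audit_log.append({"event": event, "principal": principal,
                               "resource": resource, "detail": detail})

    def request(self, principal, resource, justification, ttl=None, now=None):
        """Grant time-limited access; a blank justification is refused."""
        now = time.time() if now is None else now
        ttl = self.max_ttl if ttl is None else min(ttl, self.max_ttl)
        if not justification.strip():
            self._log("denied", principal, resource, "missing justification")
            return None
        grant = Grant(principal, resource, justification, now + ttl)
        self.grants.append(grant)
        self._log("granted", principal, resource, f"{justification} (ttl={ttl}s)")
        return grant

    def check(self, principal, resource, now=None):
        """Default deny: only an unexpired grant for this principal/resource allows."""
        now = time.time() if now is None else now
        matching = [g for g in self.grants
                    if g.principal == principal and g.resource == resource]
        if any(now < g.expires_at for g in matching):
            self._log("allowed", principal, resource)
            return True
        reason = "grant expired" if matching else "no grant"
        self._log("denied", principal, resource, reason)
        return False

if __name__ == "__main__":
    b = AccessBroker()   # constructed sample: a 30-minute grant, checked twice
    b.request("alice", "prod-db", "repro ticket #123", ttl=1800, now=0)
    print(b.check("alice", "prod-db", now=600), b.check("alice", "prod-db", now=2000))
    for entry in b.audit_log:
        print(entry)
```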

> Does every step possible need to be taken to ensure that no data can be leaked ever? No.

Which person you're replying to demanded perfect security?

> This seems to be influenced by the belief that tech is some utopia where everything is solvable and the world will be a better place.

I am not the person you're replying to, but the claim has nothing to do with utopianism. It has to do with the claim that reasonable safeguards and auditing when dealing with sensitive data are possible, so that users can have (some degree of) confidence in the operation while workers go about their authorized jobs. This is hardly rocket surgery. Or novel.

What some people seem to be taking issue with is that their company might not trust them as much as they think they should be trusted. My advice to them would be to stay in small companies - if you're below the Dunbar number, you can personally evaluate each other and develop trust that way. In larger orgs, you need policy and enforcement, it is just how people are wired.

If we take your argument further, all engineers should be given the root password to all production servers and we should simply trust them (and keep logs) to not use the password?

Access control is something so central to IT systems that I'm frankly dumbstruck that someone would argue against it on HN.

If you don't need access, you shouldn't have it.

If you do need it to do your job, you shouldn't have to run to your manager several times a day to make a request to do it. You should have root or whatever is necessary and it can be audited.

I'm not arguing against access control. I'm arguing for those with responsibility to work to be given the commensurate authority to do their work -- with auditing even.

Who are these hypothetical employees who need to access customer data multiple times per day? If there are more than 5 of them in your O(1000) organization you have serious issues.

For 99.9% of employees, accessing customer data should absolutely be a "talk to your manager" level of occurrence, and each time it happens the manager should ask why it was necessary and what logging you need to add such that you don't need to do it again.