Hacker News new | ask | show | jobs
by billjings 751 days ago
> I used to work at FB and they have a team that tries to catch employees selling access like this.

For folks who aren't familiar with FB, maxrmk is absolutely right. But some more color would probably help:

When one of the privacy teams discovers a violation of this kind, the employee is generally called into a meeting with HR and fired the very next day.

A friend of mine did this inadvertently - just trying to help a real personal friend with an account issue, and inadvertently accessed a system in a way he didn't realized was a privacy violation. Months later, he was investigating data for a project, which triggered an audit. They walked him out the door the next day after finding it.

So: yeah. This is not a very good business idea.
2 comments
tdeck 751 days ago
> and inadvertently accessed a system in a way he didn't realized was a privacy violation

Sounds like they need better controls, there shouldn't be ways to inadvertently access personal data and violate someone's privacy. Particularly not at such a mature company.

link
jasonfarnon 751 days ago
I don't work there but I imagine when this happens it's because the employee needs access to the resource for some legit reasons, but accessing it for illegitimate reason is what amounts to the violation. So access controls here would amount to reviewing the reasons for the access.
link
leokennis 750 days ago
Solution would then be to ask for and log the reason for the access. Possibly with an approval needed by a second person. You can still lie about why you need access, but at least it is logged then.
link
jasonfarnon 748 days ago
I'm sure they do this--but the rogue employee still gets access and OP was saying access should be prevented in the first instance.
link
loeg 750 days ago
Meta does this.
link
loeg 751 days ago
The controls have gotten better / more explicit over time. They flash you up a pretty explicit clickthrough wall now. And there's pretty explicit training that you hand off issues for friends/family to a 3rd party engineer to handle rather than accessing user/friend data yourself.
link
tdeck 750 days ago
When I worked at Google it was literally impossible to access personal data like this in most roles, even for my own account. So it seems like meta leaves something to be desired if it's a click through and a policy.
link
loeg 750 days ago
Maybe? I don't think engineers are likely to "inadvertently" access data inappropriately with either policy.
link
itissid 751 days ago
That two letter tool at meta for profile access?
link