Facebook's 'Sauron alert' protects staff against privacy breaches

Regular users don't have the option yet, though.

The news that Facebook fired an engineer who abused his power to stalk women has raised a question: can the social network raise alarm bells if one of its workers accesses private data? The answer appears to be yes -- though you'll currently have to work at Facebook to get a warning. The Wall Street Journal has learned that Facebook has a "Sauron alert" (yes, like Lord of the Rings' oppressive eye) that notifies employees when other staffers access their personal profiles. Everyday users only get notices of unusual login behavior, which could prove worrying if there is a case of abuse. However, Facebook may have a solution in the long run.

A spokesperson told the WSJ that Facebook has talked about offering "something similar" to Sauron for everyone, not just its own workers. The challenge is considering the implications, the company said. It doesn't want to alert "bad actors" or spark "real world harm," such as retaliation from an abusive partner.

The company's internal policies are already designed to curb at least some abuse. Only a handful of employees have access to data without triggering the usual login alert, and those people are "closely monitored," the WSJ's sources said. When they use their powers to access other accounts, they're required to provide a valid reason for looking at a profile (managers inspect those reasons later) and ideally get permission in writing. If a worker ever gets one of those alerts, they can track down the reasoning in a bug report or talk to Facebook's security team. "Multiple" workers have been fired over the years as a result.

There were already clues this system existed. Paavo Siljamäki, part of the trance trio Above & Beyond, noted in 2015 that Facebook didn't need his login details after he gave them permission to access his account. This appears to be the first time outsiders have learned the extent of Facebook's access and its ability to fight abuse, however. And the stalking incident exacerbates things -- there's a clear gap between safeguards for Facebook staff and everyday users, and there are instances where users could benefit from that added protection.