In a court hearing, a Facebook engineer said Facebook’s engineering culture is “terrifying.”
Earlier this year, Motherboard reported about an internal Facebook document that said the company has no idea where users’ data goes, and what the company is doing with it. During a previously sealed court hearing in March, two veteran Facebook engineers confirmed what the leaked document revealed.
“It would take multiple teams on the ad side to track down exactly the—where the [user] data flows,” said Eugene Zarashow, a Facebook engineering director who’s worked at the company since 2011, according to his LinkedIn profile.
“I would be surprised if there’s even a single person that can answer that narrow question conclusively,” Zarashow added, referring to the question of exactly where personal data may be stored within 55 Facebook subsystems, which were the subject of the hearing.
The hearing was part of a years-long lawsuit over the Cambridge Analytica scandal. The hearing featured Zarashow and Steven Elia, a software engineer manager who’s also worked at Facebook since 2011, according to his LinkedIn profile. The hearing was led by Daniel Garrie, who was appointed as “Discovery Special Master,” a neutral expert who’s holding hearings to resolve an impasse on whether Facebook has to produce additional documents in the case, according to the court document.
Garrie called the hearing in question with Zarashow and Elia to figure out exactly where personal data may be stored in 55 Facebook subsystems. The two engineers struggled to answer some relatively basic questions, and were surprisingly candid when talking about the results of Facebook’s open culture when it comes to developing software and systems.
“So then where does that data get stored? I mean, there has to be—I remember the SDK [Software Development Kit]. I just don’t know on the back end where it goes,” Garrie said, referring to what Facebook knows about a user’s activity on other platforms like Amazon and Facebook, and where it stores that data. “Do we have a data diagram for that? Like you develop—someone must have a diagram that says this is where this data is stored.”
Zarashow answered saying that “we have a somewhat strange engineering culture compared to most where we don’t generate a lot of artifacts during the engineering process. Effectively the code is its own design document often.”
“For what it’s worth, this is terrifying to me when I first joined as well,” Zarashow added.
A Meta spokesperson said that the company’s “systems are sophisticated and it shouldn’t be a surprise that no single company engineer can answer every question about where each piece of user information is stored.”
“We’ve built one of the most comprehensive privacy programs to oversee data use across our operations and to carefully manage and protect people’s data,” the spokesperson said in an emailed statement. “We have made – and continue making – significant investments to meet our privacy commitments and obligations, including extensive data controls.”
For privacy experts who have followed this lawsuit, the admissions made by the engineers in the hearing are damning.
“The personal data of billions of people has been absorbed into the Facebook machine—similar to a drop of ink in a lake—and the world is dealing with the real-life consequences,” Jason Kint, an outspoken critic of Facebook and CEO of Digital Content Next, a trade organization that represents journalism publishers, told Motherboard.
Kint referred to a metaphor used by a Facebook engineer in the leaked document published by Motherboard.
“We’ve built systems with open borders. The result of these open systems and open culture is well described with an analogy: Imagine you hold a bottle of ink in your hand. This bottle of ink is a mixture of all kinds of user data (3PD, 1PD, SCD, Europe, etc.) You pour that ink into a lake of water (our open data systems; our open culture) … and it flows … everywhere,” the document read. “How do you put that ink back in the bottle? How do you organize it again, such that it only flows to the allowed places in the lake?”
UPDATE, Sept. 7, 4:36 p.m. ET: This article was updated to include the Meta spokesperson’s statement.
Stay informed of the latest Cybersecurity trends, threats and developments. Sign up for our Weekly Cybersecurity Newsletter Today.
Remember, CyberSecurity Starts With You!
- Globally, 30,000 websites are hacked daily.
- 64% of companies worldwide have experienced at least one form of a cyber attack.
- There were 20M breached records in March 2021.
- In 2020, ransomware cases grew by 150%.
- Email is responsible for around 94% of all malware.
- Every 39 seconds, there is a new attack somewhere on the web.
- An average of around 24,000 malicious mobile apps are blocked daily on the internet.
- Online disclosure of 5+ million Twitter users’ stolen information - 30 November 2022
- U.S. Govt. Apps Bundled Russian Code With Ties to Mobile Malware Developer - 29 November 2022
- Researchers Quietly Cracked Zeppelin Ransomware Keys - 23 November 2022