In early 2018, a Facebook user made a public threat on the social network against one of the company’s offices in Europe.
Facebook picked up the threat, pulled the user’s data and determined he was in the same country as the office he was targeting. The company informed the authorities about the threat and directed its security officers to be on the lookout for the user.
“He made a veiled threat that ‘Tomorrow everyone is going to pay’ or something to that effect,” a former Facebook security employee told CNBC.
The incident is representative of the steps Facebook takes to keep its offices, executives and employees protected, according to more than a dozen former Facebook employees who spoke with CNBC. The company mines its social network for threatening comments, and in some cases uses its products to track the location of people it believes present a credible threat.
Several of the former employees questioned the ethics of Facebook’s security strategies, with one of them calling the tactics “very Big Brother-esque.”
Other former employees argue these security measures are justified by Facebook’s reach and the intense emotions it can inspire. The company has 2.7 billion users across its services. That means that if just 0.01 percent of users make a threat, Facebook is still dealing with 270,000 potential security risks.
“Our physical security team exists to keep Facebook employees safe,” a Facebook spokesman said in a statement. “They use industry-standard measures to assess and address credible threats of violence against our employees and our company, and refer these threats to law enforcement when necessary. We have strict processes designed to protect people’s privacy and adhere to all data privacy laws and Facebook’s terms of service. Any suggestion our onsite physical security team has overstepped is absolutely false.”
Facebook is unique in the way it uses its own product to mine data for threats and locations of potentially dangerous individuals, said Tim Bradley, senior consultant with Incident Management Group, a corporate security consulting firm that deals with employee safety issues. However, the Occupational Safety and Health Administration’s general duty clause says that companies have to provide their employees with a workplace free of hazards that could cause death or serious physical harm, Bradley said.
“If they know there’s a threat against them, they have to take steps,” Bradley said. “How they got the information is secondary to the fact that they have a duty to protect employees.”
Making the list
One of the tools Facebook uses to monitor threats is a “be on lookout” or “BOLO” list, which is updated approximately once a week. The list was created in 2008, an early employee in Facebook’s physical security group told CNBC. It now contains hundreds of people, according to four former Facebook security employees who have left the company since 2016.
Facebook notifies its security professionals anytime a new person is added to the BOLO list, sending out a report that includes information about the person, such as their name, photo, their general location and a short description of why they were added.
In recent years, the security team even had a large monitor that displayed the faces of people on the list, according to a photo CNBC has seen and two people familiar, although Facebook says it no longer operates this monitor.
Other companies keep similar lists of threats, Bradley and other sources said. But Facebook is unique because it can use its own products to identify these threats and track the location of people on the list.
Users who publicly threaten the company, its offices or employees – including posting threatening comments in response to posts from executives like CEO Mark Zuckerberg and COO Sheryl Sandberg – are often added to the list. These users are typically described as making “improper communication” or “threatening communication,” according to former employees.
The bar can be pretty low. While some users end up on the list after repeated appearances on company property or long email threats, others might find themselves on the BOLO list for saying something as simple as “F— you, Mark,” “F— Facebook” or “I’m gonna go kick your a–,” according to a former employee who worked with the executive protection team. A different former employee who was on the company’s security team said there were no clearly communicated standards to determine what kinds of actions could land somebody on the list, and that decisions were often made on a case-by-case basis.
The Facebook spokesman disputed this, saying that people were only added after a “rigorous review to determine the validity of the threat.”
Most people on the list do not know they’re on it. This sometimes leads to tense situations.
Several years ago, one Facebook user discovered he was on the BOLO list when he showed up to Facebook’s Menlo Park campus for lunch with a friend who worked there, according to a former employee who witnessed the incident.
The user checked in with security to register as a guest. His name popped up right away, alerting security. He was on the list. His issue had to do with messages he had sent to Zuckerberg, according to a person familiar with the circumstances.
Soon, more security guards showed up in the entrance area where the guest had tried to register. No one grabbed the individual, but security guards stood at his sides and at each of the doors leading in and out of that entrance area.
Eventually, the employee showed up mad and demanded that his friend be removed from the BOLO list. After the employee met with Facebook’s global security intelligence and investigations team, the friend was removed from the list – a rare occurrence.
“No person would be on BOLO without credible cause,” the Facebook spokesman said in regard to this incident.
© Noah Berger | Reuters
The Facebook campus in Menlo Park, California.It’s not just users who find themselves on Facebook’s BOLO list. Many of the people on the list are former Facebook employees and contractors, whose colleagues ask to add them when they leave the company.
Some former employees are listed for having a track record of poor behavior, such as stealing company equipment. But in many cases, there is no reason listed on the BOLO description. Three people familiar said that almost every Facebook employee who gets fired is added to the list, and one called the process “really subjective.” Another said that contractors are added if they get emotional when their contracts are not extended.
The Facebook spokesman countered that the process is more rigorous than these people claim. “Former employees are only added under very specific circumstances, after review by legal and HR, including threats of violence or harassment.”
The practice of adding former employees to the BOLO list has occasionally created awkward situations for the company’s recruiters, who often reach out to former employees to fill openings. Ex-employees have showed up for job interviews only to find out that they couldn’t enter because they were on the BOLO list, said a former security employee who left the company last year.
“It becomes a whole big embarrassing situation,” this person said.
Tracked by special request
Facebook has the capability to track BOLO users’ whereabouts by using their smartphone’s location data collected through the Facebook app, or their IP address collected through the company’s website.
Facebook only tracks BOLO-listed users when their threats are deemed credible, according to a former employee with firsthand knowledge of the company’s security procedures. This could include a detailed threat with an exact location and timing of an attack, or a threat from an individual who makes a habit of attending company events, such as the Facebook shareholders’ meeting. This former employee emphasized Facebook could not look up users’ locations without cause.
When a credible threat is detected, the global security operations center and the global security intelligence and investigations units make a special request to the company’s information security team, which has the capabilities to track users’ location information. In some cases, the tracking doesn’t go very far — for instance, if a BOLO user made a threat about a specific location but their current location shows them nowhere close, the tracking might end there.
But if the BOLO user is nearby, the information security team can continue to monitor their location periodically and keep other security teams on alert.
Depending on the threat, Facebook’s security teams can take other actions, such as stationing security guards, escorting a BOLO user off campus or alerting law enforcement.
Street sign reading ‘Hacker Way’ is seen in the parking lot of the Facebook headquarters in Menlo Park, California.Facebook’s information security team has tracked users’ locations in other safety-related instances, too.
In 2017, a Facebook manager alerted the company’s security teams when a group of interns she was managing did not log into the company’s systems to work from home. They had been on a camping trip, according to a former Facebook security employee, and the manager was concerned about their safety.
Facebook’s information security team became involved in the situation and used the interns’ location data to try and find out if they were safe. “They call it ‘pinging them’, pinging their Facebook accounts,” the former security employee recalled.
After the location data did not turn up anything useful, the information security team then kept digging and learned that the interns had exchanged messages suggesting they never intended to come into work that day – essentially, they had lied to the manager. The information security team gave the manager a summary of what they had found.
“There was legit concern about the safety of these individuals,” the Facebook spokesman said. “In each isolated case, these employees were unresponsive on all communication channels. There’s a set of protocols guiding when and how we access employee data when an employee goes missing.”
While the company is aggressive about dealing with potential threats, the risks are real. Just in recent weeks, Facebook had to deal with a bomb threat against the company’s Menlo Park campus and with an employee getting “swatted” — that’s when an attacker calls in a false emergency to get police to send an armed SWAT team to somebody’s home, a prank with potentially fatal results.
One person pointed to an incident in 2015 where the BOLO list was essential. Facebook’s security teams recognized the license plate of a suspicious car that was loitering on the company’s campus, said a former Facebook physical security employee who left the company in 2016.
The Facebook security guards kept watch on the individual until Menlo Park Police Department officers showed up, the former employee said.
They eventually arrested the driver on charges of indecent exposure for public masturbation, according to a public records request confirming the incident.