CSA U8L9 Data, Privacy, and Security

The document discusses two excerpts about privacy issues at Uber and Facebook. The Uber excerpt describes how Uber agreed to privacy audits after an FTC investigation found they did not properly protect customer data. The Facebook excerpt details how some employees inappropriately accessed user data, and describes the different levels of access employees have and policies around data use.

Uploaded by

Kalpita Acharya

CSA Unit 8 Lesson 9

Name(s) __________________________________________________ Period _______ Date _____________________

Activity Guide - Data, Privacy, and Security

Think from the perspective of a software engineer. For the data collected in each of the scenarios - Home,
School, and Hobbies, what can you do with that data? What are the risks of collecting that data?

Excerpts
Partner A should read Excerpt A and answer the questions. Partner B should read Excerpt B and answer the
questions. If you finish before your partner, start reading the other excerpt. Then, share with your partner what
you learned.

Excerpt A

Excerpted from the New York Times article "Uber Agrees to Privacy Audits in Settlement With F.T.C."

Uber has agreed to two decades of privacy and security audits to settle federal accusations that it did not keep promises
to protect customer data.

The Federal Trade Commission announced the settlement with Uber, a ride-sharing company, on Tuesday, ending an
investigation that began in 2014 when the company promised to strengthen its privacy and security. The promises were
made after a public outcry over reports that Uber employees were peering into the travel logs of customers.

The company will not face financial penalties from the deal, its second settlement with the commission this year. In
January, Uber agreed to pay the commission $20 million over accusations that it deceived drivers by exaggerating
potential earnings. The company has also been under investigation by the Department of Justice on suspicion of using a
tool to evade law enforcement.

“This case shows that, even if you’re a fast growing company, you can’t leave consumers behind: you must honor your
privacy and security promises,” said Maureen K. Ohlhausen, the acting chairwoman of the F.T.C.

In the privacy case, the F.T.C. accused Uber of two violations. The first stemmed from the company’s announcement in
2014 that it had developed an automated system to monitor employee access to consumer personal information.

The extra privacy measures were announced in response to news reports that some Uber employees were using a tool
known as “God View” to track trips taken by users. On its website and in a statement, Uber announced that it had “a strict
policy prohibiting all employees at every level from accessing a rider or driver’s data.” It said, “The only exception to this
policy is for a limited set of legitimate business purposes.”

But the commission said it found that the company did not live up to that promise. In its complaint, the commission said
that Uber stopped using its automated system of monitoring employee access to information less than a year after it was
announced and that when it was in place, the company rarely monitored it.

“The system was not designed or staffed to effectively handle ongoing review of access to data,” the commission said.

Excerpt A Questions

What were the impacts on personal privacy and security?

What was the cause?

Compare this scenario to the Open Source Bugs. What are the differences?

When your partner has finished reading their excerpt, share with them what you learned.

Excerpt B

Excerpted from the Vice article "Sources: Facebook Has Fired Multiple Employees for Snooping on Users"

On Tuesday, Facebook fired an employee who had allegedly used their privileged data access to stalk women online.
Now, multiple former Facebook employees and people familiar with the company describe to Motherboard parts of the
social media giant’s data access policies. This includes how those in the security team, which the fired employee was
allegedly a part of, have less oversight on their access than others.

The news emphasizes something that typical users may forget when scrolling through a Silicon Valley company’s service
or site: although safeguards against abuse may be in place, there are people who have the power to see information you
believe to be private, and sometimes they may look at that data.

Motherboard granted the sources in this story anonymity to speak more candidly about Facebook’s policies and
procedures. One source specifically mentioned Facebook’s strict non-disclosure agreement.

One former Facebook worker said when they joined the company multiple people had been terminated for abusing access
to user data, including for stalking exes.

Another former Facebook employee said that they know of three cases where people were fired because they mishandled
data, one of which included stalking. Typically, these incidents are not publicly reported.

As with many other businesses, data access is distributed depending on an employee’s role in a company. One source
familiar with Facebook employees’ data access told Motherboard that different teams have varying levels of access, and
that they can request additional access if required. The person added that the security team is more trusted than other
departments, and abuse there is more difficult to detect. The employee Facebook recently fired for allegedly stalking
women was a security engineer, according to Jackie Stokes, founder of Spyglass Security, who originally flagged the case
earlier this week. Engineers are trained specifically on data access policies when they join the company, according to
Facebook.

Several sources did not specify the sort of data that different types of Facebook employees could access (such as
whether certain Facebook employees can read private messages or "friends only" wall posts.) But in 2015, a Finnish
music producer and DJ visited Facebook’s L.A. campus and watched as an engineer accessed his Facebook account
without a password. In March, a Facebook employee told The Guardian “When you first get to Facebook you are shocked
at the level of transparency. You are trusted with a lot of stuff you don’t need access to.”

It’s not only full time staff who can access some non-public user data. Although certainly not the most sensitive data
potentially available to workers, a former contractor explained to Motherboard how they were able to see which users
were the administrators of Facebook Pages. While employed by Facebook, the contractor showed Motherboard he could
access this data seemingly for any page by providing non-public data for several test pages Motherboard controlled.

Facebook data is not a free-for-all though, with employees just able to grab whatever they desire without consequence,
according to one of the former employees. When accessing non-public information about a particular user—including a
log of a user’s activity—the former employee faced a pop-up asking if they were authorised to view the data and whether
they were using the tool for work purposes. The source emphasized that their access was nothing special for a Facebook
employee at that time. When a worker attempts to access sensitive data, they see a warning that reminds the worker of
Facebook's policies, and which requires them to confirm they need the requested access, according to Facebook. The
social network also has automated systems in place designed to detect and prevent any abuse, Facebook said.

“They make it very clear to you: if you go one step too far, you’ll have big problems,” the former employee told
Motherboard. Multiple sources praised the security mechanisms in place.

In a statement provided to Motherboard Tuesday, Alex Stamos, Facebook’s chief information security officer, said
“Employees who abuse these controls will be fired.”

“It’s important that people’s information is kept secure and private when they use Facebook. It’s why we have strict policy
controls and technical restrictions so employees only access the data they need to do their jobs—for example to fix bugs,
manage customer support issues or respond to valid legal requests,” Stamos said.

Facebook declined to answer a list of specific questions on how many or what percentage of employees have access to
sensitive user data.

Excerpt B Questions

What were the impacts on personal privacy and security?

What was the cause?

Compare this scenario to the Open Source Bugs. What are the differences?

When your partner has finished reading their excerpt, share with them what you learned.
