In a move called “very Big Brother-esque” even for a company that has come to embody Big Brother, Facebook is tracking both users and ex-employees it considers “threats” to its staff via a “BOLO” threat list – and their phones.
The social media giant “mines” its network for threatening comments, according to CNBC, which spoke to more than 12 former employees about how the company deals with perceived threats. Then, Facebook uses location data from apps installed on the phones of those users whose threats it finds credible to track those users.
Any user who publicly threatens Facebook – by showing up repeatedly on company property, penning long email threats, or even posting “improper” comments in response to public missives from CEO Mark Zuckerberg or COO Sheryl Sandberg – can end up on Facebook’s “BOLO” (“be on the lookout”) list, where hundreds languish in secrecy.
What constitutes a threat? “F*ck you, Mark,” “F*ck Facebook,” or “I’m gonna go kick your a*s” are sufficient, according to one former executive protection team employee, though another said decisions were made on a case-by-case basis and there were no hard-and-fast guidelines. Facebook claims no one is added without a “rigorous review” to determine the threat’s seriousness, but former employees agree “the bar can be pretty low.”
More ominous are the former employees who end up on the list, reported and tracked by their former colleagues. “Almost every Facebook employee who gets fired” is added to the list, according to some former employees, who characterized the process as “really subjective.” Even contractors are added to the list if they get “emotional” when their contracts end. While Facebook claims ex-employees are only added for good cause, like threatening violence or harassment, former employees asked back to interview for other positions have been denied entry due to BOLOing – and why would Facebook want to rehire someone who had threatened violence or harassed co-workers?
Facebook uses location data collected through its own app and IP addresses collected through its website in order to track BOLO-listed users, though one former employee claimed they only deployed this capability when threats were deemed “credible,” stressing users’ locations were never triangulated without reason. Still, the BOLO list included hundreds of people, as of 2016, including names, photos, locations, and a brief description of what they did to get on the list.
Facebook denied it was doing anything out of the ordinary, claiming it used “industry-standard measures to assess and address credible threats of violence against our employees and our company, and refer these threats to law enforcement when necessary” – though with Facebook’s sheer size, personal data access and tracking capabilities, it is arguably capable of setting its own “industry standards.”
“We have strict processes designed to protect people’s privacy and adhere to all data privacy laws and Facebook’s terms of service. Any suggestion our onsite physical security team has overstepped is absolutely false,” a Facebook spokesperson told CNBC – a statement bound to be taken skeptically by anyone watching the company’s track record on privacy.