> I used to work at FB and they have a team that tries to catch employees selling access like this.
For folks who aren't familiar with FB, maxrmk is absolutely right. But some more color would probably help:
When one of the privacy teams discovers a violation of this kind, the employee is generally called into a meeting with HR and fired the very next day.
A friend of mine did this inadvertently - just trying to help a real personal friend with an account issue, and inadvertently accessed a system in a way he didn't realized was a privacy violation. Months later, he was investigating data for a project, which triggered an audit. They walked him out the door the next day after finding it.
> and inadvertently accessed a system in a way he didn't realized was a privacy violation
Sounds like they need better controls, there shouldn't be ways to inadvertently access personal data and violate someone's privacy. Particularly not at such a mature company.
I don't work there but I imagine when this happens it's because the employee needs access to the resource for some legit reasons, but accessing it for illegitimate reason is what amounts to the violation. So access controls here would amount to reviewing the reasons for the access.
Solution would then be to ask for and log the reason for the access. Possibly with an approval needed by a second person. You can still lie about why you need access, but at least it is logged then.
The controls have gotten better / more explicit over time. They flash you up a pretty explicit clickthrough wall now. And there's pretty explicit training that you hand off issues for friends/family to a 3rd party engineer to handle rather than accessing user/friend data yourself.
When I worked at Google it was literally impossible to access personal data like this in most roles, even for my own account. So it seems like meta leaves something to be desired if it's a click through and a policy.
For folks who aren't familiar with FB, maxrmk is absolutely right. But some more color would probably help:
When one of the privacy teams discovers a violation of this kind, the employee is generally called into a meeting with HR and fired the very next day.
A friend of mine did this inadvertently - just trying to help a real personal friend with an account issue, and inadvertently accessed a system in a way he didn't realized was a privacy violation. Months later, he was investigating data for a project, which triggered an audit. They walked him out the door the next day after finding it.
So: yeah. This is not a very good business idea.