In early days, Facebook reportedly played fast and loose with privacy

Employee No. 51 talks about the social network's former practice of letting staffers access any user's account with a master password.

Jennifer Van Grove Former Senior Writer / News
Jennifer Van Grove covered the social beat for CNET. She loves Boo the dog, CrossFit, and eating vegan. Her jokes are often in poor taste, but her articles are not.
Jennifer Van Grove
2 min read

Facebook was allegedly reckless with member privacy during its earliest days, according to the tales of Katherine Losse, an early Facebook employee who eventually became Mark Zuckerberg's speechwriter.

Losse, who joined Facebook as a customer support staffer in 2005, told the Guardian that employees had access to member data including passwords at the time. Though Facebook would soon add more secure systems for helping members regain access to their accounts, it initially provided support staff with a master password that enabled workers to log in to any account -- Facebook had less than 5 million members at the time -- and access messages and other data, she said.

When reached for comment, a Facebook spokesperson declined to remark on Losse's retelling of the alleged events that took place eight years ago, but said that employees do not have access to passwords.

"An audit by the Irish Data Protection Commission included a detailed review of the level of access to user data that employees have at Facebook and found that we have an appropriate framework in place. Facebook employees do not have access to users' passwords," the spokesperson said.

Losse, employee No. 51 at Facebook, left the social network in 2010 and soon became persona non grata after writing "The Boy Kings," a book that details her time at Facebook and sheds light on some of the more unflattering practices in the company's earliest days, including the master password privacy disaster.

Her latest statements to the Guardian echo claims made in the book. "Jake introduced us to the hanky application through which users' e-mails to Facebook flowed. Once we learned how the software worked, Jake taught us, without batting an eyelid, the master password by which we could log in as any Facebook user and access all their messages and data," Losse wrote in "The Boy Kings." "I experienced a brief moment of stunned disbelief: They just hand over the password with no background check to make sure I am not a crazed stalker?"

Facebook is now heavily regulated, but Losse wants users to be in the know.

"Users of social networks generally assume that they are the only ones that can access the information they input, and in most cases at most companies that is most likely not true, because at least some of the staff need to have access to user accounts in order to do their jobs," Losse told the Guardian. "There has to be a way for the staff to manage and repair user account issues, and for this reason user data within most startups, especially when they are young, is never completely locked up from company staff."

Update, 2:14 p.m. PT: With additional context.

Update #2, 5:00 p.m. PT: With statement from Facebook.