Facebook caught an office intruder using the controversial surveillance tool it just blocked

When it was revealed that police used Geofeedia to track protesters, Facebook cut off access to its data. But Facebook was a Geofeedia customer too.

When it was revealed last week that police used a social media monitoring program to track protestors, it inspired outrage, and major tech companies immediately cut off API access for the tool. But at least one of those companies had prior opportunity to know what the tool, Geofeedia, was capable of. According to three former Geofeedia employees who spoke with The Verge, Facebook itself used the tool for corporate security. Facebook, according to two of the sources, even used Geofeedia to catch an intruder in Mark Zuckerberg's office.

A blog post describes a "trespasser" in the office of a major social media company CEO

Geofeedia has touted itself as a security and marketing tool, allowing law enforcement or private companies to aggregate and search event- or location-related posts across services, including Facebook, Twitter, Instagram, and YouTube. Its use by law enforcement has proven the most controversial: police went so far as to use the tool with facial recognition to identify protesters with outstanding warrants.

In an April 2015 blog post, Geofeedia described a success story from one of its corporate clients. "A major social media company used Geofeedia in its GSOC [Global Security Operations Center] to identify a trespasser in its CEO's office," the post reads. "The trespasser had been taking photographs in the office and uploading them via his mobile phone while in the office. The security team saw the post, and were able to confront trespasser in the office minutes after the photo was posted."

According to two of the former Geofeedia employees, that CEO was Mark Zuckerberg.

"When talking about the social media sources Geofeedia had, they would say we have Facebook as a source as well as a customer," one former employee said. "They would kind of imply that we had a special relationship with Facebook because they were a customer."

"They would kind of imply that we had a special relationship with Facebook because they were a customer."

Last week's ACLU report focused on Geofeedia's use by law enforcement agencies, which was widespread; in emails obtained by the ACLU, the company boasted it had more than 500 such clients. After being contacted by the ACLU, Facebook revoked Geofeedia's access to the APIs for both Facebook and Instagram.

"Last month, we terminated Geofeedia's access to our APIs because it was using these APIs in ways that were not authorized and which violated our policies," a Facebook spokesperson said in a statement to The Verge. "Specifically, Geofeedia is required to get our approval before giving new clients access to our data." The company directed The Verge to its Platform Policy, which says no developer may "sell, license, or purchase any data obtained from us or our services" or "put Facebook data in a search engine or directory" without permission.

Facebook cited its terms against reselling data without permission

Facebook confirmed it was a Geofeedia customer, but declined to make any comment about the trespassing incident. Geofeedia directed questions to Facebook.

One former Geofeedia employee said of Facebook's response that "it was funny when they acted as if they had no idea." The source said C-suite executives from Geofeedia met personally with Facebook. When the executives returned, the source recalled, they had new ideas on how to remodel the office, inspired by Facebook's decor.

Geofeedia also drew on information from Google-owned YouTube, as well as Picasa, which Google acquired in 2004 before discontinuing support this year. YouTube revoked Geofeedia's access after first being contacted by The Verge last week. After being contacted by The Verge, Yahoo said that "upon becoming aware of Geofeedia's practices, we immediately discontinued their access to the Flickr API."

In some cases, Geofeedia seems to have collected data without an API agreement. In January of this year, Geofeedia added capabilities for Twitter-owned services Vine and Periscope, according to a document obtained by the ACLU. Reached by The Verge, Twitter confirmed that there is no public or paid API access to either service. It's unclear how Geofeedia collected its Periscope and Vine data, although it's possible unauthorized "scraping" was involved. Last week, Twitter demanded Geofeedia stop collecting data from its services on penalty of legal action, and subsequently cut off access to the company's database of public tweets.

The revelation raises more questions about how Facebook used the tool

As a Geofeedia customer, it's clear that Facebook had plenty of opportunity to know how the company was using Facebook's data. And questions remain about how exactly Facebook used Geofeedia. The tool allows customers to record and search posts within a perimeter. If Zuckerberg's office was in that perimeter, did the tool's search area expand to include posts from Facebook employees as well?

But more importantly, if Facebook wasn't aware of Geofeedia's law enforcement contracts until being contacted by the ACLU — even while contracting the company's services itself — it raises real questions about how closely the company is guarding its users' data.

Update, 10:38 AM ET: Includes confirmation from Facebook spokesperson that the company was a Geofeedia customer.