Incident: Facebook Moderation Software Bug Exposes Moderators to Terrorist Threats

Published Date: 2017-06-16

Postmortem Analysis
Timeline 1. The software failure incident happened in November 2016. [60133]
System 1. Facebook's moderation software [60133]
Responsible Organization 1. Facebook's moderation software was responsible for causing the software failure incident [60133].
Impacted Organization 1. Content moderators at Facebook [60133]
Software Causes 1. A bug in the software that resulted in personal profiles of content moderators automatically appearing as notifications in the activity log of Facebook groups [60133]. 2. The bug was not fixed for two weeks after its discovery, allowing the glitch to be active for a month [60133]. 3. The software flaw was retroactively exposing the personal profiles of moderators who had censored accounts as far back as August 2016 [60133].
Non-software Causes 1. Lack of proper training and preparation for content moderators, including inadequate training duration and the requirement to use personal Facebook accounts for moderation tasks [60133]. 2. Inadequate security measures in place to protect the personal information of content moderators, leading to a breach that exposed their identities to potential threats [60133]. 3. Insufficient support and response from Facebook and the outsourcing company, Cpl, in addressing the concerns and ensuring the safety of the affected moderators [60133].
Impacts 1. Personal details of over 1,000 Facebook content moderators were exposed to suspected terrorist users due to a bug in the moderation software [60133]. 2. Around 40 moderators in a counter-terrorism unit were assessed as "high priority" victims after their personal profiles were likely viewed by potential terrorists [60133]. 3. One moderator fled Ireland and went into hiding out of fear for his and his family's safety after discovering that individuals associated with a suspected terrorist group had viewed his personal profile [60133]. 4. The moderator who fled experienced psychological damage, anxiety, and had to rely on antidepressants, impacting his mental health [60133]. 5. Facebook offered security measures such as home alarm monitoring systems and counseling, but the affected moderators felt unsatisfied with the assurances provided [60133]. 6. The incident highlighted the controversial and grueling work carried out by low-paid content moderators, exposing them to disturbing content without adequate support or training [60133].
Preventions 1. Implementing thorough security testing procedures before deploying any software updates or changes could have prevented the software failure incident [60133]. 2. Providing proper training and awareness to employees and contractors about potential risks and security measures when handling sensitive information within the software system could have helped prevent the incident [60133]. 3. Enforcing strict access control measures within the software to ensure that personal profiles and sensitive information are not inadvertently exposed to unauthorized users could have mitigated the risk of such a security breach [60133]. 4. Utilizing administrative accounts that are not linked to personal profiles for moderation tasks could have reduced the likelihood of personal information exposure in case of software bugs or glitches [60133].
Fixes 1. Implementing technical changes to better detect and prevent similar issues from occurring in the future [60133] 2. Installing a home alarm monitoring system and providing transport to and from work for those in the high-risk group [60133] 3. Offering counseling through Facebook’s employee assistance program [60133] 4. Testing the use of administrative accounts that are not linked to personal profiles for moderation teams [60133]
References 1. Facebook spokesperson 2. Craig D’Souza, Facebook’s head of global investigations 3. Internal emails seen by the Guardian 4. The affected moderator who fled Ireland 5. Facebook's statement provided to the Guardian 6. The moderator who filed a legal claim against Facebook and Cpl with the Injuries Board in Dublin 7. The Guardian's investigation and reporting 8. The moderator who worked for the specialist team investigating reports of terrorist activity on Facebook 9. Facebook's policies and practices regarding content moderation and training 10. The Injuries Board in Dublin [60133]

Software Taxonomy of Faults

Category Option Rationale
Recurring unknown (a) The software failure incident related to the exposure of personal details of Facebook content moderators to suspected terrorist users was a unique incident within Facebook itself. There is no mention in the articles of a similar incident happening again within the same organization. (b) The incident involving the exposure of personal details of Facebook content moderators to suspected terrorist users does not have any direct mention of a similar incident happening at other organizations or with their products and services.
Phase (Design/Operation) design, operation (a) The software failure incident in the article was primarily due to a design flaw. The incident occurred because of a bug in the software that resulted in the personal profiles of content moderators automatically appearing as notifications in the activity log of Facebook groups [60133]. This design flaw exposed the personal details of the moderators to potentially dangerous individuals, including suspected terrorists, compromising their safety. (b) Additionally, the software failure incident also had elements related to operation. The moderators who were affected by the security breach started receiving friend requests from people affiliated with terrorist organizations they were scrutinizing, indicating a potential operational impact of the software failure on the moderators' interactions within the platform [60133].
Boundary (Internal/External) within_system (a) The software failure incident reported in the articles is primarily within_system. The failure was caused by a bug in Facebook's moderation software that resulted in the personal profiles of content moderators being exposed to suspected terrorist users on the platform [60133]. The bug within the system led to the personal details of moderators appearing in the activity logs of Facebook groups, making them viewable to potentially dangerous individuals. Additionally, the incident involved a security lapse within Facebook's software that compromised the safety of the content moderators [60133].
Nature (Human/Non-human) non-human_actions, human_actions (a) The software failure incident in the Facebook moderation software was primarily due to a bug, which was a non-human action. The bug resulted in the personal profiles of content moderators automatically appearing as notifications in the activity log of Facebook groups, exposing their personal details to suspected terrorist users [60133]. (b) Human actions also played a role in exacerbating the situation. For example, the moderator who fled Ireland mentioned that contracted staff were not treated as equals to Facebook employees and were paid low wages for the challenging work they had to do, which included reviewing disturbing content related to terrorism [60133]. Additionally, the moderator highlighted the lack of warning about the risks associated with using personal Facebook accounts for moderation purposes, indicating a potential oversight in training and policy implementation [60133].
Dimension (Hardware/Software) software (a) The software failure incident in the provided article was primarily due to contributing factors originating in software. The incident was caused by a bug in Facebook's moderation software that resulted in the personal profiles of content moderators being exposed to suspected terrorist users of the social network [60133]. The bug in the software automatically displayed the personal profiles of moderators in the activity logs of Facebook groups, leading to the exposure of their personal details to potentially dangerous individuals. Additionally, the bug was not fixed for two weeks after its discovery, allowing it to be active for a significant period [60133]. (b) There is no specific mention in the articles of the software failure incident being caused by contributing factors originating in hardware.
Objective (Malicious/Non-malicious) malicious (a) The software failure incident reported in the articles is classified as malicious. The incident involved a bug in Facebook's moderation software that inadvertently exposed the personal details of content moderators to suspected terrorist users of the social network. This exposure put the safety of the moderators at risk, with some moderators being assessed as "high priority" victims of the mistake after their personal profiles were likely viewed by potential terrorists [60133]. The incident led to one moderator fleeing Ireland and going into hiding out of fear for his and his family's safety, highlighting the malicious nature of the software failure incident. Additionally, the moderator who fled Ireland filed a legal claim against Facebook and the contracting company seeking compensation for the psychological damage caused by the leak [60133]. (b) The software failure incident cannot be classified as non-malicious as the exposure of personal details to suspected terrorist users was not intentional and posed a significant risk to the safety of the affected moderators.
Intent (Poor/Accidental Decisions) poor_decisions, accidental_decisions (a) The software failure incident involving Facebook's moderation software exposing personal details of content moderators to suspected terrorist users was primarily due to poor decisions made in the design and implementation of the software. The incident was a result of a bug in the software that automatically displayed the personal profiles of moderators in the activity logs of Facebook groups, leading to the exposure of their information to potentially dangerous individuals [60133]. Additionally, moderators were required to use their personal Facebook accounts to log into the moderation system, which further contributed to the vulnerability of their personal information [60133]. (b) The software failure incident can also be attributed to accidental decisions or unintended consequences. The exposure of moderators' personal details was not intentional but rather a result of a technical glitch in the software that was discovered late and remained active for a significant period before being fixed [60133]. The incident was not planned or deliberate but rather a consequence of the software flaw and lack of foresight in preventing such a breach of privacy and security.
Capability (Incompetence/Accidental) development_incompetence, accidental (a) The software failure incident in the Facebook moderation software was primarily due to development incompetence. A bug in the software, discovered late in 2016, led to the personal profiles of content moderators being exposed to suspected terrorist users of the platform [60133]. The incident occurred because of a technical flaw that automatically displayed the personal details of moderators in the activity logs of Facebook groups, potentially endangering their safety [60133]. (b) Additionally, the incident can also be categorized as accidental, as it was not intentional for the personal profiles of moderators to be exposed to extremist groups. The leak was identified in November 2016, and Facebook took immediate action to address the issue and investigate the extent of the exposure [60133]. The company made technical changes to prevent such incidents from occurring in the future, indicating that the exposure was unintentional and a result of a software bug [60133].
Duration temporary The software failure incident reported in the articles was temporary. The incident was caused by a bug in the software that resulted in the personal profiles of content moderators being exposed to suspected terrorist users of Facebook. This bug was discovered in late November 2016 and was fixed on November 16, 2016, after being active for about a month [60133].
Behaviour crash, omission, value, other (a) crash: The incident involving Facebook's moderation software can be categorized as a crash. The software bug led to a situation where the personal profiles of content moderators were automatically appearing as notifications in the activity log of Facebook groups, exposing their personal details to suspected terrorist users [60133]. (b) omission: The software failure incident can also be categorized as an omission. The bug in the software resulted in the omission of the intended function to protect the personal details of content moderators, leading to their exposure to potential threats [60133]. (c) timing: The timing of the software failure incident can be considered as a factor. The bug in the software was active for a month before being fixed, and it was also retroactively exposing the personal profiles of moderators who had censored accounts as far back as August 2016 [60133]. (d) value: The incident can be categorized as a failure related to the system performing its intended functions incorrectly. The software bug led to the incorrect display of personal profiles of content moderators to unauthorized users, putting their safety at risk [60133]. (e) byzantine: The software failure incident does not align with a byzantine behavior as described in the articles. (f) other: The software failure incident can also be described as a failure related to privacy breach and security vulnerability. The bug in the software resulted in a significant breach of privacy, exposing the personal details of content moderators to potential threats and terrorist groups [60133].

IoT System Layer

Layer Option Rationale
Perception None None
Communication None None
Application None None

Other Details

Category Option Rationale
Consequence property (d) property: People's material goods, money, or data was impacted due to the software failure The software failure incident at Facebook resulted in the personal profiles of content moderators being exposed to suspected terrorist users of the social network. This exposure of personal details, including names and profiles, posed a significant risk to the affected moderators. As a result, one moderator fled Ireland and went into hiding out of fear for his and his family's safety [60133]. Additionally, the moderator who fled Ireland filed a legal claim against Facebook and Cpl seeking compensation for the psychological damage caused by the leak, indicating a tangible impact on the individuals' well-being and potentially their financial situation [60133].
Domain information, finance, other (a) The failed system was intended to support the information industry, specifically in the context of content moderation on Facebook. The incident involved a bug in Facebook's moderation software that exposed the personal details of content moderators to suspected terrorist users of the social network [60133]. The affected workers were responsible for reviewing and removing inappropriate content from the platform, including sexual material, hate speech, and terrorist propaganda. (h) The incident also had implications for the finance industry as it involved the personal profiles of content moderators being exposed, potentially putting them at risk of retaliation from extremist groups. One of the moderators who fled Ireland was seeking compensation for the psychological damage caused by the leak, indicating a financial impact on the individuals affected [60133]. (m) The incident could also be related to the "other" industry category as it involved the security breach of personal profiles of content moderators working on Facebook's platform, which doesn't fit directly into the traditional industry classifications mentioned in the options (a to l) [60133].

Sources

Back to List