Facebook engineers have no idea what happens with user data

As one of the biggest online destinations, Meta has a duty of care for Facebook users to maintain and securely store their data. However, it seems that that task is too much for any one engineer working for the company to undertake.

During a discovery hearing in March that was previously sealed, a pair of Facebook engineers admitted that the task of working out where user data ends up throughout the company would have to be a team effort due to the broad scope of the task.

The hearing, part of a long-running lawsuit concerning the Cambridge Analytica scandal, was led by "Discovery Special Master" Daniel Garrie. The Special Master had the task of working out whether Facebook needed to produce more documents for the case.

The transcript of the hearing was released as part of an unsealed court document, as first reported by The Intercept and continued by Vice. The two engineers were Facebook engineering director Eugene Zarashow and software engineer manager Steven Elia.

"It would take multiple teams on the ad side to track down exactly where the data flows, Zarashow told the hearing. "I would be surprised if there's even a single person that can answer that narrow conclusively."

This is in part due to Facebook's open border policy for data collection, and its use of 55 different subsystems.

Zarashow noted the "strange engineering culture" that didn't "generate a lot of artifacts" in creating code, and that the code is "its own design document," which initially he found "terrifying."

The comments of the hearing confirm the legitimacy of a leaked internal document that surfaced in April 2022, that also stated that engineers had no real way to keep track of any data the company collects.

The open border systems gather and consolidate data from a wide array of first- and third-party sources, but then there's no way to work out what data is sourced specifically by Facebook, the document revealed.

"We do not have an adequate level of control and explainability over how our systems use data, and thus we can't confidently make controlled policy changes or external commitments such as "we will not use X data for Y purpose," the internal report stated. "And yet, this is exactly what regulators expect us to do, increasing our risk of mistakes and misrepresentation."

In a statement several hours after the report, a meta spokesperson responded to the claims.

"Our systems are sophisticated and it shouldn't be a surprise that no single company engineer can answer every question about where each piece of user information is stored," Facebook spokesperson Dina El-Kassaby told us. "We've built one of the most comprehensive privacy programs to oversee data use across our operations and to carefully manage and protect people's data. We have made — and continue making — significant investments to meet our privacy commitments and obligations, including extensive data controls."