Skip to content
Naked Security Naked Security

Facebook tracks users it thinks may harm its employees

Threat makers are sometimes geolocated to determine how credible their threats are, as in, are they near enough to really attack?

Have you ever been so enraged at Facebook that you’ve messaged CEO Mark Zuckerberg and told him to f— off? …or maybe you simply left that type of comment in a post somewhere on Facebook or one of its apps?

If so, you might well have been inducted into what CNBC reports is the company’s BOLO watch list. That’s an acronym for Be On Lookout: a list of hundreds of people who have threatened Facebook or its staff, sulked over losing a contract, or gotten fired, be it with or without sulking or emotional outbursts.

Keeping a list like that is not, in itself, unusual. Lots of companies keep similar lists, according to CNBC’s sources, which include former security staff from Facebook who are familiar with its program and at least one expert from the physical security field: Tim Bradley, senior consultant with Incident Management Group, a corporate security consulting firm that deals with employee safety issues.

What’s unique about Facebook’s approach to BOLOs is that it doesn’t just disseminate a list of names to security staff. Facebook also mines its platform for threatening posts. Sometimes, Facebook goes so far as to use its apps to discern the whereabouts of people whom it finds threatening, to determine whether they pose a credible threat.

CNBC talked to more than a dozen former Facebook security employees, some of whom questioned the ethics of Facebook’s security strategies. One former security staffer called the tactics “very Big Brother-esque.”

‘Tomorrow everyone is going to pay’

CNBC reported on a number of examples of when Facebook uses its own geolocation tracking or knowledge about a user’s location to figure out how much of a threat the person might be. One such: early last year, a Facebook user threatened one of the company’s European offices in a public post.

Facebook picked up on it and checked into where he was. It turned out that the user was in the same country as the office he was targeting. Facebook notified the authorities about the threat and instructed its security officers to be on the lookout for the user.

CNBC quoted a former Facebook security employee:

He made a veiled threat that ‘Tomorrow everyone is going to pay’ or something to that effect.

Facebook has a lot of enemies

While some former security staffers question the ethics, the attitude of others is hey, who can blame the company? As CNBC points out, Facebook, with 2.7 billion users across all its services, has a massive reach, and it’s got a tendency to inspire strong emotions. From CNBC:

If just 0.01 percent of users make a threat, Facebook is still dealing with 270,000 potential security risks.

Bradley told the news outlet the most important thing is for Facebook to protect its employees. How it does so is “secondary” to that duty:

If they know there’s a threat against them, they have to take steps. How they got the information is secondary to the fact that they have a duty to protect employees.

Facebook provided this statement:

Our physical security team exists to keep Facebook employees safe. They use industry-standard measures to assess and address credible threats of violence against our employees and our company, and refer these threats to law enforcement when necessary.

A Facebook spokesman told CNBC that people are only added to the BOLO list after a “rigorous review to determine the validity of the threat.”

We have strict processes designed to protect people’s privacy and adhere to all data privacy laws and Facebook’s terms of service. Any suggestion our onsite physical security team has overstepped is absolutely false.

But some former employees dispute this description of Facebook’s criteria for making the BOLO list, saying that the bar can be pretty low. From CNBC:

While some users end up on the list after repeated appearances on company property or long email threats, others might find themselves on the BOLO list for saying something as simple as ‘F— you, Mark,’ ‘F— Facebook’ or ‘I’m gonna go kick your a–,” according to a former employee who worked with the executive protection team.

A different former employee who was on the company’s security team said there were no clearly communicated standards to determine what kinds of actions could land somebody on the list, and that decisions were often made on a case-by-case basis.

Ex-Facebookers often become new BOLO-ers

You can see how some employees would make it onto the BOLO list after being shown the door – those who steal from the company, for example. But former Facebook employees say that in many cases, they wind up on the BOLO sheet without any reason being listed. CNBC says that three people told the news outlet that almost every Facebook employee who gets fired is added to the list, with one calling the process “really subjective.” Yet another said that contractors are added “if they get emotional when their contracts are not extended.”

The Facebook spokesman denied this:

Former employees are only added under very specific circumstances, after review by legal and HR, including threats of violence or harassment.

How Facebook uses location data to track BOLOs

Facebook has numerous ways to track our location: it can tap into that data via the mobile Facebook app or by our IP address, which is picked up by the online version.

Once it picks up a credible threat – for example, one with specific details about an attack location and timing, or a threat coming from somebody who regularly shows up at shareholders’ meetings or other company events – its global security operations center and the global security intelligence and investigations units put in a request to the company’s information security team, which can track users’ location information.

Facebook in some cases determines that threats lack credibility, such as if a user makes a threat about a specific location but is themselves located nowhere near that location. But if the BOLO user is in fact nearby, Facebook can continue to monitor their location and keep their security teams on the lookout. Depending on the threat, Facebook’s security teams might also station security guards, escort a BOLO user off campus or alert law enforcement.

Some threats are quite real

While its tactics might seem like overreach, you can’t deny that Facebook faces real threats. For example, one of its execs got swatted in January. The Facebook exec wasn’t harmed. However, he was handcuffed during questioning following his Palo Alto, California, house having been swarmed by police, fire department and public safety agents who responded to a hoax call from a man claiming to be him who said he’d shot his wife with an assault rifle, tied up his kids, put “pipe bombs all over the place,” and that he’d kill police or anyone else if they came near.

Another recent incident: in December, Facebook evacuated buildings at its headquarters in Menlo Park following a bomb threat. Fortunately, no bomb was found.


So if you complain, or work for FB and get another job later, you are added to the FB terrorist watch list. Which no doubt is shared with government agencies, interesting. I know I’m on that list, I’ve complained about to many features making it a pain to use, and reported political pages as being scams.


Sorry Mahhn; you’re wrong. Proof is in the article:

> We have strict processes designed to protect people’s privacy and adhere to all data privacy laws and Facebook’s terms of service.

I emailed Zuck and asked if FB was tracking me or retaining my info. He replied
“who is this?”
That proves they’re telling the truth–clueless dude didn’t even know who I was.


Really dude? you think cause you complained about features you are on the list? We have a bad a$$ here. I think you need to do a bit more than complain about a feature to get on this list.

You are one bad dude!


If you prefer not to be blacklisted – don’t say things that can be construed as a threat. Everyone is entitled to have an opinion, not every opinion should be shared publicly. In particular, do not make disparaging comments about a company that knows how many squares of toilet paper you use for each wipe.


Good point, dhunter. Then again, there’s a sizeable difference between
“this feature change is annoying”
“I’m gonna email corporate a fragile jar of anthrax.“


Yeah, I have never made a “threat”, If so I’d expect to have my doors busted in as helicopters drop people on the roof, someone shooting everything on the floor the size of a dog while yelling “he’s coming right at me” (hah, I don’t’ have a dog) and all within 5 min.


Is that a threat? : ‘If you prefer not to be blacklisted – don’t say things that can be construed as a threat.” : )


Funny that it gives all sorts of excuses as to why it cannot protect users or its customers but somehow can do it for its own staff. OK, it might be a lot more work, but it repeatedly claims it is not possible to do anything. Double Standards, methinks!


Leave a Reply

Your email address will not be published. Required fields are marked *

Subscribe to get the latest updates in your inbox.
Which categories are you interested in?
You’re now subscribed!