How “forgotten” are your deleted internet posts anyway?
That question has come under renewed scrutiny this week thanks to a new lawsuit filed by a fired Meta employee who claims the company set up a “protocol” to pull up certain users’ deleted posts and hand them over to law enforcement. If the former employee’s claims ring true, the practice could call into question Meta’s previous communications about how it accesses certain user data. Going even further, the lawsuit alleges the tool may even violate certain U.S. and EU privacy laws.
Brennan Lawson, the former Meta employee and U.S. Air Force veteran, claims he was hired as a Senior Risk & Response Escalations Specialist in Community Operation on Facebook’s Escalation team back in 2018. According to the complaint obtained by Gizmodo, Lawson said his role regularly saw him view onslaughts of “wildly horrific content,” including beheadings and child rape. His job, similar to that of Meta’s army of underpaid and overworked content moderators, broadly involved determining whether certain posts should be removed.
During an Escalation team meeting in 2018, the suit claims a Facebook manager briefed Lawson on a new tool which, “allowed them to circumvent Facebook’s normal privacy protocols in order to access user-deleted data.” The tool, which the suit described as “back-end protocol” would allegedly let Lawson and his team retrieve deleted data in Meta’s Messenger app, data which was otherwise inaccessible.
That alleged protocol supposedly went live around November 2018 and could be used to access Messenger history for a wide range of users, including children using the Messenger Kids app.
Gizmodo could not independently confirm the claims made in the suit. Meta meanwhile didn’t respond to Gizmodo’s series of questions regarding the alleged protocol and lawsuit but did provide this statement.
“These claims are without merit and we will defend ourselves against them vigorously,” a Meta spokesperson said. Lawson’s attorney did not immediately respond to our request for comment.
The described tools were allegedly created as a type of loophole to access data from Messenger without using Meta’s standard back-end, which the suit claims would normally be prevented from accessing the deleted material. In practice, operators like Lawson would often use the tool to fulfill law enforcement requests. According to the suit, law enforcement officials would submit questions about a supposed suspect, which could include requests for information on who the potential suspect was messaging, when certain messages were sent, and in some cases, even what the messages contained.
“The tool was designed to be a workaround to avoid these rules,” the suit alleges. “In sum, Facebook could now access data that users intended to be permanently destroyed—such as user’s entire history of what were thought to private and deleted messages.”
Lawson allegedly spoke up during one of his team’s meetings and questioned the legality of the tool. In his mind, the description of the tool appeared to violate a 2012 Federal Trade Commission order prohibiting Facebook from misrepresenting the way it handles user data, as well as the European Union’s “Right to be Forgotten” provision within the General Data Protection Regulation. Though the Right to be Forgotten does ensure users can request to delete data, it has explicitly exemption for work being carried out by law enforcement “in the public interest.”
Regardless, Lawson claims he was fired not long after raising his concerns. Officially, Meta fired Lawson for alleged improper use of one of the company’s user admin tools. Lawson obviously disagrees and believes he was fired in retaliation for acting like a whistleblower. Now, the Air Force veteran seeks over $3 million in compensation plus punitive damages.
You can view the lawsuit in its entirety here: