An anonymous whistleblower tip sent to Facebook last year contains a slew of accusations mirroring many of those found in an ongoing federal lawsuit facing Meta and OnlyFans. The anonymous tip, according to a copy provided to Gizmodo, was submitted more than six months before the lawsuit began.
The report, which makes allegations of bribery and deferential treatment toward OnlyFans content, was sent to Meta’s investigations team in Washington D.C. in August 2021 by a person claiming to work for the company in London. Beyond their location, the report offers few clues about the alleged employee’s duties, other than implying a close knowledge of Meta’s integrity operations.
“Certain employees are taking bribes to protect OnlyFans on the platform. This has been going on for months if not years,” the report states.
Similarly, a class-action suit, brought by attorney David Azar and three adult-entertainer clients in a California federal court this February, lays out an outrageous scheme involving multiple top executives accused of taking bribes to shield OnlyFans creators from Instagram and Facebook’s pornography-banning algorithms. What’s more, the suit says, Meta employees strove to blacklist OnlyFans rivals across the adult entertainment industry by, allegedly, submitting content they published to threat-detection databases used by major internet companies.
Meta, which had previously couched its denials around its legal arguments, firmly denied the allegations in the complaint for the first time on Wednesday, while also condemning Gizmodo’s decision to report on the whistleblower tip. Gizmodo deemed the allegations in the report newsworthy because they mirror the California federal court case and two other cases filed by Azar on behalf of adult industry clients in California and Florida state courts.
“These claims are false, there is not a shred of evidence to back them up, and reporting out these claims that lack any evidence is irresponsible,” a Meta spokesperson said. (Meta also reached out to a Gizmodo editor Monday night to raise concerns about assertions in the story.)
Azar is currently pursuing discovery against both Meta and OnlyFans, as well as its owner Leonid Radvinsky. Azar has asked the presiding U.S. district judge, William Alsup, to force Meta to turn over records that, he says, may shed light on whether the allegations are true — that Meta employees, as he alleges, secretly placed his clients and other entertainers on confidential lists typically reserved for entities suspected of cybercrime and terrorism.
Azar, a partner at the law firm Milberg Coleman Bryson Phillips Grossman, which is currently pursuing a number of privacy-related cases against major U.S. companies such as Walmart and Zillow, filed an amended complaint in the Meta lawsuit last month. In it, he noted something new; that he and his clients had been informed by a source that a company whistleblower had filed a report to Facebook “that overlaps with some of the allegations alleged herein.”
In response this month, Meta’s lawyers made no effort to dispute the existence of any whistleblower. Rather, they attacked the lack of specificity with which Azar had described the supposed report. “Plaintiffs do not explain how, when, or by whom they were ‘informed’ of the alleged existence of a ‘whistleblower’ report or what the report says,” Meta’s lawyers said.
Gizmodo was provided with a copy of an anonymous whistleblower report last week that appears, at least on face, to fit the bill. “This a widespread problem and is occuring at both EMEA and in the main Menlo Park office,” the report says, referring collectively to Meta’s Europe, Middle East, and Africa markets and its California HQ, respectively. “Just look at the emails between OnlyFans people and FB employees and you’ll see the truth plain as day. I have seen copies.”
A spokesperson for Azar declined to comment, saying the suit filed against Meta and OnlyFans speaks for itself. “This case is about a corrupt business gaining an enormous advantage over its competitors by wrongfully manipulating behind-the-scenes databases, and in the process, harming thousands of small entrepreneurs who rely on social media to earn a living,” his complaint says.
Gizmodo was unable to independently verify the identity of the alleged whistleblower, but otherwise took steps to ensure the report had not been photoshopped, while confirming that it did, in fact, originate from Facebook’s whistleblower system. That system, known internally as “SpeakUp @ Facebook,” is operated by EQS Group, a company specializing in “anonymous whistleblowing software.”
Across many industries, third-party whistleblower systems are common. They are designed to engender trust among workers by granting whistleblowers added protection from employers who might otherwise try to unmask them.
Gizmodo provided Meta with a copy of the whistleblower’s report last Friday, including a unique reference number that could be used to call it up in the system. A company spokesperson declined to dispute the report’s authenticity during several exchanges. Instead, the spokesperson pointed to the fact that SpeakUp’s web portal is open to public, while attempting to cast doubt on whether the filer is an real employee. (Not requiring employees to login is another feature of whistleblower systems designed to encourage reporting.)
Anyone could have, technically, filed the whistleblower report; however, they’d first need to know that the system exists and that it’s publicly accessible. Finally, they have to be able to find it. Cursory searches online suggest the web address has never been tweeted or posted publicly on Facebook, nor on any other mainstream platforms. While a Meta “about” page today identifies the system by its own name, SpeakUp @ Facebook, as of last summer, internet archives show that wasn’t the case. Gizmodo was only able to locate the system’s address on a single corporate document, which can be publicly located, but only on a handful of sites.
While many details supplied by this alleged whistleblower comport with allegations already raised by Azar, they also includes some not previously made public. They claim, for example, that the purported bribes paid out by OnlyFans to Facebook executives were not one-off payments, but rather a rolling “revenue share” of OnlyFans’s growth paid out surreptitiously over time.
What’s more, rather than solely implicating Facebook employees in blacklisting OnlyFans competitors, they describe a seemingly more effortless graft — whitelisting the accounts of OnlyFans creators, guarding them against enforcement actions that, based on Meta’s own policies, would’ve automatically targeted rival businesses’ content. Executives had, the report alleges, potentially as far back as 2018, started “favoring OnlyFans within the content moderation algorithms and not flagging it as outright pornography.”
Asked by the whistleblower system how they became aware of the misconduct, the self-proclaimed employee wrote, “I observed it.”
Like the whistleblower report itself, Azar’s case hinges in no small part on information stemming from a range of anonymous sources. Two of them spoke to the BBC in February, for example: A pseudonymous adult creator who regularly posed in bikini shots on Instagram and witnessed her revenue drastically slashed. And the owner of an adult business who told reporters his top performers could do little but watch as lucrative referrals from their Instagram accounts simultaneously plummeted over time.
Other claims brought by Azar are likewise based on anonymous tips or attributed to sources who are as-of-yet unnamed. One is a lawyer, said to have reviewed “more than 200 pages of internal Facebook documents” provided by the same or another whistleblower, which describe potential abuses of a Meta-designed database known as GIFCT, a tool for combating terrorist content. Another is a tipster who’s said to have passed along details of alleged wire transfers bearing Facebook executives’ names, all destined for trusts in the Philippines, home to one the world’s most secretive banking systems.
Meta moderation in focus
Controversies surrounding Facebook’s use of whitelists are well reported and substantiated by numerous documents leaked last year by the Facebook whistleblower Frances Haugen. Rampant misuse of whitelists — which can either excuse policy violations detected by Facebook and Instagram’s algorithms or render accounts invisible to detection entirely — is a topic candidly discussed by employees over the course of several years, the documents show.
Leaked records reveal that after employees began flagging widespread misuse of internal whitelists, Meta leadership ordered a cleaning up of the problem beginning with a series of audits in 2019. Much of the focus was on the XCheck system, which was launched, in short, to protect high-profile users, such as politicians and celebrities, from enforcement based on “false positives.”
The XCheck system was subject to, as one employee put it, “common misuse,” according to documents reviewed by Gizmodo. The Wall Street Journal first reported last year that Facebook employees had at one point “shielded” — in Facebook parlance — 5.8 million users from its content policies and standards. The auditing process found, on the whole, that processes for adding accounts to XCheck and other whitelists was rarely, if ever, subject to review. It was, in effect, a free-for-all. Whitelists at Facebook, employees said, were “scattered throughout the company, without clear governance or ownership.”
As Meta began to tighten the reins, one employee raised specific concerns about how the repeal of certain whitelists “would affect nudity content” already being shielded at the time, records show. “We routinely see content deletions protected by XCheck even though we don’t know how the entity was XChecked,” they wrote.
Leaked enforcement statistics from 2020 reveal that Facebook, over the course of a single quarter, spent nearly a million man-hours enforcing violations of its nudity and pornography policy. Not all who violated that policy were punished, however. When, in 2019, the Brazilian soccer star Neymar was accused of rape, (in a case later dropped by authorities citing a lack of evidence) he took to Facebook and Instagram to mount a defense, posting a video that named his accuser and included nude photos purportedly of her.
Publishing revenge porn is in clear violation of Meta’s rules, yet Neymar was shielded by the XCheck program. Privately, Meta employees noted that his video had been shared more than 6,000 times by supporters, people who had also sought to harass and bully his accuser. The leaks revealed that Meta leadership decided to ignored their own “one-strike” policy for revenge porn cases, and allow Neymar to keep his accounts.
As it turned out, XCheck was not the only means of shielding users purposely violating Meta’s rules. Another document shows that as many as 45 out of 60 Facebook integrity teams had devised their own unique whitelists. Eight of them, it says, existed “upstream,” rendering the accounts invisible to moderation systems. Lists by 22 teams, meanwhile, were designed to block any automated enforcement against violators “without any further review or mitigation.”
Another document goes on to state that the auditing process, then still ongoing, had turned up more than a million accounts added to “ad-hoc” whitelists, some “hard-coded” into the platform using “custom config files.” Another stated that whitelisting could be performed using no more than a user ID.
According to one employee, the problem was “pervasive, touching almost every area of the company.” The leaked document trail describing Meta’s sweeping efforts to rein in what the employee called “the whitelist problem” ends abruptly in 2021.
That same fall, OnlyFans announced a ban on what it called sexually-explicit content. “In order to ensure the long-term sustainability of the platform, and to continue to host an inclusive community of creators and fans, we must evolve our content guidelines,” the company told Gizmodo in August 2021. Days later, however, with a creator strike apparently looming, OnlyFans backed down, telling reporters the changes were no longer necessary, citing assurances from banking partners.
Around that same time, Meta’s investigation team, based in Washington D.C., was eagerly trying to set up a meeting with the elusive whistleblower accusing OnlyFans of bribery. In their report, they wrote: “They created this legal fiction and are even taking official stances that OnlyFans isn’t a porn site. It’s such a joke.” They further confessed to being motivated to step forward, at least in part, due to personal financial interests. “I want my stock options to stay valuable,” they told the company, “and provide for my children.”
“As a whistleblower, you are entitled to protections,” the investigations team wrote in response. “I will meet with you if my anonymity is protected,” they were told. A meeting was quickly set up using video conferencing software and scheduled for the following day. But when the hour arrived, for reasons unknown, the purported whistleblower failed to appear.
OnlyFans, which is currently running around 150 ads across Facebook, has said only that the allegations against the company and its owner are “meritless.” Reached by Gizmodo on Tuesday, a company spokesperson said it had nothing more to say at this time.