Start by keeping the primary copy of the user's data on the user's own device so that the developers never have access to it to begin with. Then, if you ever have to hold a copy of the user's data, make sure it's encrypted by the client and your servers are never in possession of the plaintext.
To access the user's data, your developers should have to intentionally crack the user's password. And if they attempt to do that they should be fired.
Obviously this is not how Facebook works, but ideally it's how the thing that replaces Facebook will work.
There should be a name for this sort of software design. It's not just encrypted/privacy-oriented or whatever. It's a software design with a clear contract on who owns the data: the user.
E.g. Google Drive, which claims to take privacy seriously and also encrypts your data. But the data is not encrypted with a secret unknown to the server. How should my family members differentiate between the encryption Google claims it has and client-side encryption? For them it's all the same.
Maybe we need some commonly understandable name that a regular user can look at and know that this software is data-agnostic.
I don't think you need a board to stop this specific case. It's pretty obvious that what they were doing is unacceptable. The problem must have been a pervasive culture of lack of respect for privacy at Facebook, not a single engineer who somehow just didn't know any better.
Situations can get complicated. There might have been some side show reason to do this or that. Without oversight, some things will fall through the cracks.
A review board would a) give clear direction, b) catch problems, and c) put accountability where it belongs.
> It's an organizational policy, procedural, ethics and legal question - not a technical one.
Not really. You have to fall back to those things when a good technical solution isn't available, but sometimes it is.
Suppose you have a car, and four children. You can enact all the laws and policies and procedures you like, you can lecture the kids not to misbehave a thousand times. But the most important thing you can do, if you really don't want them out joyriding in the street, is to not give them the keys to the car.
The engineers at FB should be given product direction, and should not even be making decisions as to what information to ask users for. That's for Product.
Part of product management will involve legal review and risk management. Clearly, FB has a few other concerns that should be thrown in there as well.
This issue basically has nothing to do with technology.
The way Facebook works is that they have all your data on their servers. That is the underlying flaw.
You want to have your data, you want the people you share it with to have it, but there is no reason for Facebook to ever have it. When you share it, it should be encrypted by you and decrypted by the end recipient(s).
You don't need to worry much about policies for accessing data that you shouldn't, and don't, ever actually have.
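The comment that opens this thread (data encrypted by the client, so the servers never hold plaintext) and the comment just above (you encrypt when you share, the recipients decrypt) describe the same design. As an added example, not code from the original thread or from any project, here is a minimal Go sketch of it using only the standard library: the client generates a random content key, encrypts the post with AES-256-GCM, and wraps that content key once per recipient under a key derived from an X25519 agreement. The names Blob, Share and Open, the hybrid-wrapping layout and the key-derivation label are all my own assumptions; one labelled SHA-256 stands in for HKDF to keep it short, and the password-derived device key from the first comment is not modelled.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Blob is all the server stores; the content key is wrapped per recipient under an X25519-derived key.
type Blob struct {
	SenderPub  []byte            // sender's X25519 public key
	Nonce      []byte            // AES-GCM nonce for Ciphertext
	Ciphertext []byte            // AES-256-GCM(contentKey, plaintext)
	Wrapped    map[string][]byte // recipient pubkey bytes -> nonce || AES-GCM(wrapKey, contentKey)
}

func must[T any](v T, err error) T { // only for faults that are never user errors here (CSPRNG, key length)
	if err != nil {
		panic(err)
	}
	return v
}

func newAEAD(key []byte) cipher.AEAD {
	return must(cipher.NewGCM(must(aes.NewCipher(key)))) // key is always 32 bytes here
}

// wrapKey derives the per-pair wrapping key. Simplification (assumption): a labelled SHA-256 over
// the shared secret and both fixed-length public keys stands in for HKDF.
func wrapKey(shared, senderPub, recipientPub []byte) []byte {
	sum := sha256.Sum256(bytes.Join([][]byte{[]byte("client-side-share-v1"), shared, senderPub, recipientPub}, nil))
	return sum[:]
}

// seal encrypts under a fresh random nonce and returns nonce and ciphertext.
func seal(aead cipher.AEAD, plaintext, ad []byte) ([]byte, []byte) {
	nonce := make([]byte, aead.NonceSize())
	must(rand.Read(nonce))
	return nonce, aead.Seal(nil, nonce, plaintext, ad)
}

// Share runs on the sender's device; the returned Blob is the only thing uploaded.
func Share(sender *ecdh.PrivateKey, recipients []*ecdh.PublicKey, plaintext []byte) (*Blob, error) {
	contentKey := make([]byte, 32)
	must(rand.Read(contentKey))
	senderPub := sender.PublicKey().Bytes()
	nonce, ct := seal(newAEAD(contentKey), plaintext, senderPub)
	blob := &Blob{SenderPub: senderPub, Nonce: nonce, Ciphertext: ct, Wrapped: map[string][]byte{}}
	for _, rp := range recipients {
		shared, err := sender.ECDH(rp)
		if err != nil {
			return nil, err
		}
		wn, wct := seal(newAEAD(wrapKey(shared, senderPub, rp.Bytes())), contentKey, rp.Bytes())
		blob.Wrapped[string(rp.Bytes())] = append(wn, wct...)
	}
	return blob, nil
}

// Open runs on a recipient's device; anyone else, the server operator included, gets an error.
func Open(recipient *ecdh.PrivateKey, blob *Blob) ([]byte, error) {
	myPub := recipient.PublicKey().Bytes()
	wrapped, ok := blob.Wrapped[string(myPub)]
	if !ok {
		return nil, errors.New("not a recipient of this blob")
	}
	senderPub, err := ecdh.X25519().NewPublicKey(blob.SenderPub)
	if err != nil {
		return nil, err
	}
	shared, err := recipient.ECDH(senderPub)
	if err != nil {
		return nil, err
	}
	wk := newAEAD(wrapKey(shared, blob.SenderPub, myPub))
	if len(wrapped) < wk.NonceSize() {
		return nil, errors.New("malformed wrapped key")
	}
	contentKey, err := wk.Open(nil, wrapped[:wk.NonceSize()], wrapped[wk.NonceSize():], myPub)
	if err != nil {
		return nil, err // wrong recipient key, or the stored blob was tampered with
	}
	return newAEAD(contentKey).Open(nil, blob.Nonce, blob.Ciphertext, blob.SenderPub)
}

func main() {
	alice := must(ecdh.X25519().GenerateKey(rand.Reader))
	bob := must(ecdh.X25519().GenerateKey(rand.Reader))
	operator := must(ecdh.X25519().GenerateKey(rand.Reader)) // a developer who can read all of storage
	blob := must(Share(alice, []*ecdh.PublicKey{bob.PublicKey()}, []byte("constructed sample post")))
	fmt.Printf("bob reads %q\n", must(Open(bob, blob)))
	_, err := Open(operator, blob)
	fmt.Println("server operator gets:", err)
}
```

The point of the sketch is what the server side is left holding: ciphertext, nonces and per-recipient wrapped keys, none of which decrypts without one of the recipients' private keys, so there is no "access the user's data" path for a developer to abuse short of obtaining a device key. What it deliberately leaves out is everything that makes this hard in practice: how recipients learn and verify each other's public keys without trusting the server (the part Google Drive-style "we encrypt your data" never addresses), forward secrecy, the metadata the server still sees (who shares with whom and when), and what happens to the data when a user loses the device or password that holds their key.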