Security & Privacy

📖 2 min read 📄 Part 9 of 10

Design Facebook Newsfeed - Security and Privacy

Authentication and Authorization

User Authentication

  • OAuth 2.0 + JWT tokens
  • Multi-factor authentication (2FA)
  • Password hashing: bcrypt (cost factor 12)
  • Session management: Redis with TTL

Authorization

  • Role-based access control (RBAC)
  • Privacy settings per post
  • Friend-based visibility
  • Custom audience lists

Data Encryption

Encryption at Rest

  • AES-256 for all data
  • Transparent Data Encryption (TDE)
  • Encrypted backups
  • Key rotation every 90 days

Encryption in Transit

  • TLS 1.3 for all connections
  • Perfect Forward Secrecy (PFS)
  • Certificate pinning for mobile apps
  • HSTS enabled

Privacy Compliance

GDPR Compliance

  • Right to access: Data export in JSON
  • Right to deletion: Delete account and data
  • Right to portability: Machine-readable export
  • Consent management: Explicit consent
  • Data retention: 30-day grace period

CCPA Compliance

  • Right to know: Disclose data collection
  • Right to delete: Delete personal information
  • Right to opt-out: Opt-out of data sale
  • Non-discrimination: Same service quality

Content Moderation

Automated Moderation

  • ML-based detection:
    • Hate speech detection
    • NSFW content detection
    • Spam detection
    • Misinformation detection
  • Real-time scanning on upload
  • Queue flagged content for review

Human Moderation

  • Review dashboard for moderators
  • Context information (user history)
  • Action buttons (remove, warn, suspend)
  • Appeal process for users

User Safety

  • Blocking and muting
  • Reporting system
  • Privacy controls
  • Content filters

API Security

Rate Limiting

  • Token bucket algorithm
  • Per-user and per-IP limits
  • Graceful degradation (429 response)

Input Validation

  • Server-side validation
  • Whitelist allowed characters
  • Sanitize HTML/SQL
  • File type validation

API Authentication

  • OAuth 2.0 flow
  • Access tokens (1 hour)
  • Refresh tokens (30 days)
  • Scopes: read, write, admin

Security Monitoring

Monitoring Metrics

  • Failed login attempts
  • Unusual API usage
  • Suspicious account activity
  • Data access patterns

Incident Response

  • Detection: Automated alerts
  • Triage: Assess severity
  • Containment: Isolate systems
  • Investigation: Root cause analysis
  • Remediation: Fix vulnerability
  • Recovery: Restore operations

Vulnerability Management

  • Regular security audits
  • Penetration testing (quarterly)
  • Bug bounty program
  • Dependency scanning
  • Security training

This security and privacy framework ensures Facebook protects user data and complies with regulations.