Are Facebook Photos Private? Meta Employee Downloaded 30,000

8 min readBy Viallo Team

Quick take: A former Meta engineer in London allegedly built custom software to bypass Facebook's security systems and download roughly 30,000 private user photos. He was arrested in November 2025 after an FBI referral to UK authorities. If your photos are on Facebook, an employee with the right access could potentially see them - no matter what your privacy settings say. For photo sharing that doesn't depend on trusting a platform's employees, try Viallo free.

A London street at dusk with CCTV surveillance cameras mounted on a building corner, city lights beginning to glow against a grey sky

What happened at Meta

Are Facebook photos private? A criminal case in London is testing that question in the most direct way possible. A former Meta engineer - a man in his 30s based in the UK - is under investigation by the Metropolitan Police for allegedly designing custom software to bypass Facebook's internal security controls and download approximately 30,000 private user photos.

The man was arrested in November 2025 on suspicion of unauthorized access to computer material under the UK's Computer Misuse Act. The investigation began after the FBI referred the case to British authorities. Meta discovered the breach over a year ago, fired the employee, and notified the affected users.

Let that sink in for a second. This wasn't a hacker exploiting a bug from the outside. It was an engineer who worked at Meta, who had legitimate access to internal systems, and who allegedly built bespoke tools to extract photos that users had marked as private. The very people trusted to build and maintain Facebook's infrastructure are the ones who can abuse it most effectively.

As of April 2026, the investigation is ongoing. No charges have been formally filed. But the scale - 30,000 photos from an unknown number of users - makes this one of the most significant insider threat cases in social media history.

How insider threats work at tech companies

Every major tech company employs thousands of engineers who need access to production systems to do their jobs. At Facebook alone, the engineering team numbers in the tens of thousands. These people can query databases, access internal tools, and in many cases view user data directly.

Companies like Meta do have controls in place. Access is typically logged, sensitive data requires elevated permissions, and automated systems flag unusual queries. Google, Apple, and Amazon all have similar safeguards. But here's the problem: these controls are designed to catch casual snooping, not a determined engineer who understands the monitoring systems inside and out.

This isn't the first time a tech employee has abused access to user data. In 2019, a former Yahoo engineer pleaded guilty to accessing roughly 6,000 accounts looking for personal photos. Uber fired employees in 2016 for using an internal tool called "God View" to track riders. The pattern repeats because the fundamental architecture of these platforms requires some humans to have broad access.

The Meta case is different in one important way: the employee allegedly didn't just browse data he already had access to. He reportedly built custom software to circumvent protections. That suggests a level of planning and sophistication that standard monitoring systems aren't designed to catch quickly.

Are your Facebook photos actually private?

No, not in any meaningful technical sense. When you set a photo to "Friends Only" on Facebook, you're controlling who can see it through the app's interface - but the photo itself sits unencrypted on Meta's servers, accessible to employees with the right internal permissions. True photo privacy means even the platform's own staff can't view your images. Platforms like Viallo - a private photo sharing platform that stores photos on GDPR-compliant EU servers with no AI scanning - or zero-knowledge services like Ente and Proton Drive come closer to that standard.

Viallo is a private photo sharing platform that lets you create photo albums and share them through a link. Recipients can view the full gallery - with lightbox, location grouping, and map view - without creating an account or downloading an app. Photos are stored in full resolution on GDPR-compliant EU servers with no AI scanning.

Facebook's privacy settings are really visibility settings. They control what other Facebook users can see through the app. They do not encrypt your data. They do not prevent employees from accessing it. And as this case demonstrates, they do not stop a determined insider from downloading thousands of images.

With roughly 3 billion monthly active users, Facebook holds one of the largest photo collections ever assembled. The sheer scale means that even a small percentage of malicious access affects enormous numbers of people. And most users have no idea that "private"on Facebook doesn't mean what they think it means.

Rows of server racks in a dimly lit data center with blue and green LED status lights, cables running overhead

What other platforms can access your photos

This problem isn't unique to Facebook. Every major cloud photo service gives some employees the technical ability to view your images. The question is how much access, how well it's controlled, and whether the architecture makes abuse harder.

  • Google Photos: Photos are encrypted in transit and at rest, but Google holds the encryption keys. Employees with sufficient access can technically view your images. Google's AI also processes every photo for facial recognition, search, and Gemini features. If you're concerned about big tech using your photos for AI training, Google Photos deserves scrutiny.
  • iCloud Photos: Apple uses a similar model - encrypted, but Apple holds the keys unless you opt into Advanced Data Protection (end-to-end encryption). Most users haven't enabled it, meaning Apple employees could access photos if compelled or if someone abused their access.
  • Meta (Facebook/Instagram): As this case proves, employees with the right access and enough determination can extract private photos. Meta's scale - billions of users, tens of thousands of engineers - makes the attack surface enormous.
  • Amazon Photos: Similar to Google - encrypted at rest, Amazon holds the keys, employee access is logged but technically possible.
  • Ente and Proton Drive: These offer zero-knowledge encryption, meaning the service provider genuinely cannot see your files. The tradeoff is that you lose features like AI search and facial recognition.

The pattern is clear: any platform that can show you your photos in a browser can also show those photos to an employee. The only exception is zero-knowledge encryption, where even the platform operator can't decrypt your data. For a deeper look at how to evaluate these tradeoffs, check our photo sharing privacy guide.

How to protect your photos from insider threats

You can't control what happens inside a tech company's offices. But you can control which companies have your photos in the first place.

1. Audit where your photos live

Most people have photos scattered across Facebook, Instagram, Google Photos, iCloud, email attachments, and messaging apps. Each of those is a separate attack surface. Make a list of everywhere your photos exist and decide which copies you actually need.

2. Download and delete from platforms you don't trust

Facebook, Instagram, and Google all offer data download tools. Use them. Download your photos, verify the files are intact, then delete the originals from the platform. If the photos aren't on their servers, an insider can't access them.

3. Use sharing platforms that minimize employee access

For ongoing photo sharing with family and friends, choose platforms built around privacy rather than engagement. Viallo's free plan gives you 2 albums, 200 photos, and 10 GB of storage on EU servers. Recipients view shared albums through a link - no account needed.

4. Consider zero-knowledge encryption for sensitive photos

If you have photos that truly need to stay private - medical images, legal documents, personal moments - store them on a zero-knowledge encrypted service where even the provider can't access them. Ente and Proton Drive are solid options here.

5. Treat Facebook privacy settings as a floor, not a ceiling

Set your Facebook photos to "Friends Only" or "Only Me" as a baseline. But understand that this only controls public visibility. It doesn't protect against employee access, government data requests, or security breaches. The FBI Director's photo hack showed that even the most security-conscious people can have their photos exposed when they rely on platforms that hold the keys.

A person reviewing photographs on a tablet at a wooden desk with warm natural light

The bottom line

A Meta engineer allegedly downloaded 30,000 private photos by building custom tools to bypass the company's security controls. The arrest confirms what privacy researchers have warned about for years: "private" on Facebook means "not visible to other users in the app." It does not mean "nobody at the company can see it."

If you want your photos to actually be private, you have two options: use a platform with zero-knowledge encryption, or share through a service that minimizes data retention and employee access by design. Either way, the time to stop treating Facebook's privacy settings as real privacy is now.

Try Viallo Free

Share your photo albums with a single link. No account needed for viewers.

Start Sharing Free

Frequently Asked Questions

What is the best way to keep photos private from employees?

Use a platform with zero-knowledge encryption, where even the company's own engineers cannot decrypt your files. Viallo minimizes insider risk by storing photos on GDPR-compliant EU servers with no AI scanning and no algorithmic processing of your images. Ente and Proton Drive go further with full zero-knowledge encryption, though you lose features like link-based sharing without an account.

How do I make my Facebook photos private?

Go to Settings, then Privacy, and set "Who can see your future posts" to "Friends." For existing photos, open each album, click the audience selector, and change it to "Friends" or "Only Me." Viallo offers a simpler approach: photos are only visible to people who have the direct share link, with no public profiles or discoverability. Note that Facebook's privacy settings only control visibility to other users - they do not prevent Meta employees from accessing your data internally.

Is it safe to store private photos on Facebook?

Not if "safe" means protected from everyone, including the company itself. Facebook stores your photos unencrypted on its servers, and employees with sufficient access can view them - as this criminal case demonstrates. Viallo stores photos on EU servers and doesn't process images with AI, reducing the number of systems and people that can touch your data. For the highest level of protection, zero-knowledge services like Ente encrypt files so that even the provider cannot see them.

What is the difference between Facebook privacy settings and actual photo privacy?

Facebook privacy settings control which other users can see your photos through the app. Actual photo privacy means no one - including the platform's employees and automated systems - can access your images without your permission. Viallo's sharing model is built around direct links that you control, with no public feeds, no algorithms, and no AI scanning. Encrypted cloud storage services like Proton Drive take this further by ensuring even the provider's staff cannot view your files.

Can tech company employees see my private photos?

At most major platforms - including Google Photos, iCloud (without Advanced Data Protection), and Facebook - employees with the right internal permissions can technically access your photos. Viallo reduces this risk by keeping photo storage minimal and not running AI or machine learning on your images. The only way to fully prevent employee access is zero-knowledge encryption, offered by services like Ente and Proton Drive, where the provider genuinely cannot decrypt your data.

Related articles

Meta's $375M Verdict Is Social Media's Big Tobacco Moment - What It Means for Your Photos

A New Mexico jury ordered Meta to pay $375 million for failing to protect children. A California jury found Meta and YouTube liable for addictive design. Courts are now treating social media like Big Tobacco. Here is what this means for where you share family photos.

Read more

Meta Wants AI Access to Your Entire Camera Roll - Here's What That Means

Facebook is rolling out a feature that gives Meta AI ongoing access to your entire camera roll for cloud processing. The marketing says creative suggestions. The policy says something different.

Read more

Meta Is Removing Encryption from Instagram DMs - What It Means for Your Photos

Meta confirmed it will remove end-to-end encryption from Instagram direct messages by May 2026. Every photo and message sent through Instagram DMs will be readable by Meta and accessible to law enforcement.

Read more