A spokesperson told the WSJ that Facebook has talked about offering "something similar" to Sauron for everyone, not just its own workers. The challenge is considering the implications, the company said. It doesn't want to alert "bad actors" or spark "real world harm," such as retaliation from an abusive partner.

The company's internal policies are already designed to curb at least some abuse. Only a handful of employees have access to data without triggering the usual login alert, and those people are "closely monitored," the WSJ's sources said. When they use their powers to access other accounts, they're required to provide a valid reason for looking at a profile (managers inspect those reasons later) and ideally get permission in writing. If a worker ever gets one of those alerts, they can track down the reasoning in a bug report or talk to Facebook's security team. "Multiple" workers have been fired over the years as a result.

There were already clues this system existed. Paavo Siljamäki, part of the trance trio Above & Beyond, noted in 2015 that Facebook didn't need his login details after he gave them permission to access his account. This appears to be the first time outsiders have learned the extent of Facebook's access and its ability to fight abuse, however. And the stalking incident exacerbates things -- there's a clear gap between safeguards for Facebook staff and everyday users, and there are instances where users could benefit from that added protection.