A group of Austrian students called Europe v. Facebook recently got their hands on their complete Facebook user data files - note, this is not the same file Facebook sends if you request your personal history through the webform in Account Settings.
See, Facebook wants you to feel safe and warm and fuzzy about controlling your own privacy. As we move into the era of the Open Graph and apps that autopost your activities, users are raising serious questions about data collection and privacy.
To help quell these fears, Facebook lets users download their their own data, as they said in an official statement to the Wall Street Journal blog Digits:
“We believe that every Facebook user owns his or her own data and should have simple and easy access to it. That is why we’ve built an easy way for people to download everything they have ever posted on Facebook, including all of their messages, posts, photos, status updates and profile information. People who want a copy of the information they have put on Facebook can click a link located in ‘Account Settings’ and easily get a copy of all of it in a single download. To protect the information, this feature is only available after the person confirms his or her password and answers appropriate security questions.”
Phew, that’s good. But wait... how come the students over at Europe v. Facebook got a different, more complete file when requested through Section 4 DPA + Art. 12 Directive 95/46/EG, a European privacy law? The carefully crafted statement above says they will give you access to everything you’ve put on Facebook - but what about the data Facebook collects without your knowledge?
What You May Not Get in Your Copy of Your Facebook File
On their website, Europe v. Facebook lists their primary objective as transparency, saying, “It is almost impossible for the user to really know what happens to his or her personal data when using facebook. For example ‘removed’ content is not really deleted by Facebook and it is often unclear what Facebook exactly does with our data.”
Indeed, the complete user file they received when requested through Section 4 DPA + Art. 12 Directive 95/46/EG is the same one available to attorneys and law enforcement via court order. It contains more information than the one Facebook sends users through their webform, according to Europe v. Facebook founder and law student Max Schrems, including:
- Every friend request you’ve ever received and how you responded.
- Every poke you’ve exchanged.
- Every event you’ve been invited to through Facebook and how you responded.
- The IP address used each and every time you’ve logged in to Facebook.
- Dates of user name changes and historical privacy settings changes.
- Camera metadata including time stamps and latitude/longitude of picture location, as well as tags from photos - even if you’ve untagged yourself.
- Credit card information, if you’ve ever purchased credits or advertising on Facebook.
- Your last known physical location, with latitude, longitude, time/date, altitude, and more. The report notes that they are unsure how Facebook collects this data.
One of Europe v. Facebook’s chief objections is that Facebook offers “no sufficient way of deleting old junk data.” Many of the complaints they’ve filed with the Irish Data Protection Commissioner* involve Facebook’s continued storage of data users believe they have deleted. Copies of the redacted files received through their requests are published on the Europe v. Facebook website.
Better Hope You’ve Behaved Yourself...
Ever flirted with someone other than your spouse in a Facebook chat? You had better hope your message records don’t end up in the hands of a divorce lawyer, because they can access even the ones you’ve deleted.
That day you called your employer in Chicago and begged off work, as you were sick? You logged in to Facebook from an IP address in Miami. Oops.
A few weeks ago, Australian hacker exposed Facebook’s practice of tracking logged out users and they quickly “fixed” the problem (after trying to defend it, initially). But the extent to which they collect and keep information users may not even realize they are giving Facebook in the first place - or believe they’ve deleted - is worrisome for privacy watchdogs.
The truly questionable thing is, the average user has no idea what their file contains and in North America, at least, have no right to access it. ITWorld’s Dan Tynan requested his, citing the U.S. Constitution, but received only an autoresponse telling him the form is only applicable in certain jurisdictions. In other words, if they’re not required to release your data to you by law, don’t hold your breath.
But then, maybe you’ll be one of the “lucky” ones who will have your activities brought up in court or a police investigation. There will be little left to the imagination, then.
What You Can Do About It
We contacted Max Schrems and asked whether Europe v. Facebook is able to help users, even those in other jurisdictions, to access their personal files. Though they receive emails from around the world, he said, their focus is on the 22 active complaints they currently have registered with the Irish Data Protection Commission. Residents of the European Union can fill out the online form on Facebook’s website (this is not the Account Settings form, but a request for the full file).
Schrems did offer tips for all users who want to curb the amount of information they’re handing over to Facebook from this point forward. “I would frequently check my privacy settings, turn everything to ‘Friends only’ and turn off ‘Platform.’ Users have to realize that you don’t just share with your Friends, but you always share with your Friends AND Facebook.”
Judging by the sheer difference in file sizes, comparing the personally requested vs. legally requested files Schrems and Europe v. Facebook received, there’s a lot of data left on the table. For the same user, the file sizes varied enormously. Schrems described the file obtained through a legal request as a 500MB PDF including data the user thought they had deleted. The one sent through a regular Facebook request was a 150MB HTML file and included video (the PDF did not) but did not have the deleted data.
We reached out to Facebook for comment but had not received a response by the time of publication.
*Europe v. Facebook files their complaints in Ireland, as Facebook’s User Terms list their Ireland office as headquarters for all Facebook affairs outside of Canada and the U.S.