What does Facebook know about you? Clearly a whole lot more than it’s comfortable letting on.
Today, during testimony in front of the House Energy & Commerce committee, CEO Mark Zuckerberg was pressed by congressman Jerry McNerney on whether Facebook lets users download all their information — and he ended up appearing to contradict its own cookies policy, which — if you go and actually read it — states pretty clearly that Facebook harvests users’ browsing data.
See, for e.g.:
Yet you won’t find your browsing data included in the copy of the information you can request from Facebook. Nor will you find a complete list of all the advertisers that have told Facebook they can target you with ads. Nor will you find lots of other pieces of personal information like images that Facebook knows you’re in but which were uploaded by other users, or a phone number you declined to share with it but which was uploaded anyway because one of your friends synced their contacts with its apps, thereby handing your digits over without your say so.
And that’s just to name a few of the missing pieces of information that Facebook knows and holds about you — and won’t tell you about if you ask it for a copy of “your information”.
Here’s the key exchange — which is worth reading in full to see how carefully Zuckerberg worded his replies:
McNerney: “Is there currently a place that I can download all of the Facebook information about me including the websites that I have visited?”
Zuckerberg: “Yes congressman. We have a ‘Download your information’ tool, we’ve had it for years, you can go to it in your settings and download all of the content that you have on Facebook.”
McNerney: “Well my staff, just this morning, downloaded their information and their browsing history is not in it. So are you saying that Facebook does not have browsing history?”
Zuckerberg: “Congressman that would be correct. If we don’t have content in there then that means that you don’t have it on Facebook. Or you haven’t put it there.”
McNerney: “I’m not quite on board with this. Is there any other information that Facebook has obtained about me whether Facebook collected it or obtained it from a third party that would not be included in the download?”
Zuckerberg: “Congressman, my understanding is that all of your information is included in download your information.”
McNerney: “I’m going to follow up with this afterwards.”
If you read Zuckerberg’s answers carefully you’ll see that each time he reframes the question to only refer to information that Facebook users have themselves put on Facebook.
What he is absolutely not talking about is the much more voluminous — and almost entirely unseen — supermassive blackhole’s worth of data the company itself amasses about users (and indeed, non-users) via a variety of on and offsite tracking mechanisms, including — outside its walled garden — cookies, pixels and social plug-ins embedded on third party websites.
According to pro-privacy search engine DuckDuckGo, Facebook’s trackers are on almost a quarter of the top million websites — meaning that anyone browsing popular websites can have their activity recorded by Facebook, linked to their Facebook identity, and stored by the company in its vast but unseen individual profiling databases.
This background surveillance has got Facebook into legal hot water with multiple European data protection agencies. Albeit it hasn’t — thus far — stopped the company tracking Internet users’ habits.
Facebook also buys data from third party data brokers to further flesh out what it knows about people.
The key disconnect evident in Zuckerberg’s testimony is that Facebook thinks of this type of information (metadata if you prefer) as belonging to it — rather than to the individuals whose identity is linked to it (linking also conducted by Facebook).
Hence the tool Zuckerberg flagged in front of Congress is very deliberately called “download your information” [emphasis mine].
With that wording Facebook does not promise to give users a copy of any of the information it has pervasively collected on them. (Doing so would clearly be far more expensive, for one thing.)
Although given that McNerney pressed Zuckerberg in his follow up for a specific answer on “any other information that Facebook has obtained about me” — and the CEO still equivocated, it’s hardly a good look.
Transparency and plain dealing from Facebook? Quite the opposite on this front.
Facebook has faced more pressure on its lack of transparency about the information it holds on users in Europe where existing privacy regulations can mandate that organizations must respond to so-called ‘subject access requests’ — by providing individuals who make a request with a copy of the information they hold about them; as well as (if they make a small payment) telling them whether any personal data is being processed; giving them a description of the personal data, the reasons it is being processed, and whether it will be given to any other organizations or people.
So, in other words, subject access requests are a world away from Facebook’s current ‘download your information tool’ — which mostly just shows users only the information they have personally volunteered to give it.
Even so, Facebook has not been meeting the full disclosure obligations set out in EU privacy law — instead pursuing legal avenues to avoid fulsome compliance.
Case in point: Late last month Paul-Olivier Dehaye, the co-founder of PersonalData.IO, told a UK parliamentary committee — which has also been calling for Zuckerberg to testify (so far unsuccessfully) — how he’s spent “years” trying to obtain all his personal information from Facebook.
Because of his efforts he said Facebook built a tool that now shows some information about advertisers. But this still only provides an eight-week snapshot of advertisers on its platform that have told it they have the user’s consent to process their information. So still a very far cry from what individuals are supposed to be able to request under EU law.
“Facebook is invoking an exception in Irish law in the data protection law — involving, ‘disproportionate effort’. So they’re saying it’s too much of an effort to give me access to this data,” Dehaye told the committee. “I find that quite intriguing because they’re making essentially a technical and a business argument for why I shouldn’t be given access to this data — and in the technical argument they’re in a way shooting themselves in the foot. Because what they’re saying is they’re so big that there’s no way they could provide me with this information. The cost would be too large.”
“They don’t price the cost itself,” he added. “They don’t say it would cost us this much [to comply with the data request]. If they were starting to put a cost on getting your data out of Facebook… that would be very interesting to have to compare with smaller companies, smaller social networks. If you think about how antitrust laws work, that’s the starting point for those laws. So it’s kind of mindboggling that they don’t see their argumentation, how it’s going to hurt them at some point.”
With the incoming GDPR update to the bloc’s data protection laws — which beefs up enforcement in the European Union with a new regime of supersized fines — the legal liabilities of shirking regulatory compliance will step up sharply in just over a month’s time. But it remains to be seen whether Facebook — or indeed any of the other ad-tech giants whose business models rely on pervasive tracking of web users (ehem Google ehem) — will finally reveal all the information held on users, rather than just giving up a few selective snapshots.
Update: After a break in the committee hearing, Zuckerberg later revisited his comments about what information is and is not contained in Facebook’s download your data feature — saying he’d clarified with his team that “weblogs are not in ‘Download your Information’.”
“We only store them temporarily and we convert the weblogs into a set of ad interests that you might be interested in those ads,” he claimed. “And we put that in “Download your Information” instead and you have complete control over that.”