Facebook's Download-Your-Data Tool Is Incomplete

Privacy International has the details:

Key facts:

  • Despite Facebook claim, "Download Your Information" doesn't provide users with a list of all advertisers who uploaded a list with their personal data.
  • As a user this means you can't exercise your rights under GDPR because you don't know which companies have uploaded data to Facebook.
  • Information provided about the advertisers is also very limited (just a name and no contact details), preventing users from effectively exercising their rights.
  • Recently announced Off-Facebook feature comes with similar issues, giving little insight into how advertisers collect your personal data and how to prevent such data collection.

When I teach cybersecurity tech and policy at the Harvard Kennedy School, one of the assignments is to download your Facebook and Google data and look at it. Many are surprised at what the companies know about them.

Posted on March 2, 2020 at 6:28 AM • 15 Comments

Comments

SayItMarch 2, 2020 7:06 AM

These companies are like online governments. They have a great deal of influence over very many persons, and can affect their lives substantially. But they are not democracies. They are totalitarian, with one person at the head of the company able to make many powerful decisions unilaterally, if he wishes. (And, yes, almost all these leaders are men.) Giving you some control over your data does not change the fact that these are essentially digital dictatorships.

SeanMarch 2, 2020 7:37 AM

@SayIt - All points well made.

I don't think anyone expected this to be complete, it'll clearly take external pressure to bring Facebook in-line.

Rj BrownMarch 2, 2020 9:37 AM

I solved this problem for myself before it ever even began. Long ago I decided that the potential to get infected (in the computer malware sense) was going to be greater when large numbers of persons could post virtually anything the liked (no pun intended) to a common web server. That was the reason I never became a facebook (or any other social network) user. I have occasionally visited a social network page, usually when doing a search, but never registered a username or logged in as a user.

Now it turns out that was a good decision for more reasons than I realized. I always felt that these sites were for people who did not have the ability to set up their own web presence. I had a website and ran the server, both hardware and software, before social networking existed.

I realize they still are able to collect a fair amount of information on me by means of 1-pixel images, cookies, etc. but not as much as if I was a registered user.

RealFakeNewsMarch 2, 2020 11:19 AM

Something I've practiced since day 1 of having internet access - never post real information, anywhere.

I'd be very interested in how Facebook could figure out who I actually am (allowing for them looking at my IP address/ISP). I don't mean this question naïvely, either.

AnonMarch 2, 2020 11:31 AM

Rj Brown, the biggest danger for those of us who are non-users of Facebook is that our family, friends, and acquaintances will upload details and photos OF US to Facebook's data banks, something of which we have limited or no control.
It does help, of course, to never sign up personally. And fortunately there are browser add-ons for Firefox, Pale Moon, etc., that can completely disable social media trackers, UBlock Origin or Privacy Badger, for example.
One thing I find very disturbing is the presence of Facebook trackers on the websites of financial institutions. It doesn't exactly inspire confidence.
I also have to disallow remote content in incoming emails (a good idea anyway), due to all the rampant Facebook links in commercial communications.
It's time that businesses (at least) stopped promoting Facebook interaction with their customers as if it's the most normal and harmless thing in the world. I don't trust any business that tries to send me to that cesspool.

lurkerMarch 2, 2020 12:50 PM

There is still a significant portion of the web population who believe "Download your Data" means a parcel of data leaves FB or wherever, and comes to your computer, and no longer remains at FB or. These people include bankers and lawyers. It still happens that when documents are sent mistakenly to a wrong recipient, a followup will advise to "return" those documents[1]. These people are all over FB.

@Anon

One thing I find very disturbing is the presence of Facebook trackers on the websites of financial institutions....
It's time that businesses (at least) stopped promoting Facebook interaction with their customers...
In spite of its time-wasting triviality, Ebeneezer Scrooge would have loved FB for the economical customer database it maintains for him.

[1] AFAIK the futility of this advice has not been tested in the courts…

Rj BrownMarch 2, 2020 3:24 PM

Despite the lawyersand bankers not understanding the technical workings of social networking sites, the *DO* understand that they probably get paid for those trackers. :-(

kiwanoMarch 2, 2020 3:27 PM

Interestingly, I made a request for exactly the sort of information that is described in this post, when I deleted my account (shortly after requesting a copy of my personal data). I am a citizen of an EU country, and would gladly join any class-action suit around this (and provide my unanswered request as evidence), were such a suit to be initiated. I sincerely hope that one is initiated, and that if it is, I can find out about it in a subsequent post.

TRXMarch 2, 2020 5:39 PM

> I'd be very interested in how Facebook could figure out who I actually am (allowing for them looking at my IP address/ISP)
---
Easy enough to automate. Facebook has a myriad of URLs that don't sound Fakebookish, plus their "partners", wholly-owned subsidiaries, and so forth. You might have given Facebook your information yourself, unknowningly.

Then there are the trackers; the trackers set cookies in your browser, and eventually you'll probably hit a site that you provide information to, and an applet on the other end will match it to a Facebook cookie, and then they'll know every place on the web you've been since you got the first cookie.

In some cases, they can get your ID right from your ISP, from various "partnership" agreements, up to and including co-locating their own servers with those of your ISP.

The Internet is basically one huge tracking and surveillance system nowadays.

PhaeteMarch 2, 2020 10:44 PM

After looking to buy a new pc online, i browsed through their privacy policy and found the following:

"We may provide your order reference number, currency, total order price, order quantity and some aspects of the specification you have ordered such as the processor and graphics card to Google, Facebook, Bing and Hatch B.V. This is used for the purposes of sales tracking."

I'm not sure what it says about your company if you need those companies to track your own sales. But then they never say they need it for themselves to track their sales, they just say for they need it for tracking purposes (of those other companies)

So be careful where you order online, your order might be plastered around the internet without you ever registering to any social site.

65535March 2, 2020 11:57 PM

"... I teach cybersecurity tech and policy at the Harvard Kennedy School..."- Bruce S.

I have some questions about Colleges or University mandating the use of Google or Facebook.

1] Does Harvard require the use of either Google or Facebook?

2] What is your opinion on colleges who mandatorily require the use of Google Gmail for students and their communication?

3] What can be done to mitigate the risk of Gmail forced use in colleges?

smJohnMarch 3, 2020 1:17 AM

I also wonder if there is another bit of info that is missing from the downloads Facebook makes available: the settings that users were forced to change over the years from when FB first started out. In the early days the social media giant had privacy settings such as being able to hide your list of friends from others' view and being able to grey out "friend this person" as an option on one's profile.
Over the years these were taken away bit by bit, with FB stating at the time that the number of users with these settings was so very small it made no sense to keep them; well I had set them and I'd be interested to know when the company took them away for all sorts of reasons. I have downloaded my own data but haven't gone through it in more than cursory fashion, so don't know for sure such a detail isn't in there.

L'Homme de KabulMarch 8, 2020 12:39 PM

RealFakeNews,


I'd be very interested in how Facebook could figure out who I actually am (allowing for them looking at my IP address/ISP). I don't mean this question naïvely, either.

Just consider the amount of data that can be nicked from the mobiles of your less confidentiality-savvy friends and acquaintances.

Not mentioning possible buy-outs of various data from third parties.

Leave a comment

Allowed HTML: <a href="URL"> • <em> <cite> <i> • <strong> <b> • <sub> <sup> • <ul> <ol> <li> • <blockquote> <pre>

Sidebar photo of Bruce Schneier by Joe MacInnis.