24 year old student lights match: Europe versus Facebook

If you are interested in social networks, don't miss the slick video about Max Schrems’ David and Goliath struggle with Facebook over the way they are treating his personal information.  Click on the red “CC” in the lower right-hand corner to see the English subtitles.

Max is a 24 year old law student from Vienna with a flair for the interview and plenty of smarts about both technology and legal issues.  In Europe there is a requirement that entities with data about individuals make it available to them if they request it.  That's how Max ended up with a personalized CD from Facebook that he printed out on a stack of paper more than a thousand pages thick (see image below). Analysing it, he came to the conclusion that Facebook is engineered to break many of the requirements of European data protection.  He argues that the record Facebook provided him finds them to be in flagrante delicto.  

The logical next step was a series of 22 lucid and well-reasoned complaints that he submitted to the Irish Data Protection Commissioner (Facebook states that European users have a relationship with the Irish Facebook subsidiary).  This was followed by another perfectly executed move:  setting up a web site called Europe versus Facebook that does everything right in terms of using web technology to mount a campaign against a commercial enterprise that depends on its public relations to succeed.

Europe versus Facebook, which seems eventually to have become an organization, then opened its own YouTube channel.  As part of the documentation, they publicised the procedure Max used to get his personal CD.  Somehow this recipe found its way to reddit  where it ended up on a couple of top ten lists.  So many people applied for their own CDs that Facebook had to send out an email indicating it was unable to comply with the requirement that it provide the information within a 40 day period.

If that seems to be enough, it's not all.  As Max studied what had been revealed to him, he noticed that important information was missing and asked for the rest of it.  The response ratchets the battle up one more notch: 

Dear Mr. Schrems:

We refer to our previous correspondence and in particular your subject access request dated July 11, 2011 (the Request).

To date, we have disclosed all personal data to which you are entitled pursuant to Section 4 of the Irish Data Protection Acts 1988 and 2003 (the Acts).

Please note that certain categories of personal data are exempted from subject access requests.
Pursuant to Section 4(9) of the Acts, personal data which is impossible to furnish or which can only be furnished after disproportionate effort is exempt from the scope of a subject access request. We have not furnished personal data which cannot be extracted from our platform in the absence of disproportionate effort.

Section 4(12) of the Acts carves out an exception to subject access requests where the disclosures in response would adversely affect trade secrets or intellectual property. We have not provided any information to you which is a trade secret or intellectual property of Facebook Ireland Limited or its licensors.

Please be aware that we have complied with your subject access request, and that we are not required to comply with any future similar requests, unless, in our opinion, a reasonable period of time has elapsed.

Thanks for contacting Facebook,
Facebook User Operations Data Access Request Team

What a spotlight

This throws intense light on some amazingly important issues. 

For example, as I wrote here (and Max describes here), Facebook's “Like” button collects information every time an Internet user views a page containing the button, and a Facebook cookie associates that page with all the other pages with “Like” buttons visited by the user in the last 3 months. 

If you use Facebook, records of all these visits are linked, through cookies, to your Facebook profile – even if you never click the “like” button.  These long lists of pages visited, tied in Facebook's systems to your “Real Name identity”, were not included on Max's CD. 
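To make the mechanism concrete, here is an added sketch (not code from Facebook, from Max, or from the original post) of the per-cookie record a button host's request log yields without any click, and of what blocking third-party cookies in the browser removes. The cookie ids, URLs, profile name and the reading of "3 months" as 90 days are constructed assumptions.

```javascript
// Added illustration: every name, cookie id and URL below is constructed.
const DAY_MS = 24 * 60 * 60 * 1000;
const NOW = Date.parse("2011-10-01T00:00:00Z");

// Constructed log of requests a button host receives when pages embedding its
// button are loaded. "referer" is the embedding page; "clicked" records whether
// the visitor pressed the button. No entry here involves a click.
const requestLog = [
  { cookie: "c-111", referer: "https://news.example/politics", ts: NOW - 2 * DAY_MS, clicked: false },
  { cookie: "c-111", referer: "https://health.example/clinic-finder", ts: NOW - 30 * DAY_MS, clicked: false },
  { cookie: "c-111", referer: "https://jobs.example/listings", ts: NOW - 120 * DAY_MS, clicked: false },
  { cookie: "c-222", referer: "https://news.example/politics", ts: NOW - 1 * DAY_MS, clicked: false },
];

// Cookies that have at some point been presented together with a login.
const loggedInCookies = new Map([["c-111", "profile: Example User"]]);

// Group page views by cookie, keeping only those inside the retention window.
function buildHistories(log, now, retentionDays) {
  const histories = new Map();
  for (const { cookie, referer, ts } of log) {
    if (!cookie || now - ts > retentionDays * DAY_MS) continue;
    if (!histories.has(cookie)) histories.set(cookie, []);
    histories.get(cookie).push(referer);
  }
  return histories;
}

// Attach a profile to each history whose cookie was ever seen logged in.
function linkToProfiles(histories, sessions) {
  return [...histories].map(([cookie, pages]) => ({
    identity: sessions.get(cookie) || "unknown visitor",
    pages,
  }));
}

// Browser-side mitigation: with third-party cookies blocked, the button
// request arrives without a cookie, so views cannot be joined by cookie.
function blockThirdPartyCookies(log) {
  return log.map((entry) => ({ ...entry, cookie: null }));
}

const linked = linkToProfiles(buildHistories(requestLog, NOW, 90), loggedInCookies);
const blocked = buildHistories(blockThirdPartyCookies(requestLog), NOW, 90);
console.log(JSON.stringify(linked, null, 2));
console.log("histories with third-party cookies blocked:", blocked.size);
```

The first record is the kind of list a subject access request would be expected to return: two pages tied to a named profile, neither of them ever "liked".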

Is Facebook prepared to argue that it need not reveal this stored information about your personal data because doing so would adversely affect its “intellectual property”? 

It will be absolutely amazing to watch how this issue plays out, and see just what someone with Max's media talent is able to do with the answers once they become public. 

The result may well impact the whole industry for a long time to come.

Meanwhile, students of these matters would do well to look at Max's many complaints:

| no | date | topic | status | files |
|---|---|---|---|---|
| 01 | 18-AUG-2011 | Pokes. Pokes are kept even after the user “removes” them. | Filed with the Irish DPC | Complaint (PDF), Attachments (ZIP) |
| 02 | 18-AUG-2011 | Shadow Profiles. Facebook is collecting data about people without their knowledge. This information is used to substitute existing profiles and to create profiles of non-users. | Filed with the Irish DPC | Complaint (PDF), Attachments (ZIP) |
| 03 | 18-AUG-2011 | Tagging. Tags are used without the specific consent of the user. Users have to “untag” themselves (opt-out). Info: Facebook announced changes. | Filed with the Irish DPC | Complaint (PDF), Attachments (ZIP) |
| 04 | 18-AUG-2011 | Synchronizing. Facebook is gathering personal data e.g. via its iPhone-App or the “friend finder”. This data is used by Facebook without the consent of the data subjects. | Filed with the Irish DPC | Complaint (PDF), Attachments (ZIP) |
| 05 | 18-AUG-2011 | Deleted Postings. Postings that have been deleted showed up in the set of data that was received from Facebook. | Filed with the Irish DPC | Complaint (PDF), Attachments (ZIP) |
| 06 | 18-AUG-2011 | Postings on other Users’ Pages. Users cannot see the settings under which content is distributed that they post on other’s pages. | Filed with the Irish DPC | Complaint (PDF), Attachments (ZIP) |
| 07 | 18-AUG-2011 | Messages. Messages (incl. Chat-Messages) are stored by Facebook even after the user “deleted” them. This means that all direct communication on Facebook can never be deleted. | Filed with the Irish DPC | Complaint (PDF), Attachments (ZIP) |
| 08 | 18-AUG-2011 | Privacy Policy and Consent. The privacy policy is vague, unclear and contradictory. If European and Irish standards are applied, the consent to the privacy policy is not valid. | Filed with the Irish DPC | Complaint (PDF), Attachments (ZIP) |
| 09 | 18-AUG-2011 | Face Recognition. The new face recognition feature is a disproportionate violation of the users' right to privacy. Proper information and an unambiguous consent of the users is missing. | Filed with the Irish DPC | Complaint (PDF), Attachments (ZIP) |
| 10 | 18-AUG-2011 | Access Request. Access Requests have not been answered fully. Many categories of information are missing. | Filed with the Irish DPC | Complaint (PDF), Attachments (ZIP) |
| 11 | 18-AUG-2011 | Deleted Tags. Tags that were “removed” by the user are only deactivated but saved by Facebook. | Filed with the Irish DPC | Complaint (PDF), Attachments (ZIP) |
| 12 | 18-AUG-2011 | Data Security. In its terms, Facebook says that it does not guarantee any level of data security. | Filed with the Irish DPC | Complaint (PDF), Attachments (ZIP) |
| 13 | 18-AUG-2011 | Applications. Applications of “friends” can access data of the user. There is no guarantee that these applications are following European privacy standards. | Filed with the Irish DPC | Complaint (PDF), Attachments (ZIP) |
| 14 | 18-AUG-2011 | Deleted Friends. All removed friends are stored by Facebook. | Filed with the Irish DPC | Complaint (PDF), Attachments (ZIP) |
| 15 | 18-AUG-2011 | Excessive processing of Data. Facebook is hosting enormous amounts of personal data and it is processing all data for its own purposes. It seems Facebook is a prime example of illegal “excessive processing”. | Filed with the Irish DPC | Complaint (PDF), Attachments (ZIP) |
| 16 | 18-AUG-2011 | Opt-Out. Facebook is running an opt-out system instead of an opt-in system, which is required by European law. | Filed with the Irish DPC | Complaint (PDF), Attachments (ZIP) |
| | 24-AUG-2011 | Letter from the Irish DPC. | | Letter (PDF) |
| | 15-SEPT-2011 | Letter to the Irish DPC concerning the new privacy policy and new settings on Facebook. | | Letter (PDF) |
| 17 | 19-SEPT-2011 | Like Button. The Like Button is creating extended user data that can be used to track users all over the internet. There is no legitimate purpose for the creation of the data. Users have not consented to the use. | Filed with the Irish DPC | Complaint (PDF), Attachments (ZIP) |
| 18 | 19-SEPT-2011 | Obligations as Processor. Facebook has certain obligations as a provider of a “cloud service” (e.g. not using third party data for its own purposes or only processing data when instructed to do so by the user). | Filed with the Irish DPC | Complaint (PDF), Attachments (ZIP) |
| 19 | 19-SEPT-2011 | Picture Privacy Settings. The privacy settings only regulate who can see the link to a picture. The picture itself is “public” on the internet. This makes it easy to circumvent the settings. | Filed with the Irish DPC | Complaint (PDF), Attachments (ZIP) |
| 20 | 19-SEPT-2011 | Deleted Pictures. Facebook is only deleting the link to pictures. The pictures are still public on the internet for a certain period of time (more than 32 hours). | Filed with the Irish DPC | Complaint (PDF), Attachments (ZIP) |
| 21 | 19-SEPT-2011 | Groups. Users can be added to groups without their consent. Users may end up in groups that lead others to false impressions about a person. | Filed with the Irish DPC | Complaint (PDF), Attachments (ZIP) |
| 22 | 19-SEPT-2011 | New Policies. The policies are changed very frequently, users do not get properly informed, they are not asked to consent to new policies. | Filed with the Irish DPC | Complaint (PDF), Attachments (ZIP) |

 

Published by

Kim Cameron

Work on identity.

10 thoughts on “24 year old student lights match: Europe versus Facebook”

  1. This is crazy. Well done Max on raising these issues. As a former law student I can't help but think in 20 or 30 years time if this data were to get into the public domain it could cause absolute chaos in a whole host of ways.

  2. IT systems are designed using certain assumptions, namely that the systems are going to be used in an opt-out environment. European law requires opt-in. Opt out is clearly the preferred privacy regime.

  3. Regarding the “Like” button: the advertising and audience metrics industries have been able to track user behavior in great detail across most sites they visit for well over a decade. It's even sneakier because with those, there's no “manifestation” of what they're doing, aside from, for example, seeing an ad on a site that is related to the previous site you were on ( http://www.fetchback.com/ ). At least with facebook, all you have to do is not create an account with them, although they could, in theory still track you. If you're creating an account you are indeed “opting-in” to this sort of tracking which is again, more control over your privacy than you'll ever have with the advertising/audience metrics industries.

    But one could persist on arguing that you don't have to create an account with facebook to be tracked via that “Like” button, because they could indeed in theory still cookie you and track your browsing behavior across sites even if they don't exactly know who you are. But if you start assuming this, then you should probably assume that Google's “Analytics” platform could be doing the same: Just about every site in the World has GA tags on their pages to track their traffic metrics. While GA “reports” are tied to a specific “Site ID”, *technically* they *could* track individual users across all sites they visit.

    And while we're at it then, Google's “+1” button has the same theoretical capabilities as Facebook's “Like Button”.

    But let's just not stop here. Think of every “site add-on” out there, that is popular on many sites and gives you some sort of “extra”, such as social bookmarking buttons, widgets, apps, any popular “site add-on” platform is in a prime position to track incredible amounts of data about every user out there. Twitter's “tweet this” buttons are in the same boat.

    Facebook's “Like” just has more visibility right now.

    So if Max is going to be serious about this privacy battle, he's got thousands more CDs to request.

  4. Adele Pace commented that “Opt out is clearly the preferred privacy regime”. How so? Maybe we have different definitions, but I believe the standard meaning of “Opt In” is that by default users do not participate in a program: they must expressly elect to participate. All things being equal, Opt-In is the preferred privacy regime because it does not presume to know the user's preference.
    With care, Opt-out can be made privacy-friendly, by taking special steps to anonymise data and to safeguard it against inappropriate secondary re-use etc. I published a paper on this with some privacy advocates some years ago; see http://lockstep.com.au/library/ehealth/patient_privacy_and_security_.html. We argued that the best net benefits of electronic health records probably depend on an Opt-out model (for better completeness of data collection) and we suggested some technological means to help safeguard privacy under what most advocates would say is not the preferred consent model.

  5. Another interesting point in Schrems' case is that Facebook is claiming confidentiality of the biometric templates it collects. FB's argument seems tenuous, unless they're fighting to keep absolute secrecy around their algorithms (security by obscurity?).
    In any case, an interesting legal development in Australia will pull the rug from beneath them. The Australian Law Reform Commission has recommended legislative changes to classify biometric data and templates as Sensitive Personal Information. Sensitive PI means free and informed consent needs to be obtained prior to collection. Facebook will no longer have the luxury of keeping tags until users object (and even then they don't necessarily delete the template).
    And they will have to be more transparent about exactly what it is that they do with retained facial recognition templates. At present their Privacy Policy is entirely silent on the matter, referring only to the overtly visible tags – just the tip of the iceberg. But given their track record in pillaging personal information, Facebook's longer term strategic interest in facial recognition is clearly that it provides them with new x-ray vision into all those hitherto anonymous photo albums, and automatic surveillance of what everyone is doing, when and where and with whom.

  6. Most of those are things any decent web business does to improve the user experience and through that maximize revenue. All data is useful, drive space is cheap, and the data is usually only seen by algorithms so why delete it. People are way too paranoid. I like having the web intelligently react to me and show me things I'm interested in instead of not, help me locate things faster, etc.

    If you don't like it then browse anonymously and never post anything. Otherwise you're basically going into their place of business, handing them your photos, messages, etc and then complaining because they have the material you handed them.

  7. I cannot but admire the sheer irony of a site that picks a privacy fight with Facebook that uses a comments system that requires a logon process by other questionable entities (enabling tracking again). About the only sensible one in the list is OpenID; but here your privacy and quality of your logon protection depends on which OpenID provider you choose.

    But I digress. Regarding Opt-Out, that is never going to be an acceptable option because it forces the user into a game of whack-a-mole the moment their data has leaked. Your email address is sold many, many times over by organisations – it takes one (1, uno) website to be a tad creative in its interpretation of what permission means and you'll be unsubscribing forever. This is also why the Californian “do not email” law is a total copout.

    As an example, I was spammed by Oracle. I used the unsubscribe link – no result. I punt a complaint into a department that I knew to have lawyers, and someone took this personally and went on a hunt as to why this was happening (AFAIK it's also a violation of the above law). Turns out an outsourced email marketeer was not updating their “do not call” list as often as they should, and it took a total of 6 people a week's worth of work to find this out. It's taken care of now, but this was with a company that actually has a policy in place (but, btw, failed to explain why I was on their list in the first place) and with someone who turned into an internal champion for me because he hated this himself. You as a lone user stand no chance at all.

    Anyway, I have one final question for y'all: who has read the Google Terms of Service? I recommend you do – even if you read nothing else I suggest you pay attention to clause 11. Might be a wake up call.

  8. Adele Pace: You have that backwards. Opt-in is preferred by the company, not by the individual.

    Michael McGlothlin: You're arguing that one must choose to give up anonymity in all cases if they want to use the web? This is not what any of this technology was built on. And anyone wishing to give their info to Facebook is fine to do so. I use it myself. But what gives Facebook the right to track every site I visit because the site owner thinks that 500 “likes” means diddly to their website? The Like button plastered all over does nothing but allow Facebook to track each user's browsing habit–without their opting in–and in fact, without an option to opt out. But saying “it works for me, so it should for you too” is ridiculous.

    My Evil: mild irony, perhaps, but I think perhaps you're mixing up anonymity and privacy. Anyone running a website with a comment form knows that requiring some form of authentication reduces or eliminates spam. But the issue at hand with Facebook is far from them allowing you to be anonymous, it's that you have no expectation of privacy with anything you give them–or anything given to them by anyone else. The rest of your comment is spot-on. One of the biggest sources of issues like this is the fact that the legislators here in the US are unwilling to declare a right to privacy for individuals and allow opt-out as a cop-out.

Comments are closed.