Belgium Tells Facebook to Stop Storing Personal Data from Non-Users (bloomberg.com)
150 points by dedene on Nov 9, 2015 | 46 comments



Just so people are clear --

Even if you are not using Facebook, even if none of your friends ever use Facebook or tag you in any content, Facebook is maintaining a shadow profile on you. They have your web browsing habits from the Like button, and in many countries (such as the United States) they have bought data from data brokers such as Datalogix to gain access to your grocery store purchases and other data. They can sell you as an audience on behalf of other sites/apps if they choose (they aren't doing this now, but they could), and they can continue to use third party mechanisms to keep close tabs on you. They might not know you by name, but they definitely know you by many other identifying traits.

I would be very interested to see the results of a European data request by a non-Facebook-user in a country where Facebook has been aggressive in cutting data brokerage deals. Maybe the UK or something. We can get a lot of feel good rhetoric from the company's PR and employees, but nobody really knows what is collected and stored. (Of course, the company could say "we don't have data for anyone with that name," which would be factually correct.)

There is another comment here that is completely wrong in asserting that Facebook only tracks you insomuch as is required to help your friends make use of the site. This fantasy notion might make people feel better about making use of the site -- sort of like how consumers of H&M will reason that "those Bangladeshi girls really needed the job" -- but it isn't the truth.


> Even if you are not using Facebook, even if none of your friends ever use Facebook or tag you in any content, Facebook is maintaining a shadow profile on you.

That's a more general flaw with the current web. Just look at how much 3rd party content is embedded into almost any site. A good chunk of them are user trackers. Facebook is just one among many.

I think we need stronger compartmentalization in the web. The iframe sandboxing + message-channel APIs are a good start to isolate things and minimize information leakage; sadly, that doesn't help with libraries loaded from CDNs. Mozilla's contextual identities is another approach [1].

[1] https://wiki.mozilla.org/Security/Contextual_Identity_Projec...


You had me right up until the Bangladesh jab. Yes, it turns out that those Bangladeshi girls really do need the jobs:

http://www.npr.org/sections/money/2013/12/03/247360855/two-s...

The whole series on the making of T-shirts is amazing: http://www.npr.org/shirt


Facebook explicitly deny creating 'shadow profiles' and I'm not aware of any proof that they do so; have I overlooked this somehow?

I was interested in this too, and I'm in Europe and submitted a formal request for data. I've never used Facebook but because I'm active in a number of community groups, my name comes up on the occasional Facebook page and I'm in photos taken at some events.

At the time I was using a catchall email address so I entered facebook@(my-domain-dot-tld) which is all they used to search for a match. Because that wasn't a real email address I wasn't surprised that in their response they claimed to hold none of my personal data, though that seems a bit weaselly.

Here is their email reply from 2013:

Hi,

We've received your request for information about the possible storage of your personal data.

There isn't a Facebook account associated with the email address from which you are writing. This might be because you don't have a Facebook account or because you already deleted your account. In either of these cases, we do not hold any of your personal data.

Please refer to our Privacy Policy (also called “Data Use Policy”) for more information:

https://www.facebook.com/about/privacy

It contains a description of:

- The categories of data being processed by Facebook
- The personal data that Facebook receives from Facebook members
- The purpose or purposes of the processing of such data
- The source or sources(s) of the data, if known
- The recipients or categories of recipients to whom Facebook members’ personal data are or may be disclosed

If you're referring to an account associated with another email address, please use that email address to file a new request:

https://www.facebook.com/help/contact/?id=166828260073047

Once we receive your request, we'll take further steps to assist you.

Thanks,
The Facebook Team


I suspect that you need to ask a very specific question to get Facebook to reveal what they collect about you.

And I think there's a bunch of information that the EU does think is personal that Facebook thinks is not personal.

We probably need some researchers to send a bunch of requests in for different types of data.


What I find hilarious is that besides this being like the 4th or 5th time Facebook got caught with this sort of tracking [1], and each time claiming it's "only a bug" - which it also did when it got caught in Belgium this spring [2] - it now comes and says "Wait a minute! We've been using this umm...bug...for 5 years! We will appeal the ruling! We want to keep using that...umm, bug." [3]

> The company is “working to minimize any disruption to people’s access to Facebook in Belgium,” she said.

Is that a threat? Why would there be a disruption? The ruling only affects their tracking of non-users. Disruption to the non-users?!

Also, you know how they've also been saying for years that they would never (ever!) use Like button tracking (which is just a - pretty damn persistent - bug when tracking non-users, anyway) for advertising? Yeah, another lie [4].

[1] https://www.propublica.org/article/its-complicated-facebooks...

[2] http://www.itpro.co.uk/security/24324/facebook-okay-were-tra...

[3] http://www.reuters.com/article/2015/11/09/us-facebook-belgiu...

[4] http://www.technologyreview.com/news/541351/facebooks-like-b...


Thanks for the links! OgleFace not only has our best brains working on getting people to click more ads, said brains are also whirring furiously justifying why OgleFace has gone off the charts on the scale of 0 to creepy. Sad..


"Best brain", that's a very narrow definition. Best in what exactly? Crunching some numbers? Doing nice CSS? I guess those brains are substandard when it comes to ethics...


We begin therefore where they are determined not to end, with the question whether any form of democratic self-government, anywhere, is consistent with the kind of massive, pervasive, surveillance into which the United States government has led not only us but the world.

This should not actually be a complicated inquiry.

https://archive.org/details/EbenMoglen-WhyFreedomOfThoughtRe...

https://benjamin.sonntag.fr/Moglen-at-Re-Publica-Freedom-of-...

Surveillance is not an end toward totalitarianism, it is totalitarianism itself.

http://www.bbc.co.uk/democracylive/europe-24385999


One can see this as one more Belgian eccentricity, and the list is long. But this is bound to generalise. The amount of data collected through tracking is awfully intrusive. Between Google, Facebook, LinkedIn, and the hundreds of ad networks, one can know pretty much anything there is to know on someone: network of friends, political opinions, sexual preferences, health problems, spending habits, etc. It is bound to become illegal ultimately, when politicians finally get a clue.

I am not sure it would help however. Making something illegal only makes sense if it's enforceable. Making tracking illegal is like making hacking into systems illegal. If the offender is based in another country there is very little one can do anyway. Therefore to me the solution has to be technological. Encryption, strict first party cookies/data/javascript is the only realistic response. The browser as it is is broken.


How about not singling out FB and forbid the same to Google and others as well?


Yes, LinkedIn is another offender that I'm sure also does this, even more aggressively than Facebook. They blatantly try to download your contact list by directly asking for your email password to build shadow profiles and propose new contacts.

And I guess WhatsApp probably also used the same practice to grow their network, using contact lists extracted from phones.

As I understand it, these practices are simply illegal in the EU and always were. Regrettably, the billions that were made this way (mostly by US companies) will probably never be returned.


> And I guess WhatsApp probably also used the same practice to grow their network

... how would that work? I've never seen WhatsApp offer to let me message someone who didn't have an account.


I think the idea of a shadow account is that you build the information on the person (from disparate data points, like phone contacts) and their connections. Then when they sign up they are presented with a list of people that have them in their contacts. From a UX perspective it can be nice but I can definitely see the privacy concerns.


Have you seen WhatsApp contacts show up as suggested friends in Facebook?


The commission says that, unlike Google, FB was refusing to respond to their questions: http://www.bloomberg.com/news/articles/2015-05-18/talk-to-us...


A Facebook user is a bit easier to define than a Google user.


Hopefully they do, but you gotta start somewhere...


Like in their search engine indexes? The EU has been attacking that for a couple of years now.


No, in the "share on Google+" buttons and in "login with Google" buttons, and with captchas, and who knows what else. There are dozens of companies tracking your every move, Google is just one example.


Adsense "users" (website visitors), Google Analytics "users" (website visitors), etc, etc. It's a deep rabbit hole. Imagine a world where Google can't store all of this data.


I have been, for a while now.


I was referring to Google collecting non-user data as a practice and strategy. What would it mean to them if they were blocked (legislatively) from doing so?


Are you concerned that they are being unfairly partial by not charging all the actors at once, or do you feel that addressing Facebook separately is futile for pragmatic reasons?


So what are we waiting for to deny third-party cookies?


Blocking third-party cookies breaks some websites, including some bank websites. Then again, Safari on iOS and OS X defaults to only allowing first-party cookies and websites must surely want their services to work on iOS.

Mozilla tried to adopt Safari's cookie policy for Firefox, but backed down when the ad industry turned up the heat:

https://blog.mozilla.org/privacy/2013/02/25/firefox-getting-...

http://www.computerworld.com/article/2495739/internet/ad-ind...
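
Added example, not part of the thread or any vendor's code: a small Node.js simulation of the cookie exchange discussed above, showing what an embedded widget host can link together under an allow-all cookie policy versus a first-party-only one. The hostnames, the visit list, the `siteOf` shortcut and the policy itself (a simplification, not Safari's exact rules) are assumptions made for illustration.

```javascript
// Constructed sample data: three unrelated pages that all embed the same widget.
const VISITS = [
  'https://news.example/article-1',
  'https://shop.example/cart',
  'https://clinic.example/appointments',
];
const WIDGET = 'https://widgets.social.example/like.js';

// Naive "site" of a hostname: its last two labels. Real browsers use the
// Public Suffix List; this shortcut is an assumption that fits the sample hosts.
function siteOf(hostname) {
  return hostname.split('.').slice(-2).join('.');
}

function isThirdParty(pageUrl, requestUrl) {
  return siteOf(new URL(pageUrl).hostname) !== siteOf(new URL(requestUrl).hostname);
}

class Browser {
  constructor(policy) {
    this.policy = policy; // 'allow-all' or 'first-party-only'
    this.jar = new Map(); // site -> cookie value
  }
  // Request requestUrl while pageUrl is in the address bar.
  fetch(pageUrl, requestUrl, server) {
    const site = siteOf(new URL(requestUrl).hostname);
    const blocked = this.policy === 'first-party-only' && isThirdParty(pageUrl, requestUrl);
    const cookie = blocked ? null : (this.jar.get(site) || null);
    const setCookie = server({ cookie, referer: pageUrl });
    if (setCookie && !blocked) this.jar.set(site, setCookie); // blocked: Set-Cookie is dropped
  }
}

// Hypothetical widget host: issues an ID when none is presented, logs every hit.
function makeWidgetServer() {
  const log = [];
  let next = 1;
  const handle = ({ cookie, referer }) => {
    const id = cookie || `uid-${next++}`;
    log.push({ id, page: referer });
    return cookie ? null : id; // Set-Cookie only when the browser sent none
  };
  return { handle, log };
}

// Returns the server-side view: identifier -> pages linked to that identifier.
function simulate(policy) {
  const browser = new Browser(policy);
  const server = makeWidgetServer();
  for (const page of VISITS) browser.fetch(page, WIDGET, server.handle);
  const byId = {};
  for (const { id, page } of server.log) byId[id] = (byId[id] || []).concat(page);
  return byId;
}

console.log('allow-all:', simulate('allow-all'));
console.log('first-party-only:', simulate('first-party-only'));
```

Under the first-party-only policy the widget host still receives the address of each embedding page, but the three visits no longer arrive under one cookie identifier.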


Blocking third party cookies without blocking third party javascript is pretty much toothless.


> Facebook faces a fine of 250,000 euros ($269,000) a day

Facebook's net income in 2014 was US$2.94 billion, according to Wikipedia. I'm not so sure they will care about a fine that low. Especially if they expect to make more money by continuing to store non-users' personal data.


Meh, $94MM a year is still probably not worth it just to store non-users' data from Belgium.


All they need is a simple filter by country of IP. The question is rather whether they are willing to comply given that this may spread across Europe very quickly.


It will spread.

Basically, if Facebook is really building up profiles of people, then the EU standpoint is clear across the board that you don't even need to be able to actually name the person from the data in order to be governed by the data protection laws, and e.g. details like IP addresses that are not considered personally identifiable by themselves easily become so when combined with other data.

It is very unlikely that they are compliant anywhere in the EEA if they're not compliant in Belgium.

Their argument that they're only subject to privacy laws in Ireland is a total non-starter, as it "worst case" for Belgian authorities just means they'll have to go after Facebook in Ireland, and given that all EEA countries have privacy legislation closely modelled after the Data Protection Directive, it's highly unlikely they'll get a better result there (and if they do, it'll get appealed, and if they win an appeal, the law is likely to get changed.

If they are maintaining shadow profiles, then what they do is very, very obviously at odds with the principles the Directive is based on). More likely I'd expect Belgian courts to insist they have jurisdiction on behalf of victims in Belgium.

In either case, as soon as this case is concluded, you can expect a bunch of other EEA states to pile on.


Do you think that data is worth 91M euros/98M USD a year? I don't, and I doubt Facebook (or its investors) do either. That's a strong opening salvo.


> That's a strong opening salvo.

And so far it's only from one nation. Much of Europe shares a stronger belief in things like privacy and data protection than the US, and much of Europe has law in place to defend such things if the political will is there. Facebook can't afford to face fines at significant multiples of that scale, and even if it could, it's just asking for more severe action if it tries to force the issue.

The nightmare scenario for FB is probably losing access to parts of Europe for a while and as a result losing their critical mass of users so a rival social network can gain a foothold. With the digital native generation already far less attached to any one social network than their predecessors, that could become an existential threat to Facebook itself. As such, it seems highly unlikely that they will try to hold their position indefinitely on this one.


Specifically, all of the EEA (EU + Norway and Iceland) has data protection acts that are specifically harmonized to comply with the EU Data Protection Directive.

There are quite few scenarios where they'd be in breach of Belgian data protection legislation without also being in breach of the data protection laws of 29 other EEA countries.

The odds of EU wide action will dramatically rise the moment one or more countries find them in breach.


Good.


How about we learn to deal with the fact that they're not storing data that is yours in the sense of ownership, but only in the sense that it's about you? They're not storing data for no reason; they are storing data their customers have provided for the purposes of contacting you. They are storing data about you for the people who, like it or not, you shared your data with.

The nasty 90s database-dump sharing is over; companies hoard this data and consider it their private treasure, not to mention the nasty and ill-considered privacy laws that have already sprung up around sharing it. Facebook is not selling your info to marketers; they are selling your eyeballs to marketers if you use the service, and using your data to better target it. For all the egregious offenses that Facebook is guilty of, this is not an offense.

I have the right to a little black book. I have a right to a diary that calls you names. I have a right to free speech, and sometimes your name is on my lips.


> I have a right to free speech, and sometimes your name is on my lips.

Except most people don't understand how cookies or like buttons track their behavior. To assume otherwise is disingenuous. The result is the equivalent of bugging someone's car with a GPS tracker and claiming they opted in by virtue of using your parking garage.


> I have the right to a little black book. I have a right to a diary that calls you names.

Yes, you do [1], and that's not relevant to any of these discussions, as it's not been challenged.

> I have a right to free speech, and sometimes your name is on my lips.

If you are speaking as a private individual or you are publishing an article in a newspaper, yes, there are very few limits to your speech in the EU as long as you're not slandering someone.

But if you are operating as a business and telling another company details about me that can be used to identify me, then your rights are strictly limited in the EU, as the right to privacy is seen to trump the right of commercial speech.

[1] With a caveat: If you are using your "little black book" to support commercial activities such as sales, it may be considered a relevant filing system subject to data protection rules in at least some EU countries. But a personal address book would not be affected.


> I have a right to free speech...

Not in Europe. Another overly self-important piece of parallel structure prose ruined by Americocentrism!


just to add to your point, even before global internet coverage, information ownership was murky.

range, permanence and ease of distribution are much different but, take for example, a picture.

if 2 people are in a picture taken by a third party, to what extent can any person exert ownership over that "data".

the photographer, or either of the subjects. I am all for privacy, but I would find it hard to make a compelling case for the above scenario that could be absolute, and applied uniformly.


Expectations of privacy and data protection are going to have to evolve to keep up with technology.

To some extent, that means recognising that some actions enabled by new technology may be reasonable even if they involve personal data being collected, used, or passed on.

In other cases, that means recognising that new technologies pose new threats to privacy and things we could let by before because they posed no real threat are no longer as harmless and therefore potentially no longer as socially acceptable.

For example, I find the idea that you lose any expectation of any sort of privacy the moment you step outside your front door naive and dangerous, but people often claim this is reasonable in privacy debates based on an argument along the lines that anyone could see you walking down the street and it's always been that way.

Personally, I do see a few small differences between walking past someone who doesn't know you from Adam and will forget you within seconds and going for a walk in the view of a comprehensive network of cameras and microphones that allow unknown parties to remotely and systematically observe your every move and sound while you're out, along with those of everyone else nearby, subject you all to gait and voice analysis to identify you and infer information about your mood, interests and relationships, correlate that data with data about you from other sources, record everything permanently, and make it easy to search for information about you and everyone else who went out that day in order to make decisions about arbitrary and unknown criteria from what to offer you as an insurance premium next year to how to embarrass you out of running for office at the next election.

Clearly there is going to be a scale with many of these issues and we will need to find a socially acceptable balance and set reasonable expectations accordingly. It's also pretty clear that damage is being done by the dramatic erosion of privacy in the digital age because so far the capabilities of new technologies have far out-stripped the social and regulatory debates around it. Unfortunately, a big part of the problem is that many people have little idea of what is happening with personal data about them and even less understanding of the potential consequences unless they've been the unlucky one who really was a victim of, say, identity theft. Consequently the opinion polls tend to show most people not being that bothered by organisations like Facebook, even though when fully informed or after widely reported leaks with many victims potentially affected you tend to see quite different opinions being expressed.


> How about we learn to deal with the fact that they're not storing data that is yours in the sense of ownership, but only in the sense that it's about you?

We have learned to deal with it. In Europe, we have for the most part decided that allowing large organisations to compile personal data without either the data subject's consent or some other acceptable reason is not a good thing, and we have passed laws that forbid it.

> I have the right to a little black book.

Sure you do, but in Europe you don't have the automatic right to keep personal data about me and millions of other people in it, and if you do then we might punish you for it.

> I have a right to free speech, and sometimes your name is on my lips.

Not in Europe, you don't. In fact, legally speaking you don't have that absolute right anywhere else in the world that I know about either.


> They are storing data about you for the people who, like it or not, you shared your data with.

Exactly.

I'll add that on a technical level, you aren't being tracked like a hunter would track prey; your machine is being periodically asked to provide identifying information, and you have it configured to automatically comply.

I get that most consumers of the web don't understand this, but it is the truth.

This is what I find vexing about the EU cookie disclaimer law. Every individual website owner has to add a message to their site letting you know that they are going to request that your browser store some information on their behalf.

It makes me think about all of the manhours that could have been saved if the law had instead required major browser vendors to include a feature enabled by default that would prompt the user before storing cookies.


> It makes me think about all of the manhours that could have been saved if the law had instead required major browser vendors to include a feature enabled by default that would prompt the user before storing cookies.

You only need a disclaimer for a permanent cookie, which should only be used when you are logged into an account (and the disclaimer could just be part of the ToS when you create the account). I blame the websites for using permanent cookies when session cookies or no cookies would do the job.


> your machine is being periodically asked to provide identifying information, and you have it configured to automatically comply.

That is true for cookies, but trackers also use active and passive fingerprinting that does not provide a way to configure whether your machine automatically "provides identifying information".


Good. But, I expect something unfortunate to happen to a high profile Belgian company or official in the near future.

Of course, there's going to be no way for anyone to prove cause and effect either way. If I'm wrong about the reason, my confirmation bias will convince me otherwise.



