Somewhat relevant: A friend took my phone (playfully) and posted this as a status on my profile a while ago. I left it up because I found it funny. Now that it's easier to delete I may actually just do that.

You mean soft delete. I'll eat a sock if FB really deletes all of your history. Another one if they make that the default and you only get the other treatment after opting in.

You try deleting data from a busy Cassandra node. The tombstones, the tombstones!!!

(More than just Cassandra tho, many databases don't actually "delete", at least not immediately. They "mark for deletion", and may or may not _actually ever delete_ anything.)

The later case is different than simply updating the DeletedAt column.

The database not actually deleting is still the application properly deleting it. If the DB eventually carries that out or not is a lesser concern to me, tbh.

The concern here is that facebook doesn't actually tombstone their entries or doesn't even have their DB mark it deleted.

Well, now it'll have to, at least in Europe, GDPR requires that.

I mean, I am sure they will delete one of the copies of your data they have.

I am sure they aren't purging backups of the data.

Actually, to comply with GDPR, they have to (for people affected by GDPR).

Or have a documented retention policy for backups and a procedure to redelete data when those backups are restored.

Not true. You have the right to retain backups and logs etc. as long as they serve their purpose to secure your service for accidental loss of data or other security purposes and they are properly stored and secured.

What if hacker deletes your Facebook account? Under GDPR Facebook has actually obligation to keep your data safe from this scenario. Which means they have to keep logs to investigate what happened and also be able to restore your data.

You should delete backups after certain amount of time and state your policy to users.

Only if you keep them a reasonable time and the backups will gradually be purged.

You can't keep indefinite backups and comply with GDPR.

So if your 5 year old backup, which has no purpose at all, gets stolen, expect a whopping fine for being an idiot. Or your web logs get stolen and it turns out you keep them 2 years, don't expect favourable treatment as that's totally unnecessary data retention.

The backups that you can retain are hard to justify further back than about a year (if you even manage to do that), and if you ever use them you have to make sure the data that was deleted because of a request before is not in there again.

Why do we even use the word "delete" in this forum? We know that (so far) it is NOT deleting anything. It only means "hide from view". Facebook will not forget and will not forgive. Some 10-hour-question-avoiding in front of a committee (irrespective of importance) will not change FB's business model (aka money-maker) overnight.

That's not the sort of thing you can hide. One disgruntled employee would cost FB 100s millions over-night by just reporting it to someone.

Hm. Interesting. How about a 'leak bounty'? Or would that be problematic in the eyes of the law?

I'd happily put down $50 for whoever spilled the beans on what is really going on at Facebook and other companies in that vein.

The SEC does something like that already:

https://www.sec.gov/whistleblower

Nice. Pity they put a lower bound in but I can see why they would do that. Too many small investigations would eat up their time.

We can only hope then..

They'll just delete your user ID field for whatever you posted - so it won't be associated with you any longer, at least on their systems, but they will keep the content for analysis.

That won't work. They also cannot retain data that could be aggregated to identify you as a person. Anonymising by removing an ID is not actually doing that, it's just theater. The GDPR has provisions for that. Bottom line is: if you start fudging things or working around it, you're going to get fined.

If that's true then (1) they're lying and (2) that's not covering it because just a few website visits later they could re-associate your old data with your 'clean' profile because it doesn't take all that many bits to de-anonymize a chunk of data.

"Delete"

He says: " … you'll be able to clear this information from your account. You'll even be able to turn off having this information stored with your account."

"your account".

What do you reckon is the chance of them removing this from their ad targeting data set "account"??? They're just going to give you a tool that shows some of it to you, then hides it from you when you click the [fuck me over more] button (and they'll record _that_ interaction too, and sell you to the "tinfoil" and "headwear" segments.

> What do you reckon is the chance of them removing this from their ad targeting data set "account"???

is there a chance smaller than zero?

Sadly there is no way to issue an FOIA request to a private company. Possibly only route would be, clear data, notice contain tracking, due for disclosure. Probably the best route for moving forward.

I wonder if the GDPR will have sharp enough teeth to force FB to disclose what it's doing with EU citizen's data here?

Unless FB seizes to have offices in the EU and stops having an HQ in the EU and also stops doing monitoring of people in the EU and also stops any regular service for people in the EU, the GDPR has teeth and people in the EU can ask facebook to send them all data they have, then ask them to delete it and revoke any future permission to process their data.

Since the GDPR covers people in the EU that means if you're in the US you can take a vacation to Italy or France or Germany and then pull that stunt on Facebook. (technically)

The classic switcharoo