Home / News & Analysis / Zuckerberg won’t give a straight answer on data downloads

Zuckerberg won’t give a straight answer on data downloads

What does Facebook know about you? Clearly a whole lot more than it’s comfortable letting on.

Today, during testimony in front of the House Energy & Commerce committee, CEO Mark Zuckerberg was pressed by congressman Jerry McNerney on whether Facebook lets users download all their information — and he ended up appearing to contract its own cookies policy, which — if you go and actually read it — states pretty clearly that Facebook harvests users’ browsing data.

See, for e.g.:

We use cookies if you have a Facebook account, use the Facebook Products, including our website and apps, or visit other websites and apps that use the Facebook Products (including the Like button or other Facebook Technologies). Cookies enable Facebook to offer the Facebook Products to you and to understand the information we receive about you, including information about your use of other websites and apps, whether or not you are registered or logged in.

Yet you won’t find your browsing data included in the copy of the information you can request from Facebook. Nor will you find a complete list of all the advertisers that have told Facebook they can target you with ads. Nor will you find lots of other pieces of personal information like images that Facebook knows you’re in but which were uploaded by other users, or a phone number you declined to share with it but which was uploaded anyway because one of your friends synced their contacts with its apps, thereby handing your digits over without your say so.

And that’s just to name a few of the missing pieces of information that Facebook knows and holds about you — won’t tell you about if you ask it for a copy of “your information”.

Here’s the key exchange — which is worth reading in full to see how carefully Zuckerberg worded his replies:

McNerney: “Is there currently a place that I can download all of the Facebook information about me including the websites that I have visited?”

Zuckerberg: “Yes congressman. We have a download your information tool, we’ve had it for years, you can go to it in your settings and download all of the content that you have on Facebook.”

McNerney: “Well my staff, just this morning, downloaded their information and their browsing history is not in it. So are you saying that Facebook does not have browsing history?”

Zuckerberg: “Congressman that would be correct. If we don’t have content in there then that means that you don’t have it on Facebook. Or you haven’t put it there.”

McNerney: “I’m not quite on board with this. Is there any other information that Facebook has obtained about me whether Facebook collected it or obtained it from a third party that would not be included in the download?”

Zuckerberg: “Congressman, my understanding is that all of your information is included in download your information.”

McNerney: “I’m going to follow up with this afterwards.”

If you read Zuckerberg’s answers carefully you’ll see that each time he reframes the question to only refer to information that Facebook users have themselves put on Facebook.

What he is absolutely not talking about is the much more voluminous — and almost entirely unseen — supermassive blackhole’s worth of data the company itself amasses about users (and indeed, non-users) via a variety of on and offsite tracking mechanisms, including — outside its walled garden — cookies, pixels and social plug-ins embedded on third party websites.

According to pro-privacy search engine DuckDuckGo, Facebook’s trackers are on almost a quarter of the top million websites — meaning that anyone browsing popular websites can have their activity recorded by Facebook, linked to their Facebook identity, and stored by the company in its vast but unseen individual profiling databases.

This background surveillance has got Facebook into legal hot water with multiple European data protection agencies. Albeit it hasn’t — thus far — stopped the company tracking Internet users’ habits.

The key disconnect evident in Zuckerberg’s testimony is that Facebook thinks of this type of information (metadata if you prefer) as belonging to it — rather than to the individuals whose identity is linked to it (linking also conducted by Facebook).

Hence the tool Zuckerberg flagged in front of Congress is very deliberately called “download your information” [emphasis mine].

With that wording Facebook does not promise to give users a copy of any of the information it has pervasively collected on them. (Doing so would clearly be far more expensive, for one thing.)

Although given that McNerney pressed Zuckerberg in his follow up for a specific answer on “any other information that Facebook has obtained about me” — and the CEO still equivocated, it’s hardly a good look.

Transparency and plain dealing from Facebook? Quite the opposite on this front.

The myth that web tracking data is tied to an anonymous browser user profile needs to be preserved at all costs. Otherwise they need to admit they have data on non account holders, virtually everyone.

— Eerke Boiten (@EerkeBoiten) April 11, 2018

Facebook has faced more pressure on its lack of transparency about the information it holds on users in Europe where existing privacy regulations can mandate that organizations must respond to so called ‘subject access requests’ — by providing individuals who make a request with a copy of the information they hold about them; as well as (if they make a small payment) telling them whether any personal data is being processed; giving them a description of the personal data, the reasons it is being processed, and whether it will be given to any other organizations or people.

So, in other words, subject access requests are a world away from Facebook’s current ‘download your information tool’ — which just shows users only the information they have personally volunteered to give it.

Even so, Facebook has not been meeting the full disclosure obligations set out in EU privacy law — instead pursuing legal avenues to avoid fulsome compliance.

Case in point: Late last month Paul-Olivier Dehaye, the co-founder of PersonalData.IO, told a UK parliamentary committee — which has also been calling for Zuckerberg to testify (so far unsuccessfully) — how he’s spent “years” trying to obtain all his personal information from Facebook.

Because of his efforts he said Facebook built a tool that now shows some information about advertisers. But this still only provides an eight-week snapshot of advertisers on its platform which have told it they have an individual’s consent to process their information. So still a very far cry from what individuals are supposed to be able to request under EU law.

“Facebook is invoking an exception in Irish law in the data protection law — involving, ‘disproportionate effort’. So they’re saying it’s too much of an effort to give me access to this data,” Dehaye told the committee. “I find that quite intriguing because they’re making essentially a technical and a business argument for why I shouldn’t be given access to this data — and in the technical argument they’re in a way shooting themselves in the foot. Because what they’re saying is they’re so big that there’s no way they could provide me with this information. The cost would be too large.”

“They don’t price the cost itself,” he added. “They don’t say it would cost us this much [to comply with the data request]. If they were starting to put a cost on getting your data out of Facebook — you know, every tiny point of data — that would be very interesting to have to compare with smaller companies, smaller social networks. If you think about how antitrust laws work, that’s the starting point for those laws. So it’s kind of mindboggling that they don’t see their argumentation, how it’s going to hurt them at some point.”

With the incoming GDPR update to the bloc’s data protection laws — which beefs up enforcement with a new regime of supersized fines — the legal liabilities of shirking regulatory compliance will step up sharply in just over a month’s time. But it remains to be seen whether Facebook — or indeed any of the other ad-tech giants whose business models rely on pervasive tracking of web users (ehem Google ehem) — will finally reveal all the information held on users, rather than just giving up a few selective snapshots.

Check Also

Facebook hit with defamation lawsuit over fake ads

In an interesting twist, Facebook is being sued in the UK for defamation by consumer advice personality, Martin Lewis, who says his face and name have been repeatedly used on fake adverts distributed on the social media giant’s platform. Lewis, who founded the popular MoneySavingExpert.com tips website, says Facebook has failed to stop the fake ads despite repeat complaints and action on his part, thereby — he contends — tarnishing his reputation and causing victims to be lured into costly scams. “It is consistent, it is repeated. Other companies such as Outbrain who have run these adverts have taken them down. What is particularly pernicious about Facebook is that it says the onus is on me, so I have spent time and effort and stress repeatedly to have them taken down,” Lewis told The Guardian. “It is facilitating scams on a constant basis in a morally repugnant way. If Mark Zuckerburg wants to be the champion of moral causes, then he needs to stop its company doing this.” In a blog post Lewis also argues it should not be difficult for Facebook — “a leader in face and text recognition” — to prevent scammers from misappropriating his image. “I don’t do adverts. I’ve told Facebook that. Any ad with my picture or name in is without my permission. I’ve asked it not to publish them, or at least to check their legitimacy with me before publishing. This shouldn’t be difficult,” he writes. “Yet it simply continues to repeatedly publish these adverts and then relies on me to report them, once the damage has been done.” “Enough is enough. I’ve been fighting for over a year to stop Facebook letting scammers use my name and face to rip off vulnerable people – yet it continues. I feel sick each time I hear of another victim being conned because of trust they wrongly thought they were placing in me. One lady had over £100,000 taken from her,” he adds. Some of the fake ads appear to be related to cryptocurrency scams — linking through to fake news articles promising “revolutionary Bitcoin home-based opportunity”. So the scammers look to be using the same playbook as the Macedonian teens who, in 2016, concocted fake news stories about US politics to generate a mint in ad clicks — also relying on Facebook’s platform to distribute their fakes and scale the scam. In January Facebook revised its ads policy to specifically ban cryptocurrency, binary options and initial coin offerings. But as Lewis’ samples show, the scammers are circumventing this prohibition with ease — using Lewis’ image to drive unwitting clicks to a secondary offsite layer of fake news articles that directly push people towards crypto scams. It would appear that Facebook does nothing to verify the sites to which ads on its platform are directing its users, just as it does not appear to proactive police whether ad creative is legal — at least unless nudity is involved. Here’s one sample fake ad that Lewis highlights: And here’s the fake news article it links to — touting a “revolutionary” Bitcoin opportunity, in a news article style mocked up to look like the Daily Mirror newspaper… The lawsuit is a personal action by Lewis who is seeking exemplary damages in the high court. He says he’s not looking to profit himself — saying he would donate any winnings to charities that aim to combat fraud. Rather he says he’s taking the action in the hopes the publicity will spotlight the problem and force Facebook to stamp out fake ads. In a statement, Mark Lewis of the law firm Seddons, which Lewis has engaged for the action, said: “Facebook is not above the law – it cannot hide outside the UK and think that it is untouchable. Exemplary damages are being sought. This means we will ask the court to ensure they are substantial enough that Facebook can’t simply see paying out damages as just the ‘cost of business’ and carry on regardless. It needs to be shown that the price of causing misery is very high.” In a response statement to the suit, a Facebook spokesperson told us: “We do not allow adverts which are misleading or false on Facebook and have explained to Martin Lewis that he should report any adverts that infringe his rights and they will be removed. We are in direct contact with his team, offering to help and promptly investigating their requests, and only last week confirmed that several adverts and accounts that violated our Advertising Policies had been taken down.” Facebook’s ad guidelines do indeed prohibit ads that contain “deceptive, false, or misleading content, including deceptive claims, offers, or business practices” — and, as noted above, they also specifically prohibit cryptocurrency-related ads. But, as is increasingly evident where big tech platforms are concerned, meaningful enforcement of existing policies is what’s sorely lacking. The social behemoth claims to have invested significant resources in its ad review program — which includes both automated and manual review of ads. Though it also relies on users reporting problem content, thereby shifting the burden of actively policing content its systems are algorithmically distributing and monetizing (at massive scale) onto individual users (who are, by the by, not being paid for all this content review labor… hmmm… ). In Lewis’ case the burden is clearly also highly personal, given the fake ads are not just dodgy content but are directly misappropriating his image and name in an attempt to sell a scam. “On a personal note, as well as the huge amount of time, stress and effort it takes to continually combat these scams, this whole episode has been extremely depressing – to see my reputation besmirched by such a big company, out of an unending greed to keep raking in its ad cash,” he also writes. The sheer scale of Facebook’s platform — which now has more than 2BN active users globally — contrasts awkwardly with the far smaller number of people the company employs for content moderation tasks. And unsurprisingly, given that huge discrepancy, Facebook has been facing increasing pressure over various types of problem content in recent years — from Kremlin propaganda to hate speech in Myanmar. Last year it told US lawmakers it would be increasing the number of staff working on safety and security issues from 10,000 to 20,000 by the end of this year. Which is still a tiny drop in the ocean of content distributed daily on its platform. We’ve asked how many people work in Facebook’s ad review team specifically and will update this post with any response. Given the sheer scale of content continuously generated by a 2BN+ user-base, combined with a platform structure that typically allows for instant uploads, a truly robust enforcement of Facebook’s own policies is going to require legislative intervention. And, in the meanwhile, Facebook operating a policy that’s essentially unenforceable risks looking intentional — given how much profit the company continues to generate by being able to claim it’s just a platform, rather than be ruled like a publisher.

Leave a Reply

Your email address will not be published. Required fields are marked *

Disclaimer: Trading in bitcoins or other digital currencies carries a high level of risk and can result in the total loss of the invested capital. theonlinetech.org does not provide investment advice, but only reflects its own opinion. Please ensure that if you trade or invest in bitcoins or other digital currencies (for example, investing in cloud mining services) you fully understand the risks involved! Please also note that some external links are affiliate links.