European Users Overwhelm Facebook With Data Requests 214
An anonymous reader writes "If you've ever wondered how much personal data Facebook holds about you then prepare to be surprised. Using European data privacy laws, it's possible to request the data Facebook has stored about you. The document can total 800 pages covering everything from the expected name, address, and date of birth, right through to every event you've attended, every message you've deleted, and your political and religious views."
The best part is that Facebook has to send a physical disc containing the data. This has been exploited by a number of users, completely overwhelming Facebook's ability to make the discs.
Link to the original img (Score:4, Informative)
Re: (Score:3)
50+ Pages? Really? (Score:2)
Hundreds of pages of tracking and logging every single user in that kind of detail?
And that's why I use Facebook as little as possible.
Re:50+ Pages? Really? (Score:4, Insightful)
But you use Google, right?
Re:50+ Pages? Really? (Score:5, Funny)
oh no, I would never use google or facebook for those reasons. I only trust the integrity of Microsoft web services
Re: (Score:2)
I know you didn't mention Google+, but alas, here's a thought: Google was very wise when designing Google+, in that they wanted to make it easy for the user to collect their data from Google+.
Re: (Score:2)
and you use Slashdot (Score:2)
Anyone know if it's possible to do this for Slashdot? Every single post read, every login, every IP address, perhaps supposedly anonymous posts, every moderation, etc. And with Slashdot, there isn't the ability to even delete anything. The only saving grace is that most people don't attach their real names to their accounts.
Re: (Score:3)
And that's why I use Facebook as little as possible.
Re: (Score:2)
Re:50+ Pages? Really? (Score:4, Insightful)
It's that surprising? Most people's status updates alone would take up dozens of pages.
Then of course you have your photos, videos, notes, message history, chat history, comments you've posted, tags you've received, events you've been invited to, groups you've joined, everything you've ever "liked"...
I imagine most people would be shocked to find out how many groups they're in, or how many posts, pages, or links they've "liked".
Re: (Score:2)
Precisely. The stuff folks want to hide (probable politics, sexuality, religion, financial status, etc...) can all fit on a single page. The rest is just the raw data. They're probably being scared by the word "compiled" and thinking there is much more than there is.
I thought.. (Score:2)
I thought there was a built-in option to download everything you ever said/did/uploaded in a zip? I remember seeing it, but never actually used it.
Re: (Score:3)
Well, the point is that the law requires them to send you a physical copy.
they could agree to send by non-CD (Score:4, Interesting)
What if my purpose in requesting the data about me isn't to help DDoS Facebook with a deluge of requests, but because I actually want to know what data Facebook's compiled on me. That is, after all, why the law exists in the first place, and it's not at all strange that someone might want to know that information.
If Facebook finds it expensive and inconvenient to mail out physical CDs, they could agree to allow at least optional delivery by other means, such as over the internet.
Re:they could agree to send by non-CD (Score:5, Insightful)
Mailing a physical CD (Score:3)
There might be a more nefarious reason for the physical mailings. You see, they might only have your expected name and address. Physical mailings will allow FaceBook to add your EXACT name and address to their database. If they didn't have it before, they surely have it now!
Re: (Score:2)
That is in fact the reason why rebates are mail-in, but it's not as nefarious as you make it out to be. Take what happened with the HP Touchpad blowout as an example. HP decided to price the Touchpad far below its fair market value. That resulted in demand which far outstripped supply. Many people who wanted it got one at a great price. But huge quan
Re: (Score:2)
It is as simple as filling out a web for for you, but Facebook then use the postal service. My guess is that for legal liability reasons they won't to risk sending massive amounts of personal data to to an email account. I bet they don't encrypt the data on the CDs though, could be fun if yours goes missing...
Re:they could agree to send by non-CD (Score:5, Insightful)
Hopefully there's some follow up from the people who have requested their data. It will be interesting to see how much stuff Facebook stores and all of the things that it knows that people would rather prefer it didn't.
Re:they could agree to send by non-CD (Score:4, Informative)
Wrong, by an order of magnitude or several (Score:5, Informative)
There is another means: https://www.facebook.com/settings [facebook.com] Click "Download a copy of your Facebook data." and follow the instructions.
Except that that only gives you the information that's currently accessible to you and other facebook users. It does not include the photos and posts you've "deleted" (but which facebook still stores). It certainly does not include the history of sites you've visited while logged into facebook, or any other tracking history which facebook has gathered and associated with your name. Think about it: facebook has at least an order of magnitude more information on you personally than you appear to think. All of it is used for customizing sales of your identity and your interests and so forth to facebook's customers (you're the merchandise, not a customer).
Re: (Score:2)
If this process requires a manual review by an employee which leads to a several day delay, it keeps someone from harvesting complete data on another person through a compromised account. The employee who assembles the data could make an effort to verify that the person requesting the data actually owns the profile and that the mailing (or email if they add some digital delivery option) address seems to correspond with the owner.
Re: (Score:2)
Basically the zip gives you the sanitized version for public consumption, the legal data request gives you absolutely everything. I think it also includes a right to have data altered if it's inaccurate (intended to let you fix mistakes in their data that could be harmful to you, especially bad with companies like those who give credit ratings).
Re:they could agree to send by non-CD (Score:5, Insightful)
If Facebook finds it expensive and inconvenient to mail out physical CDs, they could agree to allow at least optional delivery by other means, such as over the internet.
If Facebook finds it expensive and inconvenient to mail out physical CDs, they could agree to simply not collect and store all that data.
There - fixed that for you!
Re: (Score:2)
If Facebook finds it expensive and inconvenient to mail out physical CDs, they could agree to simply have the law changed.
FTFY to accord more with reality.
Re: (Score:2)
Re: (Score:2)
The issue discussed was that while you can access CURRENT data with the 'copy all your data' function, facebook also stores everything you've deleted. This data is ONLY available if you get the physical copy type deal.
Your comment doesnt really apply to the deleted data :)
Re: (Score:2)
There is also the argument that
Re: (Score:3)
Everyone would use Facebook the exact same way they do now if Facebook did NOT store all those photos and status messages that you deleted.
Don't store things that no one sees. Delete things that users want deleted.
Problem solved.
I want some of my info to be available to friends, but if I delete a file, I mean it.
Spoiled Children...... (Score:2, Insightful)
Re:Spoiled Children...... (Score:5, Insightful)
Don't assume that because you didn't create a profile yourself that Facebook doesn't have one anyway.
Re: (Score:3)
Completely correct.
The same thing goes for Google: you may not have an account with them, but chances are they have a lot of your e-mail (people you correspond with use Google Mail). Use Google's search engine? They have your queries. If you post to Usenet, they have those posts, too. And I am sure they collect data through ads on non-Google sites, too. It is their stated mission [google.com] to "Googleâ(TM)s mission is to organize the worldâs information and make it universally accessible", and they're very g
Re: (Score:2)
you can't be tagged if you don't have a facebook profile.
I am sure you can put people's names in(that arent on facebook) but its not proper tagging as its not unique.
Re: (Score:2)
Re: (Score:2)
This is a freedom that people have always had. You can't stop other people from talking about you, and you shouldn't be ABLE to stop them.
Re: (Score:2)
So?
This is a freedom that people have always had. You can't stop other people from talking about you, and you shouldn't be ABLE to stop them.
And a "freedom" (if one wants to call it that) that we've had in Europe since various points in the 20th century is that a company shouldn't be able to store or process personal data without the individual's consent, or store the data for longer than necessary, or store more data than strictly necessary, or prevent an individual from updating incorrect information or requiring the deletion of the information.
I can't stop people talking about me, but if they give my email address to ACME Ltd I can stop them
Re: (Score:2)
They usually don't have the right to post pictures of you online but they'll do it anyway and there's nothing you can do about that once the image has been posted, no matter how damaging it could be (remember that perfectly normal activities in private life can still be damaging if shown e.g. to prospective employers).
Re: (Score:2)
Re:Spoiled Children...... (Score:5, Insightful)
This may not be a popular viewpoint, but I think it's a very relevant issue, and I do not use Facebook. I believe its very existence is an ethical issue though. Facebook represents a truly evil company, not in the unethical-business-practices sense, but a whole different order of that, I'd say they're rapidly approaching Gestapo-evil. Facebook stores enough information to learn a lot about specific individuals, and Facebook is conditioning people to give up their privacy. It might just be one of the most useful tools for an oppressive government or unethical intelligence organization to blackmail someone or, better, ruin their public image.
Facebook is not run by idiots. Those people know what they're doing, they know they're storing even "deleted" data and they know they're building very detailed profiles on every user. They also, unlike most of actual Facebook users, probably have the intelligence and foresight to imagine how it all may be used for horrible things, so there's no way I can see them as morally innocent.
Re: (Score:2)
> Those people know what they're doing, they know they're storing even "deleted" data and they know they're building very detailed profiles on every user.
Kind of makes you wonder what happens if Facebook hires a Scientologist.
OMG your're right. (Score:3)
"Those people know what they're doing, they know they're storing even "deleted" data and they know they're building very detailed profiles on every user. They also, unlike most of actual Facebook users, probably have the intelligence and foresight to imagine how it all may be used for horrible things"
OMG.
Zuckerberg's ambition isn't limited to being CEO of Facebook, bitch.
Zuckerberg will run for Governor and then President. Information is power. Personal information is personal power.
Re: (Score:2)
I'd say they're rapidly approaching Gestapo-evil.
They are about to start killing and torturing people?
Re: (Score:2)
I know the example of Gestapo is somewhat exaggerated/controversial, but I still believe it to be an apt comparison. I said Gestapo and not the SS or somesuch because I actually see similarities - Gestapo, especially before the war, wasn't only a torture and murder organization. They were an organization where incriminating information about citizens was delivered, and it's scary how many Germans were perfectly willing to inform on others. The Gestapo didn't really come across information by itself so often
What if you don't have a facebook account? (Score:3)
Is it possible to request it? After all, if a user requests all the info that facebook as on them, and all they give them is the information that they posted, that is - to be kind - a very incomplete version of the data set.
Re: (Score:2)
I know, it is hard to fathom that anyone would not have an account, but I have intentionally avoided it myself. However since I do appear to be the only person left in the world who doesn't have one, there is bound to be something that someone who knows me has posted that relates to me. Is it possible to request it? After all, if a user requests all the info that facebook as on them, and all they give them is the information that they posted, that is - to be kind - a very incomplete version of the data set.
How do you know which person you are getting the information on, without the unique login? So they can only give information on the person's userid and anywhere they are mentioned uniquely. tagged photos etc.. come to mind. Imagine trying to code the logic for anything else and make it correct.
Re: (Score:2)
They can refuse to provide the information under a couple of circumstances, but none of them are "we don't want to" or "it's hard" (mostly "We've already published this or are about to" or "This would require disclosure of company/government secrets"). They can also charge you a nominal fee if it would take an excessive amount of time and/or effort to fulfil your request.
Re:What if you don't have a facebook account? (Score:5, Interesting)
Complaint 02 [europe-v-facebook.org] is about shadow profiles for non-users.
I don't see why you couldn't request it, except that you (going by your journal) are American, so the Irish/European data protection laws don't apply.
(It's interesting that the data is provided for free. British companies are allowed to make a "reasonable charge" for providing the personal data, which is almost always £10.)
Re: (Score:2)
British companies are allowed to make a "reasonable charge" for providing the personal data, which is almost always £10.)
This is because the maximum charge IS in fact 10 pounds. Though some companies make it as difficult as possible to request your personal data, for example the Bank of Scotland insist you must send a written request to some unusual location and the ONLY method of payment they will accept is a cheque made payable to some other obscure name. They leave a lot of margin for you to make a mistake and will try to take as close to 40 days to remind you of this and ask you to resend the request hoping for some oth
Re: (Score:2)
Perhaps, and I'm just guessing here, but maybe the Bank of Scotland uses a third-party to process those requests? Or a subsidiary company?
That would explain the unusual address, payable name, and lack of payment options.
Re: (Score:2)
Perhaps, and I'm just guessing here, but maybe the Bank of Scotland uses a third-party to process those requests? Or a subsidiary company?
Maybe a subsidiary, but demanding payment only by cheque is a pain, especially considering most people don't use cheques any more (I had to wait 28 days and convert my account just to get them). But I am fairly sure that passing your details to other companies is a breach of the data protection act.
Re: (Score:2)
You are correct, in the UK the fee is "up to £10". See here [ico.gov.uk].
Re:What if you don't have a facebook account? (Score:5, Informative)
The provinces that have enacted similar enabling information also allow for you to request the data. In Quebec, for example, they have to *print it out*. That could get VERY expensive to print and send by mail. When the Journal de Montreal ran a full-page "coupon" that people could clip out, fill in and email to the federal govt requesting a copy of the Fed's "all-in-one-consolidate-all-govt-data-on-U" HRDC database, 29,000 people made the request, and HRDC ended up having to delete the database instead.
Re: (Score:2)
Brilliant (Score:2)
Step One: Use free service that you are in no way obligated to use.
Step Two: Complain about how the service records your usage of said free site
Step Three: Request a compilation of all data that you agreed to put on said free site
Step Four: ????
Step Five: UnProfit (for Facebook)
Re: (Score:3)
You should add to Step One: "Use free servide that you are in no way obligated to use to track communication by you and your friends
And reword Step Two: "Complain about how the service records your communications on said free site
Re: (Score:2)
And in what way is that relevant?
Re: (Score:2)
Sorry, should have been clearer - the 'suggested' changes were to underscore that the point of facebook is to enable users to communicate in an asynchronus fashion, and the only way to do that is to record your communication, then to point out that when users complain about facebook storing all their communications they are actually complaining about the very purpose of facebook.
I meant to build on your thought, not tear it down - sory if my inartful approach offended.
(It's like a user uploading all their p
Re: (Score:2)
Ah, thanks for the clarification. I'm easily confused :)
Re: (Score:2)
Facebook tracks you even if you never create an account or go to their site. Just load some pages with the Likeâ button and check your facebook.com cookies.
Before the outrage gets too loud... (Score:2)
Just remember everything, I mean EVERYTHING Facebook knows about you, those 800 pages of details, was input by either you or one of your "friends" - if you didn't want Facebook to have the info, you shouldn't have given it to them in the first place.
Re: (Score:2)
This could well be the case, but are you sure? Can you say with certainty that Facebook does not use other data-collection methods? In the interest of micro-targeting ads, I could see them looking to external sources in order to piece together a more robust profile. You word your statement with a little too much authority.
Re: (Score:2)
Perhaps, but all facebook "knows" is your email address - nothing else is verified. Sure, facebook could try and build a dossier from external sources based on your email address, but what value would that really hold when compared with the cost/effort involved.
The more likely answer is for facebook to track and analyze the data you and your friends enter - you/they gave it freely, and it is already on their servers.
I'll concede the wording issue - I was going for dramatic effect/hyperbole.
Re: (Score:2)
Just remember everything, I mean EVERYTHING Facebook knows about you, those 800 pages of details, was input by either you or one of your "friends" - if you didn't want Facebook to have the info, you shouldn't have given it to them in the first place.
Did I really "input" the information, if all I did was open a webpage containing a Facebook "Like" button?
Does a reasonable person think they're leaving Facebook information when they "Delete" a message or "Remove" an event invitation?
When a friend chooses to "Import contacts/friends from Hotmail" (or whatever), and I reject the invitation to Facebook, should Facebook keep a record of that?
If I buy a cinema ticket online, from a company with Facebook integration, should Facebook store that data? What if I'
Re: (Score:3)
if you didn't want Facebook to have the info, you shouldn't have given it to them in the first place.
To your friends? ;-)
That's easy enough on Slashdot
Yeah, just post it in an article, no one will read it. ;)
Well... (Score:2)
Facebook is actualliy gaining from this.. (Score:2)
Re: (Score:3)
Please upload a government-issued ID with signature to this report and ensure that your full name, date of birth, and photo are clear. You should also black out any personal information that is not needed to verify your identity (e.g., social security number). We will permanently delete your ID from our servers once we have used it for verification purposes.
Does the law really require that you have to provide this information in order to see your records.?
Re: (Score:2)
The law requires you to verify your identity (Imagine if they allowed random people to request your personal information!). Facebook are however legally required to delete the information after they've processed the request.
Re: (Score:2)
Does the law really require that you have to provide this information in order to see your records.?
Maybe not, but I imagine the law would really come down on them for releasing records to the wrong people. I see requesting government-issued ID as ass-coverage; if they release the wrong records to the wrong people now they can prove they made a reasonable effort to prevent it.
Re: (Score:2)
Using the UK data protection act is easy, but it does cost a single pound for admin costs. I wouldn't be suprised if these requests were rejected for that alone.
Get someone else to sign the cheque too. Agencies have been know to take your signature, scan it, then print it back on a consumer credit agreement form.
Are you sure about that? (Score:2)
every message you've deleted,
Are you sure this is legal in the EU?
Re: (Score:2)
If they still have a copy of it, they're required to include it.
Databases often do a "lazy delete" - mark a single "deleted" bit that prevents it from showing up anymore. Only periodically will they compact the database, removing all the records that are marked for deletion. If they have plenty of storage they may never compact due to the required downtime during the process.
So if it's "deleted", but it's not really gone, they still have to give you a copy of it.
Grow up, people (Score:5, Insightful)
It takes a woefully naive person to use a service like Facebook for free and not expect that Facebook is collecting your data and somehow profiting from it.
Re: (Score:2)
Most people know, they simply don't care.
Re: (Score:2)
It takes a woefully naive person to expect Facebook to only collect data if you use their service, when they have Like buttons loading their scripts all over the web.
Re: (Score:2)
Re: (Score:3)
Yes they would, as in order to do business in teh EU they would be required to follow DP laws - and exporting data outside of the EEA requires an equivalent DP law in the country, or youre not allowed to export it.
I don't think doing this is a good thing (Score:2)
Re: (Score:2)
Unlikely to happen, at least in Germany. Informational self-determination [wikipedia.org] has been a constitutional right since 1983. And today, in a speech [abendblatt.de] celebrating the 60th birthday of the constitutional court, the director of the court said that privacy and self-determination with regard to private actors (as opposed to the state) will become even more important in the future. These are significant hurdles for any law-maker or lobbying group to overcome.
Re: (Score:2)
But Facebook isn't incorporated in Germany, why would they have to abide by German law? They have to abide by EU law because they're in Ireland.
Re: (Score:2)
But Facebook isn't incorporated in Germany, why would they have to abide by German law?
Well, I guess they could ignore it if the managers don't mind being arrested and sent to Germany if they ever travel to the EU.
Re: (Score:2)
But Facebook isn't incorporated in Germany, why would they have to abide by German law?
Well, I guess they could ignore it if the managers don't mind being arrested and sent to Germany if they ever travel to the EU.
There's even a 0.0001% chance that the extradition treaty the US uses all the time to bring people to the USA might work the other way round.
Yesh! (Score:2)
I really enjoyed reading the blurb for this thread. Go Euros!
To all the "get lost and don't use it" smart-asses (Score:2)
I don't have an account on FB and never will.
But I'm tempted to fill out that form.
It's going to take them some time (Score:5, Informative)
After making a request under the DPA I received the following :
Hi,
We have received your subject access request (the "Request").
Due to the volume of personal data access requests that we have recently received, we are experiencing significant delay in processing such requests. We therefore are unlikely to respond within 40 days of your initial request. We appreciate your patience and will respond as soon as possible.
We are presently refining our request response processes and approach to align the present high volume of access requests with the resources available to process these requests. We appreciate your patience and will respond as soon as possible.
Please be aware as well that we are not required to comply with any future similar requests, unless, in our opinion, a reasonable period of time has elapsed.
Again, we appreciate your patience and we will respond as soon as possible.
Thanks for contacting Facebook,
Facebook User Operations - Data Access Request Team
Re: (Score:2)
Please be aware as well that we are not required to comply with any future similar requests, unless, in our opinion, a reasonable period of time has elapsed.
So this gives them an obligation to only send at most one CD per user. Not such a big deal I would say.
And they get your postal address in return for it.
Re: (Score:2)
There's no 'you must comply within 40 days unless you're just too busy' exemption in the DPA, is there?
Re: (Score:2)
ok, so under that law what's the penalty for non-compliance? I'm sure they could petition for a waiver if they are demonstrating good will and intent to get all the info out. and many laws have some stipulation about unduly burdensome requests...
NowFacebook gets your postal address too? (Score:3)
What a great idea. About the only bit of personal information that most Facebook users haven't already given to Facebook is their postal address. Yet this process does just that.
Wouldn't surprise me if this "Annoy Facebook" thing was actually started by Facebook to harvest postal addresses. :-)
Manchurian Candidatesa (Score:2)
We are going to see political campaigns that are precisely targeted down to individual voters.
The next time you respond to a political pollster, you need to wonder whether or not the information it is seeking is individually targeted at you in an attempt to refine their database pertaining to you. Commercial and social data is just one more source of political information. The more detail the number-crunchers get, the more they will be able to predict your vote.
The candidates will then model their behavio
The Directive (Score:2)
There is no requirement that the data be sent on a CD.
Article 12
Right of access
Member States shall guarantee every data subject the right to obtain from the controller:
(a) without constraint at reasonable intervals and without excessive delay or expense:
- confirmation as to whether or not data relating to him are being processed and information at least as to the purposes of the processing, the categories of data concerned, and the recipients or categories of recipients to whom the data are disclosed,
- comm
Re: (Score:2)
Ok.. so what's your point? They might put it on a flash drive?
You have to send a copy of your ID (Score:3)
Re: (Score:2)
The page also *says* that they will delete the image, once your identity has been verified. Until there is a way to remotely verify that you are who you say you are, and that I am not you, and vice versa... that's what they're working with.
What sort of proof would you want that the person requesting YOUR information is anybody but you? It is a serious question, because I am looking for a fool-proof, better method.
You're worried about your "private" information, yet are irritated that you must prove, beyon
What am I being surprised by? (Score:2)
Are people really surprised that FB is storing the info that shows up in their profiles? Or that FB stores their list of friends and the stuff they post?
How do they imagine Facebook works? Magic?
(also, measuring structured, relational data in PDF "pages" is about as useful as measuring it in Volkswagens
How to save the USPS (Score:3)
Step 1: Pass a similar data protection law in the US. Require the requestee to provide the data in a physical format if the requester asks for it.
Step 2: Get lots of users to request their data from Facebook - make sure they insist they want the data on CD.
Step 3: ?????
Save the USPS and annoy Facebook? Sounds like a win-win to me!
Political & Religious Views (Score:2)
give them more data! (Score:2)
So, you just gave them your home address on top...
Re: (Score:2)