Slashdot is powered by your submissions, so send in your scoop

 



Forgot your password?
typodupeerror
Facebook Privacy

European Users Overwhelm Facebook With Data Requests 214

An anonymous reader writes "If you've ever wondered how much personal data Facebook holds about you then prepare to be surprised. Using European data privacy laws, it's possible to request the data Facebook has stored about you. The document can total 800 pages covering everything from the expected name, address, and date of birth, right through to every event you've attended, every message you've deleted, and your political and religious views." The best part is that Facebook has to send a physical disc containing the data. This has been exploited by a number of users, completely overwhelming Facebook's ability to make the discs.
This discussion has been archived. No new comments can be posted.

European Users Overwhelm Facebook With Data Requests

Comments Filter:
  • by AndyAndyAndyAndy ( 967043 ) <afaciniNO@SPAMgmail.com> on Wednesday September 28, 2011 @09:23AM (#37539458)
    From the Reddit post they discussed: http://www.damnlol.com/watermarked/ea83e08059fd271293365560edd6d795.jpg [damnlol.com]
  • by Commontwist ( 2452418 ) on Wednesday September 28, 2011 @09:23AM (#37539470)

    Hundreds of pages of tracking and logging every single user in that kind of detail?
    And that's why I use Facebook as little as possible.

  • by somersault ( 912633 ) on Wednesday September 28, 2011 @09:24AM (#37539482) Homepage Journal

    I thought there was a built-in option to download everything you ever said/did/uploaded in a zip? I remember seeing it, but never actually used it.

  • by Trepidity ( 597 ) <delirium-slashdot.hackish@org> on Wednesday September 28, 2011 @09:26AM (#37539500)

    What if my purpose in requesting the data about me isn't to help DDoS Facebook with a deluge of requests, but because I actually want to know what data Facebook's compiled on me. That is, after all, why the law exists in the first place, and it's not at all strange that someone might want to know that information.

    If Facebook finds it expensive and inconvenient to mail out physical CDs, they could agree to allow at least optional delivery by other means, such as over the internet.

    • by DJLuc1d ( 1010987 ) on Wednesday September 28, 2011 @09:31AM (#37539582)
      I'm pretty sure they do it this way for the same reason most rebates are still mail-in. They don't expect the user to actually do it out of inconvenience. If it was as simple as clicking a button on the internet, more people would be aware of how much data they actually collect.
      • by wfstanle ( 1188751 ) on Wednesday September 28, 2011 @10:42AM (#37540522)

        There might be a more nefarious reason for the physical mailings. You see, they might only have your expected name and address. Physical mailings will allow FaceBook to add your EXACT name and address to their database. If they didn't have it before, they surely have it now!

      • by Solandri ( 704621 ) on Wednesday September 28, 2011 @12:19PM (#37541980)

        I'm pretty sure they do it this way for the same reason most rebates are still mail-in. They don't expect the user to actually do it out of inconvenience.

        That is in fact the reason why rebates are mail-in, but it's not as nefarious as you make it out to be. Take what happened with the HP Touchpad blowout as an example. HP decided to price the Touchpad far below its fair market value. That resulted in demand which far outstripped supply. Many people who wanted it got one at a great price. But huge quantities were also scooped up by middlemen who resold them at a huge profit at closer to fair market value.

        So how can a manufacturer discount its product below fair market value, without giving middlemen an opportunity to buy it up and resell it at a profit? You offer a rebate, but you have to make it just annoying enough and the terms restrictive enough that a middleman can't apply for all those rebates himself. What is a 15 minute annoyance for the end-buyer becomes hours of work for a middleman trying to flip dozens of the item for a profit. Consequently it's no longer worth his time, which leaves more of the rebate-discounted item for purchase by real end-users.

      • It is as simple as filling out a web for for you, but Facebook then use the postal service. My guess is that for legal liability reasons they won't to risk sending massive amounts of personal data to to an email account. I bet they don't encrypt the data on the CDs though, could be fun if yours goes missing...

    • by alvinrod ( 889928 ) on Wednesday September 28, 2011 @09:37AM (#37539678)
      Which is really awesome up until someone manages to pretend they're you and get all of your data. At least shipping it on a disc to a physical address adds a few extra layers of inconvenience for the people who might otherwise attempt to do this. Considering how much information Facebook has on some people, that data falling into the wrong hands could do some serious damage to a person's life.

      Hopefully there's some follow up from the people who have requested their data. It will be interesting to see how much stuff Facebook stores and all of the things that it knows that people would rather prefer it didn't.
    • by admdrew ( 782761 ) on Wednesday September 28, 2011 @10:01AM (#37539982) Homepage
      There is another means: https://www.facebook.com/settings [facebook.com] Click "Download a copy of your Facebook data." and follow the instructions.
      • by AliasMarlowe ( 1042386 ) on Wednesday September 28, 2011 @10:22AM (#37540238) Journal

        There is another means: https://www.facebook.com/settings [facebook.com] Click "Download a copy of your Facebook data." and follow the instructions.

        Except that that only gives you the information that's currently accessible to you and other facebook users. It does not include the photos and posts you've "deleted" (but which facebook still stores). It certainly does not include the history of sites you've visited while logged into facebook, or any other tracking history which facebook has gathered and associated with your name. Think about it: facebook has at least an order of magnitude more information on you personally than you appear to think. All of it is used for customizing sales of your identity and your interests and so forth to facebook's customers (you're the merchandise, not a customer).

        • by ottothecow ( 600101 ) on Wednesday September 28, 2011 @11:49AM (#37541542) Homepage
          This might be a good thing though.

          If this process requires a manual review by an employee which leads to a several day delay, it keeps someone from harvesting complete data on another person through a compromised account. The employee who assembles the data could make an effort to verify that the person requesting the data actually owns the profile and that the mailing (or email if they add some digital delivery option) address seems to correspond with the owner.

        • by KDR_11k ( 778916 ) on Wednesday September 28, 2011 @03:28PM (#37545364)

          Basically the zip gives you the sanitized version for public consumption, the legal data request gives you absolutely everything. I think it also includes a right to have data altered if it's inaccurate (intended to let you fix mistakes in their data that could be harmful to you, especially bad with companies like those who give credit ratings).

    • by jenningsthecat ( 1525947 ) on Wednesday September 28, 2011 @10:09AM (#37540074)

      If Facebook finds it expensive and inconvenient to mail out physical CDs, they could agree to allow at least optional delivery by other means, such as over the internet.

      If Facebook finds it expensive and inconvenient to mail out physical CDs, they could agree to simply not collect and store all that data.

      There - fixed that for you!

      • by Baloroth ( 2370816 ) on Wednesday September 28, 2011 @11:02AM (#37540780)

        If Facebook finds it expensive and inconvenient to mail out physical CDs, they could agree to simply have the law changed.

        FTFY to accord more with reality.

      • by A. B3ttik ( 1344591 ) on Wednesday September 28, 2011 @12:05PM (#37541792)
        That would completely undermine the capabilities and services of Facebook that everyone uses and loves. No one would use Facebook if it did not store all of your photos and status messages, because then no one could access them.
        • by omglolbah ( 731566 ) on Wednesday September 28, 2011 @12:21PM (#37542018)

          The issue discussed was that while you can access CURRENT data with the 'copy all your data' function, facebook also stores everything you've deleted. This data is ONLY available if you get the physical copy type deal.

          Your comment doesnt really apply to the deleted data :)

          • by A. B3ttik ( 1344591 ) on Wednesday September 28, 2011 @02:35PM (#37544394)
            Perhaps, but that STILL wouldn't stop this bunch of 4chaners from abusing this retarded law and requesting physical copies of all the crap they _haven't_ deleted. I mean, seriously, how much stuff have you _really_ deleted on Facebook? I know I haven't deleted very much, and sometimes I do like to go back and look at my comments from years ago. If you think Facebook should perma-delete everything that you delete, that's fine, but that's also a different issue than this one.

            There is also the argument that Facebook definitely keeps multiple redundant copies of their data across many servers in different areas... in fact, they likely even keep backup drives in closets somewhere just in case ALL the servers fail and they actually need to use them... should Facebook not be allowed to keep backups of their data in closets? Every time you hit delete, should they be forced to walk through manspace and delete stuff off of their backup-backup drives?

            And what if make a crawler that accesses all of my friends' pages constantly and saves their data to my hard drive? Google does this already. Should I not be allowed to do this? Should Google not be allowed to do this? If someone deletes something on Facebook, do I have to delete it on my local box? Does Google?

            Personally, I think not. You post something on Facebook, you understand that Facebook now knows that information and they're going to have it forever. You can't untell a secret to a friend or unshow someone an embarrassing photo. If you have something you want to hide, don't put it up to begin with. If you make a mistake, you can "delete" it and hope for security through anonymity that Facebook will do the best they can to keep that Photo from showing up anywhere, but you can never be sure that one of your friends didn't save the image or that there isn't some backup somewhere.
        • by phoenix321 ( 734987 ) on Wednesday September 28, 2011 @02:07PM (#37543910)

          Everyone would use Facebook the exact same way they do now if Facebook did NOT store all those photos and status messages that you deleted.

          Don't store things that no one sees. Delete things that users want deleted.

          Problem solved.

          I want some of my info to be available to friends, but if I delete a file, I mean it.

  • by ZiakII ( 829432 ) on Wednesday September 28, 2011 @09:27AM (#37539520)
    I just don't get this new attitude of spending the entire day complaining about Facebook. Personally, I don't use the site and last time I checked no was forcing these people to use the site either. From how that article is written they seem to be acting like a bunch of children who are just complaining just because they can.
    • by L4t3r4lu5 ( 1216702 ) on Wednesday September 28, 2011 @09:31AM (#37539586)
      You may not use Facebook, but that doesn't mean you're not on it. You may be in a picture, or mentioned in a comment somewhere by a friend. You can be tagged, at which point it's your full name, picture, (time-dependent) location, the activity you were engaged in (therefore hobbies or social activities), you are linked with others tagged in that photo and their hobbies, religions, political affiliations, relationships. Someone could mention that you were at the office party, at which point they know you work for the same company as $FBuser.

      Don't assume that because you didn't create a profile yourself that Facebook doesn't have one anyway.
      • by inglorion_on_the_net ( 1965514 ) on Wednesday September 28, 2011 @10:28AM (#37540320) Homepage

        Completely correct.

        The same thing goes for Google: you may not have an account with them, but chances are they have a lot of your e-mail (people you correspond with use Google Mail). Use Google's search engine? They have your queries. If you post to Usenet, they have those posts, too. And I am sure they collect data through ads on non-Google sites, too. It is their stated mission [google.com] to "Googleâ(TM)s mission is to organize the worldâs information and make it universally accessible", and they're very good at it.

        A lot of people don't realize, or vaguely know but don't quite grasp just how much of what they consider private is collected by companies like Google and Facebook. Asking for a copy of what they know about you and receiving several hundred pages in return really drives the point home.

    • by ACS Solver ( 1068112 ) on Wednesday September 28, 2011 @10:44AM (#37540554)

      This may not be a popular viewpoint, but I think it's a very relevant issue, and I do not use Facebook. I believe its very existence is an ethical issue though. Facebook represents a truly evil company, not in the unethical-business-practices sense, but a whole different order of that, I'd say they're rapidly approaching Gestapo-evil. Facebook stores enough information to learn a lot about specific individuals, and Facebook is conditioning people to give up their privacy. It might just be one of the most useful tools for an oppressive government or unethical intelligence organization to blackmail someone or, better, ruin their public image.

      Facebook is not run by idiots. Those people know what they're doing, they know they're storing even "deleted" data and they know they're building very detailed profiles on every user. They also, unlike most of actual Facebook users, probably have the intelligence and foresight to imagine how it all may be used for horrible things, so there's no way I can see them as morally innocent.

      • by SmurfButcher Bob ( 313810 ) on Wednesday September 28, 2011 @02:17PM (#37544090) Journal

        > Those people know what they're doing, they know they're storing even "deleted" data and they know they're building very detailed profiles on every user.

        Kind of makes you wonder what happens if Facebook hires a Scientologist.

      • by mbkennel ( 97636 ) on Wednesday September 28, 2011 @02:53PM (#37544682)

        "Those people know what they're doing, they know they're storing even "deleted" data and they know they're building very detailed profiles on every user. They also, unlike most of actual Facebook users, probably have the intelligence and foresight to imagine how it all may be used for horrible things"

        OMG.

        Zuckerberg's ambition isn't limited to being CEO of Facebook, bitch.

        Zuckerberg will run for Governor and then President. Information is power. Personal information is personal power.

      • by shutdown -p now ( 807394 ) on Wednesday September 28, 2011 @03:28PM (#37545360) Journal

        I'd say they're rapidly approaching Gestapo-evil.

        They are about to start killing and torturing people?

        • by ACS Solver ( 1068112 ) on Wednesday September 28, 2011 @04:08PM (#37546036)

          I know the example of Gestapo is somewhat exaggerated/controversial, but I still believe it to be an apt comparison. I said Gestapo and not the SS or somesuch because I actually see similarities - Gestapo, especially before the war, wasn't only a torture and murder organization. They were an organization where incriminating information about citizens was delivered, and it's scary how many Germans were perfectly willing to inform on others. The Gestapo didn't really come across information by itself so often, it was mostly thriving on tipoffs.

          Of course Facebook does not kill and torture, and won't, but there are similarities in the information-gathering sense. And I would not be surprised at all if Facebook cooperates with governments or government agencies that have plans more sinister than targeted advertising.

  • I know, it is hard to fathom that anyone would not have an account, but I have intentionally avoided it myself. However since I do appear to be the only person left in the world who doesn't have one, there is bound to be something that someone who knows me has posted that relates to me.

    Is it possible to request it? After all, if a user requests all the info that facebook as on them, and all they give them is the information that they posted, that is - to be kind - a very incomplete version of the data set.
    • by dredwerker ( 757816 ) on Wednesday September 28, 2011 @09:30AM (#37539572)

      I know, it is hard to fathom that anyone would not have an account, but I have intentionally avoided it myself. However since I do appear to be the only person left in the world who doesn't have one, there is bound to be something that someone who knows me has posted that relates to me. Is it possible to request it? After all, if a user requests all the info that facebook as on them, and all they give them is the information that they posted, that is - to be kind - a very incomplete version of the data set.

      How do you know which person you are getting the information on, without the unique login? So they can only give information on the person's userid and anywhere they are mentioned uniquely. tagged photos etc.. come to mind. Imagine trying to code the logic for anything else and make it correct.

    • by xaxa ( 988988 ) on Wednesday September 28, 2011 @09:54AM (#37539908)

      Complaint 02 [europe-v-facebook.org] is about shadow profiles for non-users.

      I don't see why you couldn't request it, except that you (going by your journal) are American, so the Irish/European data protection laws don't apply.

      (It's interesting that the data is provided for free. British companies are allowed to make a "reasonable charge" for providing the personal data, which is almost always £10.)

  • by MyLongNickName ( 822545 ) on Wednesday September 28, 2011 @09:30AM (#37539564) Journal

    Step One: Use free service that you are in no way obligated to use.
    Step Two: Complain about how the service records your usage of said free site
    Step Three: Request a compilation of all data that you agreed to put on said free site
    Step Four: ????
    Step Five: UnProfit (for Facebook)

  • by kenh ( 9056 ) on Wednesday September 28, 2011 @09:34AM (#37539634) Homepage Journal

    Just remember everything, I mean EVERYTHING Facebook knows about you, those 800 pages of details, was input by either you or one of your "friends" - if you didn't want Facebook to have the info, you shouldn't have given it to them in the first place.

    • by dmomo ( 256005 ) on Wednesday September 28, 2011 @10:11AM (#37540106)

      This could well be the case, but are you sure? Can you say with certainty that Facebook does not use other data-collection methods? In the interest of micro-targeting ads, I could see them looking to external sources in order to piece together a more robust profile. You word your statement with a little too much authority.

      • by kenh ( 9056 ) on Wednesday September 28, 2011 @10:47AM (#37540598) Homepage Journal

        Perhaps, but all facebook "knows" is your email address - nothing else is verified. Sure, facebook could try and build a dossier from external sources based on your email address, but what value would that really hold when compared with the cost/effort involved.

        The more likely answer is for facebook to track and analyze the data you and your friends enter - you/they gave it freely, and it is already on their servers.

        I'll concede the wording issue - I was going for dramatic effect/hyperbole.

    • by xaxa ( 988988 ) on Wednesday September 28, 2011 @12:04PM (#37541780)

      Just remember everything, I mean EVERYTHING Facebook knows about you, those 800 pages of details, was input by either you or one of your "friends" - if you didn't want Facebook to have the info, you shouldn't have given it to them in the first place.

      Did I really "input" the information, if all I did was open a webpage containing a Facebook "Like" button?

      Does a reasonable person think they're leaving Facebook information when they "Delete" a message or "Remove" an event invitation?

      When a friend chooses to "Import contacts/friends from Hotmail" (or whatever), and I reject the invitation to Facebook, should Facebook keep a record of that?

      If I buy a cinema ticket online, from a company with Facebook integration, should Facebook store that data? What if I've ticked the box to prevent this -- does it really prevent it, or does it just hide it from me?

  • by cjcela ( 1539859 ) on Wednesday September 28, 2011 @09:35AM (#37539646)
    Maybe it is time to have something like this in the U.S.A. as well - a physical disk, or a printout is a good idea, since it involves some effort from the company stalking your online life. Data is money, people, and most of us are way liberal and generous with our own data. I would be curious about what information Google has on me. Facebook.... nah, I've figured them years ago and closed my account before it was late.
  • by ghn ( 2469034 ) on Wednesday September 28, 2011 @09:39AM (#37539688)
    Funny how the Personal data request form actually collects even MORE personal information about requesters, such as (real) birth date, personal phone numbers and of course full mailing address, all information many people do not enter in their profile..
  • by AftanGustur ( 7715 ) on Wednesday September 28, 2011 @09:46AM (#37539794) Homepage

    every message you've deleted,

    Are you sure this is legal in the EU?

    • by _0xd0ad ( 1974778 ) on Wednesday September 28, 2011 @10:14AM (#37540148) Journal

      If they still have a copy of it, they're required to include it.

      Databases often do a "lazy delete" - mark a single "deleted" bit that prevents it from showing up anymore. Only periodically will they compact the database, removing all the records that are marked for deletion. If they have plenty of storage they may never compact due to the required downtime during the process.

      So if it's "deleted", but it's not really gone, they still have to give you a copy of it.

  • Grow up, people (Score:5, Insightful)

    by davmoo ( 63521 ) on Wednesday September 28, 2011 @09:52AM (#37539876)

    It takes a woefully naive person to use a service like Facebook for free and not expect that Facebook is collecting your data and somehow profiting from it.

  • by Chrisq ( 894406 ) on Wednesday September 28, 2011 @09:54AM (#37539912)
    I don't think doing this is a good thing. A likely result is that companies will lobby for dilution of the law, probably something like having a legitimate need for the data. When companies really have something to hide they will use this, meaning that someone will have to use the old expensive procedure of going to court to show that they did have a legitimate need. The cost will put most people off and it will certainly delay all cases.
  • by assertation ( 1255714 ) on Wednesday September 28, 2011 @09:59AM (#37539966)

    I really enjoyed reading the blurb for this thread. Go Euros!

  • by rainer_d ( 115765 ) on Wednesday September 28, 2011 @10:24AM (#37540264) Homepage
    I got tons of "Connect to ... on Facebook" mails from people I don't even know because some friend/customer synced his addressbook with FB - with my address etc. in there.

    I don't have an account on FB and never will.
    But I'm tempted to fill out that form.

  • by andy.ruddock ( 821066 ) on Wednesday September 28, 2011 @10:27AM (#37540304) Homepage

    After making a request under the DPA I received the following :

    Hi,

    We have received your subject access request (the "Request").

    Due to the volume of personal data access requests that we have recently received, we are experiencing significant delay in processing such requests. We therefore are unlikely to respond within 40 days of your initial request. We appreciate your patience and will respond as soon as possible.

    We are presently refining our request response processes and approach to align the present high volume of access requests with the resources available to process these requests. We appreciate your patience and will respond as soon as possible.

    Please be aware as well that we are not required to comply with any future similar requests, unless, in our opinion, a reasonable period of time has elapsed.

    Again, we appreciate your patience and we will respond as soon as possible.

    Thanks for contacting Facebook,
    Facebook User Operations - Data Access Request Team

  • by daveewart ( 66895 ) on Wednesday September 28, 2011 @10:32AM (#37540372)

    What a great idea. About the only bit of personal information that most Facebook users haven't already given to Facebook is their postal address. Yet this process does just that.

    Wouldn't surprise me if this "Annoy Facebook" thing was actually started by Facebook to harvest postal addresses. :-)

  • by MarkvW ( 1037596 ) on Wednesday September 28, 2011 @10:54AM (#37540686)

    We are going to see political campaigns that are precisely targeted down to individual voters.

    The next time you respond to a political pollster, you need to wonder whether or not the information it is seeking is individually targeted at you in an attempt to refine their database pertaining to you. Commercial and social data is just one more source of political information. The more detail the number-crunchers get, the more they will be able to predict your vote.

    The candidates will then model their behavior on the data model that gets them sufficient votes to win.

  • by Pinky3 ( 22411 ) on Wednesday September 28, 2011 @10:57AM (#37540726) Homepage

    There is no requirement that the data be sent on a CD.

    Article 12
    Right of access
    Member States shall guarantee every data subject the right to obtain from the controller:
    (a) without constraint at reasonable intervals and without excessive delay or expense:
    - confirmation as to whether or not data relating to him are being processed and information at least as to the purposes of the processing, the categories of data concerned, and the recipients or categories of recipients to whom the data are disclosed,
    - communication to him in an intelligible form of the data undergoing processing and of any available information as to their source,
    - knowledge of the logic involved in any automatic processing of data concerning him at least in the case of the automated decisions referred to in Article 15 (1);
    (b) as appropriate the rectification, erasure or blocking of data the processing of which does not comply with the provisions of this Directive, in particular because of the incomplete or inaccurate nature of the data;
    (c) notification to third parties to whom the data have been disclosed of any rectification, erasure or blocking carried out in compliance with (b), unless this proves impossible or involves a disproportionate effort.

  • by kiwix ( 1810960 ) on Wednesday September 28, 2011 @11:09AM (#37540886)
    So, if I want to use this form [facebook.com] to request the information they have about me, I have to give them a postal address, a phone number, and a copy of a state issued ID. I'm not sure I'm willing to give them even more information, just to know that they store about me...
    • by SeeSp0tRun ( 1270464 ) on Wednesday September 28, 2011 @02:42PM (#37544516) Journal

      The page also *says* that they will delete the image, once your identity has been verified. Until there is a way to remotely verify that you are who you say you are, and that I am not you, and vice versa... that's what they're working with.

      What sort of proof would you want that the person requesting YOUR information is anybody but you? It is a serious question, because I am looking for a fool-proof, better method.

      You're worried about your "private" information, yet are irritated that you must prove, beyond a reasonable doubt, that you are, indeed, you.

  • by glwtta ( 532858 ) on Wednesday September 28, 2011 @11:32AM (#37541262) Homepage
    I'm not sure what all the indignation is about. The data shown is about 80% of the bare minimum needed for core Facebook functionality (I imagine there's lots more involved in the fancier features).

    Are people really surprised that FB is storing the info that shows up in their profiles? Or that FB stores their list of friends and the stuff they post?

    How do they imagine Facebook works? Magic?

    (also, measuring structured, relational data in PDF "pages" is about as useful as measuring it in Volkswagens)
  • by wjousts ( 1529427 ) on Wednesday September 28, 2011 @11:36AM (#37541302)

    Step 1: Pass a similar data protection law in the US. Require the requestee to provide the data in a physical format if the requester asks for it.

    Step 2: Get lots of users to request their data from Facebook - make sure they insist they want the data on CD.

    Step 3: ?????

    Save the USPS and annoy Facebook? Sounds like a win-win to me!

  • by kevinNCSU ( 1531307 ) on Wednesday September 28, 2011 @11:42AM (#37541398)
    I love how the summary says they store your religious and political views like they aren't boxes literally labeled religious and political view that your purposely decided to fill out and display publicly on your profile info page. My God, they're probably even storing your facebook NAME and profile PICTURE somewhere on their SCARE SERVERS!!!!
  • by KZigurs ( 638781 ) on Wednesday September 28, 2011 @05:13PM (#37546788)

    So, you just gave them your home address on top...

Genetics explains why you look like your father, and if you don't, why you should.

Working...