Polish town highlights oddities in Facebook's personal data disclosures
Facebook holds back some personal data when responding to a user access request, but reveals curious ad-targeting data
IDG News Service - Facebook's store of data about its users holds some surprises, and not just in the sheer quantity of data it is sitting on. Among the surprises it held for me was SBupsk.
One of 47 topics about which Facebook thinks I am interested in seeing advertisements, SBupsk is a Polish town with about 100,000 citizens and a beautiful church. Another of those topics is Bomen, a town in New South Wales, Australia. I don't remember ever seeing an ad, or indeed anything, related to the towns while hanging around on Facebook -- or anywhere else for that matter.
In fact, the first I heard of either place was when I requested dumps of all the data Facebook holds about me, to evaluate how the company is responding to criticism of its data storage practices by the Data Protection Commissioner of Ireland. That's where Facebook's international headquarters is, making the company subject to Irish (and European Union) data protection laws -- and also to Ireland's advantageous rate of corporation tax.
Under European Union law, Facebook is required to provide users with personal data it holds about them on request, and in a December review of Facebook's data handling, the data protection commissioner recommended that the company provide users with access to more of their personal data. It gave the company until July to change its policies, and is currently reviewing the changes made. It expects to publish a new audit in early October, said senior investigations officer Catriona Holohan.
Facebook is required to respond to data access requests within 40 days. After sending out wads of paper and CDs in response to early requests, the company now offers a self-service tool allowing users to download two bundles of their personal data. The basic bundle contains timeline information including shared posts, messages and photos, and in my case was ready in about 3.5 hours. An extended archive with details of logins, cookies, deleted friends and the curious "ads topics" was ready in 90 minutes. Other data can be consulted online in a searchable Activity Log on Facebook's website.
Facebook now seems to be providing all the categories of data the commissioner asked for. In April it added login and logout information, unconfirmed friendship requests and information about pokes, among other categories requested by the authority.
As a user, it's not easy to check Facebook's compliance with all the commissioner's recommendations, however.
For example, Facebook agreed to anonymize all search data on the site within six months. According to the online help center, anything you've searched for should appear in the Activity Log. However, my searches do not appear on the drop-down list of activity categories, nor do they appear in other categories.
Told that its indefinite retention of ad-click data was unacceptable, Facebook agreed to retain such data for no more than two years, and seems to be keeping it for less time. In a data dump downloaded on Aug. 10, the first referenced ad-click stored by Facebook is dated July 2, while in one downloaded on Sept. 10, the first mentioned ad-click is dated July 20. The earliest two ad-clicks from the first data dump don't appear in the second, suggesting Facebook is retaining the data for about two months. That, of course, assumes that Facebook provides its users with all their personal data -- and that is not always easy to believe.
In my downloaded data, for instance, part of my private message history is missing. Facebook's online history of my conversation with one of my friends dates back to July 9, 2011, with hundreds of messages shared, but the data dump only contained the messages shared on Sept. 1, 2012. Another conversation, started on Aug. 19, 2010, only appeared in the data dump as of July 6, 2011. Other, older messages were also missing.
Max Schrems, an Austrian law student who runs Europe vs. Facebook, a group pushing the company to respect privacy laws, doubts that Facebook sends users all the data it holds about them. He was among the first to ask Facebook to send him a copy of his personal data. A year ago, the company sent him a raw file of data consisting of a stack of papers and a CD that together contained far more information than is available for download today.
Pictures he had uploaded to Facebook, for instance, were accompanied by metadata such as the GPS location, the IP address used to upload the photo and the camera make and model, he said. But with Facebook's download tool today, he only gets the raw picture without the metadata.
"Then there are other things. For example: if you delete messages on Facebook they still hold them, and in the download tool you don't get the deleted messages," said Schrems, who added that the deleted messages did appear in his raw data file a year ago. Likewise, "If you delete friends, or if friends delete you, they'll still store it but you don't get the deleted friend information all the time," he said.
In addition, the information provided by Facebook is scattered across different places, which makes it hard to track if all the information is there, Schrems said.
Besides the two data downloads and the online activity log that Facebook highlights, other personal information can be found in the account settings, Schrems said. "A normal user is entitled to get everything from Facebook. Today, users have to hunt all over Facebook to get it."
The way the download tool and the extended archive work make it hard to check if all the information Facebook has is made available to the user, said Schrems. "Right now, Facebook is just gathering some information from the raw format and transfers it into some HTML download thing," he said. "Facebook is just not including the data that is a problem for them."
Schrems estimated that Facebook now only provides him with half of his personal data via the download tools, compared to the earlier raw file he and other early requesters received. "Only we can prove that the other half is not there because we have the original raw format," he said.
Facebook declined to discuss the missing data or the Irish commissioner's forthcoming audit.
"We believe that every Facebook user owns his or her own data and should have simple and easy access to it," a company representative said in an emailed statement, adding that is why the company has built a way for users to "download everything."
"People who want a copy of the information they have put on Facebook can click a link located in 'Account Settings' and easily get a copy of all of it in a single download," the statement said.
Loek covers all things tech for the IDG News Service. Follow him on Twitter at @loekessers or email tips and comments to firstname.lastname@example.org
- SBIC: Transforming Information Security This report combines perspectives on technologies with experience in strategy to help security teams navigate complex decisions regarding technology deployments while maximizing investments.
- HP ArcSight ESM Solution Helps Finansbank to Combat Fraud and Increase Customer Satisfaction In this report, learn how one organization was able to use HP ArcSight ESM to reduce false positives by 90% and the time...
- 3 Big Data Security Analytics Techniques You Can Apply Now to Catch Advanced Persistent Threats This technical white paper demonstrates how to use Big Data security analytics techniques to detect advanced persistent threat (APT) cyber attacks, and it...
- Guard data in government environments by implementing continuous diagnostics and mitigation IBM Security offerings can help federal organizations employ a continuous diagnostics and mitigation approach to enhance and automate continuous network monitoring capabilities. Read...
- Top 4 Digital Signage Fails Join RMG Networks for a look at four of the most common reasons digital signage fails in corporate businesses. Learn about strategies to...
- Mastering the Art of Mobile Content Management Mobile device usage in the enterprise has skyrocketed in recent years, and it continues to escalate. All Data Security White Papers | Webcasts
Our new bimonthly Internet of Things newsletter helps you keep pace with the rapidly evolving technologies, trends and developments related to the IoT. Subscribe now and stay up to date!