The Future

Zuckerberg’s testimony contradicted his own privacy ops team

Zuckerberg’s statements to Congress contradict what Facebook’s privacy operations team has told European data authorities.
The Future

Zuckerberg’s testimony contradicted his own privacy ops team

Zuckerberg’s statements to Congress contradict what Facebook’s privacy operations team has told European data authorities.

Facebook claims that you can download a copy of everything it has on you here. Mark Zuckerberg said the same during his testimony to the U.S. House of Representatives yesterday (“Congressman, I believe that all of your information is in that — that file.”). However, according to Facebook’s own Privacy Operations Team, both of these statements are wrong. Even better, Facebook has told users it cannot give out this information because it’s too difficult to access and package into a readable format.

Long before the recent Cambridge Analytica scandal and Mark Zuckerberg’s Terrible, Horrible, No Good, Very Bad Day In Court, mathematician and co-founder of PersonalData.IO, Paul-Olivier Dehaye, was trying to get his hands on his complete Facebook user data file. “These [requests] were for access to personal data collected through their Custom Audiences and tracking Pixel tools,” Dehaye wrote in a March 8 email to the U.K. Parliament. “My hope is that by accessing such data, I could retroactively figure out on which webpages I was tracked, who was working with whom, etc. On top, presumably, this would open the possibility for any other Facebook user to do the same.”

Dehaye was able to request this data thanks to the European Union’s new Global Data Protection Regulation (GDPR), a new set of laws which grants European users the power to request a copy of whatever information companies have on them, among many other things. This idea of a complete personal data file means much more than just your posts, likes, and login history; if companies want to be GDPR-compliant and avoid massive company-ending fines, they have to turn over everything.

Though Dehaye requested this from Facebook, the file he received was noticeably lacking anything beyond the basics: profile archives (posts, photos, activity data), his rudimentary advertiser profile, and not much else. The tracking data collected through Facebook Pixel — not to mention the private info used to power Facebook’s Custom Audiences tool — was missing.

When Dehaye reached out to Facebook about this missing data, the company readily admitted it had been purposefully left out of the file. In a March 7 email to Dehaye, Facebook’s privacy operations team essentially said that because this information is kept in a more difficult to reach area than the basic stuff, it had decided it wasn’t going to include it in the file.

”In both cases, your requests were for information that is not available through our self-service tools which we explained to you (including DYI and Ads Preferences),” wrote Facebook’s Privacy Operations Team. “Instead, this information is stored in ‘Hive’, which is Facebook’s log storage area where data is stored primarily for back-up purposes and data analytics.”

In essence, Facebook’s argument was that because it would just be too hard for it to give users all of their data, it deserved to be above the law. “[R]etrieving Hive data for all users making access requests would be technically impossible,” the company wrote. “The required computer processing power would greatly exceed that available to the Facebook group.”

Yet Zuckerberg made no mention of this quandry to Congress, instead choosing to parrot the standard niceties of total data compliance. When Rep. Gene Green (D-TX) asked him: “[I]f I download my Facebook information, is there other information accessible to you within Facebook that I wouldn't see on that document, such as browsing history or other inferences that Facebook has drawn from users for advertising purposes?” Zuckerberg responded point blank: “Congressman, I believe that all of your information is in that — that file.”

Email Dehaye sent to the Irish DPC.

Email Dehaye sent to the Irish DPC.

Dehaye is pushing back. Earlier today he announced in a tweet that he’s alerting the Irish DPC to the inconsistencies in Zuckerberg’s testimony, writing “I would like to attract your attention to the fact that, during his testimony at the US House of Representatives yesterday, Mark Zuckerberg pretty much contradicted the pronouncements to me over the past year by his own Privacy Operations Team, which led to the current complaint...I feel this issue is now a matter of urgency, especially given the upcoming testimonies by FB staff in front of elected representatives....”