Amidst the hailstorm of news yesterday afternoon, Facebook dropped the latest installment of its laughably-named blog series, Hard Questions: “What Data Does Facebook Collect When I’m Not Using Facebook, and Why?” In the post, Facebook’s Product Management Director, David Baser, set himself up to answer questions that were neither hard nor related to the most pressing issues facing the company, much like the testimony given by Facebook CEO Mark Zuckerberg last week. The post also avoided completely the topic of the data that it doesn’t give out in its “download all your data” feature — yes, there is some — which is still being closely guarded by the company even in Europe, where heavier privacy regulations are about to go into effect.
Though there were some undeniably juicy quotes — “When you visit a site or app that uses our services, we receive information even if you’re logged out or don’t have a Facebook account,” or “if you visit a lot of sports sites that use our services, you might see sports-related stories higher up in your News Feed” — very little in the post was new. It was mostly just a restatement of Facebook’s recently updated Terms and Data Policy, which was required by EU law, but still went into zero detail about the full complement of data Facebook actually captures and uses to target ads and marketing. That data, which is not part of the packet that Facebook lets any user download, is becoming a bigger and bigger flashpoint for personal privacy regulations, and deserves more attention from our own government.
Though Baser identified himself as the leader of “a team focused on privacy and data use, including GDPR [the EU’s General Data Protection Regulation] compliance and the tools people can use to control and download their information” in the opening paragraph, he somehow failed to mention any of the key details relevant to the contentious ongoing debate surrounding GDPR. Even GDPR, so far, has failed to help users lay their hands on their own most valuable data.
GDPR becomes “enforceable” on May 25, and requires that all companies that process user data be able to provide the user with all of the information it has on them, which turns out to be a bit of a problem when you’re a company the size of Facebook that makes most of its money by knowing people better than they know themselves. Most modern apps and sites — but social media platforms especially — basically fund their operations using the data they glean about users to market and advertise to them. Facebook, with over two billion users and a fleet of other apps like Instagram and WhatsApp, collects a remarkable amount of data on basically everyone with an online presence (even those without a Facebook account). Facebook uses this giant data pool to lure in advertisers, who pay to use Facebook’s own tools to micro-target ads, get audience information, and whatnot.
Facebook has fought tooth-and-nail against full compliance, despite the fact that doing so carries the risk of huge fines (anywhere from 2 to 4 percent of its overall global revenue). Though Facebook CEO Mark Zuckerberg spent a considerable amount of time assuring congresspeople that all user data is easily available for download on Facebook dot com (so long as you have an account, wink-wink), his own privacy ops team has admitted the opposite is true.
For example, mathematician and co-founder of PersonalData.IO Paul-Olivier Dehaye has been trying to get his hands on his complete Facebook user data file for over a year with no luck. Dehaye has particularly asked for the stuff advertisers pay to get access to: the tracking Pixel and Custom Audience tools. “My hope is that by accessing such data, I could retroactively figure out on which webpages I was tracked, who was working with whom, etc,” wrote Dehaye in a March 8 email to the U.K. Parliament. “On top, presumably, this would open the possibility for any other Facebook user to do the same.”
But Facebook wouldn’t budge, claiming that it would just be too hard for it to sift through its warehouses full of data just to find Dehaye’s. “Facebook receives over a million DYI requests per month and under Irish data protection law it must comply with access requests within 40 days,” wrote Facebook’s privacy ops team in an email to Dehaye. “In that context, retrieving Hive data” — a more technical name for the data we’ve been talking about thus far — “for all users making access requests would be technically impossible. The required computer processing power would greatly exceed that available to the Facebook group.”
Of course, none of this mysterious “unreportable” data was mentioned in “Hard Questions: What Data Does Facebook Collect When I’m Not Using Facebook, and Why?” Instead, Facebook just continued to restate its favorite talking points: Everyone else does this too! Look at our shiny new policy! We definitely don’t sell your data! It was defensive, exhausting, and only further reinforced the fact that — despite all of Zuckerberg’s apologies and Congressional appearances — nothing has changed.