Even if you are not using Facebook, even if none of your friends ever use Facebook or tag you in any content, Facebook is maintaining a shadow profile on you. They have your web browsing habits from the Like button, and in many countries (such as the United States) they have bought data from data brokers such as Datalogix to gain access to your grocery store purchases and other data. They can sell you as an audience on behalf of other sites/apps if they choose (they aren't doing this now, but they could), and they can continue to use third party mechanisms to keep close tabs on you. They might not know you by name, but they definitely know you by many other identifying traits.
I would be very interested to see the results of a European data request by a non-Facebook-user in a country where Facebook has been aggressive in cutting data brokerage deals. Maybe the UK or something. We can get a lot of feel good rhetoric from the company's PR and employees, but nobody really knows what is collected and stored. (Of course, the company could say "we don't have data for anyone with that name," which would be factually correct.)
There is another comment here that is completely wrong in asserting that Facebook only tracks you insomuch as is required to help your friends make use of the site. This fantasy notion might make people feel better about making use of the site -- sort of like how consumers of H&M will reason that "those Bangladeshi girls really needed the job" -- but it isn't the truth.
That's a more general flaw with the current web. Just look at how much 3rd party content is embedded into almost any site. A good chunk of them are user trackers. Facebook is just one among many.
I think we need stronger compartmentalization in the web. The iframe sandboxing + message-channel APIs are a good start to isolate things and minimize information leakage; sadly, that doesn't help with libraries loaded from CDNs. Mozilla's contextual identities is another approach [1].
[1] https://wiki.mozilla.org/Security/Contextual_Identity_Projec...
http://www.npr.org/sections/money/2013/12/03/247360855/two-s...
The whole series on the making of tshirts is amazing: http://www.npr.org/shirt
I was interested in this too, and I'm in Europe and submitted a formal request for data. I've never used Facebook but because I'm active in a number of community groups, my name comes up on the occasional Facebook page and I'm in photos taken at some events.
At the time I was using a catchall email address so I entered facebook@(my-domain-dot-tld) which is all they used to search for a match. Because that wasn't a real email address I wasn't surprised that in their response they claimed to hold none of my personal data, though that seems a bit weaselly.
Here is their email reply from 2013:
Hi,
We've received your request for information about the possible storage of your personal data.
There isn't a Facebook account associated with the email address from which you are writing. This might be because you don't have a Facebook account or because you already deleted your account. In either of these cases, we do not hold any of your personal data.
Please refer to our Privacy Policy (also called “Data Use Policy”) for more information:
https://www.facebook.com/about/privacy
It contains a description of:
- The categories of data being processed by Facebook
- The personal data that Facebook receives from Facebook members
- The purpose or purposes of the processing of such data
- The source or sources(s) of the data, if known
- The recipients or categories of recipients to whom Facebook members’ personal data are or may be disclosed
If you're referring to an account associated with another email address, please use that email address to file a new request:
https://www.facebook.com/help/contact/?id=166828260073047
Once we receive your request, we'll take further steps to assist you.
Thanks, The Facebook Team
And I think there's a bunch of information that the EU does think is personal that Facebook thinks is not personal.
We probably need some researchers to send a bunch of requests in for different types of data.
> The company is “working to minimize any disruption to people’s access to Facebook in Belgium,” she said.
Is that a threat? Why would there be a disruption? The ruling only affects their tracking of non-users. Disruption to the non-users?!
Also, you know how they've also been saying for years that they would never (ever!) use Like button tracking (which is just a - pretty damn persistent - bug when tracking non-users, anyway) for advertising? Yeah, another lie [4].
[1] https://www.propublica.org/article/its-complicated-facebooks...
[2] http://www.itpro.co.uk/security/24324/facebook-okay-were-tra...
[3] http://www.reuters.com/article/2015/11/09/us-facebook-belgiu...
[4] http://www.technologyreview.com/news/541351/facebooks-like-b...
This should not actually be a complicated inquiry.
https://archive.org/details/EbenMoglen-WhyFreedomOfThoughtRe...
https://benjamin.sonntag.fr/Moglen-at-Re-Publica-Freedom-of-...
Surveillance is not an end toward totalitarianism, it is totalitarianism itself.
I am not sure it would help however. Making something illegal only makes sense if it's enforceable. Making tracking illegal is like making hacking into systems illegal. If the offender is based in another country there is very little one can do anyway. Therefore to me the solution has to be technological. Encryption, strict first party cookies/data/javascript is the only realistic response. The browser as it is is broken.
And I guess WhatsApp probably also used the same practice to grow their network, using contact lists extracted from phones.
As I understand it, these practices are simply illegal in the EU and always were. Regrettably, the billions that were made this way (mostly by US companies) will probably never be returned.
> And I guess WhatsApp probably also used the same
> practice to grow their network
... how would that work? I've never seen WhatsApp offer to let me message someone who didn't have an account.
Mozilla tried to adopt Safari's cookie policy for Firefox, but backed down when the ad industry turned up the heat:
https://blog.mozilla.org/privacy/2013/02/25/firefox-getting-...
http://www.computerworld.com/article/2495739/internet/ad-ind...
Facebook's net income in 2014 was US$2.94 billion, according to Wikipedia. I'm not so sure they will care about a fine that low. Especially if they expect to make more money by continuing to store non-users' personal data.
And so far it's only from one nation. Much of Europe shares a stronger belief in things like privacy and data protection than the US, and much of Europe has law in place to defend such things if the political will is there. Facebook can't afford to face fines at significant multiples of that scale, and even if it could, it's just asking for more severe action if it tries to force the issue.
The nightmare scenario for FB is probably losing access to parts of Europe for a while and as a result losing their critical mass of users so a rival social network can gain a foothold. With the digital native generation already far less attached to any one social network than their predecessors, that could become an existential threat to Facebook itself. As such, it seems highly unlikely that they will try to hold their position indefinitely on this one.
The nasty 90s database-dump sharing is over; companies hoard this data and consider it their private treasure, not to mention the nasty and ill-considered privacy laws that have already sprung up around sharing it. Facebook is not selling your info to marketers; they are selling your eyeballs to marketers if you use the service, and using your data to better target it. For all the egregious offenses that Facebook is guilty of, this is not an offense.
I have the right to a little black book. I have a right to a diary that calls you names. I have a right to free speech, and sometimes your name is on my lips.
Except most people don't understand how cookies or like buttons track their behavior. To assume otherwise is disingenuous. The result is the equivalent of bugging someone's car with a GPS tracker and claiming they opted in by virtue of using your parking garage.
Yes, you do [1], and that's not relevant to any of these discussions, as it's not been challenged.
> I have a right to free speech, and sometimes your name is on my lips.
If you are speaking as a private individual or you are publishing an article in a newspaper, yes, there are very few limits to your speech in the EU as long as you're not slandering someone.
But if you are operating as a business and telling another company details about me that can be used to identify me, then your rights are strictly limited in the EU, as the right to privacy is seen to trump the right of commercial speech.
[1] With a caveat: If you are using your "little black book" to support commercial activities such as sales, it may be considered a relevant filing system subject to data protection rules in at least some EU countries. But a personal address book would not be affected.
Not in Europe. Another overly self-important piece of parallel structure prose ruined by Americocentrism!
Range, permanence and ease of distribution are much different but, take for example, a picture.
If 2 people are in a picture taken by a third party, to what extent can any person exert ownership over that "data"?
The photographer, or either of the subjects. I am all for privacy, but I would find it hard to make a compelling case for the above scenario that could be absolute, and applied uniformly.
To some extent, that means recognising that some actions enabled by new technology may be reasonable even if they involve personal data being collected, used, or passed on.
In other cases, that means recognising that new technologies pose new threats to privacy and things we could let by before because they posed no real threat are no longer as harmless and therefore potentially no longer as socially acceptable.
For example, I find the idea that you lose any expectation of any sort of privacy the moment you step outside your front door naive and dangerous, but people often claim this is reasonable in privacy debates based on an argument along the lines that anyone could see you walking down the street and it's always been that way.
Personally, I do see a few small differences between walking past someone who doesn't know you from Adam and will forget you within seconds and going for a walk in the view of a comprehensive network of cameras and microphones that allow unknown parties to remotely and systematically observe your every move and sound while you're out, along with those of everyone else nearby, subject you all to gait and voice analysis to identify you and infer information about your mood, interests and relationships, correlate that data with data about you from other sources, record everything permanently, and make it easy to search for information about you and everyone else who went out that day in order to make decisions about arbitrary and unknown criteria from what to offer you as an insurance premium next year to how to embarrass you out of running for office at the next election.
Clearly there is going to be a scale with many of these issues and we will need to find a socially acceptable balance and set reasonable expectations accordingly. It's also pretty clear that damage is being done by the dramatic erosion of privacy in the digital age because so far the capabilities of new technologies have far out-stripped the social and regulatory debates around it. Unfortunately, a big part of the problem is that many people have little idea of what is happening with personal data about them and even less understanding of the potential consequences unless they've been the unlucky one who really was a victim of, say, identity theft. Consequently the opinion polls tend to show most people not being that bothered by organisations like Facebook, even though when fully informed or after widely reported leaks with many victims potentially affected you tend to see quite different opinions being expressed.
We have learned to deal with it. In Europe, we have for the most part decided that allowing large organisations to compile personal data without either the data subject's consent or some other acceptable reason is not a good thing, and we have passed laws that forbid it.
> I have the right to a little black book.
Sure you do, but in Europe you don't have the automatic right to keep personal data about me and millions of other people in it, and if you do then we might punish you for it.
> I have a right to free speech, and sometimes your name is on my lips.
Not in Europe, you don't. In fact, legally speaking you don't have that absolute right anywhere else in the world that I know about either.
Exactly.
I'll add that on a technical level, you aren't being tracked like a hunter would track prey; your machine is being periodically asked to provide identifying information, and you have it configured to automatically comply.
I get that most consumers of the web don't understand this, but it is the truth.
This is what I find vexing about the EU cookie disclaimer law. Every individual website owner has to add a message to their site letting you know that they are going to request that your browser store some information on their behalf.
It makes me think about all of the manhours that could have been saved if the law had instead required major browser vendors to include a feature enabled by default that would prompt the user before storing cookies.
You only need a disclaimer for a permanent cookie, which should only be used when you are logged into an account (and the disclaimer could just be part of the ToS when you create the account). I blame the websites for using permanent cookies when session cookies or no cookies would do the job.
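As an added illustration of the session versus permanent cookie distinction in the comment above (not part of the original thread), this JavaScript classifies `Set-Cookie` headers by lifetime using the RFC 6265 rule that Max-Age takes precedence over Expires. The header values, cookie names, function names and the reference date are all constructed for the example.

```javascript
// Added example: classify Set-Cookie headers by lifetime (RFC 6265 rules).
// All header values below are constructed for illustration.
const SAMPLE_HEADERS = [
  "sid=abc123; Path=/; HttpOnly; Secure",
  "uid=u-7f3a; Expires=Fri, 10 Nov 2017 00:00:00 GMT; Domain=.tracker.example",
  "pref=dark; Max-Age=2592000; Expires=Thu, 01 Jan 2099 00:00:00 GMT",
  "old=; Max-Age=0",
];

// Split a header into the cookie name and a lower-cased attribute map.
// A repeated attribute overwrites the earlier one, so the last value wins.
function parseSetCookie(header) {
  const [pair, ...rest] = header.split(";");
  const eq = pair.indexOf("=");
  const name = eq === -1 ? "" : pair.slice(0, eq).trim();
  const attrs = {};
  for (const part of rest) {
    const i = part.indexOf("=");
    const key = (i === -1 ? part : part.slice(0, i)).trim().toLowerCase();
    if (key) attrs[key] = i === -1 ? "" : part.slice(i + 1).trim();
  }
  return { name, attrs };
}

// No valid Max-Age or Expires means the cookie lasts only for the session.
function classifyCookie(header, now) {
  const { name, attrs } = parseSetCookie(header);
  let expiresAt = null;
  if (/^-?\d+$/.test(attrs["max-age"] || "")) {
    expiresAt = now.getTime() + Number(attrs["max-age"]) * 1000;
  } else if ("expires" in attrs) {
    const t = Date.parse(attrs.expires);
    if (!Number.isNaN(t)) expiresAt = t;
  }
  if (expiresAt === null) return { name, kind: "session", days: 0 };
  if (expiresAt <= now.getTime()) return { name, kind: "expired", days: 0 };
  return { name, kind: "persistent", days: Math.round((expiresAt - now.getTime()) / 86400000) };
}

// Cookies that outlive the browser session, with their lifetime in days.
function persistentCookies(headers, now) {
  return headers.map((h) => classifyCookie(h, now)).filter((c) => c.kind === "persistent");
}

const NOW = new Date("2015-11-10T00:00:00Z"); // constructed reference time
for (const c of SAMPLE_HEADERS.map((h) => classifyCookie(h, NOW))) {
  console.log(`${c.name}: ${c.kind}${c.kind === "persistent" ? ` (${c.days} days)` : ""}`);
}
```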
That is true for cookies, but trackers also use active and passive fingerprinting that does not provide a way to configure whether your machine automatically "provides identifying information".
Of course, there's going to be no way for anyone to prove cause and effect either way. If I'm wrong about the reason, my confirmation bias will convince me otherwise.