24 year old student lights match: Europe versus Facebook[Privacy]

Kim Cameron’s Identity Weblog ^ | 13 Oct 2011 | Kim Cameron

[FritzG]

If you are interested in social networks, don’t miss the slick video about Max Schrems’ David and Goliath struggle with Facebook over the way they are treating his personal information.  Click on the red “CC” in the lower right-hand corner to see the English subtitles.

Max is a 24 year old law student from Vienna with a flair for the interview and plenty of smarts about both technology and legal issues.  In Europe there is a requirement that entities with data about individuals make it available to them if they request it.  That’s how Max ended up with a personalized CD from Facebook that he printed out on a stack of paper more than a thousand pages thick (see image below). Analysing it, he came to the conclusion that Facebook is engineered to break many of the requirements of European data protection.  He argues that the record Facebook provided him finds them to be in flagrante delicto.  

The logical next step was a series of 22 lucid and well-reasoned complaints that he submitted to the Irish Data Protection Commissioner (Facebook states that European users have a relationship with the Irish Facebook subsidiary).  This was followed by another perfectly executed move:  setting up a web site called Europe versus Facebook that does everything right in terms using web technology to mount a campaign against a commercial enterprise that depends on its public relations to succeed.

Europe versus Facebook, which seems eventually to have become an organization, then opened its own YouTube channel.  As part of the documentation, they publicised the procedure Max used to get his personal CD.  Somehow this recipe found its way to reddit  where it ended up on a couple of top ten lists.  So many people applied for their own CDs that Facebook had to send out an email indicating it was unable to comply with the requirement that it provide the information within a 40 day period.

If that seems to be enough, it’s not all.  As Max studied what had been revealed to him, he noticed that important information was missing and asked for the rest of it.  The response ratchets the battle up one more notch: 

Dear Mr. Schrems:

We refer to our previous correspondence and in particular your subject access request dated July 11, 2011 (the Request).

To date, we have disclosed all personal data to which you are entitled pursuant to Section 4 of the Irish Data Protection Acts 1988 and 2003 (the Acts).

Please note that certain categories of personal data are exempted from subject access requests.
Pursuant to Section 4(9) of the Acts, personal data which is impossible to furnish or which can only be furnished after disproportionate effort is exempt from the scope of a subject access request. We have not furnished personal data which cannot be extracted from our platform in the absence of is proportionate effort.

Section 4(12) of the Acts carves out an exception to subject access requests where the disclosures in response would adversely affect trade secrets or intellectual property. We have not provided any information to you which is a trade secret or intellectual property of Facebook Ireland Limited or its licensors.

Please be aware that we have complied with your subject access request, and that we are not required to comply with any future similar requests, unless, in our opinion, a reasonable period of time has elapsed.

Thanks for contacting Facebook,
Facebook User Operations Data Access Request Team

What a spotlight

This throws intense light on some amazingly important issues. 

For example, as I wrote here (and Max describes here), Facebook’s “Like” button collects information every time an Internet user views a page containing the button, and a Facebook cookie associates that page with all the other pages with “Like” buttons visited by the user in the last 3 months. 

If you use Facebook, records of all these visits are linked, through cookies, to your Facebook profile - even if you never click the “like” button.  These long lists of pages visited, tied in Facebook’s systems to your “Real Name identity”, were not included on Max’s CD. 

Is Facebook prepared to argue that it need not reveal this stored information about your personal data because doing so would adversely affect its “intellectual property”? 

It will be absolutely amazing to watch how this issue plays out, and see just what someone with Max’s media talent is able to do with the answers once they become public. 

The result may well impact the whole industry for a long time to come.

Meanwhile, students of these matters would do well to look at Max’s many complaints:

no	date	topic	status	files
	01	18-AUG-2011	Pokes. Pokes are kept even after the user “removes” them.	Filed with the Irish DPC	Complaint (PDF) Attachments (ZIP)
02	18-AUG-2011		Shadow Profiles. Facebook is collecting data about people without their knowledge. This information is used to substitute existing profiles and to create profiles of non-users.	Filed with the Irish DPC	Complaint (PDF) Attachments (ZIP)
03	18-AUG-2011	Tagging. Tags are used without the specific consent of the user. Users have to “untag” themselves (opt-out). Info: Facebook announced changes.	Filed with the Irish DPC	Complaint (PDF) Attachments (ZIP)
04		18-AUG-2011	Synchronizing. Facebook is gathering personal data e.g. via its iPhone-App or the “friend finder”. This data is used by Facebook without the consent of the data subjects.	Filed with the Irish DPC	Complaint (PDF) Attachments (ZIP)
05	18-AUG-2011	Deleted Postings. Postings that have been deleted showed up in the set of data that was received from Facebook.	Filed with the Irish DPC	Complaint (PDF) Attachments (ZIP)
06		18-AUG-2011	Postings on other Users’ Pages. Users cannot see the settings under which content is distributed that they post on other’s pages.	Filed with the Irish DPC	Complaint (PDF) Attachments (ZIP)
07	18-AUG-2011	Messages. Messages (incl. Chat-Messages) are stored by Facebook even after the user “deleted” them. This means that all direct communication on Facebook can never be deleted.	Filed with the Irish DPC	Complaint (PDF) Attachments (ZIP)
08		18-AUG-2011	Privacy Policy and Consent. The privacy policy is vague, unclear and contradictory. If European and Irish standards are applied, the consent to the privacy policy is not valid.	Filed with the Irish DPC	Complaint (PDF) Attachments (ZIP)
09	18-AUG-2011	Face Recognition. The new face recognition feature is an inproportionate violation of the users right to privacy. Proper information and an unambiguous consent of the users is missing.	Filed with the Irish DPC	Complaint (PDF) Attachments (ZIP)
10		18-AUG-2011	Access Request. Access Requests have not been answered fully. Many categories of information are missing.	Filed with the Irish DPC	Complaint (PDF) Attachments (ZIP)
11	18-AUG-2011	Deleted Tags. Tags that were “removed” by the user, are only deactivated but saved by Facebook.	Filed with the Irish DPC	Complaint (PDF) Attachments (ZIP)
12		18-AUG-2011	Data Security. In its terms, Facebook says that it does not guarantee any level of data security.	Filed with the Irish DPC	Complaint (PDF) Attachments (ZIP)
13	18-AUG-2011	Applications. Applications of “friends” can access data of the user. There is no guarantee that these applications are following European privacy standards.	Filed with the Irish DPC	Complaint (PDF) Attachments (ZIP)
14		18-AUG-2011	Deleted Friends. All removed friends are stored by Facebook.	Filed with the Irish DPC	Complaint (PDF) Attachments (ZIP)
15	18-AUG-2011	Excessive processing of Data. Facebook is hosting enormous amounts of personal data and it is processing all data for its own purposes. It seems Facebook is a prime example of illegal “excessive processing”.	Filed with the Irish DPC	Complaint (PDF) Attachments (ZIP)
	16	18-AUG-2011	Opt-Out. Facebook is running an opt-out system instead of an opt-in system, which is required by European law.	Filed with the Irish DPC	Complaint (PDF) Attachments (ZIP)
	24-AUG-2011	Letter from the Irish DPC.		Letter (PDF)
	15-SEPT-2011	Letter to the Irish DPC concerning the new privacy policy and new settings on Facebook.		Letter (PDF)
17	19-SEPT-2011	Like Button. The Like Button is creating extended user data that can be used to track users all over the internet. There is no legitimate purpose for the creation of the data. Users have not consented to the use.	Filed with the Irish DPC	Complaint (PDF) Attachments (ZIP)
18	19-SEPT-2011	Obligations as Processor. Facebook has certain obligations as a provider of a “cloud service” (e.g. not using third party data for its own purposes or only processing data when instructed to do so by the user).	Filed with the Irish DPC	Complaint (PDF) Attachments (ZIP)
19		19-SEPT-2011	Picture Privacy Settings. The privacy settings only regulate who can see the link to a picture. The picture itself is “public” on the internet. This makes it easy to circumvent the settings.	Filed with the Irish DPC	Complaint (PDF) Attachments (ZIP)
20	19-SEPT-2011	Deleted Pictures. Facebook is only deleting the link to pictures. The pictures are still public on the internet for a certain period of time (more than 32 hours).	Filed with the Irish DPC	Complaint (PDF) Attachments (ZIP)
21		19-SEPT-2011	Groups. Users can be added to groups without their consent. Users may end up in groups that lead other to false impressions about a person.	Filed with the Irish DPC	Complaint (PDF) Attachments (ZIP)
22	19-SEPT-2011	New Policies. The policies are changed very frequently, users do not get properly informed, they are not asked to consent to new policies.	Filed with the Irish DPC	Complaint (PDF) Attachments (ZIP)

[FritzG]

Sorry about that last format, one can work around the formatting.

Overall, one does leave a large footprint out there, while surfing.

[Inyo-Mono]

BTTT.

[freedumb2003]

>>Overall, one does leave a large footprint out there, while surfing.<<

Not if one ensures one’s profile is as thin on details as possible. 99% of my surfing is 100% under non de plume inlinkable to RL. The other 1% is FB (for family and close friends only — I reject most requests for Friending) and the only info on there is my RL name — no DOB, no sex, no nothing.

[packrat35]

Not for those of us who never signed up or go to Facebook.

[MrEdd]

not exactly part of usual ping lists, but of note.

[Conservative4Life]

Not for those of us who never signed up or go to Facebook.

My sentiments exactly, I don’t do internet social networking, I do it the old fashioned way... Face to Face

[VeniVidiVici]

Wow! Imagine that! Stuff you post on the internet stays on the internet!

[Little Pig]

Less than 3 weeks until “Anonymous” allegedly will hack Facebook (Nov 5). As a matter of interest, Facebook was built using a MySQL database (a free implementation of SQL). MySQL was never intended to be used for such a gargantuan volume of data, so Facebook had to break their database into a bunch of interlocking segments that are (apparently) constantly on the verge of collapse. There’s no way Facebook could cleanly migrate off of MySQL to any other database implementation, since they would essentially have to build the new structure from scratch, then populate it with the data from the old system. Further, pretty much the only database systems capable of realistically handling Facebook are Oracle and MS-SQL, and you can imagine the ass-rape Facebook would suffer in licensing costs for going with either of those, so expect Facebook to get more and more unstable, and more disorganized (and more impossible to get the data people like this guy are requesting) as time goes on. Eventually, it will collapse under its own weight; that’s inevitable at this point.