
Belgium Tells Facebook to Stop Storing Personal Data from Non-Users - dedene
http://www.bloomberg.com/news/articles/2015-11-09/facebook-told-to-stop-storing-personal-data-from-belgian-surfers
======
numair
Just so people are clear --

Even if you are not using Facebook, even if none of your friends ever use
Facebook or tag you in any content, Facebook is maintaining a shadow profile on
you. They have your web browsing habits from the Like button, and in many
countries (such as the United States) they have bought data from data brokers
such as Datalogix to gain access to your grocery store purchases and other
data. They can sell you as an audience on behalf of other sites/apps if they
choose (they aren't doing this now, but they could), and they can continue to
use third party mechanisms to keep close tabs on you. They might not know you
by name, but they definitely know you by many other identifying traits.

I would be very interested to see the results of a European data request by a
non-Facebook-user in a country where Facebook has been aggressive in cutting
data brokerage deals. Maybe the UK or something. We can get a lot of feel good
rhetoric from the company's PR and employees, but nobody really knows what is
collected and stored. (Of course, the company could say "we don't have data
for anyone with that name," which would be factually correct.)

There is another comment here that is completely wrong in asserting that
Facebook only tracks you insomuch as is required to help your friends make use
of the site. This fantasy notion might make people feel better about making
use of the site -- sort of like how consumers of H&M will reason that "those
Bangladeshi girls really needed the job" -- but it isn't the truth.

~~~
tombrossman
Facebook explicitly deny creating 'shadow profiles' and I'm not aware of any
proof that they do so, have I overlooked this somehow?

I was interested in this too, and I'm in Europe and submitted a formal request
for data. I've never used Facebook but because I'm active in a number of
community groups, my name comes up on the occasional Facebook page and I'm in
photos taken at some events.

At the time I was using a catchall email address so I entered facebook@(my-
domain-dot-tld) which is all they used to search for a match. Because that
wasn't a real email address I wasn't surprised that in their response they
claimed to hold none of my personal data, though that seems a bit weaselly.

Here is their email reply from 2013:

Hi,

We've received your request for information about the possible storage of your
personal data.

There isn't a Facebook account associated with the email address from which
you are writing. This might be because you don't have a Facebook account or
because you already deleted your account. In either of these cases, we do not
hold any of your personal data.

Please refer to our Privacy Policy (also called “Data Use Policy”) for more
information:

[https://www.facebook.com/about/privacy](https://www.facebook.com/about/privacy)

It contains a description of:

- The categories of data being processed by Facebook
- The personal data that Facebook receives from Facebook members
- The purpose or purposes of the processing of such data
- The source or sources(s) of the data, if known
- The recipients or categories of recipients to whom Facebook members’ personal data are or may be disclosed

If you're referring to an account associated with another email address,
please use that email address to file a new request:

[https://www.facebook.com/help/contact/?id=166828260073047](https://www.facebook.com/help/contact/?id=166828260073047)

Once we receive your request, we'll take further steps to assist you.

Thanks, The Facebook Team

~~~
DanBC
I suspect that you need to ask a very specific question to get Facebook to
reveal what they collect about you.

And I think there's a bunch of information that the EU does think is personal
that Facebook thinks is not personal.

We probably need some researchers to send a bunch of requests in for different
types of data.

------
mtgx
What I find hilarious is that besides this being like the 4th or 5th time
Facebook got caught with this sort of tracking [1], and each time claiming
it's "only a bug" - which it also did when it got caught in Belgium this
spring [2] - it now comes and says "Wait a minute! We've been using this
umm...bug...for 5 years! We will appeal the ruling! We want to keep using
that...umm, bug." [3]

> The company is “working to minimize any disruption to people’s access to
> Facebook in Belgium,” she said.

Is that a threat? Why would there be a disruption? The ruling only affects
their tracking of _non-users_. Disruption to the non-users?!

Also, you know how they've also been saying for years that they would _never_
(ever!) use Like button tracking (which is just a - _pretty damn persistent_
- bug when tracking non-users, anyway) for advertising? Yeah, another lie
[4].

[1] [https://www.propublica.org/article/its-complicated-facebooks-history-of-tracking-you](https://www.propublica.org/article/its-complicated-facebooks-history-of-tracking-you)

[2] [http://www.itpro.co.uk/security/24324/facebook-okay-were-tracking-people-but-its-a-bug](http://www.itpro.co.uk/security/24324/facebook-okay-were-tracking-people-but-its-a-bug)

[3] [http://www.reuters.com/article/2015/11/09/us-facebook-belgium-idUSKCN0SY27220151109](http://www.reuters.com/article/2015/11/09/us-facebook-belgium-idUSKCN0SY27220151109)

[4] [http://www.technologyreview.com/news/541351/facebooks-like-buttons-will-soon-track-your-web-browsing-to-target-ads/](http://www.technologyreview.com/news/541351/facebooks-like-buttons-will-soon-track-your-web-browsing-to-target-ads/)

~~~
throwaway_1001
Thanks for the links! OgleFace not only has our best brains working on getting
people to click more ads, said brains are also whirring furiously justifying
why OgleFace has gone off the charts on the scale of 0 to creepy. Sad..

~~~
wiz21c
"Best brain", that's a very narrow definition. Best in what exactly?
Crunching some numbers? Doing nice css? I guess those brains are sub
standard when it comes to ethics...

------
Create
We begin therefore where they are determined not to end, with the question
whether any form of democratic self-government, anywhere, is consistent with
the kind of massive, pervasive, surveillance into which the United States
government has led not only us but the world.

This should not actually be a complicated inquiry.

[https://archive.org/details/EbenMoglen-WhyFreedomOfThoughtRequiresFreeMediaAndWhyFreeMedia](https://archive.org/details/EbenMoglen-WhyFreedomOfThoughtRequiresFreeMediaAndWhyFreeMedia)

[https://benjamin.sonntag.fr/Moglen-at-Re-Publica-Freedom-of-thought-requires-free-media](https://benjamin.sonntag.fr/Moglen-at-Re-Publica-Freedom-of-thought-requires-free-media)

Surveillance is not an end toward totalitarianism, it is totalitarianism
itself.

[http://www.bbc.co.uk/democracylive/europe-24385999](http://www.bbc.co.uk/democracylive/europe-24385999)

------
cm2187
One can see this as one more Belgian eccentricity, and the list is long. But
this is bound to generalise. The amount of data collected through tracking is
awfully intrusive. Between google, facebook, linkedin, and the hundreds of ad
networks, one can know pretty much anything there is to know on someone:
network of friends, political opinions, sexual preferences, health problems,
spending habits, etc. It is bound to become illegal ultimately, when
politicians finally get a clue.

I am not sure it would help however. Making something illegal only makes sense
if it's enforceable. Making tracking illegal is like making hacking into
systems illegal. If the offender is based in another country there is very
little one can do anyway. Therefore to me the solution has to be
technological. Encryption, strict first party cookies/data/javascript is the
only realistic response. The browser as it is is broken.

------
melted
How about not singling out FB and forbidding the same to Google and others as
well?

~~~
Maarten88
Yes, LinkedIn is another offender that I'm sure also does this, even more
aggressively than Facebook. They blatantly try to download your contact list
by directly asking your email password to build shadow profiles and propose
new contacts.

And I guess WhatsApp probably also used the same practice to grow their
network, using contact lists extracted from phones.

As I understand it, these practices are simply illegal in the EU and always
were. Regrettably, the billions that were made this way (mostly by US
companies) will probably never be returned.

~~~
peteretep

> And I guess WhatsApp probably also used the same
> practice to grow their network

... how would that work? I've never seen WhatsApp offer to let me message
someone who didn't have an account.

~~~
brazzledazzle
I think the idea of a shadow account is that you build the information on the
person (from disparate data points, like phone contacts) and their
connections. Then when they sign up they are presented with a list of people
that have them in their contacts. From a UX perspective it can be nice but I
can definitely see the privacy concerns.

------
eridal
so what are we waiting to deny third-party cookies?

~~~
cpeterso
Blocking third-party cookies breaks some websites, including some bank
websites. Then again, Safari on iOS and OS X defaults to only allowing first-
party cookies and websites must surely want their services to work on iOS..

Mozilla tried to adopt Safari's cookie policy for Firefox, but backed down
when the ad industry turned up the heat:

[https://blog.mozilla.org/privacy/2013/02/25/firefox-getting-smarter-about-third-party-cookies/](https://blog.mozilla.org/privacy/2013/02/25/firefox-getting-smarter-about-third-party-cookies/)

[http://www.computerworld.com/article/2495739/internet/ad-industry-threatens-firefox-users-with-more-ads-if-mozilla-moves-on-tracking-plans.html](http://www.computerworld.com/article/2495739/internet/ad-industry-threatens-firefox-users-with-more-ads-if-mozilla-moves-on-tracking-plans.html)

~~~
cm2187
Blocking third party cookies without blocking third party javascript is pretty
much toothless.

------
Kristine1975
>Facebook faces a fine of 250,000 euros ($269,000) a day

Facebook's net income in 2014 was US$2.94 billion, according to Wikipedia. I'm
not so sure they will care about a fine that low. Especially if they expect to
make more money by continuing to store non-users' personal data.

~~~
ladybro
Meh, $94MM a year is still probably not worth it just to store non-users' data
from Belgium.

~~~
cm2187
All they need is a simple filter by country of IP. The question is rather whether they
are willing to comply given that this may spread across Europe very quickly.

~~~
vidarh
It will spread.

Basically, if Facebook is really building up profiles of people, then the EU
standpoint is clear across the board that you don't even need to be able to
actually name the person from the data in order to be governed by the data
protection laws, and e.g. details like IP addresses that are not considered
personally identifiable by themselves easily become so when combined with
other data.

It is very unlikely that they are compliant anywhere in the EEA if they're not
compliant in Belgium.

Their argument that they're only subject to privacy laws in Ireland is a total
non-starter, as it "worst case" for Belgian authorities just means they'll
have to go after Facebook in Ireland, and given that all EEA countries have
privacy legislation closely modelled after the Data Protection Directive, it's
highly unlikely they'll get a better result there (and if they do, it'll get
appealed, and if they win an appeal, the law is likely to get changed.

If they are maintaining shadow profiles, then what they do is very, very
obviously at odds with the principles the Directive is based on). More likely
I'd expect Belgian courts to insist they have jurisdiction on behalf of
victims in Belgium.

In either case, as soon as this case is concluded, you can expect a bunch of
other EEA states to pile on.

------
scottshepard
Good.

------
GauntletWizard
How about we learn to deal with the fact that they're not storing data that is
yours in the sense of ownership, but only in the sense that it's about you?
They're not storing data for no reason; They are storing data their customers
have provided for the purposes of contacting you. They are storing data about
you for the people who, like it or not, you shared your data with.

The nasty 90s database-dump sharing is over; Companies hoard this data and
consider it their private treasure, not to mention the nasty and ill-
considered privacy laws that have already sprung up around sharing it.
Facebook is not selling your info to marketers; They are selling your eyeballs
to marketers if you use the service, and using your data to better target it.
For all the egregious offenses that Facebook is guilty of, this is not an
offense.

I have the right to a little black book. I have a right to a diary that calls
you names. I have a right to free speech, and sometimes your name is on my
lips.

~~~
gradys
> They are storing data about you for the people who, like it or not, you
> shared your data with.

Exactly.

I'll add that on a technical level, you aren't being tracked like a hunter
would track prey; your machine is being periodically asked to provide
identifying information, and you have it configured to automatically comply.

I get that most consumers of the web don't understand this, but it is the
truth.

This is what I find vexing about the EU cookie disclaimer law. Every
individual website owner has to add a message to their site letting you know
that they are going to _request_ that your browser store some information on
their behalf.

It makes me think about all of the manhours that could have been saved if the
law had instead required major browser vendors to include a feature enabled by
default that would prompt the user before storing cookies.

~~~
unabridged
> It makes me think about all of the manhours that could have been saved if the
> law had instead required major browser vendors to include a feature enabled by
> default that would prompt the user before storing cookies.

You only need a disclaimer for a permanent cookie, which should only be used
when you are logged into an account (and the disclaimer could just be part of
the ToS when you create the account). I blame the websites for using permanent
cookies when session cookies or no cookies would do the job.

------
throwawayaway
Good. But, I expect something unfortunate to happen to a high profile Belgian
company or official in the near future.

Of course, there's going to be no way for anyone to prove cause and effect
either way. If I'm wrong about the reason, my confirmation bias will convince
me otherwise.

