
Getting my personal data out of Facebook - mpweiher
https://ruben.verborgh.org/facebook/
======
drcongo
Discussed previously here:
[https://news.ycombinator.com/item?id=19959064](https://news.ycombinator.com/item?id=19959064)

------
megous
Quality redaction:

[https://www.asktheeu.org/en/request/5496/response/18228/atta...](https://www.asktheeu.org/en/request/5496/response/18228/attach/5/Cover%20and%20letter%20Ms%20Sandberg%20redacted.pdf)

------
llamataboot
Does anyone know if /anyone/ has successfully gotten a large chunk of the data
FB stores about them from them since GDPR went into effect. I vaguely remember
reading some story of "thousands of pages of print-outs"

\--

I wonder how much of this is simply that no one outside of FB has ever seen
large chunks of the data that is stored an worries about a PR crisis?

\--

Kudos to the author, but I'm guessing that at some point this will have to go
to some sort of legal battle as FB may have a /novel/ interpretation of the
law, but clearly that interpretation was not made up on the fly by a customer
support email person....

~~~
throwaway2022
former FB employee here

There is a retention policy for every bit of data we store and no data is kept
longer than absolutely required! This is also true for backups!

We also anonymize and aggregate data whenever possible!

Some people always bring up that the data still exist in abstract form in ML
models...but afaik most/all models were constantly rebuild with fresh data. I
can't think of a model that still uses data from let's say 2 years ago.

Sensitive data such as location for example was only kept in encrypted form
for a few minutes until the aggregation jobs had processed it. Such data
stores were guarded like fort knox with multiple lines of defense!

~~~
tlavoie
You would think then, that Facebook would make it easier to actually go and
delete old data, rather than forcing the most motivated people to go through
hoops such as browser plugins and other scripts.

If it doesn't matter to the business, then just give people the option to set
a sunset period and have the system do it for them. As a user, I was happy
enough sharing pictures of cats and nature hikes, but there was zero value to
me in keeping any of it. With all the obvious, public screw-ups, I took the
nuclear option and deleted my account.

------
3xblah
"Unfortunately, that tool only gives me all of the data I put on there myself.
So nothing I didn't already have. After all, why would I leave my only copy of
a photo on Facebook? So no, this tool does not allow me to exercise my GDPR
rights."

When the author is visiting a website that hosts a "Like" button, the author's
web browser makes a request to Facebook's (httpd) servers for the button
image. He then sends data to Facebook in HTTP headers. If he uses third party
DNS service, it is possible he could also be sending part of his IP address,
i.e., location data, to Facebook's (authoritative DNS) servers in the DNS
request packet. For example, see [https://developers.google.com/speed/public-
dns/docs/ecs](https://developers.google.com/speed/public-dns/docs/ecs)

Did the GDPR drafters consider that data?

~~~
atoav
Personal data is anything that can be linked to your person in the context of
the GDPR. Doesn’t matter if they store your IP or the movements of your
mousepointer or your user agent, it is all personal data, unless they store it
in a way that can’t link back to you (e.g. just counting the number of
useragents of each kind).

And the author is right. There is with high certainty _a lot_ of data about
you that you didn’t explicitly upload and I don’t see why facebook shouldn’t
give it to him.

I see why they don’t _want_ to give it to him (because it would show the
extent of their data collection), but exactly for that reason it is even more
important that they comply.

------
emptyparadise
Oh, gonna be fun to see how this plays out.

------
kerng
Yesterday someone mentioned that Facebook stores data offline on BlueRay -
wonder how they make sure records are deleted accordingly in that case.

Something tells me Facebook might see some rather big GDPR fines in future if
they can't successfully resolve these requests.

~~~
SoReadyToHelp
The typical approach is to keep the PII in the backups encrypted with a user-
specific key which is stored separately and can be deleted without touching
the backups. I'd expect Facebook to do the same, but who knows?

~~~
herpderperator
That's clever and interesting. What happens in the case there is a
vulnerability with the encryption method? Say, an exploitable backdoor or
general weakness is found. Or even quantum computing comes along and makes it
crackable? I guess in any scenario, since the data is not actually deleted,
just theoretically being able to access it would be a big liability to have,
no?

~~~
firethief
All of those problems are extremely theoretical, and nothing ever posted on
Facebook is private in any meaningful sense anyway.

~~~
szuze
>nothing ever posted on Facebook is private in any meaningful sense anyway

That's false.

