
Facebook Doesn’t Tell Users Everything It Really Knows About Them - colinprince
https://www.propublica.org/article/facebook-doesnt-tell-users-everything-it-really-knows-about-them
======
ForrestN
There must be many HNers who work at Facebook. Anyone willing to make a
throwaway account and tell us how it feels from the inside for Facebook to be
on the wrong side of so many ethical issues? It just seems like in so many
dimensions they've been caught saying wrong things or appearing to outright
lie, and I'm curious how developers who work for them think about aiding a
company that seems to be so compromised at the moment. Now that it's fairly
clear that the service doesn't serve any unique, unambiguously positive
purpose, what world-changing mission can you possibly decide that Facebook is
achieving these days?

~~~
closeparen
It's easy to forget on HN, but there is far from universal buy-in for the
notion that having or collecting data on people is unethical. Some may even
consider it _noble_ to optimize and perfect the world and its institutions
(including commerce, via efficient advertising) using large-scale personal
data.

The impulse to make something better by applying a database engine that you
might feel for business processes, can just as easily be felt for customer
interactions or the world at large.

For an interesting (and very critical) look at this philosophy I recommend The
Circle by Dave Eggers.

~~~
lithos
The US doesn't have the privacy parts of WWII in memory. Where govt workers
had to scramble to destroy what data they could before it was seized, where
fire fighters let document storage burn as long as possible because it had
census data, where others were forced to go through govt. data to sentence
neighbors to death, and similar hero/horror stories.

I feel that the IT world is irresponsible in its collection of data, and
doesn't treat it as the liability it is.

(What's the proper word for old data/information before computers)?

~~~
drunken-serval
> I feel that the IT world is irresponsible in its collection of data, and
> doesn't treat it as the liability it is.

A lot of that is due to a lack of training. There's two major ways new people
come into programming.

1. Go to college, get a computer science or engineering degree.

2. Self taught.

Neither of those prepares you to deal with the ethics of information storage.

I happened to have an entire course on the topic but only because I took an
Information Science minor with my Computer Science major. That course wasn't
even an optional elective for me otherwise.

A computer science degree trains you for thinking how to do something. It
doesn't teach you how to figure if you should do something.

~~~
pluma
You can be lucky if a college education in CS/SE teaches you about open source
licensing, even more so if it deals with privacy in any way.

IMO every SE curriculum should contain a mandatory course looking into
historical precedents how information was used in genocides and oppressive
regimes (Nazi Germany and the German Democratic Republic are two of the most
obvious examples but there are plenty others).

It's ridiculous how it took Trump to get elected for the liberal techies in my
Twitter stream to realise that the US government has the power to do really
bad things with all the data FB & friends have been collecting.

------
soared
You can replace "Facebook" with thousands of other companies. Everyone is
doing this because the cost is low, it's easy, and the return is massive. The
sole service my roommate's company does is match your customer with data about
them from countless other sources.

If you want a peek into a small section of this type of data, go build a
facebook ad. You can see all the targeting options. You can upload a list of
email and build a "look a like" audience of people who are similar to your
customers.

A company called cartalytics will let a brand purchase lists of people who
have bought a specific product in the past 6 months and show them ads. Ex. If
you've bought a big mac (with a credit or debit card) in the last month, I can
show you McDonalds ads.. but they are super expensive.

~~~
ForrestN
Apple, for example, seems quite committed to competing on the fact that they
_do not_ do this...

~~~
malz
Apple has plenty of its own ethical issues, starting with 350,000 Chinese
workers paid $1.90 an hour in dubious conditions.

~~~
GuiA
Well, that particular issue is not really Apple's "own" - pretty much every
single tech company on earth benefits from cheap foreign labor.

But then they'll tell you that these employees are very happy to work at such
factories, because they make way more money than they would ever make on the
farm in their hometown, and often work there a year or two to save as much
money as they can before moving back to where they lived before.

(Apple actually does way better than most other companies on that front - see
http://www.apple.com/supplier-responsibility/)

Does it open an entire rabbit hole about the ethics of globalization? Sure. Is
it a strictly black and white issue? ...heh.

------
quadrangle
I know this is too late to get noticed much, but here's the truth:

This is a race-to-the-bottom. Everyone in this whole area has to compete with
whoever is the scummiest exploiter unless they really go out of their way to
sell their service with privacy and ethics as the top feature. So, some
ethical niche services can exist, but meanwhile, everyone else is screwed, and
network effects make any niche thing stay pretty irrelevant.

The only way to avoid races-to-the-bottom in a competitive market is with real
enforceable regulation that outlaws the worst shit and requires truly
effective disclosures otherwise. That's not easy, sometimes it's impossible,
and it often has major negative side-effects and problems, but whether or not
we determine that regulation is worth it or not, we know that races-to-the-
bottom are a real thing, so we can give _some_ leeway that each company isn't
actively _trying_ to be malicious — they are just competing in a race-to-the-
bottom situation (and we can reject the dogmatic free-market people who deny
that this and all sorts of other natural market-failures exist).

~~~
Taek
I agree that it's a race to the bottom but not that regulation is a way out.
There are too many services employing too many engineers, and furthermore
governments benefit from this massive surveillance. They pay for the results,
and the direction in government today is towards less privacy, not more.

And if you do win the regulation battle, you only win it for the current
generation of tech. There will be more, and every decade the power of
information collection will get stronger.

I believe that we need to embrace the loss of privacy and ask ourselves how to
transition to a world where one's personal history and daily life is freely
available to the general public. I give it 30 years until we get there. The
tech is certainly not going away.

~~~
eriknstr
> I agree that it's a race to the bottom but not that regulation is a way out.
> There are too many services employing too many engineers, and furthermore
> governments benefit from this massive surveillance. They pay for the results,
> and the direction in government today is towards less privacy, not more.

In Norway we have an independent administrative body of the government called
Datatilsynet, known in English as The Norwegian Data Protection Authority.
Wikipedia has a very short article about it in English [1] and a longer
article in Norwegian [2]. For a translation of the Norwegian article, see [3].

Notably, the King and the Ministry may not instruct or reverse Datatilsynet's
exercise of authority in the individual case according to law.

So while some parts of a government might want to maximize data collection and
surveillance, it is still possible to have other bodies of the government work
to protect the privacy of its citizens.

[1]: https://en.wikipedia.org/wiki/Norwegian_Data_Protection_Authority

[2]: https://no.wikipedia.org/wiki/Datatilsynet_(Norge)

[3]: https://translate.google.com/translate?sl=auto&tl=en&js=y&prev=_t&hl=en&ie=UTF-8&u=https%3A%2F%2Fno.wikipedia.org%2Fwiki%2FDatatilsynet_%28Norge%29&edit-text=&act=url

------
caconym_
> Facebook Doesn’t Tell Users Everything It Really Knows About Them

I've been saying this for years. It's pretty clear that if Facebook told
regular users just how much they knew, those users would be seriously creeped
out (though, these days, probably not creeped out enough to do anything about
it). I expect that another example of this would be the ability of their
facial recognition system and the breadth of the database behind it.

Users are Facebook's product, and they should expect to be treated as such.
The Facebook site and associated services are just infrastructure designed to
a) collect information on users and b) give advertisers optimal access to
those users.

edit: also, obviously, Facebook is not the only company engaged in this sort
of thing. It's all around us.

~~~
wallacoloo
When you download the archive of personal data Facebook shares with you, it
includes some facial recognition data. Specifically, it gives 3 "Threshold"
decimal values. Does anyone know what these numbers mean?

I read up on "eigenfaces", and it sounds like Facebook is most likely
subtracting my face from the mean and then projecting it onto N different
face-like and orthogonal images to obtain numbers like this, and so these
numbers would represent the weights used to reconstruct an approximation of my
face from a linear combination of basis images. But N=3 is way too small for
this method to be useful. It seems silly to share these values with a user but
not tell them what it means.

~~~
IshKebab
Facebook has far more sophisticated facial recognition systems than
Eigenfaces, based on deep neural networks.

------
mattbee
Facebook have to respond to Data Subject Access Requests in the UK, which
oblige them to send you every piece of personally-linked information - for a
maximum £10 fee.

I did this with my bank a few years back and got back a box file full of
credit scores, lending decisions and other stuff they'd never normally expose.
Facebook's data for a busy user is going to be enormous by comparison - has
anyone done this lately (and published / summarised the results?)

~~~
xg15
Max Schrems filed a request via the Irish Data Protection Commission a few
years ago and explains the returned data at [1].

Since then, however, the commission seems to have simply stopped processing
requests, without any legal justification to do so [2].

[1] http://www.europe-v-facebook.org/EN/Data_Pool/data_pool.html

[2] http://www.europe-v-facebook.org/EN/Get_your_Data_/get_your_data_.html

------
kminehart
That might explain a pretty creepy thing Facebook did the other day to me.

I just created a new Facebook account after maybe 4 years of radio silence.
Two years ago, I had a job doing IT contracting; often I would go to
businesses and repair laptops or run cable to a COM room. We had very very few
residential clients since they weren't worth our time; the few that we did
have were really just courtesy for doing business for so long. I went to one
resident's home a SINGLE time, hardly interacted with the man, and he
definitely did not know my last name.

Guess who pops up on my "Suggested friends", with no mutual friends or place
of work or any similar "liked" pages? Yeah, that one client.

Similarly, we worked in a small office in a cold storage facility, and
Facebook also suggested that I add their accountant as my friend.

It's really creepy, but if Facebook was able to know that I worked at that
employer then it's possible that it was able to make the connection.

~~~
dublinben
The most common source of those suggestions is phone contacts. Anyone using
the Facebook (or Instagram) app is sending them a copy of their entire address
book to be used for network mapping purposes.

~~~
bagacrap
I don't know if this is still true given the permissions model on Android
(don't know about iOS). I just checked IG and it only has access to storage.
Contacts, SMS, microphone, etc are not enabled.

~~~
marcosdumay
WhatsApp can read your contacts.

------
emptybits
> "He said users can visit a page in Facebook’s help center, which provides
> links to the opt-outs for six data brokers that sell personal data to
> Facebook."

The link provided is:
https://m.facebook.com/help/494750870625830?helpref=uf_permalink

LOL. The amount of personal information requested at those "opt-out" links is
suspicious and/or ironic.

Examples of information requested to "opt-out" of the USA partners' reach
include: Social Security Number (!), date of birth, "all variations" of full
name, all recent mailing addresses, ... (!!)

~~~
yalooze
I thought that at first too. But they want to make sure they're removing the
correct person. I don't know how else they could do it.

~~~
username223
They're surveillance companies, so they could probably figure that out based
on device fingerprinting if they wanted to. Or they could just remove every
record matching the request, since no sane person actually wants to be in
their database. But of course neither of those things will ever happen, for
obvious reasons.

------
bogomipz
> "For instance, opting out of Oracle’s Datalogix, which provides about 350
> types of data to Facebook according to our analysis, requires “sending a
> written request, along with a copy of government-issued identification” in
> postal mail to Oracle’s chief privacy officer."

This is outrageous. Why is the onus on a user who never gave permission to a
data broker in the first place? They deal in the digital domain when it comes
to selling your data, but when it comes to consumers' rights and concerns they
operate exclusively via snail mail?

Don't expect this to change any time soon. These brokers have the US
Electorate in their pocket. Bought and paid for.

~~~
nxc18
It isn't your data. It is their data about you, which is a very important
distinction.

Facebook and Oracle aren't the bad actors here, if you think there is a bad
actor. The baddies are the people giving Oracle (and others) that data about
you.

(And now I have to hang my head in shame for saying something that sounds like
it is a defense of Oracle. They're baddies for many, many other reasons, just
not this one)

~~~
kuschku
If you’re an EU citizen, by law, all data about you is owned by you, and only
by you. That includes personal data, but also any intellectual property you
create, and is irrevocable (you can sell usage rights, but never the ownership
rights).

So, yes, they have a legal responsibility to not have that data about you, and
you can at any point require any company to delete any and all data they have
about you, or created by you, and any data derived from it (oops, does that
mean training neural networks on your private data means they have to be
deleted, too?)

~~~
nxc18
That seems particularly absurd (which isn't to doubt you, but as much as I
like the EU, they have some absurd policies). If you take a very narrow view
of data as just bits on a hard drive somewhere, then this seems reasonable.

But if the ownership right to your data is centered on the information itself,
and not the company part, that raises issues. I can't simply destroy the
memory of reading the message you wrote - is someone to cudgel me until I do?
If I write in my diary that I saw xyz person walking down the street and they
had blue hair, could they demand that I destroy the entry? Would they have to
know about the diary entry before they could make such demands, or could they
simply say, "destroy all information regarding me"?

Further, as I understand it, municipal security cameras are in wide use,
particularly in European cities. Could I demand that the city/town/council/etc
delete all footage of me ever? Could I deny them permission to make those
recordings?

And last but not least, how on earth would this stance on data ownership not
ruin data retention? E.g. this would seem to open up a pretty big hole where I
could commit fraud or launder money, and then demand that my bank destroy the
evidence.

These are all awkward questions that come up when you try to protect very
broad definitions of privacy. Privacy is a thoroughly unnatural concept; in
the physical world, it takes a lot of work to do anything in private, and even
then, you're just making it easier for people to avoid stumbling on what
you're doing.

~~~
pluma
It's simple: you don't get to store data unless there's a technical
requirement to keep that data stored to provide whatever service a user signed
up for.

If a user didn't agree to their data to be stored in the first place, you
don't get to retain it at all.

Whether you can discard data about a user "against their wishes" is likely
covered by your terms of service. If you're a commercial hosting provider,
there's probably a higher barrier than if you're a free doodling website. This
has nothing to do with privacy, though.

If a user tells you to destroy their information, you need to destroy all
information about them. There's obviously some wiggle room (e.g. if you keep a
flat "view count" on an article, there's likely no way to argue that you
should have to deduct the user's views but if you're keeping a record of
"views" linked to user IDs the user ID may still be personally identifiable if
it can be correlated with other data).

But most companies fail at deleting even the most obvious data. If you
"delete" someone's account and they're unable to sign up with the same
username or e-mail address again, you're likely not properly deleting
information.

And that's if you even offer the option of deleting an account at all. It's
horrifying how many (especially American but sometimes even EU) websites don't
offer any such option at all or even simply offer an option to "close" an
account, marking it as disabled but still retaining all data forever.

> Could I demand that the city/town/council/etc delete all footage of me ever?

Yes. Security cameras have strict regulations and generally recordings have to
be destroyed eventually unless there's a good reason to keep them (e.g.
they're part of a criminal investigation). This even extends to police
cameras: if a police officer makes a recording (e.g. at a demonstration) and
the recording isn't relevant to any investigation, you can ask for it to be
destroyed ASAP (rather than waiting for them to destroy it). This also extends
to other information like your name and address.

> I could commit fraud or launder money, and then demand that my bank destroy
> the evidence.

There are special laws for financial transactions and criminal investigations.
There is such a thing as a "permanent record" but it is clearly defined what
goes on it and what doesn't (and at what point it has to be destroyed). There
are also very strict laws for handling such information, similarly to the
strict PCI rules for handling credit card information.

You're basically arguing that privacy is a slippery slope but in reality it
isn't. Privacy may be an "unnatural" concept but the expectation of privacy is
a human right (like, officially, as part of the UN Declaration of Human
Rights). The EU actually has very few "absurd" policies -- most of them only
appear absurd when taken out of context. I assure you that EU privacy laws are
not part of them.

Except for the cookie notice. That's not only ineffective but outright
ridiculous.

~~~
kuschku
Well, the cookie notice also only is ridiculous if taken out of context.

You literally have the cookie notice in your post, too, as the law simply
states:

If you collect any tracking data about a user that's not technically required,
you have to let them opt in.

This obviously means tracking cookies have to be opt in, and that's how the
cookie notice came to be.

Technical cookies, such as login cookies, are exempt, obviously, but other
tracking methods, such as storing in localStorage are included.

~~~
pluma
True, but I would argue that the _idea_ of cookie notices is good but the
execution is poor.

This is one of the few situations where a technical solution would have been
better, e.g. having each cookie come with a specified purpose and letting the
browser prompt per issuer and displaying the purpose to the user:

* 3 cookies from ads.google.com: "Personalizing the advertisements you see on this page" [Allow] [Deny]

* 1 cookie from share.facebook.com: "Social media integration" [Allow] [Deny]

* 1 cookie from analytics.example.com: "Anonymized site analytics. For more information see http://example.com/privacy. We value your privacy." [Allow] [Deny]

* 1 cookie from www.example.com: "Keeping you logged in as kuschku on www.example.com" [Allow] [Deny]

But this would require passing an actual web standard and getting browser
vendors on board (and Chrome has a conflict of interest making them unlikely
to support it without sufficient pressure).

This would have satisfied the legal requirement without creating the obnoxious
obligatory "Please click 'okay' or we'll keep showing this message on every
page" experience we have now. It would also be less error-prone because the
failure state would be "users might deny unjustified cookies" rather than
"site will send cookies regardless" when not implemented correctly.

Besides, browsers already ask for permissions for things like desktop
notifications or geolocation.

EDIT: I'm not saying this shouldn't have been passed into law. I'm saying the
EU should have involved browser vendors and investigated a technical solution
before making the notices mandatory. Compliance would have then been easier
("just add these headers") and adoption would have been faster ("it's easy to
fix and it's the law").

EDIT2: Unlike the old Semantic Web problem of websites being liars I don't
think deceptive purpose statements for cookies would have been a noteworthy
issue because it would be literally against the law in the EU to deceive
users. It would also have imposed the burden on the actual cookie issuers and
created incentives for EU websites to hold their advertising providers
accountable to comply with EU laws (rather than build a kludge around them to
make their scripts opt-in).
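
The per-issuer prompt proposed in the comment above, sketched as an added example (not code from the thread or from any browser). It assumes a hypothetical `Purpose` attribute on `Set-Cookie`, which no cookie standard defines; the cookie names and the `tracker.example` host are constructed sample data.

```javascript
// "Purpose" is a HYPOTHETICAL Set-Cookie attribute used only for this sketch;
// no cookie standard or browser defines it.

// Parse one Set-Cookie header value into its name and declared purpose (or null).
function parseSetCookie(header) {
  const parts = header.split(";").map((p) => p.trim()).filter(Boolean);
  const first = parts[0] || "";
  const eq = first.indexOf("=");
  const name = eq === -1 ? first : first.slice(0, eq);
  let purpose = null;
  for (const attr of parts.slice(1)) {
    const i = attr.indexOf("=");
    if (i === -1) continue; // flag attributes such as Secure or HttpOnly
    if (attr.slice(0, i).trim().toLowerCase() === "purpose") {
      const value = attr.slice(i + 1).trim().replace(/^"(.*)"$/, "$1");
      purpose = value.length > 0 ? value : null;
    }
  }
  return { name, purpose };
}

// Group cookies into one prompt per (issuer, purpose). Cookies that declare no
// purpose never reach the user: they are rejected outright (fail closed).
function buildPrompts(responses) {
  const prompts = new Map();
  const rejected = [];
  for (const { issuer, setCookie } of responses) {
    for (const header of setCookie) {
      const { name, purpose } = parseSetCookie(header);
      if (purpose === null) {
        rejected.push({ issuer, name });
        continue;
      }
      const key = issuer + "\n" + purpose;
      if (!prompts.has(key)) prompts.set(key, { issuer, purpose, cookies: [] });
      prompts.get(key).cookies.push(name);
    }
  }
  return { prompts: [...prompts.values()], rejected };
}

// Render a prompt in the shape used in the comment above.
function renderPrompt(p) {
  const n = p.cookies.length;
  return `${n} cookie${n === 1 ? "" : "s"} from ${p.issuer}: "${p.purpose}" [Allow] [Deny]`;
}

// Apply the user's answers: only cookies from explicitly allowed issuers are
// stored, so an unanswered prompt behaves like a denial.
function storedCookies(prompts, allowedIssuers) {
  return prompts
    .filter((p) => allowedIssuers.has(p.issuer))
    .flatMap((p) => p.cookies.map((name) => `${p.issuer}:${name}`));
}

// Constructed sample responses (cookie names and values are made up).
const SAMPLE = [
  { issuer: "ads.google.com", setCookie: [
    'id=a1; Secure; Purpose="Personalizing the advertisements you see on this page"',
    'seg=b2; Purpose="Personalizing the advertisements you see on this page"',
    'freq=c3; Path=/; Purpose="Personalizing the advertisements you see on this page"',
  ] },
  { issuer: "share.facebook.com", setCookie: ['fr=d4; Purpose="Social media integration"'] },
  { issuer: "analytics.example.com", setCookie: ['aid=e5; Purpose="Anonymized site analytics"'] },
  { issuer: "www.example.com", setCookie: [
    'session=f6; HttpOnly; Purpose="Keeping you logged in as kuschku on www.example.com"',
  ] },
  // No declared purpose: dropped without ever prompting.
  { issuer: "tracker.example", setCookie: ["uid=g7; Path=/"] },
];

const result = buildPrompts(SAMPLE);
for (const p of result.prompts) console.log("* " + renderPrompt(p));
console.log("rejected:", result.rejected.map((r) => `${r.issuer}:${r.name}`).join(", "));
console.log("stored:", storedCookies(result.prompts, new Set(["www.example.com"])).join(", "));
```
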

------
owly
1. Of course! 2. It's not too late to delete your account. Go for it! 3.
Block it all!
https://github.com/jmdugan/blocklists/blob/master/corporations/facebook/all

~~~
politician
Unfortunately, one should not believe that deleting your account removes the
underlying data. The actual operation is probably more like, "set a bit that
prevents anyone from logging in to this profile."

~~~
dade_
True, but I deleted my account 2 years ago, so at least they have a lot less
info during that time. Also, I don't miss it at all, not even a little bit. I
think it offers no value for my time, let alone data. I am not sure why I am
still on Twitter, but Snapshot has been entertaining and LinkedIn invaluable.

~~~
lisper
> at least they have a lot less info during that time

How do you know? If FB can't be trusted to actually delete your account (and
they can't) how can they be trusted to stop collecting data on you?

~~~
x1798DE
Presumably if you've cleared your cookies and you use an adblocker, their
ability to reliably track your activity goes way, WAY down.

In addition to the standard protections of the adblocker and privacybadger, I
also generally set a full block on all content from facebook[.com/.net] and
any identifiable facebook subdomains. I really have no use for facebook, so it
is zero imposition on me, and if I ever want to view something on facebook, I
can open up a new private window in an alternate browser as a one-off (or, if
I'm feeling paranoid, spin up a VM).

~~~
lisper
All of those precautions are orthogonal to deleting your FB account. You can
do all of those things without deleting your account (only log in using an
incognito window). Deleting your account may or may not change anything with
regards to FB's collection of information about you. There is simply no way to
know because it is entirely up to FB what the semantics of deleting your
account actually are.

------
throw2016
I think this forum has to recognize a lot of work being done in the valley
especially Google and Facebook is ethically questionable and seeking to brush
it under the carpet or 'normalize' it perpetuates a dissonance. For starters
the whole mythology of liberal freedom loving nerds sits in stark contrast to
the reality of actively developing and enabling authoritarian technologies.

The curious consequence of the willful ignorance on one's own actions is the
continued posturing and stark dissonance in expecting ethical behavior from
other segments of society. If you can't behave ethically you can't expect it
from others.

That level of dissonance is untenable and ultimately every intelligent person
has to realize not recognizing and confronting unethical behavior is a race to
the bottom and will reflect in every aspect of life around you.

------
j2bax
Is there anyone out there making a paid, zero advertising/data collecting
social network? What if this service allowed you to buy access for 50 of your
closest friends and family? I would think if it was executed properly and you
provided a standard "I'm deleting Facebook and here is why, apply to join my
paid for network group" post people would consider making the jump. I know
there's a lot to Facebook and I wouldn't expect some new company to stack up
feature for feature. Just give me chat, text/image posts and the wall and I
will be happy that I can keep up with my close friends and family. I wouldn't
be entirely surprised or disappointed if Apple attempted something like this
on their Messages platform but I would just hope they'd make it accessible to
all phone/computer/tablet users.

~~~
frik
Facebook will censor/shadow-ban such a "good bye" post. It won't show up at
most of your friends' news feed. You also cannot advertise a competing social
network. The same goes for private messages to more than a few people. Even if
you try to write a separate message to everyone, if it contains the same link
or a similar text body, most of your friends will never see the message you
wrote. That's all automatic. And for photos, they have a semi-automatic review
process in place, with an army of contracted FTEs working in low paid
countries to scan photos (there was a news story about that recently). I
wouldn't be surprised if their other properties like WhatsApp and Instagram
are monitored and censored/shadow-ban in a similar fashion nowadays.

~~~
olejorgenb
Source for some of the parent's claims:
http://money.cnn.com/2015/11/05/technology/facebook-tsu/

------
lalos
Sort of related, have people noticed or have they officially announced that
they are tagging photos on the alt html field with a description of the actual
photo? It's pretty accurate with texts like "two people smiling, with baby".

~~~
petters
https://code.facebook.com/posts/457605107772545/under-the-hood-building-accessibility-tools-for-the-visually-impaired-on-facebook/

------
creepydata
It's creepy how much companies know about you.

When I got married my husband pretty much immediately showed up as my spouse
on my transunion credit report as my spouse. How did they know that? Our names
are different. At the time we didn't have any loans together. We lived
together but so do siblings and roommates. We didn't register for any wedding
registries or send out any announcements. Our wedding consisted of signing
some paperwork at city Hall. They also marked me as "Active Duty Military or
Dependant" (hubby is in the army so I became a "dependant" when we got
married). So the only logical explanation is transunion can access DEERS, but
I would hope the DoD doesn't allow random private companies access to DEERS...
They DO have a website where you can lookup if someone is covered under the
SCRA but dependants aren't covered under the SCRA and don't show up when
queried (I tried).

Again this is my credit report. I didn't report a change in my marital status
to any of my financial institutions. Not banks, not credit cards, and we
already had a joint account for two years before we were married.

~~~
aub3bhat
Marriage is a legal agreement, the fact that you "signed some paperwork at
City Hall" is not at all a minor thing. The records are of course made
available to credit reporting agencies.

I don't know why you think this would be a creepy thing, social security and
credit scores are strongly connected to the legal and taxation system. It's only
obvious that the information gets connected. If tomorrow you were to divorce
and claim alimony/child support the wages and tax return of your spouse would
be garnished. How would that be possible without linking SSN?

~~~
creepydata
I don't know why you believe I am somehow confused about the legal agreement I
entered into with my husband. I am not, I know what civil marriage is. I
mentioned it to illustrate that we didn't have a venue or wedding planner so
they couldn't have made a newspaper announcement for us.

Transunion is a private for-profit company; it has nothing to do with Social
Security or the legal or taxation systems. Transunion gets its records from
institutions that _voluntarily_ report to it, as a business arrangement,
(credit card companies, mostly) or they pull from publicly available sources.
They don't have direct access to any private government (or non-government)
databases unless the owner lets them have access. The reason they collect
information about you is for their own business purposes. We aren't talking
about the IRS here.

In other words my spousal information got in some company's database somewhere
which was relayed to transunion, probably through a few other companies'
databases. It was surprising that information got to Transunion that fast
because, as I said in a reply to a sibling comment, marriage records do not
appear to be publicly available in my state. It's creepy to know how fast,
far, and wide random information about you spreads. It's also scary to think
about how false information about you can spread.

After reading this article it seems like that information almost could have
indirectly come from Facebook (we did update our status!)

~~~
aub3bhat
I think you misunderstand just how tightly integrated the credit reporting
system is with government. The fact that "Transunion is a private for-profit
company" is immaterial. or that it "only" gets information via "voluntarily
reports to it, as a business arrangement, (credit card companies, mostly)
pulled from publicly available sources" is plain wrong.

Just because some information is not "publicly available" does not mean
Government won't share it with third parties, especially credit bureau.

As far as information coming from Facebook posts that's just ridiculous.

~~~
creepydata
I'm not going to argue anymore because it's pointless but I'd like to see any
hard evidence my state reports directly to Transunion because they have no
reason to.

------
chriswwweb
It's funny that a newspaper criticizes Facebook's data mining practices ...
but when I opened the article on their website, my Privacy Badger addon told
me that 16 scripts had been blocked (facebook!, twitter, google analytics,
chartbeat, outbrain, pardot, ...). Then I read through the article and halfway
down they throw me a huge banner in the way telling me to like their page
on Facebook :/ So basically they preach something and do something else, they
are really a bunch of hypocrites!

~~~
username223
This could also be seen as a newspaper operating as it should: one group is
paid to report news, another is paid to sell ads, and they don't talk to each
other. Things are more complicated in real life, more so now that the news
people are under pressure to "generate viral content," but having creepy
trackers next to an article about creepy trackers isn't necessarily hypocrisy.

------
alanh
Ironically, I cannot read this article as I am immediately redirected to
[https://www.facebook.com/plugins/share_button.php?app_id=229...](https://www.facebook.com/plugins/share_button.php?app_id=229862657130557&channel=https%3A%2F%2Fstaticxx.facebook.com%2Fconnect%2Fxd_arbiter%2Fr%2FiPrOY23SGAp.js%3Fversion%3D42%23cb%3Df21dff110d4cfe%26domain%3Dwww.propublica.org%26origin%3Dhttps%253A%252F%252Fwww.propublica.org%252Ff944895a89fb34%26relation%3Dparent.parent&container_width=0&href=https%3A%2F%2Fwww.propublica.org%2Farticle%2Ffacebook-doesnt-tell-users-everything-it-really-knows-about-them%2F%3Futm_campaign%3Dbt_facebook%26utm_source%3Dfacebook%26utm_medium%3Dsocial&locale=en_US&sdk=joey&type=box_count&utm_mangled=fuckyeah)

(likely due to a script having a bad reaction with one of the browser
extensions granting me a small illusion of privacy)

------
mungoid
I can't speak for other countries, but why do American people seem to trust
companies more than they do the government? I mean, it is completely known
that companies are here to make money, and publicly traded companies are here
to please their investors so they will do whatever it takes to do that. They
study us, classify us, categorize us, manipulate us. They spend billions in
research so they can make that 'perfectly tailored' ad to get us to buy their
product. They are constantly buying our data and selling our data, JUST to
make their investors happy, and we seem to always just shrug it off.

'Meh.'

I am honestly more ok with the government having this data to keep tabs on me
than these hundreds of other companies treating my personal info like it's a
trading card.

~~~
chrischen
I think the reason is that government is vastly more powerful than any single
company.

~~~
mungoid
Yeah that's definitely true, and it is what makes me question a lot of why
they do what they do and distrust it generally. But would it be better if a
company was vastly more powerful than the government?

Actually, I think some companies kind of are in some aspects. They may not
have the military, but some definitely have a hand on the reins.

------
pwnna
Speaking of which, perhaps someone can shed some light on the suggested
friends feature. Many people suspected it uses GPS/Wifi to perform location
based friend suggestions, as well as contact book uploading. However, it
doesn't really explain my own case:

I recently encountered a friend suggestion for someone that I only know online
(IRC and later, Google Hangout). I don't really know who they are other than a
name (as exposed by GHangout). I've never met them as they are in a completely
different country. I don't have the facebook app and the messenger app is
forbidden to read my contacts as per CyanogenMod's Privacy Guard. I fail to
understand how FB can suggest this? The only possible reason I can think of is
when they searched my name on Facebook. How else can they do it?

~~~
junto
If they have your email address and they leaked it, then the same applies. You
get reverse suggestions.

The sad thing is that you can be completely privacy conscious, but if just one
of your friends, family or acquaintances uploads their contacts, and you're
part of that upload, they've screwed your privacy via the back door.

------
linkregister
When I read this article, I was expecting to see a description of what they
collect from users. But the real controversial and creepy part is what's
available from the data brokers.

The fact Facebook is aggregating all this to make for better advertising
options is discomforting, to be sure.

The most concerning aspect of the article is that these data brokers are able
to correlate my purchases. It seems inevitable that insurance companies will
take all of these individual data points into account: "We're sorry Mr.
Register, because you buy McDonald's every week we'll have to raise your life
insurance rates."

~~~
sixothree
I'm curious if it could be possible to buy this data on one's self. Maybe
someone could start a company that would allow you to find out this
information.

------
fritzw
This became painfully obvious when LinkedIn's algorithm started making
extremely circuitous connections that freaked people out. People in a relative
manner are painfully stupid, algorithms are ridiculously capable. The result
is freak out. Facebook being psychologically aware, protected its users from
the truth before it could be known. It was long ago that Google's Eric Schmidt
said "we are on the verge of predicting our users' thoughts". Google is just as
slick as Facebook.

~~~
laxatives
LinkedIn's incredible algorithm was reading your contact book without your
permission before those kinds of permissions existed or had any sort of
granularity between none and complete access.

------
tripzilch
> One Facebook broker, Acxiom, requires people to send the last four digits of
> their social security number to obtain their data.

This is just one of the many WTFs that Facebook apparently actively supports.

In what world, what possible explanation was this ever a good idea? Or a
reasonable idea? Either the US SSN is like a password (it's not) then how did
Acxiom get their hands on it, or it isn't (correct) and it doesn't serve the
purpose for identification.

Letting this sort of crap run wild also affects what is considered "normal" or
common privacy in other parts of the world, like the EU, it slides the window.
Continuously pushing the boundaries against people watching helplessly as
layer upon layer of foundations of surveillance are built. Authorities don't
do much until adoption is way beyond the curve of network effect, or they do
it weirdly. And by then people think it's normal or acceptable.

Already now, on countless popular sites, advertising transgresses heavily on
not only guidelines but also law. Medical claims, product placement, child
advertising, you name it.

What can we do to not make the lowest common denominator decide what's normal?

------
bigmofo
How do the data brokers know whether one shops at dollar stores? Who is
leaking our information to the brokers? Is the store or the credit card
company releasing information to a third party? Store gets the customer name
from the credit card. Credit card company knows that a transaction took place
at the dollar store. Any other possibilities?

~~~
throwaway12145
Visa requires at least some of their banking/prepaid partners to periodically
upload customer data to an Acxiom FTP site. It's considered a "compliance"
ask.

Source: helped write a microservice for said FTP upload.

------
pschastain
I haven't had a Facebook account for years, and my phone number was never
associated with it. Yesterday I visited the site on my laptop to look up the
page for a tavern that's re-opening. 1/2 hr later I got a text from 32665 with
a Facebook confirmation code. WTF; creeped the hell outa me. I replied with
"stop" and received verification that "Texts from Facebook are now turned
off." I visited their site again to request whatever data they have on me, but
even though I checked the "I don't have a Facebook account" button for the
request they insist that I log in to finish the process. Not sure where to go
from here with it.

[edit] grammar

------
NumberCruncher
It is easy to forget that FB is a media company and as such it is not only
making money by selling ads but also by manipulating the masses. They may
focus today on serving ads making $3.6 billion annually. Tomorrow they may
focus on something else for example on serving fake news for manipulating
elections and making 10x more. The data they collect is only a means to an end
and I am afraid I won't like the end when it arrives.

~~~
dhruvghulati
Good point. Their whole business model relies on addiction to the intoxication
of getting likes, shares, approval. If fake news stories that achieve those
better do the trick, it goes against their business model to prevent it.

------
MarkMc
> Of the 92 brokers she identified that accepted opt-outs, 65 of them required
> her to submit a form of identification such as a driver's license. In the
> end, she could not remove her data from the majority of providers.

So what exactly was the problem? She doesn't have a driver's licence?

~~~
malz
Maybe she didn't want to share a lot of personal documents with companies that
profit by selling her personal information. Obviously there's no reason for
them to require a driver's license except to make it so inconvenient to opt-
out that nobody does it.

------
discordianfish
I understand the general privacy concern but what exactly is the criticism here?
That Facebook acquires data from external sources? Aren't those external sources
the real problem?

------
Karunamon
Why is it obligated to?

No, really. Why? Why on earth is it a problem what a company does internally
with its own collected data? Why is this only being directed at Facebook?

------
intrasight
If everyone (like me) installed an FB ad blocker, then they'd not get a return
on their investment for buying that 3rd party data.

------
throwaway4897
I'm operating on the assumption that some day soon there will be a market for
personal services.

I know it sounds crazy now but people also thought no regular person would
ever need a personal computer. IMO the next computing revolution is in
personal appliances with OS (but black box, plug-n-play to regular folks) that
serve up usable voice recognition and other SaaS stacks that replace the
"free" data black holes currently in use.

------
antoniobg
Who thought they did?

------
optionalparens
Some day I'll need to reclassify all my cyberpunk books as non-fiction it
seems. We are nearly at the point of having real-life equivalents of things
like information brokers and a Central Intelligence Corporation. The funny
thing is the real companies I've seen are more creepy than the over-the-top
portrayals of your typical dystopian corporate future. Worse yet, they do a
better job of automating it all vs. the typical human intelligence or hacking
missions in those types of books.

