
Facebook’s entire business model is under fire in the EU - ukdm
http://venturebeat.com/2011/11/28/facebook-advertising-eu/
======
reso
Factually incorrect article.

>First, let’s have a primer on how Facebook makes money: The company gets you
to willingly enter all kinds of demographic and behavioral information into a
massive database. Advertisers, big brands and Facebook’s sales team call it
“data.” You call it your profile, your likes, your checkins, your comments and
everything else you do on the site. Facebook then sells that data — in an
aggregated, anonymized form, of course — to brands and advertising agencies so
they know how, when, where and to whom to market their wares.

Data is not "sold". Data only leaves Facebook's servers when you ask for it.
Facebook makes money by targeting ads on facebook.com. This is constantly
misstated and it frustrates the hell out of me.

EDIT: I tweeted at the author and she made the language much less ambiguous.
Journalism points to Jolie O'Dell.

~~~
hack_edu
Then it sounds to me like the legal battleground here is the word 'sold.'

~~~
reso
Agreed. For a certain definition of the word, Facebook does "sell" data to
advertisers, but not by my intuitive definition of "sell". To me, they "sell"
targeted ad space.

------
law
_However, Facebook maintains that users prefer seeing ads that are linked to
their interests and lifestyles. Also, the company reminds us that private
information stays private, even when data is used to sell ads, because
information is collected in aggregate and is anonymized._

This troubles me, because information being collected and 'anonymized' is
somewhat of a misnomer. I think many would contest any assertion that data
capable of disassembly into its constituent parts (assuming each constituent
part to be a _unique_ combination of variables represented in the aggregate)
comports with anonymity. I'm generally not one to praise governmental
regulatory agencies for their technological prowess, but the U.S. Department
of Health & Human Services really "got it" with HIPAA's de-identification
standard.

HHS understands the importance of aggregating healthcare data and conducting
statistical research, and does not let HIPAA preclude this from occurring.
Instead, HIPAA outlines a "safe harbor" approach that limits a covered
entity's criminal/civil liability in the event of a breach if and only if the
covered entity removes 18 identifiers and has no actual knowledge that the
remaining information could identify the individual. These identifiers include
names, dates, geolocational codes covering populations less than 20,000, etc.
Alternatively, covered entities may opt to use a 'statistical' approach by
hiring a qualified statistician (or other scientific expert) who can use
acceptable analytic techniques to conclude that the risk of identifying the
person from the disclosed information is very, very small.[1]

A safe harbor approach to large-scale data privacy would be absolutely
wonderful. Using statistics to prove the anonymity of data being
collected/used by Facebook is nonsensical, since by default, we've given them
a non-exclusive, transferable, sub-licensable, royalty-free, worldwide license
to 'use' anything we submit to them. Contracts of adhesion, in my opinion, are
more of the problem since there's no good way to 'make change' for the
information that you submit. For example, someone very active on Facebook
might arguably be 'worth more' to the company than someone who isn't, but both
receive the same product.

EDIT: A safe harbor approach to large-scale data privacy isn't even unknown.
See COPPA[2], for example.

[1] <http://ecfr.gpoaccess.gov/cgi/t/text/text-idx?c=ecfr&rgn=div8&view=text&node=45:1.0.1.3.77.5.27.9&idno=45>
45 CFR 164.514(b)(1)--(2).

[2] <http://en.wikipedia.org/wiki/Childrens_Online_Privacy_Protection_Act>

~~~
Silhouette
> Contracts of adhesion, in my opinion, are more of the problem

In the Internet/data mining era, contracts of adhesion are an incredibly
overpowered legal tool. Suddenly things you used to do in person, with
reasonable expectations and no practical way for commercial entities to
override those expectations, have been replaced by doing everything in software
and on-line, with EULAs and click-through agreements that contain numerous
obviously abusive terms that are not necessary for the performance of the
basic agreement, would be unexpected by the individual agreeing to the
standard form contract, but are never known (until it's too late) because _no-
one_ actually reads the full details of every form agreement they "agree" to.

It is well past time that consumer protection laws were updated to
dramatically rebalance the legal weight of form contracts containing
potentially unexpected or misunderstood terms against what would seem
necessary and reasonable to the person entering into such an agreement.

It is also well past time that privacy laws were updated to reflect the
Internet/database/data-mining age. You can't just assume that some minor
action that might not in itself have been considered an invasion of privacy in
more innocent times is still harmless at a time when technology can turn a
collection of such actions into a searchable life story.

------
zalew
why not link to the original article
<http://www.telegraph.co.uk/technology/facebook/8917836/Facebook-faces-a-crackdown-on-selling-users-secrets-to-advertisers.html>

------
jphackworth
Saying their "entire business model is under fire" seems too extreme. From the
article:

 _The EC is planning to ban such activity unless users themselves specifically
agree to it._

Okay, so, at worst Facebook just has to make users specifically agree to this
before they can continue using Facebook. I'm sure some people wouldn't agree,
but it's not a big enough deal that Facebook would change their business
model.

~~~
101010010101
Change their business model to what?

~~~
viscanti
The current data sales business model doesn't support their sky-high
valuation. Most investors assume that Facebook will "figure out" a better way
to monetize their audience. Facebook commerce and credits sales for the
Facebook platform look to be their most promising options. Facebook isn't all-
in on data mining. They're certainly hedging their bets.

Obviously nothing is guaranteed, and I personally believe that they'll have
trouble finding anything that justifies their valuation. But a lot of smart
people think they'll figure it out, and are putting their money where their
mouths are. They have some options, but we'll just have to wait and see how
those actually progress.

~~~
samstave
$.99/month per user.

$6 Billion per year revenue

~~~
1010100101
Sounds simple enough. It's probably far more revenue than they're making now.
So why haven't they tried it? What's to lose?

~~~
pyoung
I am sure google+ would love it if FB started charging for accounts.

~~~
1010100101
I think we have an answer.

------
nextparadigms
With how much Facebook are doing behind the scenes with the user tracking,
it's hard to blame the EU officials trying to stop them. Facebook tried to
bite more than they can chew, and they've been warned about going too far with
all the privacy invasion for 2 years now, and they still didn't care, and went
ahead anyway.

------
flyt
Is the EU also going to require Google to get user permission before
collecting data they turn around and use for selling ads?

------
guimarin
One thing that strikes me as interesting is that Facebook repeatedly states
that they do not sell personal information to third parties. Yet, I've never
read or heard it stated plainly that this behavior is forbidden by
applications running on the Facebook platform. In fact, at one point I
remember that friends' applications had access to my personal information, even
if I did not authorize said application. I don't know whether that is still
the case, but the idea behind it is troubling.

I would also like to follow-up that people are dissimilar enough that de-
anonymizing is not that difficult. I do not know why, yet, an advertiser would
want to explicitly de-anonymize its data, but it is certainly possible.

~~~
nroman
I don't think you looked very hard. This is quite plainly stated in the
developers policy. You don't have to be a lawyer to understand this:

From <https://developers.facebook.com/policy/>

6\. You will not directly or indirectly transfer any data you receive from us,
including user data or Facebook User IDs, to (or use such data in connection
with) any ad network, ad exchange, data broker, or other advertising or
monetization related toolset, even if a user consents to such transfer or use.
By indirectly we mean you cannot, for example, transfer data to a third party
who then transfers the data to an ad network. By any data we mean all data
obtained through use of the Facebook Platform (API, Social Plugins, etc.),
including aggregate, anonymous or derivative data.

------
peterhunt
Hmm...

<http://www.privacyparrot.com/privacy-policy-for-facebook.com>

------
DanBC
See also

(<http://news.ycombinator.com/item?id=3285466>)

