

How to Force Facebook into Handing Over their Secret Tracking Data - stfu
http://europe-v-facebook.org/EN/Get_your_Data_/get_your_data_.html

======
sek
Unbelievable: <http://europe-v-facebook.org/EN/Data_Pool/data_pool.html>

They delete sh*t, if you delete your posts they don't remove them from their
databases.

This makes me really angry, there is a reason why I delete this stuff. I can't
believe this, they have a responsibility.

Edit: WTF <http://europe-v-facebook.org/EN/Data_Pool/data_pool.html#Machines>

This is maybe the most frightening:
<http://europe-v-facebook.org/EN/Data_Pool/data_pool.html#Messages>

~~~
nak3d
Best advice I ever heard (and it came from an ex-Facebook employee), "treat
communication ("private" & "public") on all services, including Gmail,
Facebook, and Tumblr, like a million people are listening."

~~~
X-Istence
Or better yet start using OTR on these services and verify the "key" on each
end before continuing to talk about private matters.

~~~
incongruity
That doesn't account for the times the receiver decrypts your communication
and then intentionally makes it public.

There's a deep wisdom to the idea that one ought not put into words that which
they wouldn't want the world to see... Once it's out of your head, your
ability to control it diminishes if not outright vanishes... Just say'n is
all..

------
techiferous
So let's say I launch TrackMyEatingHabits.com. If a user that happens to live
in the UK signs up, they can send me a request for all of their data and I
have to comply, right?

So this means that when I design the software for TrackMyEatingHabits.com, I
should also be mindful to have a process (and data model) that makes it easy
to locate this user data quickly, right?

Also, I should have in place processes to verify the identity of the requester
too, right?

Or alternatively, I can just limit my market to the U.S.

~~~
rmc
No, probably not. Usually you only have to abide by a country's laws if your
servers are based there, or you have a company incorporated there. If you have
a US company with servers hosted in the US, and an EU citizen uses it, and
claims you are breaking their laws, then there is nothing the courts in that
country can do to make you abide by them.

To put it another way, are you worried if your US company breaks Chinese
censorship laws? That's illegal in China. Are you worried if your company
denies that the Holocaust happened? That's illegal in Germany.

You only need to abide by laws in the country you are in. Unless you have an EU
server you don't have to abide by EU laws.

~~~
tonfa
Like most legal matters it's a bit more complex than that. As far as I know,
you can be targeted by foreign laws with a .com domain, and servers physically
in the US.

If you specifically target/advertise (e.g. with translated interfaces) your
services to EU citizens, a judge _might_ decide that EU laws apply to you.

~~~
Sandman
Is this just your opinion or do you have some examples to back it up? I don't
see why a US judge would care at all if a US company breaks laws of another
country.

~~~
tonfa
Check "conflict of laws" and "conflict of jurisdiction". I don't know the US
legal system well enough to find it, but it happens in European countries
(e.g. French judge applying US laws), so I guess it would be similar.

Moreover a US judge might not care, but a French or German judge might decide
he is competent (if there are good reasons to think the website is not US
only).

~~~
Sandman
If a French or German court decides that a foreign company is violating their
laws, they can do little besides preventing them from reaching their market,
which would in this case mean that they can order ISPs to block the site. I'm
pretty sure that there is no way that they can actually _make_ a foreign-based
company abide by their laws. How would they enforce the ruling?

Of course, if the company in question also owns an EU-based daughter company
through which it operates on EU market (as Facebook apparently does), then
that's a whole different ballgame.

------
gburt
There doesn't appear to be any non-facebook.com data in the example PDFs --
i.e., no "you commented on TechCrunch" or "you visited TechCrunch which has
our widgets".

I would suspect this means Facebook just simply did not provide it?

~~~
kragen
It's surprising that the PDF I looked at (the first one) doesn't contain any
access-log data at all. Shouldn't it contain the time, date, and IP address of
every time she's viewed a page on Facebook, at least as far back as they keep
HTTP access logs? Or do they not log the user ID when they log HTTP accesses?
Someone (in Europe, therefore not me) should ask the Irish Data Protection
Commissioner to get an answer to these questions.

~~~
nl
I doubt the HTTP access logs are tied directly to the user id.

It might be possible to derive this information by linking on the IP address,
but that isn't the same thing as a direct link at all.

~~~
_delirium
Facebook is able to tell which profiles you view more frequently than others,
so _some_ sort of log data correlated with users is being kept.

~~~
nl
That's different to HTTP access logs.

If I view a profile on the mobile app or on the web page it is (presumably)
measured the same, presumably in the application layer. That's different to
recording your id in the HTTP access logs.

------
cdh
Does anyone know if requests made by Americans are honored? I'm guessing we
don't have the same privacy protections here in the US, but maybe I've assumed
incorrectly?

------
avar
Facebook knows too much about us, let's all send them a scanned copy of our
passport!

~~~
tripzilch
You're allowed to (and should) black out your photograph and your social
security number, they don't need those for ID. Only your government, your
employer and a list of government-sanctioned organisations can require social
security numbers for ID purposes. The rules for photo ID are even more strict.

Additionally you should write in big letters over the scan "Request to access
Facebook Data <date>", so that nobody else can use the scan of your ID-card
for anything else.

The rest of the data, Facebook already knows (name, date of birth) or is
useless (passport/ID document number).

Source: <https://pim.bof.nl/gebruikers/geef-niet-meer-dan-nodig/> (Dutch)

~~~
abcd_f
> _Additionally you should write in big letters over the scan "Request to
> access Facebook Data <date>", so that nobody else can use the scan of your
> ID-card for anything else._

This serves no purpose as it is trivial to 'shop these big letters out of the
image.

~~~
tripzilch
I dunno what your ID cards look like, but ours have intricate patterns all
over them. Additionally there's a punctured-hole pattern that vaguely
corresponds to the photograph, so that's unique for every ID.

I can't really imagine how you'd want to reconstruct that, and even if you
could I'd hardly call it trivial.

~~~
abcd_f
No need to reconstruct anything, just save the image with a higher JPEG
compression and all the intricate patterns will be well blurred. I really
doubt FB is spending any time whatsoever on validating these patterns.

------
phreeza
I wonder if anyone has tried to do this with google?

~~~
click170
Google already provides a pretty good interface for exporting your data..

<http://www.dataliberation.org/>

Or, from your Google+ page, click on your picture in the top right corner,
then Account Settings, then on the new page click on Data Liberation on the
left hand side.

~~~
Loic
You cannot get all your logins, session time, IP address, etc. This is what
you have a right to get out of an EU-based company. Yes, this means that as a
business, it is pretty hard to comply with the law.

~~~
sek
When they don't save it there is nothing to get. They have a policy to remove
personal data after 3 months or so.

~~~
1337p337
It's at least six months, and they don't do a very good job of anonymizing:
they scrub the last two digits of the IP, but not tracking cookie logs.
DataLiberation further contains no information they keep when you are not
logged in, and only a fraction of what they have (and keep) when you are
logged in. The "privacy dashboard" points to several chunks of data that are
retained but not accessible, and there is far more that actually is kept.

A simple but perhaps inconvenient way to verify this is to be criminally
prosecuted for something where your Google account is relevant. Google will
hand over what they have to the prosecution, and as the defendant, you'll be
entitled to see the evidence. (I've not tried this and don't recommend it, but
do know someone that this happened to, and have examined the contents of the
provided CD.)

DataLiberation is mostly a PR site, and its main use is migrating what data
Google feels is useful to you, not finding out what Google knows.

------
driverdan
The missing data is what's interesting. The data they provided isn't
surprising or shocking at all, it's exactly what I'd expect to get from this
type of request.

------
lunchbox
Facebook also tracks what profiles I view. Looks like that data isn't released
here.

------
mituljain
What bothers me - or has me in awe even (to some extent) is how early on in
the process facebook started storing all this information! I've had status
updates from years ago show up in my "this day in 2009" pop-up on the sidebar.
And clearly from the content of these files on the above website - they have
stuff on you that goes way, way back. It seems almost sinister - as if they
knew all along that they would aggregate so much information - although on
the face of it - it was just another social networking site. Which I would
assume like any other website or web-app would delete unnecessary stuff in
order to save space / efficiency etc (at least before they got huge and had
their own server farms). At the same time - one can't help but wonder if having
all this data (and probably a lot lot more that we don't see from an outsider's
perspective) - is really what is responsible for facebook making the "right"
moves every now and then with regards to really delivering features that its
users will use and growing at unbelievable rates? Might be food for thought -
after all - the more you know about your users - the better you can serve
them!

------
ubuntufreak
Why do they keep those data in their database? If I deleted a content, I meant
it to be deleted forever. And knowing the fact "Note: According to facebook’s
privacy policy, messages on facebook can not be deleted anymore. If you click
on ‘delete’ the messages will only be invisible to you. US law enforcement
agencies can access this information at their own liking, without judicial
review."

by @nextparadigms I'm thinking of quitting facebook

------
ldd-
I have a dual citizenship . . . U.S./France. While I live in the U.S., I may
try this with my French passport.

~~~
kiiski
Facebook TOS says:

"If you are a resident of or have your principal place of business in the US
or Canada, this Statement is an agreement between you and Facebook, Inc.
Otherwise, this Statement is an agreement between you and Facebook Ireland
Limited."

So if you're living in USA it seems like they don't need to comply with your
requests.

~~~
ldd-
Thanks for the heads-up on the TOS. Actually, there WAS a period of time when
I was on FB when I was living in Germany. In fact, when I signed up for FB, I
was living in Germany (not in the military), so still probably worth a shot.

------
danielrhodes
I don't find any of this surprising. All of the data Facebook has on me I have
given to them. Just like anywhere else on the internet or not, if you don't
want somebody to know about something then don't share or keep a record of it.
Privacy is not absolute, it is contextual.

------
0x12
This is the sort of thing that causes governments to enact legislation. Either
you self-regulate and do a good job of it or sooner or later you get a bunch
of rules forced upon you that may be far more impractical and expensive to
implement.

------
bretthellman
Wouldn't that be giving FB more data? You need to send either a driver
license, national ID, passport.

------
dafarian
I wonder if there's a way to do this in the US. I will look into this.

------
dbbo
Is there a similar law in the United States? If so, I've never heard of it.

~~~
_delirium
No, there's no general right-to-data law. There are general right-to-
_government_ -data laws, so you can e.g. request your own FBI record. But
private businesses don't normally have to disclose what data they collect on
you. There are a few exceptions for specific areas; for example, the credit-
ratings agencies have to provide you with a copy of your credit report, and in
some cases an employer may be required to provide you with a copy of certain
personnel records. But they apply to fairly limited situations.

~~~
skcin7
So for those of us that live in the US, is it not possible for us to request
to have the data that Facebook stores about us???

Related (well, maybe): You can easily download a copy of your Facebook data no
matter where you are located, by logging in and clicking "Account Settings" >
"Download a copy of your Facebook data". This will include all things like
messages, pictures, etc., but I am positive that it isn't nearly as in depth
as what is outlined in that article.

~~~
dbbo
I would like to see the data they're using to target ads at users (i.e. the
metadata assembled from a user's input).

------
barbazfoobuzz
ha. this is smart by fb. if they follow the yahoo model, access to that data
is sold to the agencies that want it. they don't get access for free. so fb
has an interest in having a nice store of data on offer. it's a nice business
unit on its own in addition to their ad selling pursuits.

------
toadstone
I don't understand this community. I thought you were wolves, but here you are
taking the part of the sheep. Instead of being outraged, you should be trying
to get your own piece of the data pie. Every single web startup is doing
exactly that.

~~~
Helianthus
I don't think you understand communities. People acting in a group will act
similarly and be derided by you as 'sheep.' It is the type of thing that
motivates group action that determines whether you think group members are
'wolves.'

Wolves move in packs, too.

~~~
toadstone
It was a predator/prey metaphor, not an individual/group metaphor.

~~~
forensic
It's out of date. The planet has enough resources for everyone. Humans do not
need to prey on our own species.

~~~
toadstone
Predator/prey is also a metaphor. People aren't actually being eaten. They are
voluntarily sharing data that is used to provide them with a service that they
want. I'm so depressed that I have to spell everything out.

~~~
forensic
And in these threads where you call us sheep, we are deciding that the data
price is too high for the service rendered.

We have the right to use government to nationalize these programs if they are
going to be so deceptive and intrusive.

Facebook falsely advertises their service as free. They don't tell their users
that they are collecting unnecessary amounts of data to violate people's
privacy, and that this data is payment for the service.

------
gilted
Thanks to the Google employee ring for voting this one up too, I found that
the 5 breathless Facebook articles already on the front page weren't
sufficiently satisfying my intellectual curiosity. Now you may proceed to
transition into downvote mode.

I really hope one day pg changes it so that all votes on articles and comments
are publicly available, so that we can run our own analyses using it. It
would be interesting to see how much of the content on HN has become dominated
by these employee rings over time.

~~~
mattmanser
Woah, less of the crazy conspiracy theories.

If you're so out of the loop that you didn't know about f8 and 'frictionless
sharing' then read up about those things and voilà, you'll realize why these
stories are all popping up the rankings.

FB is creepy and keeps getting creepier.

Keep your tinfoil hat on though if you want.

~~~
spooneybarger
Some of the other recent posts about facebook have similar comments from low
karma accounts. I'm just writing it off as some facebook employee ring.

