
What’s Not Included in Facebook’s “Download Your Data” - NicoJuicy
https://www.wired.com/story/whats-not-included-in-facebooks-download-your-data
======
JumpCrisscross
"But 'Download Your Data' hardly tells you everything Facebook knows about
you. Among the information not included:

\- information Facebook collects about your browsing history;

\- information Facebook collects about the apps you visit and your activity
within those apps;

\- the advertisers who uploaded your contact information to Facebook more than
two months earlier;

\- ads that you interacted with more than two months prior.

Download Your Data is particularly spotty when it comes to the information
Facebook taps to display ads."

\---

TL; DR When you get too close to their business model, Facebook clams up.

~~~
richardfeynman
PSA: Facebook looks at what websites you visit in an incognito window,
provided that the incognito window is open the same time as a regular browser.

~~~
tlb
How does it do this?

~~~
richardfeynman
Apparently, incognito mode uses the same temporary cookies folder as regular
chrome, so FB looks at this folder if incognito is open in one window while FB
is being used in another.

~~~
JoshMnem
Are you sure about that? Wouldn't it mean that all third party trackers could
continue to track you while in incognito mode? How could it be called
incognito mode if sites can still read your non-incognito cookies?

~~~
richardfeynman
I'm 95% confident. And yes, I think it does mean that. The trackers have to be
active in a non-incognito window for it to work. It reads the shared temporary
cookie folder.

~~~
JoshMnem
If incognito mode is that broken in Chrome, and still allows sites that are
open in normal tabs to track you, that would be very newsworthy.

~~~
richardfeynman
agreed

~~~
JoshMnem
I had to know the answer, so I wrote a quick script to test it. It appears
that incognito windows can't read cookies from normal windows. I've linked to
the source code there. If I've missed anything, let me know.

[https://cookiechecker.netlify.com/](https://cookiechecker.netlify.com/)

~~~
richardfeynman
"It appears that incognito window can't read from cookies from normal
windows."

To be clear, the claim I'm making is that normal windows can read cookies from
incognito windows.

~~~
tlb
A simple test suggests otherwise, using Gruez's recipe above but swapping the
private and non-private windows.

There are potential information leaks, such as the combination of IP address,
user agent, screen size, and fonts available. And there may be bugs in 3rd
party plugins like Flash that fail to respect private mode. But it doesn't
seem to be anything as simple as cookies being shared.

~~~
richardfeynman
Thanks. If they're not using the temporary cookies folder, I'm curious how
Facebook shows ads based on incognito browsing. Some form of device
fingerprinting?

------
mtremsal
Thought experiment: if after 5/25, I download my data, then revoke consent and
delete my account, then a while later reactivate my account and log back in --
if any of my previous personal data is tied to my "new" account, have I proven
that my personal data wasn't entirely deleted since Facebook could still
uniquely identify me?

~~~
fredley
Yes. I'm waiting to delete my account until after the 25th because:

* There's slightly more of a chance they'll actually delete my data

* If they don't, I'll be entitled to be a part of any class-action.

~~~
maaark
Same, and I'll be encouraging others to do so.

~~~
killjoywashere
What timezone are we using for this? Is it midnight Zulu on the 25th, the
26th?

~~~
21
FFS, just delete it on 27

~~~
killjoywashere
Sorry, I'm not hip to most of this stuff. I just thought it would be a fun
event. Perhaps it's already on the social media calendar, complete with a cat
logo?

------
whyever
I'm surprised this article does not mention Max Schrems, who requested all
data Facebook had on him in 2011:

> He later made a request under the European "right to access" provision for
> the company's records on him and received a CD containing over 1,200 pages
> of data, which he published at europe-v-facebook.org with personal
> information redacted.

(See
[https://en.wikipedia.org/wiki/Max_Schrems.](https://en.wikipedia.org/wiki/Max_Schrems.))

~~~
vageli
Just a heads up, your Wikipedia link doesn't work.

~~~
DoreenMichele
[https://en.m.wikipedia.org/wiki/Max_Schrems](https://en.m.wikipedia.org/wiki/Max_Schrems)

------
randomsearch
Not covered here: it does not really export your social graph. Just a list of
names. No way to easily import that into contacts etc. This is making quitting
Facebook time-consuming, but I'm getting there.

Similarly with birthdays, although it's quite easy to work around that via
their calendar link.

~~~
Lionsion
> No way to easily import that into contacts etc. This is making quitting
> Facebook time-consuming, but I'm getting there.

Also, IIRC, all the photos are resized smaller and recompressed, while the
full-res versions are still accessible through the Facebook website. This also
makes it harder to quit if 1) you don't have the original photos and 2) don't
want to live with the unnecessary sacrifice of quality.

Facebook really ought to include the best versions it has of the data you've
uploaded, even if it makes the archive size enormous. The option to shrink
things should be a _non-default option_ only, since the download might be a
prelude to an irreversible account deletion.

~~~
shakna
> since the download might be a prelude to an irreversible account deletion.

Is it not one of their aims to make it always reversible?

~~~
koko775
that's what disabling your account is for, but deletion is deletion.

~~~
shakna
> but deletion is deletion.

Is it? Cases like this [0] make that seem unlikely.

[0] [http://europe-v-facebook.org/](http://europe-v-facebook.org/)

------
lamename
This 'Download Your Data' tool is highlighted every few years when ire toward
facebook is renewed, but while appealing it's never seemed more than table
scraps to me looking at the data.

Even without looking, the idea that a data broker would just willingly give us
all the information it has is unbelievable. The scale is so large, how would
you even know?

~~~
cromulen
They don't have a choice under GDPR.

~~~
dvfjsdhgfv
That's yet to be seen. Can you imagine the ire when Europeans are able to
download a rich set of information on how they're being tracked and so on,
whereas Americans and the rest of the world has no access to that information?
I can't. What is more probable is tha FB will try a legal trick claiming they
are an American company and they follow the laws of California, not EU, even
if they gladly accept European advertisers's money via Ireland.

~~~
dmoo
This is why FB has moved data for 1.5b users back to the USA

~~~
pdkl95
According to Reuters[1], "Facebook said the latest change does not have tax
implications." If they are still paying taxes through Ireland for the profit
they make off those 1.5b users, they seem to be choosing to EU jurisdiction
(which would include the GDPR) regardless of any contract of adhesion they
forced users "agree" to.

[1] [https://www.reuters.com/article/us-facebook-privacy-eu-
exclu...](https://www.reuters.com/article/us-facebook-privacy-eu-
exclusive/exclusive-facebook-to-put-1-5-billion-users-out-of-reach-of-new-eu-
privacy-law-idUSKBN1HQ00P)

~~~
dragonwriter
Facebook could have made a startegic decision to permanently repatriate
profits based on US tax law changes before making the GDPR decision, which
would make the GDPR decision tax-consequence free.

------
SubiculumCode
One thing is clear. If they delete my data upon my request, they do not,for
obvious reasons, delete it's contribution to any ML that was trained with it.
Also, when deleting data, I wonder whether they delete any derived scores
based on my data.

~~~
alex_hitchins
This is a very good point and one that I've been wondering but not seen much
discussion of.

------
amelius
An important omission is the data that Facebook collected on you using browser
fingerprinting.

Since a fingerprint is like a hash, it is theoretically impossible for
Facebook to determine if the data really belongs to you, or to someone else
who happened to have the same browser fingerprint.

This means that if Facebook is legally obliged to offer a complete user data
download, then the practice of fingerprinting is illegal.

~~~
Spivak
I don't think fingerprinting in the interesting target here -- it's whether
anything derived from somoene's data is part of their data and if so where the
boundaries are.

* Can I use differential privacy? Can a user request a correction to such a dataset?

* If I train a ML model on some user data what responsibility do I have with acquisition or deletion?

* Can I anonymize my data-sets?

* How do I handle aggregate statistics?

------
thisisit
In case, anyone is wondering how to get to the "Your Categories" option on
Facebook. Go to Settings -> Ads and the tab will appear.

I have always been paranoid about sharing information on social media. So,
this section has only Facebook access information - 4G, Ipad etc. Couple of
categories are even incorrect.

------
macintux
Despite never enabling location services, Facebook once (briefly) gave me a
weather forecast when I was traveling. Spooked me quite a bit.

The best I could figure is that I temporarily enabled access to my camera roll
so I could post a few photos (ordinarily I just copy/paste them to keep
Facebook out of my photos), and either it scanned the photos' exif data during
upload or directly from the roll once I enabled it.

I wasn't remotely surprised to find that particular piece of location data
wasn't part of the data download.

~~~
Peyphour
Could just be IP geolocation

~~~
macintux
Geo IP location is possible but unlikely: the location was very precise and
accurate, and I would assume Verizon (wasn't on wifi) wouldn't be handing out
IPs with that level of specificity.

Plus it only ever happened that once.

------
NietTim
Funny that the website is entirely unusable for me unless I turn off ghostery.

~~~
spraak
Well, not very surprising

------
AnnoyingSwede
The irony to see the "Would you like to login using facebook"-popup on the
wired article..

------
notimetorelax
I’m thinking, GDPR is not live yet. They might expand the type of data they
export in a month.

~~~
Silhouette
In theory, GDPR doesn't change very much in this area. Data subjects already
had similar rights to access personal data about them under existing law in
much of the EU. The potential fines for non-compliance may be much bigger,
though. There is also some expansion in what constitutes personal data under
the GDPR, which might be relevant if we're talking about areas where you could
have tried to argue they didn't count before but they're going to be
explicitly covered in the new scheme.

------
mxuribe
I'm not familiar with FB's APIs...do they allow for programmatic download of
your data with the same set as via the manual download tool? Because if they
do, then a neat little script - leveraging their API - could be used
periodically to download one's data to at least address the issue with 2-month
expiration on the ad data.

------
bengale
Not long now ... [https://www.linkedin.com/pulse/nightmare-letter-subject-
acce...](https://www.linkedin.com/pulse/nightmare-letter-subject-access-
request-under-gdpr-karbaliotis/)

------
not_that_noob
There is a potentially disastrous blow to FB's business model in the GDPR that
relates to this sort of profiling. It is _forbidden_ under GDPR, unless the
user grants explicit consent (opt-in). See [1].

Without this, FB's targeting abilities for ads just evaporates. It is going to
be interesting to see how this pans out.

[1] [https://ico.org.uk/for-organisations/guide-to-the-general-
da...](https://ico.org.uk/for-organisations/guide-to-the-general-data-
protection-regulation-gdpr/individual-rights/rights-related-to-automated-
decision-making-including-profiling/)

------
ikeboy
In my experience it doesn't have your comments, posts, etc in groups.

------
andrewshadura
The zip file Facebook provides doesn't include full resolution photos I
uploaded, only heavily compressed low-resolution low-quality previews.
Useless.

------
fortythirteen
> Wikileaks, Julian Assange, and alt-right provocateurs recommend giving it a
> whirl.

Classic guilt-by-association propaganda technique.

~~~
908087
I really can't even figure out what posessed the writer to put that line in
there. It has absolutely nothing to do with the story, and kind of comes out
of nowhere.

~~~
josefresco
The author linked to Tweets from said individuals who were mentioning the
tool. So it's relevant, however a bit odd they chose those specific examples
when I'm sure they're are other "celebrities" who also linked to the tool.
Maybe the author thought of these people as those _most interested_ in data
privacy?

~~~
fortythirteen
I'm not so sure, considering how their coverage of the DNC lawsuit read like a
press release, with zero journalistic objectivity. It treated the currently
unproven claims of a civil suit as if it was already assumed fact.[0] It
contains this gem of a paragraph:

> The leaks continued steadily from there, as the suit details. Guccifer 2.0
> struck again on June 27, June 30, and July 6. On July 22, WikiLeaks took the
> wheel, releasing nearly 20,000 internal DNC emails. The following day,
> according to the suit, multiple DNC employees received an email that said:
> “I hope your children get raped and murdered. I hope your family knows
> nothing but suffering, torture, and death.”

All evidence suggests, as Wikileaks has maintained, that their emails came
from a physical source, and not Guccifer 2.0.

I think there is a larger editorial bias at play at Wired.

[0] [https://www.wired.com/story/dnc-lawsuit-reveals-key-
details-...](https://www.wired.com/story/dnc-lawsuit-reveals-key-
details-2016-hack/)

------
kdot
How complete is this data? Does it include content like comments?

It'd be nice to download my data and import it into a competing social
network.

