Hacker News new | past | comments | ask | show | jobs | submit login
Facebook's 'Clear History' Tool Doesn't Clear Shit (2020) (gizmodo.com)
287 points by decrypt 9 months ago | hide | past | favorite | 88 comments

Even if you clear it, they continue to link future third-party site activity to your FB profile.


To actually opt out, you have to click the "More Options" button, then "Manage Future Activity" at the bottom, then "Manage Future Activity" button, then toggle off the "Future Off-Facebook Activity" toggle.

Dark patterns. So disrespectful. Shameful. :(

This is the main point the article is making:

> The only thing you’re clearing is a connection Facebook made between its data and the data it gets from third parties, not the data itself.

However this is not the main privacy issue with Facebook in my opinion. Even if Facebook users could legitimately clear their third party data entirely, they still can't easily clear their own first party data (posts, photos, searches, likes, Instagram activity, etc). Right now, you have to go click "delete" in your activity log one-by-one on individual posts. This is so time consuming and manual that most users will never do it - which is of course by design.

There is a plugin that helped users delete their Facebook content (https://chrome.google.com/webstore/detail/social-book-post-m...), by letting you select the time period and type of content you want to delete. However, Facebook repeatedly breaks it by changing the page design for seemingly no real reason. The cat and mouse updates worked for a while but this extension has not been updated since 2019. Some creative people then built a second extension that switches Facebook to an older layout (https://chrome.google.com/webstore/detail/switch-to-classic-...) and this allowed the above history clearing extension to work. But then Facebook made an even more drastic redesign of the Activity Log, which broke this approach of using a second extension in conjunction with the first.

Can any enterprising HN code ninja help solve this problem? I think we need a suite of tools to help users easily clear their history from all social media platform, whether it is Facebook, Twitter, Instagram, or whatever. Ideally we'd have a law requiring such controls be provided to users but I'm not holding my breath.

There is also a reason websites have stopped using the term 'delete' and are using 'clear' instead. Because clearing something does not imply that it's gone unlike with delete, just out of view.

I'm not sure what distinction I'm supposed to be making. What are these websites doing differently?

To me, 'delete' means 'remove this entry' and 'clear' means 'remove the data in this entry.'

What you want it to mean is "remove this entry from my view in the frontend, delete the related record in the backend, and delete all previously cached copies of it in the backend."

If someone decided to meticulously track everything I do. Follow me wherever I went. Put a GPS tracker on my car to see everywhere I visit. Peep inside my windows to see what websites I browse. Look over my shoulder at the grocery store to see what items I buy. I would consider that stalking and attempt to file a restraining order against that person.

Can I file a restraining order against Facebook? Or Google?

You can't, because all the websites they're tracking you on are actually helping Facebook by choice. They didn't plant a GPS tracker on your car, they paid a bunch of amoral civilians to monitor your movements through the city.

Our legal system isn't equipped to handle the majority of free people deciding to act like broad-spectrum stalkers within the span of a few years. Society only works if most people aren't evil or utterly susceptible to evil influence.

They didn't plant a GPS tracker, you bought it and use it for navigation, messaging, and social media.

No, because of a 1996 US Federal law, information collected about you is no longer your property, even if there is no business relationship.

When was it ever? Anyone could write an article about you. Articles about specific people are discussed all the time on Hacker News. Usually the person being written about doesn’t get a say about their reputation.

The common law arguably put the question you ask in the hands of a jury.[1] It is public figures whose lives are fodder for public consumption; more generous privacy rules traditionally have applied for the more mediocre among us.

[1] https://law.jrank.org/pages/9409/Privacy-Common-Law.html

Sadly, I'm inclined to agree with your assessment, from my utterly amateur legal armchair.

We need new laws for this. GDPR is a good start, if one happens to be an EU citizen, if a bit toothless.

We need new laws because automated collection of vast amounts of personal data, at scale, is a thing different in kind from manually collecting personal data about a specific person. Due to the expense and difficulty, the earlier system would tend to scale broadly with someone's fame, or at least wealth, which matches our expectations: it's not surprising that, say, a gossip magazine would have a fat file on Leonardo DiCaprio, and we figure he has lawyers on hand to deal with any consequent fallout.

In fact, we all used to be quite grateful for the unsung laborers who would collect and publish a doxxing book, called the white pages, which would list the names, phone numbers, and addresses, of most local people. Of course they were legally obligated to unlist those who requested it...

> We need new laws for this. GDPR is a good start, if one happens to be an EU citizen, if a bit toothless.

It actually has a better bite than most. The problem is that the one suposed to do the biting doesn't do a lot of it.

What law specifically?

I would guess the "Telecommunications Act of 1996".


Probably the text starting here:

  Title II is amended by inserting after section 221 (47 U.S.C. 
  221) the following new section:

If it is about customer (!) information, does it still apply to people simply visiting websites, and due to not knowing better, not blocking Google and FB trackers? It would not seem like they are automatically Google's or FB's customers.

On the off-chance that the parent's description has a typo, it may be this 1976 court ruling:

United States v. Miller, 425 U.S. 435

> Can I file a restraining order against Facebook? Or Google?

Not as long as you're maintaining an active relationship with them. First step is to break up and stop using their services entirely.

You do not need any relationship in order to have a shadow profile on Facebook.

If you're a European citizen, then you can invoke your legal right to erasure.

It's not a silver bullet of course. Discord, for instance, just 'anonymises' message history by renaming your account to Deleted User. But most people's message history is enough to deanonymise them, making that completely null and void. If you ask for your messages to actually be deleted they will refuse your request.

I published a tool on GitHub for deleting message history in the most efficient way I could find. Yet users of the tool sometimes get their accounts banned because Discord's TOS prohibits unauthorised use of their API. I speculate this is because they don't want custom clients which don't send back telemetry.

Discord is either tone-deaf to common privacy concerns or they're completely conscious of them and don't want people to clear their message history.

One tactic I've worked out with individual mods is I have them ban me, then unban me, which causes all of my posts to be erased from the public chat. Of course Discord probably still has them privately, but it's better than nothing.

That's interesting, thanks for the tip. I would hope they would have a sort of garbage collection that deletes orphaned messages, but this is Discord we're talking about.

Are they owned by Microsoft yet?

I don’t think this will be enough in case they get sued if the messages contain personably identifiable information they will have serious problems.

How does the EU enforce the deletion of said data from Facebook servers standing on US ground?

How do I enforce deletion if I have unwittingly only a "shadow account" in Facebook?

Fine the Facebook subsidiaries incorporated in the EU. Or completely ban them from doing business, which prevents advertisers in the EU from giving them money.

This is impossible - the fine would have to be absurdly high to matter and if they disabled their business in the EU there would be riots. Facebook can essentially do whatever they want as they are also likely sending information to services.

> This is impossible - the fine would have to be absurdly high to matter

Fines here are proportional to profits, so it would be absurdly high for Facebook.

> and if they disabled their business in the EU there would be riots.

Not really. In the last five years I've seen an ever growing anti American sentiment around here. I guess it's because all the antics that were coming from the angry Cheeto.

America is now seen as unstable and unreliable. The sentiment around here is basically (generally speaking): "and what happens of they decide to elect (another) Trump again?"

> if they disabled their business in the EU there would be riots.

Line em up.

California Privacy Act also gives you similar rights.

Not if the Irish have any say in the matter.

That's an interesting question, but it doesn't accurately describe the collection/transfer of data as far as FB or Google are concerned.

Millions of websites/apps/stores willingly deliver this information to Facebook/Google for free, and it's your relationship with each of those websites/apps/stores that governs the collection and sharing of that data.

GDPR, for instance, makes a distinction between "data controllers" and "data processors." The businesses are the controllers, and FB/Google are processors. Both have responsibilities regarding the handling of your data, but most of the requirements fall on the controller. The processors are able to assume that the controller had the right to share the data with them.

I guess no, because you agreed to terms and conditions that they can.

How about if one deleted the account with them 5 years before and they still follow you. I hope that is stalking.

I would agree. If you cease use and end the agreement then they should stop. If they continue then they should be liable.

“When you delete content, it's no longer visible to other users; however, it may continue to exist elsewhere on our systems”

This is from FB’s terms and conditions, so I guess they can still keep the data.

If you agree to any other website’s terms and conditions saying “any third party can track you”, you have again given permission.

The problem with this interpretation is that valid contracts depend, among other things, on informed consent and on the legality of what's being required, meaning you can't trick someone into being bound to terms they never really accepted or sufficiently understood and you can't bind them to illegal terms.

In this case, most people haven't read the Facebook terms of service and it is probably unreasonable to expect everyone to not only read them, but to keep abreast of any updates. So it's a grey area. And if you pass laws and regulations around data privacy, then FB won't be able to legally impose such conditions. But as I said earlier, there isn't much inertia behind data privacy. Nobody with power wants it.

> valid contracts depend, among other things, on informed consent and on the legality of what's being required

Yes, and they also depends on power dynamics.

That's why there are a lot of restrictions on what can be written in a contract between public utilities and users. An electricity provider could strong-arm users into signing draconian contracts otherwise.

Social networks have the same negative externalities: if most of your friends move from using emails to using Facebook to communicate and you are not on it your life gets provably worse. You are cut out from a lot of your social circle.

Having walled-garden social networks is anti-competitive by design.

Unfortunately legislators turn a blind eye to this.

>Nobody with power wants it.

Or is too influenced by big technopoly lobbying dollars.

“most people haven't read the Facebook terms of service and it is probably unreasonable to expect everyone to not only read them”

I completely disagree with this thought process. If a website is asking your birthday, every like / dislike , every detail about relatives and is able to predict if you like someone even before you do .. you better know how they will use all this data.

Strictly speaking you're correct, but you're describing the should rather than the is. There are too many overly-long ToSes written in arcane legalese to do mundane things like use a website or play a game for the average person to comprehend even the fist time for everything they use, let alone keeping up with the changes and their implications.

To coin a meme: "Ain't nobody got time for that"

On the other hand consent given once does not imply giving consent forever.

For those who have signed up. What about "shadow profiles"?

It seems that the term "shadow profile" refers to a feature where Facebook retains contact information uploaded by other users in order to recommend them as friends if/when you create a profile [1]. For all the fear associated with the term, that's pretty benign. Is there any evidence for a link between these "profiles" and some of the more egregious claims of privacy infringement?

[1] https://www.zdnet.com/article/firm-facebooks-shadow-profiles...

For privacy advocates the simple act of linking people that way is worrying enough. Not much of a concern for me (my government's creepiness is vastly overshadowed by its incompetence) but it could certainly be dangerous to free thinkers in certain regimes.

I find it hard to believe that they can't associate more information with those profiles than just who has who else as a contact (or has in the past), some derived/guessed and some from purchasing access to other data-sets, and I find impossible to believe that they won't if they can. Not just FB but other purveyors of advert targetting stalkerdom too. This isn't "don't trust the man" foil-hat paranoia - knowing as much as possible about as many people as possible is their well documented business model.

And of course, the shadow profiles would have had names, email addresses, phone numbers, and linkages that could help answer questions like "mother's maiden name". If shadow profiles were included in the recent huge leak then people who had not ever touched nor wanted to touch facebook, may have just become easier social engineering targets.

Terms and conditions which would have a hard time holding up in court without a signature and witness. Maybe things will change in the future since my own bank does this for online agreements as well as a few government agencies but those do have more stringent KYC rules for online verification.

They track you even without an account, so no not everyone agreed to their terms and conditions.

Can Facebook legitimately pivot into any other service/product and still make money? It seems like they're always going to be at odds with privacy/public trust.

One one hand, it is extremely sad to see talented engineers at Google/FB work hard on products designed to spy on people, but OTOH, I suppose it could be far worse if these were companies who simply sold our data.

as a ~40yr old it feels like the greatest disappointment of my generation is that most of our brain power went towards making better spyware, click tracking, etc, all in the name of maximizing ad revenue and click through.

I think there are several parallels in other industries - financial, pharma, etc. Very smart people, working on products that are (on some axis) detrimental to our society (or at-least one vision of what a society should look like).

Went from designing stupid stuff like cheap audio IC's which meant any teenager with a part time job could afford a bitchin stereo. To designing cool stuff like a wiget that disables a single mother's car when she's a day late on her car payment!!!

Who is the employer so I can avoid working for, or doing business, with them?

You say that car thing like it's bad. Instant enforcement of debt is good for both the lender and borrower. It stops people getting trapped deeper and deeper in debt. A lot like pre-pay phone/power/etc. Your life isn't ruined because you stopped paying, just inconvenienced for a few days.

Would it be worse? A big part of what companies like FB and Google do is get people "hooked" (A good book on this very topic) on sharing that data. In effect willingly revealing more and more data about themselves. If it were simply being sold I don't think people would divulge as much information.

Agreed. If entity A makes billions of dollars by selling everything they know about you, and entity B makes billions of dollars by merely knowing everything they know about you, I much prefer entity A. Entity B and its investors terrify me with the confidence they have in the future returns on that knowledge.

So you’d rather me be able to purchase information about everything you’ve done, down to your gps location from five minutes ago? Even “anonymized” data is trivially easy to de-anonymize with publicly available information. It makes me shudder to think how many apps (like weather channel) are on everyone’s phones that allow companies to sell your current location to the highest bidder. It’s shockingly pervasive.

If you can purchase it then so can I, so yes, I would absolutely prefer that. Better than Facebook building up a totally proprietary information hoard. If Facebook knows it, I consider it lost anyway.

Quite true, it is their business model. There are so many talented engineers using their great talent on ways to gather advertising data. I wonder what will happen when their business model is no longer viable? Do they then begin the pivot of selling our data to anyone?

The Facebook Portal seemed like an attempt to make a product less dependent on ad revenue; unfortunately, the fundamental nature of it made people really distrustful of it. This is also why I'm closely watching what they do with Oculus.

Any EU authorities out there reading this?

Color me surprised. I kept hoping that with one of these privacy leaks, or any of the other atrocities that FB has committed, it would've triggered the beginning of their demise...but nope. Their stock prices just keep rising, and people continue to use the platform.

... and people continue to use the platform

I imagine that the number of people who even hear or read about these privacy leaks represent a minuscule fraction of the user base.

And of those that are aware of these leaks, a small fraction are concerned about internet privacy.

People are addicted and enjoy it too much. I have family members who spend all day posting memes, pictures, comments, etc. The only way I see FB failing is if something better comes along that can replace it.

Is there a browser plugin or something that filters Facebook-related posts from HN? We get it, they don't respect your privacy, but seeing the same content voted to the frontpage multiple times a day is getting exceptionally tiring.

well this is not a surprise at all. I am pretty sure facebook engineers have outright said the system does not have the capability to delete anything. Their claim was that deleting things "is hard"... id bet that scaling to keep everything forever is much harder.

Wouldn't be surprised if they haven't even written the code to actually delete stuff.

They will mouth some words about "our high availability data replication and backups are not designed to delete information instantly". Meanwhile, their metric ton of machine learning has already been loaded up with your behavioral traces and cannot be unlearned. It'll still predict your behavior well enough to target ads, even if the raw trace of what you did is gone.

Wouldn't you say the "right to be forgotten" includes deleting the weights and biases that have been accumulated for a person?

Absolutely, everything needs to go.

I totally agree. But they can't do that. Or at least, it's hard. And they'll lie about it being impossible.

Given how they and companies like them behave, how they drag their feet and stall all the time, I am not surprised.

I suspect Facebook is too useful as an intelligence and surveillance tool to lead to some kind of meaningful legislation, penalties, whatever. If you can delete your data, then you can hide your tracks. Also, even if we assume that the US at least has in its favor a cultural apprehension toward surveillance, China doesn't, so you'll have a situation where a country is monitoring everything to death while you don't know what's going on. At least that might be the thinking. If that is so, I cannot imagine any realistic solutions. A race toward the bottom. You would need to ween people off Facebook, to cause them to leave the platform in droves. The only way to do that is to offer something better and that something would need to have privacy "built-in" in some way and either remain profitable or decentralized.

actually, that was the situation at one point. Facebook never wrote the code to delete things from their CDN.. so if you deleted your photo from your profile or album or whatever but someone else still had a link then that photo was still available.

I assume that's changed since 2010 - https://www.zdnet.com/article/facebook-does-not-erase-user-d...

Similarly if you try to delete your Facebook account, the only option is "Deactivate Account". Or at least it was for me. They don't give a whoot- until their bottom line losses reflects the damage they cause.

I've noticed when deleting reactions from my activity history, that after they appear to be all gone if I wait a few days more pops up. It is like impossible to remove them all.

The most surprising thing may be that people are surprised.

I once worked with a guy who said "I don't know how Facebook can even be making money, like they don't charge for anything." Seriously.

Granted, this was a decade ago but even then all of us tried not to laugh and I just said something along the lines of "Do you know how they have ads for wedding venues right after you were engaged? That's how."

I tried to see my data... all i gotta say is "WWWWTTTFFF!!!!" <--- who knew all of this existed!

it's funny how when you open an article criticizing how Facebook tracks you the first thing you have to do is go through 70 pages to tell the site you're reading the article on to not track you.

The fucking article even mentions how many trackers are on Gizmodo, and then says "BUT THATS NORMAL ITS ON EVERY SITE YOU GO TO!" The author writes a piece and shits all over Facebook, and then goes on to minimize it when it comes to them doing it.

The author has absolutely 0 control over that.

Directions on analytics come from the "serious, business-minded" end of the company. That is true for every [major] journalism outlet. It's always been true.

Don't put that on the writers to resolve. Unless they have the resources to found their own competitor, they're as much at the mercy of the whims of the company heads as the readers are.

Even the development staff have little to no say about it. Inclusions of those kinds of things are at the behest of sales/marketing and management/executive. There is less crossover between those groups and the editorial staff than many people have decided to believe, no matter how often they're reminded.

If you ask me, the writer is doing plenty and they're doing exactly what is in their power to do: write about it.

Frankly, it seems like a modern miracle that a publication will produce editorial pieces that are so self-critical. I think it speaks to a healthy journalistic environment in general, even if the business practices need an overhaul.

uBlock has a blocklist for cookie notices and other annoyances. Turning it off feels like watching cable TV after a decade of Netflix.

It's crazy that we need to go through so much crap (tracking, cookie notices, ads, newsletter prompts, SEO keyword soup) to get the simplest answers.

The website I run is deliberately annoyance-free. I see it as a competitive advantage.

There's also a Firefox extension called "I don't care about cookies"

You can use their blocklist with uBlock Origin. It's a great extension but it wasn't available on Firefox for Android. Maybe that changed.

Which blacklist is this?

There's a few of them, labelled "annoyances". You can also subscribe to I Don't Care About Cookies' list.

Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact