It's not clear from the text of the post, but I believe most of these features/redesigns have yet to be released -- that is, they aren't in the most recent iOS update, which was yesterday:
> ...we’re taking additional steps in the coming weeks to put people more in control of their privacy. Most of these updates have been in the works for some time, but the events of the past several days underscore their importance.
I guess it's confusing because these updates/steps are talked about in the present tense, e.g. "Some people want to delete things they’ve shared in the past, while others are just curious about the information Facebook has. So we’re introducing Access Your Information..."
Something like, "Expect to see these updates in the coming weeks" would have made things clearer.
I just spent 5 minutes hunting for these new capabilities and figured it was only a change made in the mobile app, which I never install. Figures. It will be interesting to see how/if they surface this via browsers vs. apps
"It’s Time to Make Our Privacy Tools Easier to Find" (just not quite yet!)
I wish they would give more clarity on what 'delete' means. Is it
a) It's deleted from your timeline etc
or
b) It is really deleted from Facebook's servers
If it's a) then that's either a 'hidden' toggle which does not meet GDPR needs. If it's a 'hidden' and do not process further, it is questionable (unless a right to be forgotten is invoked).
Also if it's a) then everything is discoverable by someone with legal authority, even years after you believe you have deleted it.
As U.S. citizen, I'd be interested in hearing how the GDPR enforces an actual delete. I do think it's intentional that Facebook is so vague about what "delete" means; in the given article, there is mention of "delete your Facebook data" and "delete anything from your timeline or profile that you no longer want on Facebook", but nothing about where the data is deleted from.
You can try to argue that the author wants to keep things simple for a general audience. Though a cynic would point out that one of the authors is FB's deputy general counsel, the type of person who we would expect to be incredibly precise and purposeful about wording.
I looked around on the FB support pages for more clarification and this is the best I could find:
> When you delete your account, people won't be able to see it on Facebook. It may take up to 90 days from the beginning of the deletion process to delete all of the things you've posted, like your photos, status updates or other data stored in backup systems. While we are deleting this information, it is inaccessible to other people using Facebook.
Since it is talking about deleting backup/caches, I think it's reasonable to interpret that they mean a complete wipeout. Though I assume there's no guarantee either -- i.e. if FB's deletion process "happens" to not wipe out the cache or do a real wipe, how can we really confirm?
For a non-Facebook example, here's how Google talks about deletion of search activity:
It explains that Google will retain the "meta" of your activity, and also says that the meta will be removed if you delete your account:
"When you use Google products and services, we keep some data with your Google Account, like when and how you use certain features. We keep this data even if you delete activity or other items. For example, if you go to My Activity and delete a search you did on Google, we'll still know that you did a search, but not what you searched for. What you searched for will no longer be stored with your account...We keep this data as long as it's relevant to meet uses like those above. If you delete your account, we remove this data from it."
In addition to that, that data derived from the data you supply (i.e. a trained ML model on your preferences or face) aren't deleted even if they do permanently delete data you've posted.
Whoa, I hadn't considered this at all. This opens a huge can of worms.
How could this even be enforced? If something like the GDPR gave you the ability to request that your data be deleted, would that extend to learned data?
In my opinion, there's no way they could make FB delete that kind of data. How would you even know they had it? It's not like FB would throw out entire trained models or attempt to retrain with everyone else's data, that would never make economic sense.
Could someone with more knowledge of the current data protection laws comment about how|if this is addressed? To me it seems like companies could just process all your data into some derivative and then delete the original data to stay compliant.
I am not a lawyer, but I think that learned or aggregated data should be fine, however hashed identifiable data is not OK. Identifiable data includes IP addresses and mobile device ids.
"What you searched for will no longer be stored with your account...We keep this data as long as it's relevant to meet uses like those above. If you delete your account, we remove this data from it."
I'm still not absolutely certain it is deleted from disk.
Based on what I saw when I worked at FB, deletion means “it is really deleted from Facebook’s servers”. It just takes time for that to propagate across all data centers, get out of all caches, that sort of thing. Naturally, nobody believes this even though it’s true, just like nobody believes that Facebook doesn’t sell user data, even though their very business is based on keeping that data to themselves so they can profit from it through ad targeting.
Some minimal tombstone metadata like “This ID was a post/image” is kept around for things like error messages (“The post you are trying to view is not available. It may have been deleted or you may not have permission to view it.”). There might be exceptions for illegal things (like child pornography) where there’s some obligation to keep the data (or a hash or something) for law enforcement purposes, but I’m not aware of any.
The irony is that this was built so Facebook can be more compliant with GDPR.
They hinted this January that they would release this soon:
> “We’re rolling out a new privacy center globally that will put the core privacy settings for Facebook in one place and make it much easier for people to manage their data,” Sandberg said at a Facebook event in Brussels on Tuesday.
So I guess the takeaway here is that privacy regulation works?
I also just love how they put it in their post:
> People have also told us that information about privacy, security, and ads should be much easier to find.
Really, Facebook? People have just told you that? Are you freaking kidding me? People have been telling you that for a god damn decade. But you chose to ignore it, because you didn't care - until this major scandal was created that forced you to do this. It wasn't because "people told you" and as a company that "always listens to its users" (ha! good one), you decided to actually do that. Come on.
Facebook's tone throughout this entire scandal has been nothing but condescending. And yes, they really do think we're all idiots (as proven by how they responded on every other past screw-up and how they typically come out and lie about it):
Remember how they outright lied about the datr cookie being a "bug" for years, until they finally admitted in a Brussels court that the cookie has always been there on purpose, but as a "security feature" (another lie) ? I do:
Facebook's leadership is full of pathological liars, and they're always looking for another "angle" to get out of the latest scandal and come out ahead. Like how Zuckerberg put out full page ads with his "message" in multiple UK papers, so he doesn't have to go and testify before the committee. Despicable people. I used to think Uber was alone in its own class of evil companies, but Facebook is starting to fit the very same class of companies.
"It's time to <blah blah blah dishonest projection of fake sincerity bullsh*t>"
Whenever I read marketing sentences like this, I can remember sitting in meetings deciding how we were going to lie, but discussing the topic using words to make it seem even to ourselves that deceit wasn't our goal. I often wonder what my life would be like if I'd happened to end up on some sort of a blue collar path where I just did an honest day's work for an honest day's pay, my guess is that I'd be much happier, and most likely better off financially as well.
So glad I only used FB for a few years before deleting my account. I could see this stuff coming from miles away.
It just never ends with FB though. I can't tell what's worse though. Them continually telling their users they care about privacy and then going right back to taking and using people's data for nefarious reasons; or the users who continue to put up with it year after year, scandal after scandal and willing give up their privacy.
Unless that's a blackphone in your pocket[0], you're already giving up enormous amounts of data to a giant megalithic company. If you're doing it for one, is there really any harm in doing it for two?
[0]...I suppose I'm assuming here that somebody who has an account on HN has a smartphone.
Think of it like the prospect of having unprotected sex with a partner. One potential partner has always been faithful, another has had a few slip ups, a few betrayals. Do you see potential relationships with each a little differently?
Of course, a valid followup question is, "Yeah, but has any data-hoovering company in SV been faithful?"
Facebook, if you're reading this, please give me a control that allows me to automatically delete everything I do on Facebook except for the last N days (where N can be freely chosen by the user).
amelius, if you're reading this, don't use platforms that do not respect your privacy. If they didn't respect it yesterday and don't respect it today, what makes you think they'll start respecting it in the future? Quit while you are ahead.
So you're prepared to believe FB will delete your personal data as promised, right? This time, if they promise to play nice, it will be great? What I would believe is a system where data is sent encrypted to the social network and content filtering is happening locally at the end user - in other words, something like the internet.
Too little too late FB. You knew exactly what you were doing when you made them difficult to find in the first place. Now you're sorry because everyone realized it? Get bent. Delete your FB/Whatsapp/Instagram/whatever owned by FB. It's the only fair response.
Anyone who has requested a copy of "your Facebook data" did the data you got include a listing of which websites with embedded "Like" buttons you visited?
Presumably Facebook has this data, for people who are logged in with the same browser at the same time as they visit any page having a Like button. No need to click the button.
The question is whether Facebook is keeping the existence of this data hidden from people who request a copy of the data Facebook has on them.
In 2016, there was a ruckus about Facebook collecting nonmembers viewing habit across the internet, so the answer is yes for my case. As far as I know, as a nonmember, I cannot access my shadow profile unless I join and give them yet more data to invade my privacy.
Rather than live in George Orwell's nightmare, I have resorted to spending my time blocking their tracking at the dns request level on my router for all my devices. The great thing is you can block a bunch of other trackers and spyware as well.
This is even more highly disturbing and problematic. How do I prove it's me? How do they keep other people from impersonating my "shadow" and downloading my data w/o my knowledge?
Face book needs to delete all nonmember data now. My solution is to block everything they do via dns. I blocked 43 requests from my devices this morning alone, and I stay as far away as I can, and yet they tried to access 43 times.
My next tactic is to spook them into thinking I moved to Europe and they risk serious revenue loss if they continue data collection w/o opting in. I will probably get a euro VPN once the law takes effect and see via dns if they still collect.
Yes, but I no longer feed it, and all this blocking speeds my internet substantially. I wonder how many people pay extra to subsidize their own tracking.
There is a lot of information the download did not include. Another example I noticed is your "affinity" for each user. They obviously track how close you are with each friend but didn't include that.
FB seems to be using these tools as an engagement hook, ie. find the users they know are not engaged or lurking then lure them in with targeted emails about face recognition and privacy features. They probably love all the publicity as it gets people back in app to configure their privacy settings. I also suspect that the privacy settings' backends are 'being figured out' and users are just turning knobs that aren't connected to anything.
I find it somewhere between amusing and disingenuous that their call to action doesn't link to the tools they are trying to promote.
The only links in the article body are to a post from Zuckerberg and to "Ad preferences" - nothing about how to get to the new-and-improved privacy tools.
"Today Facebook finally started to roll out a new set of privacy controls. These tools, many months in the making, are designed to help simplify the site's notoriously confusing privacy options. But alongside them Facebook is also rolling out a "Transition Tool" that promotes Everyone updates as the new default. In other words, Facebook is giving up its reputation as a `private' social network - where the default is to restrict access to everything that is shared - in favor of something that can challenge Twitter head on."
...
"If you delete "everyone" content that you posted on Facebook, we will remove it from your Facebook profile, but have no control over its use outside of Facebook."
51 comments
[ 4.4 ms ] story [ 98.5 ms ] thread> ...we’re taking additional steps in the coming weeks to put people more in control of their privacy. Most of these updates have been in the works for some time, but the events of the past several days underscore their importance.
I guess it's confusing because these updates/steps are talked about in the present tense, e.g. "Some people want to delete things they’ve shared in the past, while others are just curious about the information Facebook has. So we’re introducing Access Your Information..."
Something like, "Expect to see these updates in the coming weeks" would have made things clearer.
"It’s Time to Make Our Privacy Tools Easier to Find" (just not quite yet!)
If it's a) then that's either a 'hidden' toggle which does not meet GDPR needs. If it's a 'hidden' and do not process further, it is questionable (unless a right to be forgotten is invoked).
Also if it's a) then everything is discoverable by someone with legal authority, even years after you believe you have deleted it.
You can try to argue that the author wants to keep things simple for a general audience. Though a cynic would point out that one of the authors is FB's deputy general counsel, the type of person who we would expect to be incredibly precise and purposeful about wording.
I looked around on the FB support pages for more clarification and this is the best I could find:
https://www.facebook.com/help/224562897555674/
> When you delete your account, people won't be able to see it on Facebook. It may take up to 90 days from the beginning of the deletion process to delete all of the things you've posted, like your photos, status updates or other data stored in backup systems. While we are deleting this information, it is inaccessible to other people using Facebook.
Since it is talking about deleting backup/caches, I think it's reasonable to interpret that they mean a complete wipeout. Though I assume there's no guarantee either -- i.e. if FB's deletion process "happens" to not wipe out the cache or do a real wipe, how can we really confirm?
For a non-Facebook example, here's how Google talks about deletion of search activity:
https://support.google.com/accounts/answer/465
It explains that Google will retain the "meta" of your activity, and also says that the meta will be removed if you delete your account:
"When you use Google products and services, we keep some data with your Google Account, like when and how you use certain features. We keep this data even if you delete activity or other items. For example, if you go to My Activity and delete a search you did on Google, we'll still know that you did a search, but not what you searched for. What you searched for will no longer be stored with your account...We keep this data as long as it's relevant to meet uses like those above. If you delete your account, we remove this data from it."
How could this even be enforced? If something like the GDPR gave you the ability to request that your data be deleted, would that extend to learned data?
In my opinion, there's no way they could make FB delete that kind of data. How would you even know they had it? It's not like FB would throw out entire trained models or attempt to retrain with everyone else's data, that would never make economic sense.
Could someone with more knowledge of the current data protection laws comment about how|if this is addressed? To me it seems like companies could just process all your data into some derivative and then delete the original data to stay compliant.
I'm still not absolutely certain it is deleted from disk.
If it is recoverable, then it falls into the ominous term: Pseudonymous : https://www.wsgrdataadvisor.com/2015/09/personal-data-anonym...
Some minimal tombstone metadata like “This ID was a post/image” is kept around for things like error messages (“The post you are trying to view is not available. It may have been deleted or you may not have permission to view it.”). There might be exceptions for illegal things (like child pornography) where there’s some obligation to keep the data (or a hash or something) for law enforcement purposes, but I’m not aware of any.
They hinted this January that they would release this soon:
> “We’re rolling out a new privacy center globally that will put the core privacy settings for Facebook in one place and make it much easier for people to manage their data,” Sandberg said at a Facebook event in Brussels on Tuesday.
https://www.reuters.com/article/us-facebook-sandberg-privacy...
So I guess the takeaway here is that privacy regulation works?
I also just love how they put it in their post:
> People have also told us that information about privacy, security, and ads should be much easier to find.
Really, Facebook? People have just told you that? Are you freaking kidding me? People have been telling you that for a god damn decade. But you chose to ignore it, because you didn't care - until this major scandal was created that forced you to do this. It wasn't because "people told you" and as a company that "always listens to its users" (ha! good one), you decided to actually do that. Come on.
Facebook's tone throughout this entire scandal has been nothing but condescending. And yes, they really do think we're all idiots (as proven by how they responded on every other past screw-up and how they typically come out and lie about it):
https://mondaynote.com/mark-zuckerberg-thinks-were-idiots-63...
Remember how they outright lied about the datr cookie being a "bug" for years, until they finally admitted in a Brussels court that the cookie has always been there on purpose, but as a "security feature" (another lie) ? I do:
https://www.propublica.org/article/its-complicated-facebooks...
Facebook's leadership is full of pathological liars, and they're always looking for another "angle" to get out of the latest scandal and come out ahead. Like how Zuckerberg put out full page ads with his "message" in multiple UK papers, so he doesn't have to go and testify before the committee. Despicable people. I used to think Uber was alone in its own class of evil companies, but Facebook is starting to fit the very same class of companies.
Whenever I read marketing sentences like this, I can remember sitting in meetings deciding how we were going to lie, but discussing the topic using words to make it seem even to ourselves that deceit wasn't our goal. I often wonder what my life would be like if I'd happened to end up on some sort of a blue collar path where I just did an honest day's work for an honest day's pay, my guess is that I'd be much happier, and most likely better off financially as well.
It just never ends with FB though. I can't tell what's worse though. Them continually telling their users they care about privacy and then going right back to taking and using people's data for nefarious reasons; or the users who continue to put up with it year after year, scandal after scandal and willing give up their privacy.
[0]...I suppose I'm assuming here that somebody who has an account on HN has a smartphone.
Think of it like the prospect of having unprotected sex with a partner. One potential partner has always been faithful, another has had a few slip ups, a few betrayals. Do you see potential relationships with each a little differently?
Of course, a valid followup question is, "Yeah, but has any data-hoovering company in SV been faithful?"
CopperheadOS:https://copperhead.co/android/
So you're prepared to believe FB will delete your personal data as promised, right? This time, if they promise to play nice, it will be great? What I would believe is a system where data is sent encrypted to the social network and content filtering is happening locally at the end user - in other words, something like the internet.
I understand this adds nothing to this conversation, I understand HN doesn't like this type of comment.
But this made my day
Have you done it yet?
Presumably Facebook has this data, for people who are logged in with the same browser at the same time as they visit any page having a Like button. No need to click the button.
The question is whether Facebook is keeping the existence of this data hidden from people who request a copy of the data Facebook has on them.
Rather than live in George Orwell's nightmare, I have resorted to spending my time blocking their tracking at the dns request level on my router for all my devices. The great thing is you can block a bunch of other trackers and spyware as well.
Face book needs to delete all nonmember data now. My solution is to block everything they do via dns. I blocked 43 requests from my devices this morning alone, and I stay as far away as I can, and yet they tried to access 43 times.
My next tactic is to spook them into thinking I moved to Europe and they risk serious revenue loss if they continue data collection w/o opting in. I will probably get a euro VPN once the law takes effect and see via dns if they still collect.
All in all, this is a great talk, I highly recommend you watch from start.
The only links in the article body are to a post from Zuckerberg and to "Ad preferences" - nothing about how to get to the new-and-improved privacy tools.
Make the dissidents tag themselves as such.
...
"If you delete "everyone" content that you posted on Facebook, we will remove it from your Facebook profile, but have no control over its use outside of Facebook."
Source: https://beta.techcrunch.com/2009/12/09/facebook-privacy/