100 comments

[ 3.2 ms ] story [ 235 ms ] thread
"But 'Download Your Data' hardly tells you everything Facebook knows about you. Among the information not included:

- information Facebook collects about your browsing history;

- information Facebook collects about the apps you visit and your activity within those apps;

- the advertisers who uploaded your contact information to Facebook more than two months earlier;

- ads that you interacted with more than two months prior.

Download Your Data is particularly spotty when it comes to the information Facebook taps to display ads."

---

TL; DR When you get too close to their business model, Facebook clams up.

- the data that Facebook collected about you from various other sources, e.g., data brokers

Mr. Zuckerberg and other Facebook staff assert: "We do not sell data."

Does Facebook acquire/purchase data about people from other sources, e.g., data brokers, and then combine it with (a) the highly personal data people voluntarily submit to Facebook and (b) the highly personal behavioural data people consent to allow Facebook to collect from their use of the Facebook website, Facebook app, and websites hosting Facebook anchors.

Is Facebook allowing users to download all the data Facebook has on them?

(comment deleted)
PSA: Facebook looks at what websites you visit in an incognito window, provided that the incognito window is open the same time as a regular browser.
How does it do this?
Apparently, incognito mode uses the same temporary cookies folder as regular chrome, so FB looks at this folder if incognito is open in one window while FB is being used in another.
Are you sure about that? Wouldn't it mean that all third party trackers could continue to track you while in incognito mode? How could it be called incognito mode if sites can still read your non-incognito cookies?
I'm 95% confident. And yes, I think it does mean that. The trackers have to be active in a non-incognito window for it to work. It reads the shared temporary cookie folder.
If incognito mode is that broken in Chrome, and still allows sites that are open in normal tabs to track you, that would be very newsworthy.
agreed
I had to know the answer, so I wrote a quick script to test it. It appears that incognito windows can't read cookies from normal windows. I've linked to the source code there. If I've missed anything, let me know.

https://cookiechecker.netlify.com/

So cool that you built that!

Here's what Google says about cookies in incognito mode: "If you use Chrome in incognito mode (or in guest mode on Chrome OS), it will not transmit any pre-existing cookies to sites that you visit. Sites may deposit new cookies on your system while you are in these modes; these cookies will only be temporarily stored and transmitted to sites while you remain in incognito / guest mode. They will be deleted when you close the browser, close all open incognito windows or exit guest mode." Source: https://www.google.com/chrome/browser/privacy/archive/201408...

I first noticed that FB might be able to detect sites you visit while in incognito mode when I noticed that I was personally being retargeted by sites I visited in incognito mode while on Facebook. Here's an interesting quora thread I found while looking into it: "Also the cookies act too important role here. Cookies during Incognito Mode are saved in temporary folder, and they get purged after session ends. But when browsing Facebook and Google in the same session, they both share same cookies folder and cookies help to send tailored ads to users." https://www.quora.com/Im-using-Incognito-mode-for-Google-sea...

Curious for your take.

"It appears that incognito window can't read from cookies from normal windows."

To be clear, the claim I'm making is that normal windows can read cookies from incognito windows.

A simple test suggests otherwise, using Gruez's recipe above but swapping the private and non-private windows.

There are potential information leaks, such as the combination of IP address, user agent, screen size, and fonts available. And there may be bugs in 3rd party plugins like Flash that fail to respect private mode. But it doesn't seem to be anything as simple as cookies being shared.

Thanks. If they're not using the temporary cookies folder, I'm curious how Facebook shows ads based on incognito browsing. Some form of device fingerprinting?
I’m thinking, GDPR is not live yet. They might expand the type of data they export in a month.
In theory, GDPR doesn't change very much in this area. Data subjects already had similar rights to access personal data about them under existing law in much of the EU. The potential fines for non-compliance may be much bigger, though. There is also some expansion in what constitutes personal data under the GDPR, which might be relevant if we're talking about areas where you could have tried to argue they didn't count before but they're going to be explicitly covered in the new scheme.
In case, anyone is wondering how to get to the "Your Categories" option on Facebook. Go to Settings -> Ads and the tab will appear.

I have always been paranoid about sharing information on social media. So, this section has only Facebook access information - 4G, Ipad etc. Couple of categories are even incorrect.

This 'Download Your Data' tool is highlighted every few years when ire toward facebook is renewed, but while appealing it's never seemed more than table scraps to me looking at the data.

Even without looking, the idea that a data broker would just willingly give us all the information it has is unbelievable. The scale is so large, how would you even know?

They don't have a choice under GDPR.
To what extent will GDPR require them to include the information they have to serve and target you ads? Does anyone even know yet?
Not only will it require them to include the info they're using to target you with ads, but also their source for that info (if it wasn't submitted by the user itself), the existence of automated-decision making, and "meaningful information about the logic involved".

https://gdpr-info.eu/art-15-gdpr/

That's yet to be seen. Can you imagine the ire when Europeans are able to download a rich set of information on how they're being tracked and so on, whereas Americans and the rest of the world has no access to that information? I can't. What is more probable is tha FB will try a legal trick claiming they are an American company and they follow the laws of California, not EU, even if they gladly accept European advertisers's money via Ireland.
> What is more probable is tha FB will try a legal trick claiming they are an American company and they follow the laws of California, not EU

This would be an enormously stupid move. It guarantees not only failure but an acidic backlash.

"What is more probable is tha FB will try a legal trick claiming they are an American company and they follow the laws of California, not EU, even if they gladly accept European advertisers's money via Ireland"

That is specifically not possible under GDPR. It doesn't matter where your company sits, if you store data from europeans (or people living in europe) you have to follow the GDPR with potential for severe punishment. There really is no loophole afaik.

> ... if you store data from europeans (or people living in europe) you have to follow the GDPR ...

Does that mean the company has to follow it even for non-European users?

No. For all users within EU it must follow the GDPR. If you are a US citizen and access FB from EU, they must follow the GDPR, as far as I understand it.

And being FB, they really do not have a choice, since the EU do have leverage over them because they're doing business here.

I live in the EU. If I'm your "customer" (as in, you store my personally identifiable data), you have to comply with GDPR, regardless of where your company is.

Hope that simplifies things.

(comment deleted)
How can the EU punish a business with no EU location? An American company is not bound by another countries laws
If you do business within a country and that country rules against you, they can certainly stop you doing business within that country.

They can also file a case in the country that you do belong you to get you to pay your fines in the original country. This sometimes works.

A company is bound by the laws of every country it does business in under threat of not being able to continue doing business there.
This is why FB has moved data for 1.5b users back to the USA
Has there been any conversation on HN regarding what this move achieves? I cannot see any clear benefit with regards to GDPR.
It's so the non-EU users won't have any rights under the GDPR. All non-US users were officially being served by Facebook Ireland instead of Facebook US, which would have put them under GDPR too (like India, Australia, etc.).

The discussion is here:

https://news.ycombinator.com/item?id=16872542

I don't see it in a quick scan, but I wonder if that means all the revenue from those countries will no longer be shielded from US taxes, which might indicate how seriously FB see the GDPR as a threat.

EDIT: pdkl95 mentions in another comment, they claim it doesn't.

According to Reuters[1], "Facebook said the latest change does not have tax implications." If they are still paying taxes through Ireland for the profit they make off those 1.5b users, they seem to be choosing to EU jurisdiction (which would include the GDPR) regardless of any contract of adhesion they forced users "agree" to.

[1] https://www.reuters.com/article/us-facebook-privacy-eu-exclu...

Facebook could have made a startegic decision to permanently repatriate profits based on US tax law changes before making the GDPR decision, which would make the GDPR decision tax-consequence free.
It's the 1.5b non-EU users who were legally treated as customers of Facebook Ireland subsidiary.

This is an indication that they won't apply GDPR globally (for users in e.g. India or Brazil), but they don't have a choice for the EU users.

They don't have a choice under existing data protection legislation in much of the EU either, but that doesn't appear to have stopped them.
GDPR's right to portability only extends to things you provide directly, or are collected on the basis of explicit consent, or wmthings which are required to fulfill a service or contract, like status and photos. There are explicit exclusions for a lot of things like things collected in service of antifraud & security efforts, and for things collected offline (IIRC), leaving a big set of holes that they can hide quite a bit.

They're also not allowed to infringe on the data rights of other users which is why the friends list export is so anemic, for example.

Not covered here: it does not really export your social graph. Just a list of names. No way to easily import that into contacts etc. This is making quitting Facebook time-consuming, but I'm getting there.

Similarly with birthdays, although it's quite easy to work around that via their calendar link.

> No way to easily import that into contacts etc. This is making quitting Facebook time-consuming, but I'm getting there.

Also, IIRC, all the photos are resized smaller and recompressed, while the full-res versions are still accessible through the Facebook website. This also makes it harder to quit if 1) you don't have the original photos and 2) don't want to live with the unnecessary sacrifice of quality.

Facebook really ought to include the best versions it has of the data you've uploaded, even if it makes the archive size enormous. The option to shrink things should be a non-default option only, since the download might be a prelude to an irreversible account deletion.

> since the download might be a prelude to an irreversible account deletion.

Is it not one of their aims to make it always reversible?

An important omission is the data that Facebook collected on you using browser fingerprinting.

Since a fingerprint is like a hash, it is theoretically impossible for Facebook to determine if the data really belongs to you, or to someone else who happened to have the same browser fingerprint.

This means that if Facebook is legally obliged to offer a complete user data download, then the practice of fingerprinting is illegal.

Do they really have to use browser fingerprinting? With everyone giving them everything they want hey have no reason to use more complex tehchniques.
That assumes that they collect such finger prints
I don't think fingerprinting in the interesting target here -- it's whether anything derived from somoene's data is part of their data and if so where the boundaries are.

* Can I use differential privacy? Can a user request a correction to such a dataset?

* If I train a ML model on some user data what responsibility do I have with acquisition or deletion?

* Can I anonymize my data-sets?

* How do I handle aggregate statistics?

Funny that the website is entirely unusable for me unless I turn off ghostery.
Well, not very surprising
Thought experiment: if after 5/25, I download my data, then revoke consent and delete my account, then a while later reactivate my account and log back in -- if any of my previous personal data is tied to my "new" account, have I proven that my personal data wasn't entirely deleted since Facebook could still uniquely identify me?
Yes. I'm waiting to delete my account until after the 25th because:

* There's slightly more of a chance they'll actually delete my data

* If they don't, I'll be entitled to be a part of any class-action.

Same, and I'll be encouraging others to do so.
What timezone are we using for this? Is it midnight Zulu on the 25th, the 26th?
Why not just wait till the 27th?
FFS, just delete it on 27
Sorry, I'm not hip to most of this stuff. I just thought it would be a fun event. Perhaps it's already on the social media calendar, complete with a cat logo?
Will that be a possibility for people who are not from USA?

I had deleted (not deactivated) my account ~4 months ago and they were supposed to delete everything after 14 days but I have a feeling they didn't.

What do you mean not from USA? The legislation going into action May 25 is GDPR which applies to those in EU
Yeah, this comment thread is strange.

Most eu Nations don't have anything like a class action suit...

This is confusing me as well about this subthread.
> If they don't, I'll be entitled to be a part of any class-action.

I am absolutely shocked to discover that Facebook doesn't have a class action waiver in their terms.

Would it be enforceable?
Good question. Yahoo/Verizon put one in, and Google did too last week. EDIT to say: Well, I came across Google's last week. I don't really know when they put it in.
I recently received an email with subject "Alan, please accept our updated Terms by May 25 to continue using Facebook".

Currently I haven't done anything in response to it. I don't want my account but it's not clear what happens should I not accept. Does my account get deleted, or does it just get put in purgatory? Should I login and just delete after the 25th?

>"Thought experiment: if after 5/25, I download my data, then revoke consent and delete my account, then a while later reactivate my account and log back in ..."

If you actually delete your account you won't be able to reactivate it. There is an option to deactivate it but then all of your personal data is preserved anyway.

If you delete your account, only your data is erased, not your "ghost profile".

I don't know if it is the official term but your ghost is all the data Facebook has about you that doesn't come from you. For example, friends can talk about you and even tag you even if you never touched Facebook. It means that if you are the only one within your group of friends not using Facebook, they already know pretty much everything they need to know.

If you delete your account, unless all your friends do the same, your ghost won't disappear, and it can be easily reconnected if you create a new account.

> If you delete your account, only your data is erased, not your "ghost profile". I don't know if it is the official term but your ghost is all the data Facebook has about you that doesn't come from you.

It is not the official term, because Zuck is shocked—shocked!—at the term:

> Lujan: So these are called shadow profiles, is that what they’ve been referred to by some?

> Zuckerberg: Congressman, I’m not, I’m not familiar with that.

(https://techcrunch.com/2018/04/11/facebook-shadow-profiles-h...).

(OK, I realised just after posting that you said 'ghost profile', not 'shadow profile'. Anyway, my snarky point stands that there is no official term for this, because it doesn't officially exist.)

I'd say that assumption would be correct. Otherwise they have access to some serious non-facebook metadata repository! But then again how would they assume it was you without a trace of the former data.
I'm not familiar with FB's APIs...do they allow for programmatic download of your data with the same set as via the manual download tool? Because if they do, then a neat little script - leveraging their API - could be used periodically to download one's data to at least address the issue with 2-month expiration on the ad data.
In my experience it doesn't have your comments, posts, etc in groups.
One thing is clear. If they delete my data upon my request, they do not,for obvious reasons, delete it's contribution to any ML that was trained with it. Also, when deleting data, I wonder whether they delete any derived scores based on my data.
This is a very good point and one that I've been wondering but not seen much discussion of.
> Wikileaks, Julian Assange, and alt-right provocateurs recommend giving it a whirl.

Classic guilt-by-association propaganda technique.

I really can't even figure out what posessed the writer to put that line in there. It has absolutely nothing to do with the story, and kind of comes out of nowhere.
The author linked to Tweets from said individuals who were mentioning the tool. So it's relevant, however a bit odd they chose those specific examples when I'm sure they're are other "celebrities" who also linked to the tool. Maybe the author thought of these people as those most interested in data privacy?
I'm not so sure, considering how their coverage of the DNC lawsuit read like a press release, with zero journalistic objectivity. It treated the currently unproven claims of a civil suit as if it was already assumed fact.[0] It contains this gem of a paragraph:

> The leaks continued steadily from there, as the suit details. Guccifer 2.0 struck again on June 27, June 30, and July 6. On July 22, WikiLeaks took the wheel, releasing nearly 20,000 internal DNC emails. The following day, according to the suit, multiple DNC employees received an email that said: “I hope your children get raped and murdered. I hope your family knows nothing but suffering, torture, and death.”

All evidence suggests, as Wikileaks has maintained, that their emails came from a physical source, and not Guccifer 2.0.

I think there is a larger editorial bias at play at Wired.

[0] https://www.wired.com/story/dnc-lawsuit-reveals-key-details-...

It seemed like both an attempt to associate Assange/Wikileaks with the "alt-right", and an attempt to associate the desire to find out what Facebook has on you with the same.

It felt forced and awkward in the context of the article.

This is how Wired rolls lately, unfortunately. I'm a subscriber and noticed that even innocuous articles frequently attempt a jab at Trump, for example. I really don't understand attempts to politicize all issues, when it's not called for.
How complete is this data? Does it include content like comments?

It'd be nice to download my data and import it into a competing social network.

The irony to see the "Would you like to login using facebook"-popup on the wired article..
There is a potentially disastrous blow to FB's business model in the GDPR that relates to this sort of profiling. It is forbidden under GDPR, unless the user grants explicit consent (opt-in). See [1].

Without this, FB's targeting abilities for ads just evaporates. It is going to be interesting to see how this pans out.

[1] https://ico.org.uk/for-organisations/guide-to-the-general-da...

Despite never enabling location services, Facebook once (briefly) gave me a weather forecast when I was traveling. Spooked me quite a bit.

The best I could figure is that I temporarily enabled access to my camera roll so I could post a few photos (ordinarily I just copy/paste them to keep Facebook out of my photos), and either it scanned the photos' exif data during upload or directly from the roll once I enabled it.

I wasn't remotely surprised to find that particular piece of location data wasn't part of the data download.

Makes me wonder how many "features" considered internally at FB, Google, etc are being scrapped only because it would not be worth the risk of potential backlash by spooked out users even though they have in their possession all the necessary data.
Could just be IP geolocation
Geo IP location is possible but unlikely: the location was very precise and accurate, and I would assume Verizon (wasn't on wifi) wouldn't be handing out IPs with that level of specificity.

Plus it only ever happened that once.

in addition to that, wouldn't it have access to the MAC addresses of the wifi networks around you, and more importantly, be able to do a geo-ip check?
Wouldn't have access to MAC addresses.

Geo IP location is possible but unlikely: the location was very precise and accurate, and I would assume Verizon (wasn't on wifi) wouldn't be handing out IPs with that level of specificity.

Plus it only ever happened that once.

I'm surprised this article does not mention Max Schrems, who requested all data Facebook had on him in 2011:

> He later made a request under the European "right to access" provision for the company's records on him and received a CD containing over 1,200 pages of data, which he published at europe-v-facebook.org with personal information redacted.

(See https://en.wikipedia.org/wiki/Max_Schrems.)

why people still uses facebook ? how much you want to disclose your life to them ?
The zip file Facebook provides doesn't include full resolution photos I uploaded, only heavily compressed low-resolution low-quality previews. Useless.