Ask HN: Invited by Facebook for privacy roundtable. What questions should I ask?

261 points by AdriaanvRossum ↗ HN
This Thursday I'm invited to a privacy roundtable with Facebook Legal and Privacy Policy teams in Amsterdam. The round table will be with other entrepreneurs and experts in the privacy field. I'm invited because I'm the founder of Simple Analytics - a privacy friendly analytics SaaS business [1] - and critical about Facebook on Twitter [2].

Some people advised me not to go there because it would only do harm to my name and brand, but I think I should. The Facebook teams are going to give a presentation with some new plans where they want feedback on. For internal push back they need critical people from outside Facebook, which I'm happy to contribute for.

To make it more interesting for the outside world I'm going to ask a few questions for Facebook in general (privacy wise). And that's where I need some help. What questions do you want answers for from Facebook?

Facebook agreed I could use the answers outside of the meeting (with the exception of sharing from non-Facebook attendances).

[1] https://simpleanalytics.com

[2] https://twitter.com/adriaanvrossum

180 comments

[ 2.8 ms ] story [ 211 ms ] thread
Ask which one person at FB is held ultimately accountable for privacy, by whom, and how they measure it.
Thanks. That would be interesting to know. One thing; what do you mean with measure it?
If they’re holding someone accountable, how do they determine whether that person is being effective?
> One thing; what do you mean with measure it?

Come PSC (Performance Summary Cycle) time, how do they justify a "Meets All" or "Exceeds" evaluation?

Only aiding and abetting one genocide this year would be a 50% improvement over last year!
Oh, also? Perhaps ask how that person is empowered and included in decision making?
Any info on shadow profiles you could get would be very valuable.
Yes, will definitely ask about that.
I'm not so hopeful. I explained here why: https://news.ycombinator.com/item?id=20390678
I agree. I also don't think it's useful to use the term as Zuck explicitly evaded answering to that. What is more useful would be the answer to the question how easy for them is to aggregate information about a person not using FB and whether this information is used in any way (I have no hope of hearing any meaningful answer to that, but it can be amusing to see how they evade it).
I'd assume the Legal and Privacy Policy teams can't give you answers about strategy from their C-level other than what they've already made public through vague statements. So I wouldn't get angry if I couldn't get anything useful from them.

You could ask if they plan to let users know exactly (and be able to opt out) where their data will end up (internal only, 3rd-parties, which ones? Could you select purpose?).

And of course, GDPR globally.

The one privacy control that everybody is waiting for is: automatically delete all my activity data older than N days, where N can be specified by the user.

Why isn't it implemented yet?

While allowing them to specify a minimum and/or incremental value for N. They're a business after all, and our data is their value. I'd be happy with that compromise.
I expect minimal value of N to be either sky high, or decent..with plenty of exceptions written in ToS so that it dosen't do anything - just like most 'out out' forms in other sites that always 'fail' to deliver your opt out.
Agreed, I severely doubt knowing decades old minutiae helps them sell products.
(comment deleted)
1. How can one find out about their shadow profiles that have been created by FB?

2. How can they delete the data associated with the above?

3. Info on how they group personal data from WhatsApp, FB and Instagram

4. Who do they share such data with?

5. Who within FB is responsible for privacy policies, etc.?

> 1. How can one find out about their shadow profiles that have been created by FB?

I feel like this is a misguided notion. Facebook doesn't need to create "shadow profiles" for anybody to achieve the same effect: they can just pull together the data on-demand (e.g. say when you create an account, they could scan others' contact lists for a match for your name), without aggregating them together into a 'profile' beforehand. Unless you really intend to ignore that possibility (which I doubt, given the effect would be exactly the same), you probably want to approach it differently than talking about 'shadow profiles'.

For some data, this might be true. But, for example, where is my browsing history stored, which is undoubtedly collected by FB through their social sharing buttons even if I don't have an account? Or any other drive-by data that is collected through third-party apps, websites or whatever and send back to FB. It wouldn't make any sense to store my browsing history somewhere else than in a shadow profile.
No, it actually doesn’t make sense to store it in any kind of profile.

You are right that some fly by data might end up in a server log somewhere but those aren’t kept around for long...if they are kept at all at Facebook scales

Storing and computing data is very expensive and risky at FB scale so they will only keep around what they actually need for as long as they need it. Meaning that data gets send to the server, gets aggregated and then deleted.

An exception of course is content generated by users such as a newsfeed post, as is the nature of the product that content stays around until users delete it

(comment deleted)
I have my doubts that storing compressed plaintext is expensive for a company that makes, what, 13 billion a year in profit or something like that? Their business is data. The more data they have, the more profit they can generate. The browsing history reveals a lot about humans. Storing it makes sense imho.
> This Thursday I'm invited to a privacy roundtable with Facebook Legal and Privacy Policy teams

On 5, I would hazard that it's those teams. Of course, the buck stops at zuck.

>1. How can one find out about their shadow profiles that have been created by FB?

Funny how this question always seems to generate distracting and misdirecting responses.

The simple fact that detractors seem unwilling to address is that FB and countless other internet advertisers are stalking billions of unaware people on a micro level using all sorts of shady and opaque techniques and compiling the most detailed psychological profiles on the most number of people in history.

The public has only just begun to contemplate the massive national security and mental health problems that this mass stalking and manipulation creates.

What prevents them from publishing an explanation of what they do with their users private data in language understandable by their average users?
What about their current privacy policy do you find hard to understand?
Bit late, but not me. The average user. I think the average user still doesn’t understand how and to what extent their data is analyzed for the ultimate purpose of discovering details about the user which the user did not reveal — for the purposes of advertisements.
I would ask a more generic question.

What's the right level of control users should have over their data?

Then as a follow up I would ask what's keeping Facebook from implementing those controls.

Unless this was already covered in an acceptable way after the Cambridge Analytica f*ckup (I haven't followed what actions Facebook took afterwards to address the issue), I would also ask about what are they doing about policing bad actors, companies trawling or leaking users' private information or abusing it. How are they going to better prevent that in the future. Once it's outside of Facebook they've already lost control of the situation.

Will they honor GDPR related requests? The last I saw, the have some checkbox they require european users to "agree" to in order to continue using FB, which basically waives their GDPR rights.

In addition, you might want to review the questions from when Zuckerberg was in front of the European parliament. The MEPs asked some good questions and Zuck basically weasled out of it. I'd love to see the same questions brought up again.

And also, info about shadow profiles.

GDPR is a good question as I'm not sure they can 'waive' the GDPR rights. There is an ongoing court case in the EU at present.
I'm fairly sure that you can't make "waiving" the rights that the GDPR grants you a condition for using a service.
Privacy lawyer here...you 100% cannot waive your GDPR rights as a condition of the service. In fact your consent can not be a precondition of using the service. Most adtech companies out there will try to rely on legitimate interest as a basis for processing.
they can write whatever they want when asking user to 'waive' GDPR rights.

That isn't legally binding at all.

1. Do your apps upload metadata and/or thumbnails from photos to which they’re permissions to access, but which aren’t explicitly selected by the user for posting/uploading?

2. Do your apps “skim” the contents of device clipboards and send this info off device without user intent to do so?

And one open-ended question to try to gauge how open they’re being about the whole process:

3. What information do you collect that would surprise or upset privacy-conscious individuals?

> “skim”

I feel like if you ask questions where you have to quote your own words like this, you're basically begging them to be interpreted differently than you intend. I'd be crystal clear about what is being asked.

Agreed. It’s almost impossible to construct a question that can’t be talked around if their intent is to deceive. But if that’s their intent then the whole exercise is pointless.

How’s this?

“Do your apps access the contents of device clipboards and send this information or any modified version of this information off the device without explicit user consent to do-so?”

I'd imagine they'd just say "no" to that because almost certainly somewhere in their ToS/PP they got "explicit" consent from you to sell your soul and everything that goes with it.

Remember, all you need to know from them is what they do and when they do it. You don't need or want them to make a judgment call on the legalities or morality or anything else when responding; you can do that yourself later.

To that end, I'd word it like this:

"What are all the situations in which your apps read clipboard contents, and why is it necessary in each case?" (Obviously pasting would be one scenario, to which you'll just nod and move on...)

(And I would ask the same about microphone data, location data, etc. too, not just clipboard contents.)

Well, The big one would be nice: Facebook makes her money from harvesting and selling privacy sensitive data, or at least that is the perception shared by nation states, the EU and the wider audience. For any claim Facebook makes about respecting privacy to have at least face validity she need to show how she is going to make money without violating her users privacy. So how is Facebook going to make money if they need to respect users privacy?

Somewhat more constructive: Facebook seems to have an unhealthy appetite to collect _all_ user data including privacy sensitive information. But lets be fair: She is definitely not the only company on the quest for the Big Data insights, that seem to always be at least one data point away. Does Facebook have information on which data points they really need to make a commercial viable user profile? What data points are privacy sensitive? Is Facebook looking into alternatives for those privacy sensitive data points? If not: can Facebook enumerate those and ask their users for explicit consent to collect those points and ask for explicit consent in the future for any new data points?

Good luck this afternoon. I hope you get some insights.

They need to change their business model to be able to become privacy friendly, I totally agree. Not even sure which huge company is privacy friendly. Maybe it's not even possible at that level. But that doesn't mean you shouldn't.

I will try to ask as much as possible, and really like your questions of what data points are useful and are they privacy sensitive.

Thanks!

Can I ask you to ask a question that's not about their apps?

"I understand many if not all of your employees, and even your interns, are technically capable of accessing at least some data from any user, should they decide to do so against Facebook's will. I also understand the repercussion for this is that they would get fired and potentially sued. However, this is not accepted practice in every company that handle such sensitive data on users' personal lives. Moreover, it is easy to imagine adversaries and targets for which the risk of getting fired and/or sued is easily worth the benefit of obtaining a particular user's private data. How, then, do your security experts, who take security seriously and who surely understand the notion of 'defense in depth', justify that the proper safeguard is an employment/legal threat, and that there should not be a technical barrier preventing interns or other normal employees from accessing any user data?"

Bonus points if you can get them to talk such occurrences, which they almost certainly won't tell you, and why users should trust that they're handling this properly when they're unwilling to report sufficiently precise information on such incidents.

I might highlight that there is significant internal technical barriers to access user data!

And it would be very, very hard to circumvent the protection mechanisms without getting caught!

> there is significant internal technical barriers to access user data

Is this a new thing or has it always been the case? Because I'm pretty sure I've heard otherwise before. (Unless by "technical barrier" you don't mean the same thing I do.)

Also what do you mean by "very hard without getting caught"? Is it like hacking their database from the outside/open internet? Or is it like "they can, but it'll trip fifty alarms" [but they'd still get the data].

1. It’s been in place for a long time now...at least since IPO

2. Yes, it’s like hacking the database from the outside in most cases in others it trips alarms and starts an investigation. It all data is created equal here...but generally speaking PII data is highly guarded

It is not true that Facebook makes its money by selling private data, as you can verify by reading its publicly available earnings reports. It makes its money by selling ads, which it uses private data to target — a completely different thing.
True - bur that doesn’t make their business any more ethical. Users haven’t knowingly given them all that data for that purpose.
That’s a reasonable position to hold but it’s certainly much more likely that reasonable people would disagree than it is that they’d disagree that selling data indiscriminately is wrong.

So criticizing Facebook for the latter (which it doesn’t actually do) is intellectually dishonest.

This is sort of similar to how content owners have muddied the waters of debate by calling copyright infringement stealing. One can certainly argue that both are unethical, but they’re still different things!

I was really careful enough in my wording: Facebook sells privacy sensitive data as in very, very specific target groups for among other things ad targeting for their customers to use. I did not refer to the selling of private data.
I genuinely don’t understand the distinction you’re making.

Facebook does not make its money from “selling data” at all, whether “private data” or “privacy-sensitive data”.

Not the OP, but I am guessing they are trying to say that the distinction between "you pay facebook and they give you a database full of private data" and "you pay facebook and they give you API access to a database of private data and allow you to query it in myriad ways leading to you creating your own database of highly accurate private data" is not as important a distinction as Facebook would have you believe. Or something along those lines.
But Facebook doesn’t let advertisers query their database of private data. I agree that if they did, it would not be very different from selling data, but they don’t.
But.. they do, though. You can (and people do) make a very targeted ad, then query what users matched with it, and so on until you've sufficient data for your purposes. Plus you can use their public APIs to then match their ad data with the users public information. Facebook knows this, and does not prevent it (by hiding user identifiers for instance) because it's part of their strategy.
Ah now this is sneaky. Is this widespread? Any sources?
By making a Custom Audience and then selectively uploading? I think you have to agree to not do this.

The audience size tricks like uploading an audience, then adding one to it and reuploading won’t work. There’s a cardinality fudging thing.

Dear umanwizard,

Genuinely not understanding something is fine. Already claiming someone was intellectually dishonest because you misread or misunderstood not so much.

The ads business of Facebook is based on the very specific data Facebook can provide their advertisers for very specific target audiences based on private information they gathered through their platform. Like ads for people who die their hair, have an affliction for cheese burgers, are right wing and live in zip code 20500. That is privacy sensitive information (although I picked a public person for this example). They do not provide customers with Trump's private number. That would be private data. They do not just sell ads on their platform, they sell specific target audiences on their platform.

> The ads business or Facebook is based on the very specific data Facebook can provide their advertisers

Again, no it isn’t. Facebook at no point provides data to its advertisers.

Yes, advertisers can say “show this ad to people who are right-wing and live in DC” (although I doubt “dyed hair” is a category). However, the advertisers are never provided with any data about who is in that category. That data never leaves Facebook.

In zuckerbergs testimony to congress he references "the data brokers" or third parties involved all of the time.
Aside: Interesting use of the pronoun 'she' in this comment. FB's behaviour is totally due to Zuck, as he owns 53.3% of the voting shares of the company. FB is Zuck, for all intents and purposes.
I see this use of 'she' from time to time and also curious about motivation here. Also, I'd say even though Zuck is practically face of facebook (heh), company is still genderless and should be referred to as it. In my opinion, of course.
My usual assumption is that the speaker’s first language uses the feminine pronoun for companies. Outside of English, I certainly have the reverse problem of using “it” for all inanimate objects even when they should be “he/she” according to the language’s rules.
In languages with grammatical gender you certainly don't use "it" (neuter gender) for words that have different gender. Interestingly, in both Russian and Spanish "company" has feminine grammatical gender. Also in German (one of the words).
To really get off-topic: The use of 'she' is likely in immitation of the female-gender pronouns that are used to refer to ships and other watercraft or like nation-states, as is common in English. Likening FB to a large ship or country is not unreasonable in terms of how big corporations can be, and I think it may be applicable to larger firms like GE, Ford, Shell, etc that do not have majority voting control by one person. However, as FB is totally controlled by Zuck (an edge case in public companies,for sure), I think that refering to FB like a large ship or micro-state is not apt.

FB is Zuck.

As a native English speaker, I have always been irritated by that usage (which I’ll be the first to admit is not really rational) and I’m pleased that it seems to be dying out.
Well, afaik English used to have 3 genders for nouns, and it died out everywhere but for third person pronouns.

There are some languages that don't have gender for pronouns, even.

Or some languages that have 2 genders for most things but 3 genders for pronouns (eg. Spanish distinguishes between este and esto because Latin distinguished between iste and istud, but most masculine/neuter contrasts of -us vs. -um did not survive their final consonants no longer being pronounced. Whether or not a language retains such a distinction can appear highly coincidental in the face of such seemingly unrelated phonetic changes.)

Personally, I think it's beautiful and poetic and adds a sense of life to an inanimate or immaterial thing.
Kinda like the names English gives to groups of animals? Pounce of kittens, parliment of owls, dash of cheetahs, etc
Totally going off-topic, but for others like me who love these poetic phrases, they're called "terms of venery", dating back to the late middle ages' hunting tradition [0].

In the list I see "coalition of cheetahs" and "kindle of kittens". But then again, I don't mind new coinages, these are fun.

[0] https://en.wikipedia.org/wiki/List_of_English_terms_of_vener...

I think it irritates me for the same reason I get irritated by American English speakers calling soccer “football”, or by people using a dieresis when writing “coördinate”.

Basically, it’s rare enough that it doesn’t sound natural and therefore comes off to me as an affectation, and makes the person sound weirdly smug about being “technically correct”.

I really should get over it, but like I said, not really rational.

You might ask if FB organization is a parasitic operation sucking down personal data any way they can and selling it to who?. Who knows who else. You know part of the answer. Watch the squirm ensue.
The squirming would be from everyone else in the room, embarrassed on your behalf.
I'm fairly sure that you can't make "waiving" the rights that the GDPR grants you a condition for using a service
> “skim” I feel like if you ask questions where you have to quote your own words like this, you're basically begging them to be interpreted differently than you intend. I'd be crystal clear about what is being asked.
(comment deleted)
Facebook and a "privacy friendly" analytics company. This roundtable will be used just for propaganda.
Huh? From a quick skim here[0], they don't collect IP addresses, respect DNT headers, and delete user agents after 90 days.

I legitly can't think of a more privacy-friendly way to do that. If you're paranoid enough to believe that no analytics is the only right solution, you probably have DNT on, and this is one of the rare cases in which it's actually respected.

[0] https://docs.simpleanalytics.com/what-we-collect

It'll be propaganda for Facebook, not Simple Analytics. If anything, those fears about this roundtable tarnishing their reputation may not be so unfounded...
"Why have you argued in court that your users have no 'reasonable expectation of privacy'?"
I'm not sure how to phrase this in a non-combative, constructive way, but I do think it's a really good question.

Facebook's PR team and legal team are arguing two completely separate things right now, and I'd like management to explain how they reconcile those views.

I'd like to know whether their lawyers are right that users have no expectation of privacy, or whether Zuckerburg is right that privacy is the future of Facebook. If Facebook's lawyers aren't misrepresenting the company, then I'd like to know why Zuckerburg and management are so hesitant to make the same arguments in public press releases.

No matter how you phrase it I would guess the response would be something along the lines of "cannot comment on matters relating to ongoing litigation." They'll have a clever way to sidestep every issue they haven't explicitly decided in advance to discuss.
I have one.

1. How can someone who does not have an account prevent themselves from being tagged and/or identified in uploaded photos? Corollary: why isn't the tagging and identification of a person an opt-in feature only?

I'd like to add to the above question: how does (or can) a person who never had an FB account request deletion of (possibly illegally collected) private data about them, without having to register to the very platform they're not a member of?
What would the most privacy aware social media company look like?
You're being invited to Facebook Amsterdam. That's like speaking at a Walmart in Kentucky. They won't have any answers to any questions.
I'm about 70% sure someone from fb will notice this thread and construct non-answers for all questions here. Hi!
Ask them what their main basis for processing personal data under GDPR is when they collect user data. Also ask about their retention management. How can they ensure personal data is only retained so long as they have a basis for processing?
This one: If you don't use Whatsapp but a friend of yours does, he has to give Whatsapp access to his address book which includes your name as well (although you don't use Whatsapp). So the question is: Does Facebook/Whatsapp have information about such passive users (e.g. the name or phone number)?
This is already known, yes, and they're called shadow profiles.
Ok, good to know. But then I would like to know if these show (Whatsapp) profiles are used to match with existing Facebook profiles (based on phone number or name).
The European Commission has fined Facebook €110 million for providing incorrect or misleading information during the Commission's 2014 investigation under the EU Merger Regulation of Facebook's acquisition of WhatsApp... When Facebook notified the acquisition of WhatsApp in 2014, it informed the Commission that it would be unable to establish reliable automated matching between Facebook users' accounts and WhatsApp users' accounts. It stated this both in the notification form and in a reply to a request of information from the Commission. However, in August 2016, WhatsApp announced updates to its terms of service and privacy policy, including the possibility of linking WhatsApp users' phone numbers with Facebook users' identities.

Facebook using the phone number they requested "for security purposes" to improve ad targeting and let people identify you from your phone number: https://www.forbes.com/sites/leemathews/2019/03/04/facebook-...

Thanks for the detailed information. However, this seems to refer to a match between your own whatsapp number and your own facebook account. What I find even more interesting is that the entire address book can be matched, also if most of your address book contact don't have a whatsapp account but a facebook account!
I’d take a different approach to your preparation:

Try to find videos of FB officers (Zuck, Sandburg) who have already been publicly grilled.

Most likely on a corporate level, FB employees already know how to answer and respond to most of these privacy questions.

That means you need to figure out their initial canned responses, what assumptions they’re building on, and prepare a line of questioning/reasoning to chip away at their logic in follow-ups.

"Would you object to GDPR-style legislation being passed in the United States?"
Which teams budget is larger, privacy or legal?

If that question is deniable, then does FB take no efforts to guess at individuals budgets? (Ie household income, rent/mortgage, monthly subscriptions, etc) Does FB grant people privacy for what’s in their bank accounts?

1. What sustainable business models will Facebook pursue that respect or even facilitate user privacy?

2. What will be simple to use mechanisms / technologies / standards employed by FB to allow users to identify and delete their private information?

3. Will those privacy control mechanisms be standardized across Facebook products / technologies?

4. Will there be an effort to open source technologies / standards with respect to user privacy, so they can be peer reviewed and if good implemented by others in the industry?

Thanks for your efforts!