Getting my personal data out of Facebook
ruben.verborgh.org
It seems like Facebook has staked out a legal position on this. A dubious one likely to fail and doubtless designed mostly to buy time, but a legal position nonetheless, which will only be struck down by a court, not an email reply chain.
You had me up until the legalese email, after which the correct response is to sue. You lost me with the belligerent reply ranting about what Mark said in the Washington Post. It seems, at that point, that you're more interested in grandstanding than making a defensible case.
No worries, that e-mail is definitely not my only response. Not putting all my cards on the table yet.
Grandstanding is not my goal; it's a means of attracting attention to a matter that people have been desensitized to. A secondary goal is to cause internal escalation. In the end, I really just want my data, as a way to create a path for myself and others.
> I really just want my data
Is data posted on FB by other people, which just happens to be (partly) about you, "your" data?
Since he's making the request under the GDPR, yes; if the data relates to him, it's his personal data.
I believe that is all you are entitled to, under the data portability portion of GDPR:
> Unfortunately, that tool only gives me all of the data I put on there myself. So nothing I didn’t already have
For information about you, uploaded by someone else, I thought your rights are not so clear:
> The data subject shall have the right to receive the personal data concerning him or her, which he or she has provided to a controller
> Where personal data have not been obtained from the data subject, the controller shall provide the data subject with the following information: (c) the purposes of the processing for which the personal data are intended as well as the legal basis for the processing; (d) the categories of personal data concerned; (e) the recipients or categories of recipients of the personal data
The Data Portability article is about receiving that uploaded data in a standard, machine-readable format, and Article 14 on data not obtained from the data subject just says what extra information must be provided about it.
Article 15 - "Right of access by the data subject" - is what defines one's right to a copy of personal data, and has no restriction on the personal data one is entitled to access.
Based on the other comments mentioning that Ireland's GDPR office is apparently trying its best to avoid helping EU citizens, I'd guess he might be double-checking if there's any chance he can get anything from FB before taking it to the courts.
Other than that, my guess is he hopes that this story will get picked up by the press sooner or later, and thus tries to make the paper trail as attractive and instantly easy to use in newspapers as possible. With a side goal of also making it as attractive, fun to read, and generally entertaining as possible, to any other people casually coming by his site. Which I see as a very noble and valuable goal, esp. when talking about legal stuff, which is super hard to talk and write about in an entertaining and approachable way.
IMHO to support Ruben's cause, we should all request our data from Facebook. At least those of us who are eligible for that "privilege".
A handful of people are just an annoyance and can be easily stalled. But to stall many more without running into legal trouble seems more difficult to me, and requires Facebook to actually invest some resources into it.
Google myactivity has that. But I'll be happy to get an api for it to integrate for productivity purposes
Thank you for fighting the good fight. This sort of nonsense is exactly the type of thing that needs to be reported far and wide. People need to understand that for all of Facebook’s PR dollars, they are still the same company as they were a few years ago.
It's a very interesting web page. But it would be better told without all the sarcasm and invective.
I understand the author's need to vent his spleen, but he should create a second, more black-and-white version that comes off as more credible and is less easily dismissed.
I disagree. I think getting angry as hell at having one’s legal rights knowingly stomped on is appropriate, and acting cool about it implicitly validates FB’s behavior.
You coolly negotiate with business partners; you get pissed off at being screwed with by conmen.
What stood out to me is that the author does have an inflated sense of self importance
> And let’s not pretend that it’s a big cost to you: getting the listed data about a single person is about the simplest query you can write. (Did I mention I’m a data scientist?)
And that particular trait emerges quite a bit throughout the correspondence. Where the author labels things as reasonable, I open the link only to find anything but.
Since the author is happy to put words into Facebook's mouth, I may venture as well that the author was _looking_ to pick a fight.
Trust me, I don't take myself too seriously ;-)
Facebook responds with an overload of legal nonsense to discourage people from replying. I overload them with a lot of non-legal nonsense. In the end I just want my data—it's my legal right.
Thank you for taking the fight and making a scene! I tell myself that I will send Facebook my GDPR letter one day, but just thinking about the time and brainpower I’d have to spend to understand exactly what my rights are and how to exercise them, makes me dread it.
This is just ad hominem.
That is fine though - I doubt they would have made any further headway if they were calm and polite.
Maybe he wants it to be easily understood by politicians who are very skilled in the manners of sarcasm and slinging invectives.
Yeah, I enjoyed the story telling but the sarcasm watered it down as a ragey customer who was being unreasonable—and it made it really hard to read. If you want to get a company to ignore you, all you have to do is get pissy, and it's clearly what's going on here.
How does tone policing the author offer any insight into the argument at issue here?
One person's 'tone policing' is another person's 'advice on how to most effectively get your point across'.
It's not helpful advice. The post above attacks the author's writing credibility due solely to its emotional tenor. That's essentially an ad hominem.
> he should create a second, more black-and-white version that comes off as more credible and is less easily dismissed.
It's absolutely not ad hom. It's saying that the writing style chosen isn't optimal if the author wants to be seen as credible. It says nothing about the author, his credentials, or expertise and does not attack him as a person.
It would be great if this could result in a dedicated page with instructions and templates on how to successfully move through this kafkaesque absurdity. Thanks for the effort already.
That's the intention. He says so at the bottom of the page:
"How will this end?" This will only end me getting my data, obviously. And thereby giving you a clearer path to get yours.
Max Schrems, who successfully sued FB over this, has such a page! http://europe-v-facebook.org/EN/Get_your_Data_/get_your_data...
See also his non-profit org dedicated to data protection in the EU: https://noyb.eu/
What you are asking for does not seem unreasonable, quite the opposite. What exactly are they afraid of?
> What exactly are they afraid of?
Exposing the level of detail in the data accumulated.
This starts at "opened the messenger app at this location on this date&time" and goes to "visited this Facebook-unrelated website on these times". Having to provide all of this data exposes the detailed profile they're getting on people.
They are only getting what you are giving to them.
If you decide to browse the web without uBlock Origin or if you decide to use Android, you know what you're being exposed to.
> If you decide to browse the web without uBlock Origin or if you decide to use Android, you know what you're being exposed to.
Time to step out of the bubble of tech-savvy people and talk to everyday users. It's unrealistic to assume everybody understands technical consequences, and it's unreasonable to require everybody to do so. That's why there is regulation. This applies to all fields, including medicine, food, and IT.
This is almost certainly not true for the majority of consumers.
1. No, you don't know what you're exposed to. There are multiple ways to get data on you regardless of uBlock Origin or non-Android OSes.
2. No, it doesn't matter if you use Android (what does using Android have to do with Facebook?) or not, Facebook can and will collect info on you through other means: analytics, logins, sharing etc.
3. You have very little to no idea of how pervasive tracking is especially in the case of large social platforms that everyone integrates with.
> If you decide to browse the web without uBlock Origin or if you decide to use Android, you know what you're being exposed to.
This is just clearly and verifiably false for the vast majority of users who browse the internet.
I'd agree that everyone on HN knows what they are getting into, but we're not an accurate cross section of humanity to be fair.
I think that even within a relatively tech-savvy audience, most people don't realize both the extent of the data facebook may be gathering and the implications of facebook hoarding this information and turning it over (intentionally or accidentally) to untold third parties at some point in the future. Lots of information is harmless... until it isn't.
Consider, for example, giving your genetic material to a company that researches genealogy. Mostly harmless fun. That company is later quietly purchased- along with its databases- by a medical supplier. Meanwhile, cancer research has found that people with a particular gene sequence are at elevated risk for lung cancer. A partnership between the medical supplier and a medical insurance company means you can be screened for that risk without your knowledge, and suddenly you're screwed.
Even for those who don't see facebook as a malicious entity, there's considerable evidence that they do not exercise due diligence in storing and securing this information- see, for example, the recent case of leaking an enormous quantity of plaintext passwords via log files.
Enormous risks to individuals exist because the current regulatory environment poses no penalty to private entities for gathering personal information, sitting on it indefinitely, and transferring it to other entities until some purpose is identified. These risks may seem very small, but I believe that is mostly a fault of our collective imagination.
Well for a start it would involve not being able to keep denying shadow profiles exist, and the joining up of some not especially well understood programmes. Like being able to connect up all those facebook bugs and third party logins to get large parts of your off Facebook activity.
Then maybe exposing some of the third party quizzes, VPN's, and privacy apps that have poured more into the data vats. Possibly exposing the third party sources they've bought data from - connecting other data you didn't knowingly provide.
Who knows what else. Maybe they're afraid that once the full picture comes out they simply won't have users.
Someone asked Zuck during the congressional hearings about shadow profiles (worded as data about people who don't have Facebook accounts). He deflected and said something like "I'll get back to you on that."
That they have more than they say that they have (and are allowed to have) to the point where cleaning this up would be a serious engineering effort.
I say this in jest but at the same time I'm concerned this might be true.
They are afraid of people cooking up ways to take the data to fuel competition.
Remember how you could cross post between twitter and FB ages ago? That went away for a reason!
A precedent, I think.
If I worked at FB I'd seriously be considering my morals these days, and how important they are versus a cush job.
Most of this thread is filled with toxic, logically fallible attacks, which is why I avoided commenting earlier. I decided, however, to create a throwaway to respond to this. Anyone in this thread who is willing to step back and actually look at the facts, this message is for you.
Facebook takes the GDPR very seriously. I know this, because I know some of the people who worked on compliance. Facebook has lawyers who have studied the law. Facebook has worked with the EU to ensure compliance. Facebook publishes online the steps necessary to access your data, the list of uses of that data, and even a form for special requests. You may ask, then, how I reconcile that statement with the website posted here?
Well, take a moment to actually read the linked website. The writer made a request for their data, and was disappointed when Facebook complied, and gave them access to all of the data that they had on him.
The writer then asks for this specifically: access to their own data, how it's processed, and some minutiae around the processing. The user already has access to their own data, and the additional information requested is already publicly available.
The writer uses email and a special request form in order to make this request, and becomes irate when the special request takes longer than he would like.
Facebook then politely sends the writer an explanation of all of this, at which point the writer starts harassing the customer service agents who are helping him. He then researches ways that he can personally harass members of Facebook's team. He sends an email not just demanding his data, but requesting the raw data from Facebook's servers.
Facebook's response is still quite polite and factual. They have already delivered all of his data to him, as well as all of the descriptions requested. They point out the timeline of events. They then explain that despite his request, the GDPR does not cover raw server dumps, a fact which has been proven in court.
Finally, the writer creates a defamatory website and posts it to Hacker News.
So no, sir, this event does not make me question my morals.
From Facebook's email: "We use location-related information – such as your current location, where you live, the places you like to go, and the businesses and people you’re near (..)"
From their Help page on the data downloaded in the "Your Information", the only locations included are "The last location associated with an update."
How can you possibly claim they "gave them access to all of the data that they had on him"? FB itself denies this claim.
This comes off like you're mainly trying to justify your moral views to yourself.
How do you figure "the user already has access to their own data" when the author never received their explicitly requested location/device/wireless history (which FB definitely has)?
Does the GDPR only apply to publicly available data? I was under the impression the company was obligated to give the user everything, public and private.
I concur, this sounds more like someone trying to convince themselves that their morals are still intact and justify their decision. Certainly not changing my point of view.
I guess drinking too much of the KoolAid does this to... maybe that's why all the big co's have so many KoolAid drinking sessions. :)
It's not a single event that should, it's the overarching point of view from your CEO and such, along with a long list of violations that should make you question your morals.
> the GDPR does not cover raw server dumps, a fact which has been proven in court.
What's the case?
This bit
> Article 12(1) GDPR requires that the information provided to an individual in response to an access request is in “a concise, transparent, intelligible and easily accessible form, using clear and plain language”. At its most basic, this means that the information Facebook provides in response to a request should be capable of being understood by the average person. Highly technical data in its original form is likely to be meaningless to the average Facebook user and providing such data would be inconsistent with Facebook’s GDPR obligations.
is reflective of the scorn with which Facebook treats their users.
One bit of misinformation in the article, I believe:
> Not valid, since gdpr applies to eu citizens everywhere, regardless of where they live.
This isn’t correct. GDPR applies to people IN the European Union, not their citizenship [0]
[0] https://ec.europa.eu/info/law/law-topic/data-protection/refo...
True. It also applies to everyone if the company is registered in the EU.
Since Facebook was using their Ireland branch as the main company for all users outside the US and Canada, that means everyone outside those countries can make GDPR requests to them. Unfortunately, not for long: https://www.reuters.com/article/us-facebook-privacy-eu-exclu...
Who else could wade through the sea of garbage you people produce, retrieve valuable truths and even interpret their meaning for later generations?
‘you people’ is an invective that apparently excludes yourself from the class you refer to. You don’t visit web pages?
The comment by xenihn makes a lot of sense when read as sarcasm/irony. Personally, I believe that was the author's intention. That said, it's unfortunately infamously hard to distinguish sarcasm/irony from actually "meaning it" in online conversations.
That said, the post may as well be trolling and seeding doubt on purpose.
It's from Metal Gear Solid 2
You still might like to consider giving some more context and explaining it, for the benefit of people who may be lacking it. I myself personally never played MGS, so I'm still not clear on what was your actual intention, even with the link you provided in the other comment (which looks like a loooong read).
Oh, that changes things. I suggest to attribute quotes to avoid people thinking they’re your words.
Under the GDPR, each country has a Data Protection Authority set up in order to enforce and supervise these rules.
The author needs to contact his country's DPA and they will be the ones to drop the hammer on Facebook.
Facebook might not listen to an end user, but European governmental authorities have the power to force them to.
It's the only logical next step in my opinion.
Ah no. The EU countries have agreed, that the home country of the organization (not the country of the data subject) will take the lead in any GDPR enforcement.
Facebook in EU is registered in Ireland.
Ireland is making a mockery of GDPR, slow walking investigations while paying lip service to GDPR.
Ireland is a leech. They've figured out that they can attract global companies through very lenient tax auditing and (now) GDPR enforcement. A little tax is better than none. As such they are undermining the rest of EU when it comes to actions against companies like Facebook, Google, Microsoft.
This is wrong, in every country there is a national data protection authority who you should contact.
"EU countries have set up national bodies responsible for protecting personal data in accordance with Article 8(3) of the Charter of Fundamental Rights of the EU." Source: https://ec.europa.eu/info/law/law-topic/data-protection/data... https://edpb.europa.eu/about-edpb/board/members_en
It is correct that as a data subject you should file any complaints about GDPR with the data protection agency of your country of residence. However, that agency will refer the complaint/case to the data protection agency of the company in question.
You may lodge a complaint with the designated data protection agency in Germany, but when they establish that the complaint is against Facebook residing in Ireland, they will refer the complaint to Ireland. Ireland clearly sees slow walking complaints as a competitive advantage.
Thank you for the detailed explanation, I get it now.
> Ireland is a leech.
Eh, a leech that took the brunt of the real estate crunch for the EU? A leech would have let the German banks fold instead of paying bond holders.
> Ireland is making a mockery of GDPR, slow walking investigations while paying lip service to GDPR.
Slow walking is pushing it - the agreement to allow home countries be the enforcement authority put a massive burden on a really small country and its civil service. Ireland's population is 4.7 (about 1/2 that of London on its own). Our DPC offices are overwhelmed by the number of requests, and hiring people to deal with the uptick is taking time. We also have a lot of the majorly complex GDPR cases, as we have FB, GOOG, MSFT, etc, along with a ... interesting ... relationship with the Catholic Church, which has ... views ... on what the GDPR means for them.
Isn't Ireland home to these businesses because they have lower corporate taxes than the rest of the EU? Lower taxes likely make it harder to fund the regulatory agencies that should oversee these companies, which were intentionally courted to Ireland with lower taxes.
I don't disagree with you, but it seems to be largely a problem of Ireland's own making.
Sure, that is definitely part of it, but without those companies, our income tax take would be lower, so we are probably in a net positive.
Thanks for this information. I was unaware.
As this is the process though, I'm still going to say that this is the logical next step.
Likely the only way to get any movement on this is with public outcry, and if this issue gets enough attention, would be good to show not only the flaws in Facebook's system, but also any flaws in GDPR enforcement.
That's all well and good, until you realise the actual resources the DPA's are working under. Here in Finland it's a tiny organisation [1] and it was reported that they are completely overwhelmed with all the problems post-GDPR.
Same in my country. Here the DPA is providing summaries of cases + reasoning to the public, so that it can be referred to when making GDPR requests to companies in similar cases, making it more likely to get compliance.
Exactly.
Now, to make a decentralized social network that can automatically import Facebook's GDPR data dumps...
So they don't comply with GDPR, what are his next steps?
He should contact the national data protection authority.
It is well and truly time for a digital uprising against these feudal lords.
I advise you to contact them in person. Their privacy officers for EU are more or less public people.
"Disappointed about the lack of appropriate action, I decide it’s time to directly contact Stephen Deadman, Facebook’s fresh Data Protection Officer (DPO)."