Be careful of what you ask for. That’s a lesson that Max Schrems of Vienna, Austria, learned the hard way when he sent a formal request to Facebook citing European law and asking for a copy of every piece of personal information that the world’s largest social network had collected on him.

After a wait, the 24-year-old law student got what he was seeking: a CD with all his data stored on it – 1,222 files in all. The collection of PDF format documents was roughly the length of Leo Tolstoy’s War and Peace but told a more mundane story: a record of Schrems’ years-long relationship with the world’s largest social network.

Collected together were records of when Schrems logged in and out of the social network, the times and content of sent and received messages and an accounting of every person and thing he’s ever liked, posted, poked, friended or recorded. The archive captured friend requests, former or alternative names and email addresses, employment and relationship statuses and photos, in some cases with their GPS locations included, to name a few. To Schrems’ dismay, much of the data he received from the network was information he thought he had deleted. Facebook, it seems, doesn’t think much of the Delete key and continued to hold copies of the data on its servers.

 

The social network provides all its users with a feature for downloading their personal data. However, EU Directive 95/46/EC (PDF), which gives persons the “right of access to data relating to him” in order to verify the accuracy of that data and the lawfulness of how it is being used. 

Schrems’ experience has inspired a legal project he’s working on called Europe vs. Facebook to increase transparency on Facebook, to make opt-in data access the default (instead of opt-out) and to encourage data minimization on the network.

Though EU privacy laws are generally stricter than those in the U.S., Facebook is under pressure at home as well as abroad. The FTC proposed a settlement in late November requiring the site to take the privacy of its users more seriously by subjecting itself to biennial privacy audits.

Also, the U.S. House Subcommittee on Oversight and Investigations and the Congressional Bipartisan Privacy Caucus recently wrote a letter [PDF] to Facebook founder and CEO, Mark Zuckerberg. The letter seeks to find out more about Facebook’s practices for collecting and archiving information on users and non-users, whether or not there is an opt-out option for all data collection, and why Facebook’s privacy policy has expanded from just over 1,000 words in 2005 to its present incarnation of almost 6,000 words, among other things.

So how much data is Facebook collecting on you? To help laypeople understand, the Web site Taz.de has taken Schrems’ data and visualized it in different ways. You can find them here. You can find a list of the groups of data disclosed to Schrems by Facebook here.


Comments (61)

  1. Anonymous
    1

    What is such a hard way about getting a CD with PDFs on it? I’m not sure what the lesson is, he asked for it, he got it.

  2. Peter
    3

    “However, EU Directive 95/46/EC (PDF), which gives persons the “right of access to data relating to him” in order to verify the accuracy of that data and the lawfulness of how it is being used.” However what? And why doesn’t the standard data download comply with the law?

  3. Anonymous
    4

    “What’s the story here? He asked for his data and he got it. So what?”

    Did you even read the story???
    …1,222 pages???
    …FB knows every little thing about EVERYONE he’s ever contacted!!
    …He had deleted info and FB didn’t actually delete it.
    …Exact times that he’s logged in and out.
    …GPS locations.

    FB knows more about you than God does!!!!!!!!!

  4. Anonymous
    6

    Ummm…. do you people realize that using facebook is not a requirement or a right?… If you don’t like that facebook tracks all this sh*t, the solution is easy, don’t use facebook.  Problem solved.

  5. Anonymous
    8

    Facebook is keeping shadow profiles, so the ‘don’t use facebook’ suggestion isn’t a valid one. If you choose not to use Facebook, and your friend that uses Facebook has your email address, it begins tracking on your email address that it scraped from your friend. Whatever site that you log into that has a Facebook login button, it reports to Facebook that this email address is using this web page, and Facebook now has more info. If you think that the way FB does business isn’t worrisome, then I suggest you start paying more attention in general, and to slashdot, Ars Technica, or Wired specifically.

  6. Anonymous
    9

    Isn’t the key word to why this is not a problem – “consent”?
    By getting a facebook account you also agree to your data being registered?
    You read their agreement and agree to open an account, with the good and bad that that brings

    In regards to the friend with my e-mail address – I suppose that’s entirely different though, you don’t generally store or keep a lot of e-mail addresses in facebook, it’s no address book as such…

  7. Anonymous
    11

    The problem is about DELETING. He asked FB to delete things, yet it is listed still in the 1’200 pages. When you delete something you want it deleted permanently and not just “mark as deleted”. Deleted things (posts, mails, chats …) shouldn’t be in those pages! In the USA it’s maybe ok (different laws). In Europe it’s not!

    It looks like there is no way to delete things permanently, FB makes you believe it, but it’s not true, as you can see in the example.

  8. Anonymous
    12

    Oh my god, they knew when he logged in or out, which friend requests he got, and *gasp*, gps locations and pictures he sent to facebook!

    Oh my god! I would have never imagined that facebook stores the information you give to them!

    I don’t get it:

    1. People sign up for a social network and explicitly and voluntarily share a lot of their data with them

    2. They are surprised to find that the social network holds the information they sent to it.

    And surprise surprise, when you ask them to delete something it becomes marked as deleted and no-one (besides facebook) can see it, and of course facebook won’t shred their disks just because you want to wipe every bit of traces you have left over the years.

    If you are THAT paranoid, why are you even using a social network and sharing so much data with them? It’s not like Zuckerberg would want to spy on your pictures. Your life is not that interesting, get on with it :)

  9. Anonymous
    13

    Nothing unexpected here. These are results from their database and they can get much more if they need to.

  10. Anonymous
    14

    I don’t understand why people are shocked about this information.  I bet all the information that he got from facebook was stuff that he typed in or uploaded.  If you don’t want that information out there, don’t type it!

    When will people learn that once you put something on the internet it cannot be deleted?  People like to pick on facebook because the number of users, but even the far less used websites are most likely back ended with backup tapes and storage that absolutely stores your information, no matter how you try to delete it.

  11. Anonymous
    15

    interesting approach to the subject: Be careful of what you ask for. That’s a lesson …. learned the hard way.

    The author is obviously working for the black guy aka establishment.

  12. Brian Donohue
    16

    To those who ask how this is news, here’s the angle:

    Facebook has 1,200 pages of data stored on a seemingly random user. That’s a lot of data.

  13. Anonymous
    17

    and the fact that so many of you don’t care about how you’re being tracked covertly is exactly the reason the world is going to hell in a handbag.

    unbelievable.

    at least there are places in the world where this type of news is an outrage. I don’t expect neutered Europeans to understand.

  14. RevRuby
    18

    fb doesn’t have to be used as an address book to get your email address. every user has the chance to let fb raid their address book in the major web based email clients for finding friends. they can also do this on a mobile phone with only access to the phone numbers. i think twelve hundred pages is excessive, but what are they doing with it is the question. prolly just making an attempt to guide advertisements to you. not follow you or sell you out to your government as a traitor. they just want you to click the ad.

  15. Anonymous
    21

    The story is based on people’s assumption of privacy…

    Bottom line is FB stores everything it can on FB users of their *FREE* service.  someone earlier posted

    “Ummm…. do you people realize that using facebook is not a requirement or a right?… If you don’t like that facebook tracks all this sh*t, the solution is easy, don’t use facebook.  Problem solved.”

    I agree

  16. Anonymous
    22

    Someone asked “is there a way to completely delete all personal information off facebook?”

    LOL..law of the internet, once posted, it’s out there for life.  FB is a business, they have backups and off site storage etc.. Your data is too valuable, deleting is an acronym for making not available to the public.  I doubt seriously they will worry about purging databases and restoring backups to delete your data.  Now if you are the government or have a warrant, I am sure they will restore those backups and retrieve your data…but delete…never…

  17. Anonymous
    23

    If you don’t want Facebook to have all this data on you, then simple…don’t go on Facebook. I won’t lose any sleep over the fact Facebook still knows that i had a shit 3 years ago or it’s kept all the information on when i was single or in a relationship.

  18. RTP
    24

    Really? “What’s the story here?” Are you completely naive? I suppose you’re teeny boppers with little real world experience (ironically, partially due to online social networks). They’re tracking everything you’re doing, all the time. This is not paranoia, it is reality. Look up Big Brother (and I don’t mean the damn reality show). Take into account that Mark Zuckerberg has had numerous meetings with heads of state both in America and Europe. Don’t think for a second that the governments around the world aren’t using this information. As a matter of fact, the U.S. Library of Congress now officially keeps EVERY tweet from Twitter (and retroactively has them all from the beginning). This is a way to keep track of people…as a matter of controlling the people and outcomes. They know where you live, where you work, where you eat, who you hang around with, your children or parents… it goes on and on and on. You may not understand the gravity of the situation here, but, I assure you, it is grave indeed.

  19. Klaus von Riehardt
    25

    Don’t think this is a big deal? When the DA’s people come knocking on your door and grill you about your association with a long time friend (say, a Jerry Sandusky) and make you account for every word and contact you had with him (or her) on Facebook … well, don’t go crying about an invasion of privacy.

  20. AustralianCapitalTerritory
    26

    Facebook can prove that we so-called (ex)criminals are really victims of the para-militia.  My skin-color & religion (village-Chinese) had our secret services make the dumb tax payers pay $000′s for years of imprisonment.  The colored people of other white-dominated nations also could be shown to not be criminal, if we had Facebook evidence to prove our non-criminality.

  21. Km Gaad
    27

    Good day to all

    Not surprised at all tt FB has such data is just example. So many other ways of logging in free give aways n other web sites also does the same. But it is entirely up to user to decide of good he / she used it being used constructively or accidentally. Therefore blaming Facebook would certainly not a gd idea, this is open jungle n world is small global village, it’s up to user to take precautions n be careful, now a days every one every where watching everybody, therefore don’t do things which involve you in troubles. Thanks n be smart. KMG

  22. Anonymous
    28

    While the possibility for abuse exists (as it always has with any information), if it helps authorities to monitor and catch wrong-doers (and perhaps in preventing crime from taking place) then I am all for it. If you aren’t doing anything wrong then you have nothing to worry about. Simple.

  23. Anonymous
    29

    Does the data contain an indication of what it means to Facebook’s behavioral profiling algorithms that a particular collection of data (hereafter, “user”) does or does not click on an ad, friend somebody at n-degrees of separation on a particular occasion, or how this data correlates with cross-site tracking data?

  24. Anonymous
    31

    But why do they need info what if you have a fb and never use it a email and never log into it an all u do is watch music vids…should we all just get aluminum foil hats and hide in the corner and break our computers? I knew I should have never made a fb in 2010 but South Park made it look so funny to go and poke people..I always knew it was gay ..But damn TV has to make everything look so good like The McRib I just found out it has the same material in it as a yoga mat sounds tasty huh ..what about everything else around us Fb is just 1 thing …nothing you can do about it if you haven’t been watching Nancy Grace lately and see how everytime they have a story about a death or a crime they go to those people’s fb and see what they did at whatever certain time and what pictures they have and status updates..Its weird it makes you feel uncomfortable even if you’re not a bad person/criminal etc. 2012 just right around the corner who knows what other crazy shit the world has to lure us into doing

  25. Anonymous
    36

    Interesting…I have a son who patched into FB with a phone.  He said when he did it…the app allowed him access to all information about anyone he was linked to…name, dob, email, phone # etc.  He then went to mine and said, “See…oh, it doesn’t pull much up on you Mom.  Why?”  I let him know it was because I don’t put all of my information out there in cyberworld…I am a puzzle that you have to find the pieces and put them together.  Now I definitely know why I have been so cautious.

  26. Anonymous
    38

    All those are activities he did on Facebook. Obviously Facebook would know everything he does on Facebook.

  27. Nimer
    40

    It is common practice not to delete information about user activities from a database – instead, a flag named ‘deleted’ is set to ‘true’ (or 1). It is done this way to keep databases consistent when the ‘IT specialist’ does not really know how to program a db or speed concerns are top priority.

    Never use social networks with your real name/surname. Never install their software on cell phones. Never ever upload any pictures to those services (face recognition software is scary).

    PS.

    Remember… they are watching your every step… I need to run before they catch me XD.

     

  28. Anonymous
    41

    The problem is that even if I don’t use FB, my friends might. They can post photos I am in and tag me, answer quiz questions about me, and mention me in messages. Not using FB does not necessarily keep your personal data out of its servers.

  29. Anonymous
    43

    I am amazed and confused by responses like this to the above article.

    Are people getting defensive about their use of FB and in denial that FB’s archiving of our personal information might not be a good idea for democracy?

    Given the crackdown on the Occupy movement in the states yes indeed, some people’s lives have gotten pretty interesting to the US government agencies. It is troubling that databases like Facebook’s can and will get subpoenaed.

    Pay attention.

  30. DCW
    44

    I fail to see how details regarding how individuals’ private data is being kept/used are ever not news.

  31. DCW
    45

    Sure.  Don’t use it if you never have.  That doesn’t really help if you have used it and have since thought the better of it and canceled?  Kind of important to know whether your personal data still exists on their servers.

  32. Klaus von Riehardt
    49

    You got it, bro … anyone who takes this lightly should just take an evening and read up on the McCarthy hearings in the 50′s. Can you imagine if this type, and depth of info was readily available back then?

  33. Hugh Milner
    50

    Because Schrems intended and believed it had deleted it. Please read the article in full. Hugh.

  34. Anonymous
    51

    are you high? internet privacy is JUST as important as everyday privacy, the fact that facebook has soo much info about people, and the fact that its never deleted, and the fact that facebook LOVES to give the FBI and CIA anything they ask for means anything you put into that site can be used against you by anyone from a government official/hacker employed by gangsters looking for dirt or a weakness against you.

    It SHOULD be criminal, not supported.

  35. Anonymous
    52

    It gets deleted from the GUI, but they will keep this data stored in their database.  Eventually they will archive it.  However, it will always be there.  I’m not sure why this is so shocking.  It’s no different than how companies manage their databases and old data/tables.  They typically archive, not delete.  Once deleted, it’s gone forever.  Legally, this is a good way to “cover your ass”.

  36. Anonymous
    54

    A voice of reason….thought this was pretty much lost in today’s world.  Never had a FB account and never will….the rest are just sheep to the slaughter

  37. Anonymous
    58

    It tells you just how facebook knows everything about you. Would you want facebook to know EVERYTHING there is to know about you? Too personal if you ask me. It kills the privacy that people once had.

  38. Anonymous
    59

    The solution? Don’t publicly post anything to the internet you don’t want the government to know.
