Facebook's information access feature still violates European law
Facebook's new "Download your Information" feature reveals a radically different interpretation of transparency to one that the rest of us in Europe might hold. The feature may be a promising start, but the company still clearly has difficulty understanding the requirements of European Data Protection law. The feature provides only a fraction of the personal information held by Facebook and is thus still in violation of law.
The company may escape a prosecution under the UK Trades Description act for misleading advertising, but only just. The download feature does carry a caveat. It says the feature will give you:
- Any photos or videos you've shared on Facebook
- Your Wall posts, messages and chat conversations
- Your friends' names and some of their email addresses
but that's a far cry from the masses of other data held by the company. To avoid a claim of misleading advertising the feature should be called something like "Download a Sliver of Your Information".
The feature merely shows you all the stuff you can already see, but nothing that's stored in the backroom. For example, information about successful and failed logins, IP address, assumed location of login and whether that IP is tied to other accounts are not revealed. Many other categories of data are also being withheld.
The company recently sent a notice to users claiming that the company is on the case complying with access rules for disclosure of data to users, but the commitments are at best narrowly conceived and at worst deceptive. The site Europe-v-Facebook has already conducted a superb analysis of what data is lacking. This includes:
- Content users were posting on other peoples sites
- Meta data of videos
- The information that users “liked” certain content
- Information about my browser type, as listed in Facebook’s privacy policy
- Information about my interaction with advertisements (as listed in the privacy policy)
- Information gathered through “conversation tracking” (as listed in the privacy policy)
- Information that “indicates a relationship” with other users (as listed in the privacy policy)
- Information about pictures that users used to be tagged in, but removed my tag from.
- “Tracking information” that Facebook Ireland gathered from users interaction with other websites, such as when I clicked on a “like”-Button, or loaded the plug-ins from Facebook.
- Information about “Searches” that users made through the “search” function.
- Information about settings such as the newsfeed settings
- Information about “click flows” and the visits of individual pages of the platform
- Information about the use of personal data in the “friend finder” functionality
- A disclosure about the use and outcome of any processing of users’ data, such as “matching” processes, face recognition or targeting for advertisement.
- Information about the use of pictures for Facebook’s new “face recognition” tool, or the outcome of such a process (such as biometrical data that may be used to identify users).
- Data that Facebook gathered about users (e.g. phone numbers) when other people “synchronized” a device (e.g.iPhone) with Facebook.
- More detailed information about users’ relationships to other users. Facebook Ireland is e.g. asking users where they know each other from or they track how often users interact.
- Information on individual content I was posting that indicates the reaction of other users.
- Information about “invitations” to groups, events or pages users sent to other users.
The most worrying aspect of this situation is that Facebook is now responding to Subject Access requests under Data Protection by merely providing a link to the feature. Until this situation is rectified the company must stop publicly proclaiming its commitment to transparency. Even as recently as yesterday Facebook's global head of public policy and communication, Elliott Schrage told a high level political conference in Paris that the company was absolutely committed to transparency.