The Irish Data Protection Commissioner will begin an audit of Facebook next week, based on privacy-related complaints from the Europe-v-Facebook group. It’s a test not only of Facebook but of Ireland as a place to do business.
HERALDED in the German-speaking press as a David-versus-Goliath struggle, what started off as a university paper by an Austrian law student has become an Irish privacy challenge against Facebook that could affect up to 600 million users across Europe.
The complaints against Facebook have their origin in a request made under European law by Max Schrems, a 24-year-old Austrian law student, for access to the data Facebook holds on him. He eventually received a CD containing 1,222 pages of information that the social network retained about him.
Within his personal file he found certain information that unsettled him. Posts, pokes, messages and friends he knew he’d deleted still showed up in his data. Personal chat or instant messages, some of which contained personal information about him and his friends, were there too.
He was also concerned that other types of data were missing. For example, there was no background information on his use of the “like” button, which allows users to link other sites to their Facebook pages. Nor were there any details of how his image was processed in recently introduced face-recognition data.
So Schrems and some friends set up Europe-v-Facebook, an online campaign that is seeking to clarify what it believes are serious privacy issues for Facebook users. The group set out 22 complaints, which it subsequently sent to the Irish Data Protection Commissioner. Because Facebook’s European headquarters are in Dublin, the Irish agency has jurisdiction over the social network’s users outside the US and Canada.
Among the complaints are allegations that Facebook is creating shadow profiles about users and non-users; that direct communications, including chat messages, show up after they have been deleted; and that Facebook is involved in “excessive processing” of data.
Schrems says that this data storage is potentially dangerous. He fears that Facebook, like so many companies before it, will be the target of attempted privacy breaches or that bits of apparently innocuous information will grow into easily searchable life archives with the potential to be misused by government, secret services or others.
His goal, Schrems says, is transparency, something he feels that Facebook preaches but does not practise. Companies dealing with huge amounts of personal data must comply fully with privacy laws, he says, especially when one considers that more than 800 million people use Facebook. In Ireland alone, almost half of over-15s use the site.
“We’re not trying to kill Facebook . . . I’m still a Facebook user,” Schrems says. “I am actually a big fan of Facebook, or let’s say social networking in general. I think it’s a cool technology.”
Europe-v-Facebook has already mobilised users. Since the campaign was launched, in August, Facebook has been inundated with requests from thousands of users seeking access to their own data. Previously, the social network received only a handful of such requests each week. It is talking to the Irish data-protection office about what information the company must divulge as part of these access requests. A decision seems imminent.
“We are co-operating fully with the Irish Data Protection Commissioner as part of this routine audit,” a spokeswoman says. “We look forward to welcoming to our European headquarters over the coming weeks so we can demonstrate our commitment to the appropriate handling of user data and reinforce our compliance with EU data-protection laws.”
The commissioner’s office agrees that Facebook is co-operating fully and anticipates that the company “will implement any necessary changes to comply with any requirements identified”.
The audit comes at a time when online companies in a number of jurisdictions, including the EU and the US, are increasingly coming under official scrutiny. In March Viviane Reding, the EU Commissioner for Justice, said that companies operating in Europe were bound by EU rules. In August the German state of Schleswig-Holstein ordered state institutions to remove the “like” button from their websites after its data-protection commissioner, Thilo Weichert, ruled that it could lead to profiling that contravenes German and European law. Facial-recognition technology has also concerned some data-protection agencies in the UK and Germany.
In the fast-developing online world, governments and consumers are often playing catch-up.
In Market Insight: Social Media Privacy Strategies, a study published earlier this year by the technology research company Gartner, research director Brian Blau notes that “social-media technology development has leapt ahead of consumers’ insight into protecting their online data, and this gap is being exploited by social-media providers, which are pushing the boundaries of what types of data access consumers will tolerate”.
Nowadays, Blau adds, social media – through social networking, blogs, forums and location-based services – have unprecedented access to the increasing amount of information that people are sharing online. When collected and analysed, this data gives “deep insights into individuals, their location, their likes and dislikes, their personal habits and who they interact with”.
With the announcement of the Facebook Timeline, it would appear that the amount of information Facebook users share is going to grow again. Mark Zuckerberg’s online scrapbook invites users to paint a chronological picture of their lives online, and to add details retrospectively to fill it out.
As well as being a test of Facebook, the upcoming Irish audit will also test the capability of the Office of the Data Protection Commissioner. TJ McIntyre, a lecturer in law at University College Dublin and chairman of Digital Rights Ireland, says that the reputation of the Irish data-protection team will be at issue at a time when the European Commission is reviewing EU law on the protection of personal data. He also notes that, in a country that seeks to attract the big hitters of digital technology, the commissioner’s office is becoming increasingly important, so the Government’s decision to cut funding to the office is “disappointing and counterproductive”.
Ireland has been successful in recent years in attracting digital and social-media companies, with Facebook, Google, LinkedIn and, most recently, Twitter establishing operations here. According to the American Chamber of Commerce, “the balance to be struck is in ensuring that we have a strong regulatory environment which is fair and transparent but does not over-regulate to the degree that it is a barrier to innovation and to companies being able to transact their business in a competitive and efficient way”.
What Facebook knows about you . . . and how to find it
Method 1
Facebook says it provides “an easy way for people to download everything they have ever posted on Facebook”. Click on the arrow on the right of the blue Facebook bar at the top of the page, then choose “account settings” and “download a copy of your Facebook data”.
I did this and received a prompt reply. Two hours later my Facebook history landed in my laptop inbox. The file contained posts and pictures charting the mundane, the mad, the public and the personal aspects of my life since mid-2008 when I joined the site. The material came to more than 300 pages. It tallied with what is currently on my Facebook site and contained no information that I had previously deleted.
The download made me think about the breadth of information contained in personal messages: phone numbers, addresses, and messages containing very personal information about me and my friends. Although I won’t delete my Facebook account as a result, it did make me consider just how important it is that this information is properly secured.
Also, I received none of the data that Facebook must collate about me, to provide friend suggestions or personalise ads, for example. Essentially, it left some questions unanswered.
Method 2
Europe-v-Facebook claims that the data in Facebook’s online download does not contain all the information it holds on users, and that users need to fill out a separate online form to get this.
I searched Facebook to find this form, but could not (Europe-v-Facebook says it is a “well-hidden page”). Instead I accessed it through the “get your data!” link on europe-v-facebook.org.
To complete the form I had to provide a scan of a Government-issued ID containing signature, full name, date of birth and photo. I was prompted to black out personal information, such as passport number, that was not needed to verify my identity. The site said it would subsequently delete this scan.
I also had to cite the law under which I was requesting the information (in EU jurisdictions it can be requested under section 12 of EU Directive 95/46/EC).
I got an e-mail within minutes saying that, due to the recent high volume of personal data access requests, there are significant delays and that Facebook would be unlikely to respond within the 40-day period set down by the Irish data-protection office. So I can’t verify Europe-v-Facebook’s claim that the data contained therein differs from what I downloaded from Facebook.
Five complaints
These are five of the 22 complaints made by Europe-v-Facebook, which the Irish Data Protection Commissioner is investigating:
* The “like” button: “This is creating extended user data that can be used to track users all over the internet. There is no legitimate purpose for the creation of the data. Users have not consented.”
* Shadow profiles: “Facebook is collecting data about people without their knowledge. This information is used to substitute existing profiles and to create profiles of non-users.”
* Face recognition: “The new face-recognition feature is a disproportionate violation of the users’ right to privacy.”
* Messages: “Messages (including chat messages) are stored by Facebook even after the user has ‘deleted’ them. This means that all direct communication on Facebook can never be deleted.”
* Groups: “Users can be added to groups without their consent. Users may end up in groups that lead others to false impressions about a person.”