How much data did Facebook have on one man? 1,200 pages of data in 57 categories

This article was taken from the December 2012 issue of Wired magazine.

"Personal data is the 'oil' Facebook is drilling for," says Max Schrems, Austrian law student and founder of the advocacy group Europe versus Facebook. "They might not have the best motor to burn it yet, but they know it will be coming." Schrems, 26, is all too aware of how much data the world's largest social network stores. In 2010, while researching his thesis, he asked Facebook if it could send him all of the user data the company had relating to his own account. Amazingly, he got a response.

Facebook was, in Schrems' words, "dumb enough" to send him all his data in a 1,200-page PDF. It showed that Facebook kept records of every person who had ever poked him, all the IP addresses of machines he had used to access the site (as well as which other Facebook users had logged in on that machine), a full history of messages and chats and even his "last location", which appeared to use a combination of check-ins, data gathered from apps, IP addresses and geo-tagged uploads to work out where he was.

As Schrems went through the document, he found items he thought he had deleted, such as messages, status updates and wall posts. He also found personal information he says he never supplied, including email addresses that had been culled from his friends' address books. European law is worded vaguely, but says that personal data must be processed "fairly"; people should be given comprehensive information on how it will be used; the data processed should not be "excessive" in relation to the purpose for which it was collected; it should be held securely and deleted when no longer needed. And each person should have the right to access all of their personal data.

In 2011, Schrems created Europe versus Facebook, which published the documents Facebook had sent him and flagged up where they didn't comply with EU law. He got in touch with the Office of the Irish Data Protection Commissioner (IDPC) -- Facebook Ireland is the "data controller" for its European users -- and sent 22 detailed complaints showing how Facebook wasn't compliant, five relating to it allegedly not deleting data. He also complained about "shadow profiles", where Facebook collects contact information relating to non-users when users sync their contacts from other services. He argued that the standard privacy settings were too liberal and that tools such as facial recognition should be opt-in rather than opt-out (Schrems admits that he can't think of many social networks that conform to his standards). The IDPC analysed these complaints, along with those from other citizens and European consumer groups, and drew up recommendations for Facebook.

Schrems' next line of attack was to create a web interface to make it easy for people to make access requests for their data from Facebook. Within weeks, Facebook received 40,000 enquiries. In response, Facebook developed an archive download tool. However, it only supplied data from 23 of the 57 categories identified by Schrems. "They said that all data was included but it was easy to send back a list of categories to show this wasn't the case," says Schrems.

Gary Davis, 40, deputy data protection commissioner at the IDPC, says Schrems' complaints were "well-researched", but stresses that Facebook complied without any problems. He believes it is simply a US company struggling with EU legislation. "The concept of access [to your data] was just alien to them. In the US consent is just a privacy policy and a tick-box approach." In response to the IDPC, Facebook made changes, agreeing deadlines for action and querying only a few areas where deletion of data might lead to a clunky user experience.

The IDPC carried out a second on-site audit at Facebook's headquarters in July 2012, and on September 21 published a report on the changes the network had made. Schrems acknowledges that it is a step in the right direction, but argues that more can be done. "They break democratically decided laws in the EU and get away with it. Instead of putting money into compliance, they expect NGOs and authorities to do that work for them."

For Facebook, Schrems's campaign highlights the differences between two regulatory schools of thought. Richard Allan, Facebook's director of policy for Europe, Middle East and Africa, explains: "The first is where regulators encourage compliance. There's a stick at the end of it if you don't comply, but you don't start with the stick."

The second school of thought defines regulation in terms of catching out and punishing. Allan, 46, likens it to school inspections: "Inspectors can write a report with five things they want the school to improve. They can come back in a year to see that it's been done. Or they can come in and say, 'Aha! In lesson three you didn't use the right textbooks and now I'm going to fine you.'"

Schrems -- who adheres to the second school of thought -- thinks that EU data-protection law is the reason why US corporations don't comply. "Businesses calculate the cost of compliance versus the cost of breaking the law," he says. "If there are no fines that are high enough, the calculation will always have one result: breaking the law." Schrems supports the proposed update to the EU data-protection directive that would allow for fines of up to two per cent of global annual turnover for breaches. Allan dismisses this idea, insisting that "the strongest weapon the IDPC has" is to publicly declare, as "the authoritative source", that Facebook is not compliant. The punishment is the brand damage this could cause. "Facebook has a monopoly on social networking," says Schrems. "Everyone gets sucked in. This lets them do what they want."

Despite his indignation, Schrems still has a Facebook profile. "Social media is a cool thing and that sometimes gets lost when I talk to the media. The social-media monopolist is misbehaving, not social media."

How Facebook tracks your behaviour trail

1. Check-ins

This lists the exact locations where a user has checked in. It includes author, messages, tagged users, an ID number and a time stamp.

2. Last location

Shows the last place the site got from you. How is this obtained? Probably from apps, check-ins, geo-tagged photos and the last used IP address.

3. Friends

A listing of all your friends with their ID number. If you remove a friend he or she will be listed in the section "removed friends".

4. Messages

All messages, including chat, you have ever sent or received. They can no longer be deleted and US agencies can access them at will.

5. Shares

This shows all the links a user posted on a user's wall. Each has to be deleted from the wall individually. It includes posts that the user has deleted.

6. Connections

This section lists links to pages that the user "likes". Highly useful for ad targeting, these often include sensitive information.

How to get your data

According to European data-protection law, every individual has the right to get a copy of all personal data a company holds about them. Here's the Max Schrems way to get your data back from Facebook.

1. Use the download tool

Request a copy of your data at facebook.com/settings. This will include photos, posts, messages and friend lists (and some email addresses). Make sure you click "expanded archive". Our data was ready within two hours.

2. Send an email request

First, correct your data on Facebook. Send an email using the prepared text from the Europe versus Facebook website to datarequests@fb.com. You'll get a standard response; your actual one will come later.

3. Send a postal request

As with email, you must first correct any errors in the data about yourself. Then fill in Europe versus Facebook's online form and send it to Facebook's local address. It has a statutory 40-day limit to respond.

4. Double-check the data

Once Facebook sends you your data, either as a PDF or on a CD, you can compare it with the data-pool page on Europe versus Facebook's website, in case Facebook hasn't supplied all of the data requested.

5. File a complaint

Some data (such as removed photo-tags) are only available when you file a complaint after the request. To do this, fill in the UK Information Commissioner's online form at ico.gov.uk/complaints.aspx.

europe-v-facebook.org

This article was originally published by WIRED UK