That’s what they say...
(Our childish response on childish responses)
Facebook was now giving the first “responses” on our allegations. Since none of the answers was a least bit satisfying we now felt like we had to clarify some things.
Deleted Content
Deleted Messages
Access Requests
>> What Facebook said:
„Concerning reports about deleted data which sometimes appear in the downloaded files it has to be said that it concerns, in this case, probably posts which were removed on a certain place on Facebook, but were not deleted. Or the information had to be kept for a short time for investigations. We work on preforming this process as seamlessly as possible.“ (German RTL / Stern TV, October 5th 2011)
>> What the Oxford English Dictionary says:
“DELETE - remove data from a computer's memory”.
>> What we say:
Removing and deleting is raising the same expectation in the user: “THE DATA IT IS GONE”. But in fact it is not: Facebook is keeping the data for years. Certain data categories such as “removed friends” are only existing of removed/deleted data.
In our data sets there were deleted messages, posts, pokes or friends from the beginning of our Facebook profile (more than three years). This is by no stretch of imagination a “short time”.
>> What the Irish DPC said:
“When you delete data, it should be gone. So in fact if Facebook is holding on to data of which they have no justification to hold then that is contrary to the law.” (to German RTL / Stern TV, October 5th 2011)
>> What Facebook said:
"People can't delete a message they send from the recipient's inbox or a message you receive from the sender's sent folder. This is the way every message service ever invented works." (Guardian, October 21st 2011)
>> What we say:
Get the facts right.
We never questioned the fact that the messages cannot be deleted in the other recipients inboxes.
Never deleted.
According to Facebook’s (old) privacy statement the messages are not even deleted when both correspondents have deleted them:
“Certain types of communications that you send to other users cannot be removed, such as messages.” (Facebook’s Privacy Policy of August 18th 2011; The new privacy statement does not say anything about deleted messages)
Facebook can always access the “Inbox”
On top of that, the messages are not “hidden” in the inbox of the recipient but they can be accessed and analyzed by Facebook for an indefinite time. That’s something we have never heard of either.
Other messaging systems...
So if you compare this to a regular letter it is like when the postal service is opening and storing all letters you ever received or sent for an unlimited time. In addition to that they read all messages and send you a commercial that fits your text.
But also if you compare it to e-mail or other IM services: All of them work in a privacy friendly way that does not allow the provider to store and analyze all your private communication for an indefinite time.
Copied from the commies?
In no way this is how “every message service ever invented works”, unless Facebook is comparing itself e.g. with the message services of former communist regimes.
>> What Facebook says:
- In different statements they claim that they fully comply with all access requests that are send to them.
- In E-Mails to the users they said that they will not be able to deliver the data within the legal deadline of 40 days.
- All other personal data would be Facebooks “intellectual property”, “trade secret” or “to hard to hand over” (E-Mail to Max Schrems from the 28th of September).
- In other e-mails they say that they fully comply by providing a download link and that the data provided under this link is sufficient to comply with the Irish law.
>> What the (Irish) law says:
Upon request in writing Facebook has to send all personal data it holds about users. The data has to be handed over within 40 days. There are very limited exception if is too hard to hand over the data (e.g. backup filed, spread out over thousands of files, need for excessive manual work). (See section 4 Irish Data Protection Act)
Facebook also has to disclose decision logics that are used when processing personal data. There are special limitations on this disclosure for intellectual property and trade secrets.
(See section 4 Irish Data Protection Act)
>> What we say:
@ 40 day period:
That’s a legal obligation. It shows the lack of respect towards the European laws that Facebook tells users right away that they will not meet the deadline.
@ Downloading you data from facebook.com:
Our group got a data set of up to 57 data categories. Users that just download the data from facebook.com seem to get only 23 of these categories (see comparison).
All the (sensitive) data that Facebook collects in the background is not included at all (e.g. IP addresses, cookie information, deleted messages, removed friends…).
@ IP & TS:
This does not apply to personal data at all, but only to decision logics. Facebook is purposely misleading the people.
When Facebook e.g. claims this excuse for the face recognition data then, one has to wondering if Mr. Zuckerberg is now thinking that he “invented” our faces?
@ “Too hard to hand over”:
With the files we received there were e.g. the “comments” to every picture, but not the likes to the pictures. What is so hard to hand over “Likes”?
What about the information Facebook gathers via the “Like Button”? What is so hard about sending us all the URLs we visited in the last 90 days?
What about the face recognition data?
Is it so hard to send us the bits and bytes that stand for our face?
Summary:
We think Facebook is not handing out the data because it would give us evidence of even more privacy breaches. And information like the tracking that happens via the “Like” Button would freak out users.
The excuses are more than nebulous.
So we are asking: Mr Zuckerberg, do you have something to hide?