Jump to Navigation
A project of the Tactical Technology Collective
You are viewing the printer / low bandwidth version click for: [High Bandwidth Version]

| Or navigate further in low-bandwidth mode: [Exposing the Ridiculous] [Exploring the Truth] [Mobilising for Action] [Original 10t]


10 tactics remixed: [Mobilising for Action] informationactivism.org

Europe vs Facebook

New example

What does Facebook actually know about me? Max Schrems, a 24 year old law student in Vienna, tried to find an answer to this question.

In 2011, Schrems used European data privacy laws to file a request for his personal data from Facebook. Facebook provided him with a CD that had 1,222 pages of data chronicling about 3 years of his use of the service. 

After reviewing the data, Schrems discovered that Facebook had retained deleted chat conversations, event invitations he did not respond to, pokes, and details on his physical location identified by IP addresses, among other data which he never agreed to share. 

And the 1,222 pages only contained data from 23 out of the 84 categories Facebook has. 

Although Facebook is a North American company, all non US and Canadian accounts are managed by its international headquarters in Dublin. This means that the majority of Facebook accounts are subject to Irish data privacy law. Schrems found that much of the data Facebook stores and records is in direct violation of this law. 

Schrems decided to use the law to question the Facebook company and he filed 22 different complaints (see them here) with the Irish Data Protection Commissioner. With other students, he set up a campaign website called, Europe versus Facebook. The website documented his case against Facebook's data policies and provided a video tutorial for others to request their own data from Facebook too.  

This lead to over 40,000 requests to Facebook. 

Facebook responded in two ways. It first removed the online form for personal data requests from its website and redirected users to a download of their profile. The copy of the profile does not contain any of the data Facebook holds or generates about profiles and only provides information on 22 out of the 84 data categories. Then Facebook started to use an auto-reply email which claimed that the volume of requests was too high and a response could only be expected in 40 days. This violates the the legal time frame stipulted by the Irish Data Protection Commission.

This campaign has been crucial in exposing what many of us already suspected about Facebook. And Facebook's official response has been telling. It places responsibility for privacy almost entirely on the user, who agrees to Facebook's terms and conditions when creating an account. But Facebook is not transparent about its privacy policy; it keeps changing the terms and the agreement we're supposed to read before signing up is impossibly long. It consists of 19 main pages and links to over 200 sub-pages. 

Policymakers have taken notice, too. At the end of 2011, the Irish Data Protection Commission (DPC) conducted an audit of Facebook Ireland Ltd's data policy in relation to the law (you can read the full report here). As well as this, the EU Commission published a fact sheet, using the campaign as a model, in a proposal for new, stricter data protection laws within the EU. 

Follow the continuing campaign on the Europe vs Facebook website. 

FURTHER READING 
Should personal data be personal? New York Times Sunday Review, 2012
Big Data age puts Privacy in Question as Information Becomes Currency, The Guardian, 2012
Europe versus Facebook Objectives
Terence Craig and Mary E. Ludloff 2011 (Book)
What are Digital Shadows and Why do they Matter?Me and My Shadow, Tactical Tech, 2012

VIDEO
Max Schrems presents Europe vs Facebook at the Unlike Us conference
What Facebook knows about you, Tageszeitung, 2011.
Facebook Shares More About How It Uses Your Data, New York Times Bits, 2012. 

PODCAST
The Facebook Show on onthemedia.org: An Austrian man who got Facebook to give him everything they had on him, a writer whose rapist friended her on Facebook, the value of a "Like." 

IMAGES: 
Europe versus Facebook
Facebooks Personal Data Request Form which has been removed