Friday, November 16, 2012

Facebook data access experiment

On 30th November last year I deleted my Facebook account. The account and all the data associated with it were supposed to be purged within 14 days.

Nearly 12 months on I wanted to test that, so as an experiment I've signed up for Facebook again. I don't intend to use the account so please do not message me or send friend requests etc. as I won't be responding to them.  I've locked down the privacy and security settings in an effort to block Facebook from harassing people they think I know that I'm back but I don't have a lot of time, didn't go through all of them and this will be leaky.

Apologies in advance, therefore, if Facebook do hassle anyone about my (non) return.

The sign up process was tedious and, amazingly, Facebook eagerly invited me to become friends with a whole host of familiar names and faces. How did they know?!

So suspicion has already set in that what I remember as a promised data purge (I knew I should have checked/recorded the wording more closely at the time), on account deletion, was not as thorough as the warning that it might be implied. Looking at the current wording on the delete my account page it hints at data deletion but then again not really:
If you do not think you will use Facebook again and would like your account deleted, we can take care of this for you. Keep in mind that you will not be able to reactivate your account or retrieve any of the content or information you have added. If you would still like your account deleted, click "Delete My Account".
The data won't be retrievable by me and the capacity to reactivate the account won't be within my control but the fate of data generated by and about the deleting account holder is left unspecified.

In any case, now I'm a fully fledged Facebook devotee [sic] again, (though I don't necessarily have to be an account holder to do so), I can send them a subject access request which I have duly done, in the hope of finding out what deleted/ irretrievable/retained data they inadvertently or otherwise might have about me, since the cancellation of my original account:
Dear Sir/Madam,
I wish to make a data access request, under section 4 of the Data Protection Act 1988 as amended by the Data Protection (Amendment) Act 2003, for a copy of any information you keep about me, on computer or in manual form.
Thank you,
Ray Corrigan
Email: **@**
Birthdate: ** *** *****
Since Facebook's European headquarters is in Dublin I've made the request under the Irish data protection regulations and Facebook are obliged to respond within 40 days. If anything interesting emerges I'll report back.

In the meantime if you'd like to pursue Facebook's ongoing compliance with EU data protection regulations you can find the Irish Data Protection Commissioner's audit of the company here. Further details of how well Facebook are doing on the EU privacy front are available at Europe v Facebook and Ars Technica has a prominent profile in recent days of the student behind the site. Thanks to Eoin O'Dell for the link.

Update: Facebook's automated response has arrived:

Thank you for contacting us to make a data request. You can access your data on Facebook in several ways.  First, your account itself, including your timeline and activity log, contains the vast majority of your personal data.  Second, we have two tools that allow you to download your data. They are both available by going to your Account Settings. One tool provides the most common data users are seeking when they make data requests. The second tool, called “expanded archive”, contains additional data.  We will continue to add data to your expanded archive over the next few months.

Your expanded archive may include:

• Pending friend requests
• Your mobile telephone numbers
• Account status changes – if, for example, you deactivated and then reactivated your account • Birthday visibility • City and hometown info • Data cookie info – cookie used for security purposes • Events info • Family members (listed by you or your family) • IP addresses stored by Facebook • Spoken languages • Login info, including a list of the logins we have stored • Logout info, including a list of IP addresses we've stored, from which you’ve clicked Log Out • Poke info • Previous names • Relationship info

You may also use the main download your information tool, as well as your Wall or timeline and activity log to access your:

Comments on others' posts, photos
Posts on others' timelines or Walls
Others' posts on your timeline or Wall
Various apps’ activity
Open graph activity –listened to a song, read an article, and so on Status updates Likes Posts in groups Posts on pages Shared links, photos and other info Added friends

To learn more about specific types of personal data that Facebook uses and how you can access your own data, please read on.

Personal Data Processed by Facebook

To learn more about your data on Facebook, please read the Data Use Policy:
This policy describes:

• Categories of data being processed by Facebook • Personal data that Facebook receives from Facebook members • Sources of this info, if known • Reasons for processing this data • Recipients or categories of recipients to whom Facebook members’ personal data are or may be disclosed

Accessing Your Facebook Data – Active Account

To download your information or your expanded archive:

1. Click the V menu at the top right of any Facebook page.
2. Choose Account Settings.
3. Click "Download a copy of your Facebook data." To access the new categories of info, click “expanded archive.”

To check to see whether your credit card information is storied on Facebook, go to Account Settings > Payment Methods. From there, you may choose to change or delete stored credit card information.

Please note that you’ll be asked for your account password in order to start your download. Your downloaded file may contain sensitive information. You should keep your downloaded info secure and take precautions when storing, sending or uploading it.

You can also access personal data from your current timeline and activity log anytime. Just log into Facebook to edit this info. If you have trouble logging in to your account, please visit our Log In and Password help page:

Accessing Your Personal Data – Without an Account

If you can’t access your account or don’t have an account, please follow the link below to complete a form and request your data:

You may be required to provide additional information to authenticate your identity.

The Facebook Data Access Request Team"
This does not address the company's obligation under section 4 of the Irish Data Protection Act to provide me with the data they hold on me.  So I've contacted the Irish Data Protection Commissioner at '' to complain.
"Data Access Request unsatisfactory response: Facebook Ireland Ltd.
Office of the Data Protection Commissioner.
Canal House,
Station Road
Portarlington ,
Co. Laois

Dear Sir/Madam,

I sent the initial request by email today, 16 November 2012.

I got an automated response by e-mail from the company, saying that I should use two tools to download “common data” and additional “expanded archive” data.  The company says they “will continue to add data to your expanded archive over the next few months”. By the company’s own automated admission, therefore, they have not provided me with full access to “any personal data” they hold about me.

These tools mentioned in the response are not sufficient to discharge Facebook’s obligation in law to provide me with access to “any personal data” the company holds and processes about me, in intelligible form.  Under section 4 (a)(iii) of the Data Protection Act,

an individual shall, if he or she so requests a data controller by notice in writing—

(iii) have communicated to him or her in intelligible form—

(I)  the information constituting any personal data of which that individual is the data subject, and

(II) any information known or available to the data controller as to the source of those data unless the communication of that information is contrary to the public interest,

(iv) where the processing by automatic means of the data of which the individual is the data subject has constituted or is likely to constitute the sole basis for any decision significantly affecting him or her, be informed free of charge by the data controller of the logic involved in the processing,

I therefore ask you to take the necessary steps to make Facebook Ireland Ltd comply with my personal data access request and section 4 of the Irish Data Protection Act. I would appreciate your formal decision on this complaint as soon as possible.

Yours faithfully,

Ray Corrigan"

No comments: