How to find out everything that Facebook *really* knows about you

Filed Under: Facebook, Featured, Law & order, Privacy, Social networks

Max SchremsMax Schrems, a 24-year-old law student from Vienna, a meticulous document requester and researcher, is now sitting on a pile of 1,200 pages that comprise his personal-data Facebook dossier.

He secured the data by using a European requirement that entities with data about individuals make it available to those individuals if they request it.

After Mr. Schrems made the request, Facebook handed over a CD containing data that’s now fueling 22 complaints that the law student has filed against Facebook with the Irish Data Protection Commissioner (according to Facebook, European users have a relationship with the Irish Facebook subsidiary).

Watch the following German TV news report (with English subtitles) which features Schrems:

The complaints, which Mr. Schrems began to file in August, concern the illegality of these charges (for the full set and PDFs of the filed complaints, go to Kim Cameron’s Identity Weblog):

* Pokes: Retained even after a user removes them.

* Shadow Profiles: Facebook is collecting data about people without their knowledge, using it to substitute existing profiles and to create profiles of non-users.

* Tags: Used without specific user consent. Users have to "untag" themselves (opt-out).

* Synchronizing: Facebook is gathering personal data - e.g., via its iPhone app or the "friend finder" - and using it without the consent of the data subjects.

* Deleted Postings: Postings that have been deleted showed up in the set of data Mr. Schrems received from Facebook.

* Postings on other Users' Pages: Users can't see the settings under which content is distributed that they post on other's pages.

* Messages: Messages, including Chat Messages, are stored by Facebook even after the user deletes them. This means that all direct communication on Facebook can never be deleted.

Facebook not deleting posts - complaint

According to the Europe vs. Facebook website, the complaints have brought about an audit of Facebook’s Irish headquarters, scheduled for the coming week.

"The Irish DPC will go into the premises of Facebook in Dublin and audit the Company for 4 to 5 days," according to the site. "We hope that this will bring more evidence for the complaints we filed before."

News of Schrems’ legal activities, along with demands for users’ own personal dossiers, went viral at the end of last month. Reddit users stampeded, swamping Facebook with requests for personal data after going through the Reddit submission’s four-step tutorial on how to do so.

Here are the steps on how you can request your personal data from Facebook:

1. Open this site:

Request your personal data from Facebook

2. Enter your personal information

3. Make a reference to the following law:

"Section 4 DPA + Art. 12 Directive 95/46/EG"

4. Click on "Send"

Facebook cried uncle, sending an email claiming that it could not comply with the requests within a 40-day period.

Europe Vs FacebookIn addition to filing the complaints, Mr. Schrems has worked to bring together a crowd of like-minded individuals with the Europe Vs. Facebook website, and setting up a YouTube channel.

Of course, a Facebook page, Europe vs. Facebook, has also been created. The page had 447 members as of this posting.

Remember how Mark Zuckerberg, in the early days of creating Facebook, called users dumb f*cks for trusting him with their private information?

After 7+ years of The Facebook bloating into a private-data behemoth (or boondoggle, depending on your attitude about privacy), one user has finally arisen from the land of dumb f*ckery to strip the label from his own online persona and instead paste it across the data-gobbling gut of Facebook itself.

Kudos, Mr. Schrems.

If you're on Facebook and want to keep informed about privacy issues, scams and internet attacks, join the Sophos page on Facebook, where over 140,000 people regularly share information on threats and discuss the latest security news.

, , , ,

You might like

66 Responses to How to find out everything that Facebook *really* knows about you

  1. Damian · 1414 days ago

    Can anyone tell me what Australian law to cite?

    • pissed off fb user · 1413 days ago

      or american law?

      • serena · 1413 days ago

        its written up there in the article
        Section 4 DPA + Art. 12 Directive 95/46/EG

        • anon · 1413 days ago

          Serena, neither Australia nor the USA are covered by laws in Europe

      • Laura_D · 1413 days ago

        Sadly, I don't think the US *has* an applicable law.

    • Smarter_than_U · 1413 days ago

      Give me a break...

      Go to your account settings and request an electronic copy. I do this once every 6 months. You people are idiots if you think everything you throw onto a public web server is going to stay private. Didn't you have to take computer science 101 in school? Just because a PC is in your bedroom doesn't mean all the data stays there... HELLO? It's the INTERNET! Everything you post (including this rant) is public record. EVERYTHING.

      Protect yourself by getting smart, not by getting angry. L 2 use a client-server system, n00bs (rolls eyes)

  2. Joel · 1414 days ago

    I presume you have to be a resident or citizen of the European Union to successfully file this request? I would be interested in seeing exactly what facebook has kept about me, however I presume they won't want to give it up lightly. Thanks :)

    • Angel · 1413 days ago

      Assume they've kept everything. Meaning everything you've posted, shared, etc. and everything if not most things you publicly share online outside of Facebook.

  3. Rob · 1414 days ago

    This information is for Europe. How do Australians go about obtaining this information?

    • None · 1414 days ago

      Seeing that Facebook isn't based in Australia then you can't cite any law :)

      • Joel · 1414 days ago

        I'm thinking there should be international laws regarding social networking. It's everyone's information, so we should have a right to see what is retained and to choose (to a good extent) who else can. Vote up if any of you agree. :)

    • Feefers · 1414 days ago

      Start lobying your members of parliment for the introduction of a bill (if one does not already exist) that allows you to request personal information about yourself from companies.

  4. Ale · 1414 days ago

    You can actually download your profile from Facebook now under account settings.

    I haven't tried it out yet so I'm not sure if it contains all your deleted comments & messages as well but according to Facebook:

    "What's in your archive?

    Any photos or videos you've shared on Facebook
    Your Wall posts, messages and chat conversations
    Your friends' names and some of their email addresses

    (Note: We'll only include email addresses for friends who've allowed this in their account settings.)
    What's not in your archive?

    Your friends' photos and status updates
    Other people's personal info
    Comments you've made on other people's posts"

    • Sean · 1414 days ago

      It shouldn't contain all of your deleted comments and messages… but like all things (particularly all things Facebook) there are bugs.

      My account's, for example, doesn't archive comments, and deleted messages fail to purge themselves from the archive.

      I believe this bug is due to the fact that I was an early adopter of Facebook's "new" Messages. (But I didn't active the e-mail function and something broke along the way…)

      The important thing to remember about Facebook is that it's a massive database, not a file system. Objects are marked as deleted, they aren't overwritten.

      Let he without [flaws in their database] cast the first stone. (I don't think there is any such thing as a flawless database…)

      While there are some good points – this is a very cynical post.

    • L Scott · 1413 days ago

      I downloaded mine and after reading this post and your reply, I found that it seems to contain every post I have made up to the point where I downloaded it. I haven't found any messages yet, but I will see about that shortly.

    • Smarter_than_U · 1413 days ago

      This feature has been available for a very long time - I download my profile every 6-9 months. It contains the kinds of content you might find in computer backups.

      OMG - yes, computer backups: almost as if FB had an IT infrastructure in place, or some such nonsense like that ... you know, in case the data centers crashed and the file servers needed to be restored or something. (/facepalm)

      • Yes, but the information you download is just a subset of the information Facebook has about you.

        That's what Max Schrem found, when he received his CD.

  5. Simon · 1414 days ago

    Facebook's European headquarters covers all of Europe, Middle East, and Asia and you do not need to be a resident or citizen of the EU to use this right.

    So go ahead and request away.

    • Caitlin · 1413 days ago

      I tried requesting this information as a US citizen, and got the following message: "Unfortunately, we won’t be able to respond to your email directly, as this form is only applicable in certain jurisdictions."

  6. Jan · 1414 days ago

    How do Americans go about obtaining this information? What law do we cite?

    • None · 1414 days ago

      None, because US law doesn't afford you this right.

      • Beth · 1414 days ago

        Great. Our supposedly transparent laws here in the US do not afford it's citizens the right to have this information.... :-(

      • mm23 · 1414 days ago

        Doesn't Freedom of Information figure into it?

        • Rick · 1413 days ago

          I believe freedom of information applies only to government entities.

        • I think FOIA only deals with public information. Facebook isn't a public company. Plus they want my drivers license but say they'll delete it after they verify my identity...ummmm didn't that story just say they don't delete any information?

    • Deeeee · 1413 days ago

      If you follow the link in the article there is a notice "Please note: We have a self-service tool that allows you to download all of your data without submitting this form. Learn how."
      Click the link at "learn how". TaDa!

  7. Elo. Any idea for south africans to get their info from facebook?

  8. Burrito · 1414 days ago

    This chap is complaining that the data can be viewed by anyone, but only if he allows it through his own security settings. And let's not forget that he chose to add this information to a social networking site in the first place. He put his information on his profile to share with others.

    Tell me; if your facebook images or profile was to be deleted or lost by FB, would you be bleating that FB did not adequate archive and backup your data?

    It works both ways.

    If you do not want your personal data on the internet do not publish your personal data on the internet.

    Burrito - 34/24/34. DOB 04-09-82. Status: Grumpy. Hometown - London

    • Kenn · 1414 days ago

      Yes, he chose to add some information to his FB profile, but there are ways that information gets added without his consent as well.

      For example: Alice has her security settings all set to friends only (a simplified example). However, one of her friends, Bob, whose security settings are fully open, posts pictures of himself and Alice out drinking and partying. Bob then tags both of them in the photos. Here's some data that Alice has no control over who sees. You could say that she shouldn't be hanging out with Bob or that she should ask him to not post these pictures, but really, are we going to start screening our friends on the probability that they'll post something we don't want them to?

      • Erica · 1413 days ago

        Alice can set her privacy controls to prevent anyone's tags of her from showing up without her approval, like I did.

      • Actually Alice can remove the tag. But granted that is after the fact and it could be seen before then.

    • imthejb · 1412 days ago

      Facebook has been going through my email contacts without my permission to suggest friends to me. When you log in from a mobile device it also uploads all your mobile phone contacts without your permission.

      Not only that but the FB add-tracker installs a cookie every time you open FB that tracks useage in your browser, even if a FB tab/window isn't open at the time. So they can 'target their advertising'. Which is not only creepy, but an invasion of privacy. And I didn't agree to that.

      And if my profile picture was deleted, there's a 90% chance it's sitting on one of my, or my friend's hard drives, so no /I/ don't expect FB to archive everything as you stated.

      I would sincerely like it if FB stopped accessing my personal things without my permission. Unless of course it was in the T+C that nobody reads and this is FB laughing at the general population for never reading the 30 pages of bullshit T+C

    • guest · 1410 days ago

      actually many posts or parts of posts seem to vanish mysteriously... i am not speaking of archives, because i wouldn't know about archives... i just mean in the moment when trying to post things... much goes missing! it is extremely frustrating when have spent a bit of time on something and didn't manage to back it up before hitting the post button... social networking sites can not be trusted in this way 9and in other ways too it seems)... if you don't want to waste your own time and energy (or have your time and energy wasted by facebook, myspace, etc...) then if you write something you value, you must remember to back it up and save it... otherwise you will most likely feel robbed when it gets lost in the ethers. (it's prob. the safest best to write in a writing program, save it, and then copy and paste to the social networks...etc...) i don't know if fb for example archives even the content that is mysteriously loses on it's users in real virtual time. i'd def. be interested in knowing that.

  9. guest · 1414 days ago

    Just go to the federal gov website and go to Australian privacy laws the act is all written there.

  10. Jim · 1414 days ago

    American's can go to their account settings, at the bottom, click download a copy of your facebook data. Click the archive or download button, and follow the onscreen prompts. You will receive an e-mail when the archive is ready to verify you are who you say to are and a link to download the archive.

  11. juliaskinner · 1414 days ago

    Agreed--I'd be interested to know if Americans have a similar law.

  12. Bigalski · 1414 days ago

    For Australia you are probably best citing the Privacy Act 1988, National Privacy Principles, Principle 6:

    "Principle 6

    Access to records containing personal information

    Where a record-keeper has possession or control of a record that contains personal information, the individual concerned shall be entitled to have access to that record, except to the extent that the record-keeper is required or authorised to refuse to provide the individual with access to that record under the applicable provisions of any law of the Commonwealth that provides for access by persons to documents. "

    So basically Facebook would need to cite a Commonwealth law providing them with the authority to refuse to provide you with your own information.

    I am not a lawyer, however I have used this method to obtain records of my personal information kept by Australian companies. Facebook could of course turn around and simply say they do not acknowledge our privacy act, that would be when you contact the EFF and media outlets...

  13. Hellscreamgold · 1413 days ago

    The OP obviously doesn't know how databases work. When you delete data, it isn't always deleted. Many times, it's "tombstoned" and will be removed at some future date and a flag set showing that it's "deleted" so the software doesn't display it.

    Anyways, this guy is as bad as patent trolls. Umm, dumbass? If you didn't want personal info out there, um, don't sign up for SOCIAL networks.

    • Nigel · 1413 days ago

      Right. "Social networks" and "privacy" are pretty much antithetical concepts.

      But I think you're missing the point. Facebook isn't just a "social network"—some kind of passive system that only knows what you tell it. It's a system that actively and aggressively seeks out all possible information about its users, including their connections to others, and uses it for purposes the user isn't aware of and was never even notified about.

      It is malevolent. The very fact that Facebook refuses to convert its "features" to opt-in and persists in adding new features that are opt-out establishes their nefarious intent. Mr. Zuckerberg's disdain for his users (his "dumb f_cks" comment) and aggressive manipulation and use of their personal information without their knowledge or consent are matters of fact, not opinion.

      If none of that matters to you, you're entitled to your opinion. But you're off-base calling Mr. Schrems a "dumbass" for caring about how Facebook is abusing his personal information, and for doing something about it. Such epithets might best be uttered while standing in front of a mirror.

    • Toob · 1413 days ago

      You are correct about the "tombstoning", this is how we usually do it at our company. I suspect they got backups/archives also, that don't get deleted. And 3:rd party companies who have bought all of your data already and won't delete it.

      You are missing the other point however. Social doesn't mean: I'm dating you, so it's OK for you to rape me.

  14. aaa · 1413 days ago

    If you don't want Facebook to use your data then don't signup for a Facebook account. Stay off of the site.

  15. bricorgn · 1413 days ago

    I think it might be worth pointing out that there are many legal requirements that facebook would need to comply to. take sms services for example where your sms messages are stored for months. obviously the data must tgerefore be used and stored reponsibly. When you consider the amount of abuse that occurs over any communication media then you understand the requirement. zuckerberg and co though do need to be heavily regulated but users also need to be more aware of what we agree to

  16. Arantor · 1413 days ago

    To the folks bleating that 'if you don't want Facebook to use your data, don't sign up', please try reading the article.

    Facebook is logging data about you EVEN IF YOU DON'T HAVE AN ACCOUNT.

    As for the 'never being deleted' argument, that's also bull. If something is deleted and no references to it exist any more, why does it need to be kept in perpetuity? Even in the UK, under the Data Protection Act, there is a rule that data should be kept only as long as it is necessary - and deleted data can (and should) be removed after a period of time.

    Also please note that putting data on Facebook isn't the same as posting publicly on Facebook; almost none of my status updates on there are public, and yet I'm fairly sure people who aren't listed as my friends (and thus shouldn't be able to see it) have sometimes seen it - but there's no way to tell if that's the case, you have to trust them not to abuse your data.

  17. Amasea · 1413 days ago

    Wait, so to request information about your Facebook account, you have to give them MORE information?

  18. Dido · 1413 days ago

    NO said "ENGLISH SUBTITLES" on the above Video! ??? !

    • Angstela · 1412 days ago

      Try clicking the "CC" button at the lower edge of the video.

  19. Colin - Surrey - UK · 1413 days ago

    When you post ANYTHING on ANY website you need to accept the risk that it may be there forever and may be Copied and Posted to any other website by Any Other Person without your permission or knowledge - So the bottom line is DONT post anything you do not want to be seen by anybody its not intended for
    If you have something to share with your friends or collegues that you do not want posted all over the internet Send it to them in their Personal E-mail NOT on a social networking website
    And even then there is a small risk that one of your friends may post your message to some other place
    Its frightening what some people will do if they have a grievance or too much to drimk

    • RBR · 1409 days ago

      I beg your pardon but the point is not to accept the risk someone sees what it is posted on a facebook account.

      The point IS that when someone DELETE something from its Facebook account, the person await the data (d)he asked DELETION for is EFFECTIVELY deleted.

      No more, no less

  20. If Facebook is mining your data why the hell should I provide them with a SIGNED government document like passport, driving license, etc? Who can gurantee they would DELETE that document?

  21. Daniela Vegas · 1413 days ago

    Ok, I have double nationality. German and Peruvian.
    Presently living in Peru. What article of the Privacy Law should apply here.
    Or should I pretend I'm living in Germany, give my brother's address and take from there. In that case, Which article of the law applies in Germany ?
    I really want to get to the bottom of this, thanks for any information you may provide in advance.

  22. joda · 1413 days ago

    And even if they state in any manual what they want me to accept by a non-signed click, they have to obey the laws.

  23. Mark Zeckerberger · 1410 days ago

    Why would anyone get a facebook account using their real name, unless it's for business networking? Of course facebook will still compile data on who your online friends or contacts are (because they're too stupid to use a fake, excuse me, accidentally mispelled name) and what "your interests" are and have your IP number, etc., but it still makes the data mining more difficult.

    Same for gmail and yahoo and iTunes (you can get a free, anonymous account - tech notes are around on the web) and any other sites where you don't need to use a credit card.

  24. Necrostar · 1409 days ago

    I found the same problem with google+ who shows me things that I deleted from internet two years ago, an even some information I know I never wrote anywhere, but they knew it. Facebook and Google are becoming a real Big brother,

  25. Boomer · 1409 days ago

    Let's see if I got this right: Facebook creates fake identities from our data. Facebook thinks we are all a bunch of "dumb f*cks" to give them our personal information. Facebook may or may not delete information that we request they delete. We should join Facebook and go to the Sophos Facebook page: "If you're on Facebook and want to keep informed about privacy issues, scams and internet attacks, join the Sophos page on Facebook,. . . "

    I don't get the last one. The logic escapes me completely. Why would I want to do that after you just warned me about all the perils and what a "dumb f*ck" I would be.

    • Because if you choose to remain on Facebook, we would rather you kept aware of the risks than live with your head completely in the clouds.

  26. vanarie · 1409 days ago

    This is funny. Try deactivating your account. You'll get an email that says: "Hi,
    You have deactivated your Facebook account. You can reactivate your account at any time by logging into Facebook using your old login email and password. You will be able to use the site like you used to. Thanks, The Facebook Team"

    This means that even if you decide to not use Facebook, they still keep all this info (personal chats, posts, likes, friends, family) on you FOREVER. If this isn't illegal, it should be!

  27. georgebutel · 1409 days ago

    I've been wondering about that "poke" business all this time. Are there a bunch of pre-schoolers using Facebook or something? More bizarre than the fact that the "poke" process exists is the idea that anyone would complain that "pokes are "retained even after a user removes them."

  28. Paul · 1396 days ago

    I have noticed that if i click one of the "show friendship" links between myself and another user, that photo's i have deleted and comments or status updates that i have deleted all show up on FB's version of our relationship. Try it and see if that is true for you too.

  29. Dragynne · 1303 days ago

    Just got to this article and what do u know, the link to the request page has now become an "expired" link :(

  30. Charles · 1297 days ago

    Interesting article, I like to look into all the Facebook options and settings once in a while (or whenever I notice something has changed) and I recall discovering this data request and sending one in... this must have been a few months ago now and I have never received anything from them............. Will try filling out the form again quoting this law as you have instructed.

  31. gboswellsac · 1294 days ago

    The url does not work
    The page you requested was not found.

    Guess yo got them all upset.....

  32. guest · 1272 days ago

    Interesting that I am unable to post the link to this page in my fb status ...

  33. Stephan White · 858 days ago

    I think it might be worth pointing out that there are many legal requirements that facebook would need to comply to. take sms services for example where your sms messages are stored for months. obviously the data must tgerefore be used and stored reponsibly. When you consider the amount of abuse that occurs over any communication media then you understand the requirement. zuckerberg and co though do need to be heavily regulated but users also need to be more aware of what we agree to.

  34. Anonymous · 99 days ago

    We’ll take a look at the documents you submitted and get back to you. If we need more help confirming your name, we’ll reach out for additional documentation.?

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

About the author

I've been writing about technology, careers, science and health since 1995. I rose to the lofty heights of Executive Editor for eWEEK, popped out with the 2008 crash, joined the freelancer economy, and am still writing for my beloved peeps at places like Sophos's Naked Security, CIO Mag, ComputerWorld, PC Mag, IT Expert Voice, Software Quality Connection, Time, and the US and British editions of HP's Input/Output. I respond to cash and spicy sites, so don't be shy.