Max Schrems, a 24-year-old law student from Vienna, a meticulous document requester and researcher, is now sitting on a pile of 1,200 pages that comprise his personal-data Facebook dossier.
He secured the data by using a European requirement that entities with data about individuals make it available to those individuals if they request it.
After Mr. Schrems made the request, Facebook handed over a CD containing data that’s now fueling 22 complaints that the law student has filed against Facebook with the Irish Data Protection Commissioner (according to Facebook, European users have a relationship with the Irish Facebook subsidiary).
Watch the following German TV news report (with English subtitles) which features Schrems:
The complaints, which Mr. Schrems began to file in August, concern the illegality of these charges (for the full set and PDFs of the filed complaints, go to Kim Cameron’s Identity Weblog):
* Pokes: Retained even after a user removes them.
* Shadow Profiles: Facebook is collecting data about people without their knowledge, using it to substitute existing profiles and to create profiles of non-users.
* Tags: Used without specific user consent. Users have to “untag” themselves (opt-out).
* Synchronizing: Facebook is gathering personal data – e.g., via its iPhone app or the “friend finder” – and using it without the consent of the data subjects.
* Deleted Postings: Postings that have been deleted showed up in the set of data Mr. Schrems received from Facebook.
* Postings on other Users’ Pages: Users can’t see the settings under which content is distributed that they post on other’s pages.
* Messages: Messages, including Chat Messages, are stored by Facebook even after the user deletes them. This means that all direct communication on Facebook can never be deleted.
According to the Europe vs. Facebook website, the complaints have brought about an audit of Facebook’s Irish headquarters, scheduled for the coming week.
“The Irish DPC will go into the premises of Facebook in Dublin and audit the Company for 4 to 5 days,” according to the site. “We hope that this will bring more evidence for the complaints we filed before.”
News of Schrems’ legal activities, along with demands for users’ own personal dossiers, went viral at the end of last month. Reddit users stampeded, swamping Facebook with requests for personal data after going through the Reddit submission’s four-step tutorial on how to do so.
Here are the steps on how you can request your personal data from Facebook:
1. Open this site: http://www.facebook.com/help/contact_us.php?id=166828260073047
2. Enter your personal information
3. Make a reference to the following law:
"Section 4 DPA + Art. 12 Directive 95/46/EG"
4. Click on “Send”
Facebook cried uncle, sending an email claiming that it could not comply with the requests within a 40-day period.
Of course, a Facebook page, Europe vs. Facebook, has also been created. The page had 447 members as of this posting.
Remember how Mark Zuckerberg, in the early days of creating Facebook, called users dumb f*cks for trusting him with their private information?
After 7+ years of The Facebook bloating into a private-data behemoth (or boondoggle, depending on your attitude about privacy), one user has finally arisen from the land of dumb f*ckery to strip the label from his own online persona and instead paste it across the data-gobbling gut of Facebook itself.
Kudos, Mr. Schrems.
If you’re on Facebook and want to keep informed about privacy issues, scams and internet attacks, join the Sophos page on Facebook, where over 140,000 people regularly share information on threats and discuss the latest security news.Follow @LisaVaas