Max Schrems, a 24-year-old law student from Vienna, a meticulous document requester and researcher, is now sitting on a pile of 1,200 pages that comprise his personal-data Facebook dossier.
He secured the data by using a European requirement that entities with data about individuals make it available to those individuals if they request it.
After Mr. Schrems made the request, Facebook handed over a CD containing data that’s now fueling 22 complaints that the law student has filed against Facebook with the Irish Data Protection Commissioner (according to Facebook, European users have a relationship with the Irish Facebook subsidiary).
Watch the following German TV news report (with English subtitles) which features Schrems:
The complaints, which Mr. Schrems began to file in August, raise the following charges of illegality (for the full set and PDFs of the filed complaints, go to Kim Cameron’s Identity Weblog):
* Pokes: Retained even after a user removes them.
* Shadow Profiles: Facebook is collecting data about people without their knowledge, using it to substitute existing profiles and to create profiles of non-users.
* Tags: Used without specific user consent. Users have to “untag” themselves (opt-out).
* Synchronizing: Facebook is gathering personal data – e.g., via its iPhone app or the “friend finder” – and using it without the consent of the data subjects.
* Deleted Postings: Postings that have been deleted showed up in the set of data Mr. Schrems received from Facebook.
* Postings on other Users’ Pages: Users can’t see the settings under which content they post on others’ pages is distributed.
* Messages: Messages, including Chat Messages, are stored by Facebook even after the user deletes them. This means that all direct communication on Facebook can never be deleted.
According to the Europe vs. Facebook website, the complaints have brought about an audit of Facebook’s Irish headquarters, scheduled for the coming week.
“The Irish DPC will go into the premises of Facebook in Dublin and audit the Company for 4 to 5 days,” according to the site. “We hope that this will bring more evidence for the complaints we filed before.”
News of Schrems’ legal activities, along with demands for users’ own personal dossiers, went viral at the end of last month. Reddit users stampeded, swamping Facebook with requests for personal data after going through the Reddit submission’s four-step tutorial on how to do so.
Here are the steps on how you can request your personal data from Facebook:
1. Open this site: http://www.facebook.com/help/contact_us.php?id=166828260073047
2. Enter your personal information
3. Make a reference to the following law:
"Section 4 DPA + Art. 12 Directive 95/46/EG"
4. Click on “Send”
Facebook cried uncle, sending an email claiming that it could not comply with the requests within a 40-day period.
In addition to filing the complaints, Mr. Schrems has worked to bring together a crowd of like-minded individuals through the Europe vs. Facebook website and by setting up a YouTube channel.
Of course, a Facebook page, Europe vs. Facebook, has also been created. The page had 447 members as of this posting.
Remember how Mark Zuckerberg, in the early days of creating Facebook, called users dumb f*cks for trusting him with their private information?
After 7+ years of The Facebook bloating into a private-data behemoth (or boondoggle, depending on your attitude about privacy), one user has finally arisen from the land of dumb f*ckery to strip the label from his own online persona and instead paste it across the data-gobbling gut of Facebook itself.
Kudos, Mr. Schrems.
If you’re on Facebook and want to keep informed about privacy issues, scams and internet attacks, join the Sophos page on Facebook, where over 140,000 people regularly share information on threats and discuss the latest security news.
66 comments on “How to find out everything that Facebook *really* knows about you”
Can anyone tell me what Australian law to cite?
Or American law?
It's written up there in the article
Section 4 DPA + Art. 12 Directive 95/46/EG
Serena, neither Australia nor the USA are covered by laws in Europe
Sadly, I don't think the US *has* an applicable law.
Give me a break…
Go to your account settings and request an electronic copy. I do this once every 6 months. You people are idiots if you think everything you throw onto a public web server is going to stay private. Didn't you have to take computer science 101 in school? Just because a PC is in your bedroom doesn't mean all the data stays there… HELLO? It's the INTERNET! Everything you post (including this rant) is public record. EVERYTHING.
Protect yourself by getting smart, not by getting angry. L 2 use a client-server system, n00bs (rolls eyes)
I presume you have to be a resident or citizen of the European Union to successfully file this request? I would be interested in seeing exactly what facebook has kept about me, however I presume they won't want to give it up lightly. Thanks 🙂
Assume they've kept everything. Meaning everything you've posted, shared, etc. and everything if not most things you publicly share online outside of Facebook.
This information is for Europe. How do Australians go about obtaining this information?
Seeing that Facebook isn't based in Australia then you can't cite any law 🙂
I'm thinking there should be international laws regarding social networking. It's everyone's information, so we should have a right to see what is retained and to choose (to a good extent) who else can. Vote up if any of you agree. 🙂
Start lobbying your members of parliament for the introduction of a bill (if one does not already exist) that allows you to request personal information about yourself from companies.
or congress 🙂
You can actually download your profile from Facebook now under account settings.
I haven't tried it out yet so I'm not sure if it contains all your deleted comments & messages as well but according to Facebook:
"What's in your archive?
Any photos or videos you've shared on Facebook
Your Wall posts, messages and chat conversations
Your friends' names and some of their email addresses
(Note: We'll only include email addresses for friends who've allowed this in their account settings.)
What's not in your archive?
Your friends' photos and status updates
Other people's personal info
Comments you've made on other people's posts"
It shouldn't contain all of your deleted comments and messages… but like all things (particularly all things Facebook) there are bugs.
My account's archive.zip, for example, doesn't archive comments, and deleted messages fail to purge themselves from the archive.
I believe this bug is due to the fact that I was an early adopter of Facebook's "new" Messages. (But I didn't activate the e-mail function and something broke along the way…)
The important thing to remember about Facebook is that it's a massive database, not a file system. Objects are marked as deleted, they aren't overwritten.
Let he without [flaws in their database] cast the first stone. (I don't think there is any such thing as a flawless database…)
While there are some good points – this is a very cynical post.
I downloaded mine and after reading this post and your reply, I found that it seems to contain every post I have made up to the point where I downloaded it. I haven't found any messages yet, but I will see about that shortly.
This feature has been available for a very long time – I download my profile every 6-9 months. It contains the kinds of content you might find in computer backups.
OMG – yes, computer backups: almost as if FB had an IT infrastructure in place, or some such nonsense like that … you know, in case the data centers crashed and the file servers needed to be restored or something. (/facepalm)
Yes, but the information you download is just a subset of the information Facebook has about you.
That's what Max Schrems found, when he received his CD.
Facebook's European headquarters covers all of Europe, Middle East, and Asia and you do not need to be a resident or citizen of the EU to use this right.
So go ahead and request away.
I tried requesting this information as a US citizen, and got the following message: "Unfortunately, we won’t be able to respond to your email directly, as this form is only applicable in certain jurisdictions."
How do Americans go about obtaining this information? What law do we cite?
None, because US law doesn't afford you this right.
Great. Our supposedly transparent laws here in the US do not afford its citizens the right to have this information…. 🙁
Doesn't Freedom of Information figure into it?
I believe freedom of information applies only to government entities.
I think FOIA only deals with public information. Facebook isn't a public company. Plus they want my drivers license but say they'll delete it after they verify my identity…ummmm didn't that story just say they don't delete any information?
If you follow the link in the article there is a notice "Please note: We have a self-service tool that allows you to download all of your data without submitting this form. Learn how."
Click the link at "learn how". TaDa!
Downloading your profile is quite different from requesting the CD of everything they have about you.
Elo. Any idea for south africans to get their info from facebook?
This chap is complaining that the data can be viewed by anyone, but only if he allows it through his own security settings. And let's not forget that he chose to add this information to a social networking site in the first place. He put his information on his profile to share with others.
Tell me; if your facebook images or profile was to be deleted or lost by FB, would you be bleating that FB did not adequately archive and backup your data?
It works both ways.
If you do not want your personal data on the internet do not publish your personal data on the internet.
Burrito – 34/24/34. DOB 04-09-82. Status: Grumpy. Hometown – London
Yes, he chose to add some information to his FB profile, but there are ways that information gets added without his consent as well.
For example: Alice has her security settings all set to friends only (a simplified example). However, one of her friends, Bob, whose security settings are fully open, posts pictures of himself and Alice out drinking and partying. Bob then tags both of them in the photos. Here's some data that Alice has no control over who sees. You could say that she shouldn't be hanging out with Bob or that she should ask him to not post these pictures, but really, are we going to start screening our friends on the probability that they'll post something we don't want them to?
Alice can set her privacy controls to prevent anyone's tags of her from showing up without her approval, like I did.
Actually Alice can remove the tag. But granted that is after the fact and it could be seen before then.
Facebook has been going through my email contacts without my permission to suggest friends to me. When you log in from a mobile device it also uploads all your mobile phone contacts without your permission.
Not only that but the FB ad-tracker installs a cookie every time you open FB that tracks usage in your browser, even if a FB tab/window isn't open at the time. So they can 'target their advertising'. Which is not only creepy, but an invasion of privacy. And I didn't agree to that.
And if my profile picture was deleted, there's a 90% chance it's sitting on one of my, or my friend's hard drives, so no /I/ don't expect FB to archive everything as you stated.
I would sincerely like it if FB stopped accessing my personal things without my permission. Unless of course it was in the T+C that nobody reads and this is FB laughing at the general population for never reading the 30 pages of bullshit T+C
actually many posts or parts of posts seem to vanish mysteriously… i am not speaking of archives, because i wouldn't know about archives… i just mean in the moment when trying to post things… much goes missing! it is extremely frustrating when have spent a bit of time on something and didn't manage to back it up before hitting the post button… social networking sites can not be trusted in this way (and in other ways too it seems)… if you don't want to waste your own time and energy (or have your time and energy wasted by facebook, myspace, etc…) then if you write something you value, you must remember to back it up and save it… otherwise you will most likely feel robbed when it gets lost in the ethers. (it's prob. the safest bet to write in a writing program, save it, and then copy and paste to the social networks…etc…) i don't know if fb for example archives even the content that it mysteriously loses on its users in real virtual time. i'd def. be interested in knowing that.
Just go to the federal gov website and go to Australian privacy laws the act is all written there.
Americans can go to their account settings, at the bottom, click download a copy of your facebook data. Click the archive or download button, and follow the onscreen prompts. You will receive an e-mail when the archive is ready to verify you are who you say you are and a link to download the archive.
Agreed–I'd be interested to know if Americans have a similar law.
For Australia you are probably best citing the Privacy Act 1988, National Privacy Principles, Principle 6:
"Access to records containing personal information
Where a record-keeper has possession or control of a record that contains personal information, the individual concerned shall be entitled to have access to that record, except to the extent that the record-keeper is required or authorised to refuse to provide the individual with access to that record under the applicable provisions of any law of the Commonwealth that provides for access by persons to documents."
So basically Facebook would need to cite a Commonwealth law providing them with the authority to refuse to provide you with your own information.
I am not a lawyer, however I have used this method to obtain records of my personal information kept by Australian companies. Facebook could of course turn around and simply say they do not acknowledge our privacy act, that would be when you contact the EFF and media outlets…
The OP obviously doesn't know how databases work. When you delete data, it isn't always deleted. Many times, it's "tombstoned" and will be removed at some future date and a flag set showing that it's "deleted" so the software doesn't display it.
Anyways, this guy is as bad as patent trolls. Umm, dumbass? If you didn't want personal info out there, um, don't sign up for SOCIAL networks.
Right. "Social networks" and "privacy" are pretty much antithetical concepts.
But I think you're missing the point. Facebook isn't just a "social network"—some kind of passive system that only knows what you tell it. It's a system that actively and aggressively seeks out all possible information about its users, including their connections to others, and uses it for purposes the user isn't aware of and was never even notified about.
It is malevolent. The very fact that Facebook refuses to convert its "features" to opt-in and persists in adding new features that are opt-out establishes their nefarious intent. Mr. Zuckerberg's disdain for his users (his "dumb f_cks" comment) and aggressive manipulation and use of their personal information without their knowledge or consent are matters of fact, not opinion.
If none of that matters to you, you're entitled to your opinion. But you're off-base calling Mr. Schrems a "dumbass" for caring about how Facebook is abusing his personal information, and for doing something about it. Such epithets might best be uttered while standing in front of a mirror.
You are correct about the "tombstoning", this is how we usually do it at our company. I suspect they got backups/archives also, that don't get deleted. And 3rd-party companies who have bought all of your data already and won't delete it.
You are missing the other point however. Social doesn't mean: I'm dating you, so it's OK for you to rape me.
If you don't want Facebook to use your data then don't signup for a Facebook account. Stay off of the site.
I think it might be worth pointing out that there are many legal requirements that facebook would need to comply to. take sms services for example where your sms messages are stored for months. obviously the data must therefore be used and stored responsibly. When you consider the amount of abuse that occurs over any communication media then you understand the requirement. zuckerberg and co though do need to be heavily regulated but users also need to be more aware of what we agree to
To the folks bleating that 'if you don't want Facebook to use your data, don't sign up', please try reading the article.
Facebook is logging data about you EVEN IF YOU DON'T HAVE AN ACCOUNT.
As for the 'never being deleted' argument, that's also bull. If something is deleted and no references to it exist any more, why does it need to be kept in perpetuity? Even in the UK, under the Data Protection Act, there is a rule that data should be kept only as long as it is necessary – and deleted data can (and should) be removed after a period of time.
Also please note that putting data on Facebook isn't the same as posting publicly on Facebook; almost none of my status updates on there are public, and yet I'm fairly sure people who aren't listed as my friends (and thus shouldn't be able to see it) have sometimes seen it – but there's no way to tell if that's the case, you have to trust them not to abuse your data.
Wait, so to request information about your Facebook account, you have to give them MORE information?
NO said "ENGLISH SUBTITLES" on the above Video! ??? !
Try clicking the "CC" button at the lower edge of the video.
When you post ANYTHING on ANY website you need to accept the risk that it may be there forever and may be Copied and Posted to any other website by Any Other Person without your permission or knowledge – So the bottom line is DON'T post anything you do not want to be seen by anybody it's not intended for
If you have something to share with your friends or colleagues that you do not want posted all over the internet Send it to them in their Personal E-mail NOT on a social networking website
And even then there is a small risk that one of your friends may post your message to some other place
It's frightening what some people will do if they have a grievance or too much to drink
I beg your pardon but the point is not to accept the risk someone sees what it is posted on a facebook account.
The point IS that when someone DELETES something from their Facebook account, that person expects the data (s)he asked DELETION for to be EFFECTIVELY deleted.
No more, no less
If Facebook is mining your data why the hell should I provide them with a SIGNED government document like passport, driving license, etc? Who can guarantee they would DELETE that document?
Ok, I have double nationality. German and Peruvian.
Presently living in Peru. What article of the Privacy Law should apply here?
Or should I pretend I'm living in Germany, give my brother's address and take it from there? In that case, which article of the law applies in Germany?
I really want to get to the bottom of this, thanks for any information you may provide in advance.
And even if they state in any manual what they want me to accept by a non-signed click, they have to obey the laws.
Why would anyone get a facebook account using their real name, unless it's for business networking? Of course facebook will still compile data on who your online friends or contacts are (because they're too stupid to use a fake, excuse me, accidentally mispelled name) and what "your interests" are and have your IP number, etc., but it still makes the data mining more difficult.
Same for gmail and yahoo and iTunes (you can get a free, anonymous account – tech notes are around on the web) and any other sites where you don't need to use a credit card.
I found the same problem with google+ who shows me things that I deleted from internet two years ago, and even some information I know I never wrote anywhere, but they knew it. Facebook and Google are becoming a real Big brother.
Let's see if I got this right: Facebook creates fake identities from our data. Facebook thinks we are all a bunch of "dumb f*cks" to give them our personal information. Facebook may or may not delete information that we request they delete. We should join Facebook and go to the Sophos Facebook page: "If you're on Facebook and want to keep informed about privacy issues, scams and internet attacks, join the Sophos page on Facebook,. . . "
I don't get the last one. The logic escapes me completely. Why would I want to do that after you just warned me about all the perils and what a "dumb f*ck" I would be.
Because if you choose to remain on Facebook, we would rather you kept aware of the risks than live with your head completely in the clouds.
This is funny. Try deactivating your account. You'll get an email that says: "Hi,
You have deactivated your Facebook account. You can reactivate your account at any time by logging into Facebook using your old login email and password. You will be able to use the site like you used to. Thanks, The Facebook Team"
This means that even if you decide to not use Facebook, they still keep all this info (personal chats, posts, likes, friends, family) on you FOREVER. If this isn't illegal, it should be!
I've been wondering about that "poke" business all this time. Are there a bunch of pre-schoolers using Facebook or something? More bizarre than the fact that the "poke" process exists is the idea that anyone would complain that "pokes" are "retained even after a user removes them."
I have noticed that if i click one of the "show friendship" links between myself and another user, that photos i have deleted and comments or status updates that i have deleted all show up on FB's version of our relationship. Try it and see if that is true for you too.
Just got to this article and what do u know, the link to the request page has now become an “expired” link 🙁
Interesting article, I like to look into all the Facebook options and settings once in a while (or whenever I notice something has changed) and I recall discovering this data request and sending one in… this must have been a few months ago now and I have never received anything from them…………. Will try filling out the form again quoting this law as you have instructed.
The url does not work
The page you requested was not found.
Guess you got them all upset…..
Interesting that I am unable to post the link to this page in my fb status …
We’ll take a look at the documents you submitted and get back to you. If we need more help confirming your name, we’ll reach out for additional documentation.?