Facebook: Releasing your personal data reveals our trade secrets

Facebook: Releasing your personal data reveals our trade secrets

Summary: Facebook says it is not required to give you a copy of some of your personal data as it could adversely affect the company's trade secrets and intellectual property.

SHARE:

Update: I followed up with both organizations. See Facebook: The law reasonably states you can't have all your data and Europe versus Facebook: The law protects program logic, not data.

An Austrian group called Europe versus Facebook has so far made 22 complaints regarding the social network's practices. In the process, the organization has stumbled upon an important tidbit: Facebook says it is not required to give you a copy of some of your personal data if it deems doing so would adversely affect its trade secrets or intellectual property.

On its website, Europe versus Facebook shows how to request a copy of your personal data on the social network. It explains that because of Ireland's 1988 Data Protection Act (DPA), Facebook has to send you your data on a CD within 40 days of a request.

The organization managed to accidentally get Reddit involved, whose users recently overwhelmed Facebook with data requests by following a slightly altered version of the instructions. The company was forced to e-mail all users requesting data to say it was experiencing a significant delay in processing the requests and will be unlikely to respond within 40 days of the initial request.

Before Reddit found out about Facebook's request tool, Max Schrems of Europe versus Facebook managed to receive a reply to his request. It was in the form of a CD-ROM storing over 1,222 pages. As he looked through the ridiculously long document however, Schrems noticed that important information was missing, and so he contacted Facebook again asking for the remaining data. Here's Facebook response:

Dear Mr. Schrems:

We refer to our previous correspondence and in particular your subject access request dated July 11, 2011 (the Request).

To date, we have disclosed all personal data to which you are entitled pursuant to Section 4 of the Irish Data Protection Acts 1988 and 2003 (the Acts).

Please note that certain categories of personal data are exempted from subject access requests. Pursuant to Section 4(9) of the Acts, personal data which is impossible to furnish or which can only be furnished after disproportionate effort is exempt from the scope of a subject access request. We have not furnished personal data which cannot be extracted from our platform in the absence of is proportionate effort.

Section 4(12) of the Acts carves out an exception to subject access requests where the disclosures in response would adversely affect trade secrets or intellectual property. We have not provided any information to you which is a trade secret or intellectual property of Facebook Ireland Limited or its licensors.

Please be aware that we have complied with your subject access request, and that we are not required to comply with any future similar requests, unless, in our opinion, a reasonable period of time has elapsed.

Thanks for contacting Facebook, Facebook User Operations Data Access Request Team

When Reddit users started getting e-mails from Facebook about a delay for their data requests, Schrems got one as well. He also got the response above, but I only picked up on it now, after TechDirt linked to the a PDF of both e-mails.

It's worth noting that also last month, Billy Hawkes, Ireland's Data Protection Commissioner, announced that he will conduct a privacy audit of Facebook's activities. Since Facebook's international headquarters is in Dublin, all users outside the US and Canada could be affected by his findings.

His office decided to investigate the company after Europe versus Facebook's 22 complaints were covered repeatedly in the media. For reference again, here are all the complaints:

  1. Pokes are kept even after the user "removes" them.
  2. Facebook is collecting data about people without their knowledge. This information is used to substitute existing profiles and to create profiles of non-users.
  3. Tags are used without the specific consent of the user. Users have to "untag" themselves (opt-out). Note: Facebook has announced changes for this.
  4. Facebook is gathering personal data e.g. via its iPhone-App or the "friend finder". This data is used by Facebook without the consent of the data subjects.
  5. Postings that have been deleted showed up in the set of data that was received from Facebook.
  6. Users cannot see the settings under which content is distributed that they post on other’s pages.
  7. Messages (incl. Chat-Messages) are stored by Facebook even after the user "deleted" them. This means that all direct communication on Facebook can never be deleted.
  8. The privacy policy is vague, unclear and contradictory. If European and Irish standards are applied, the consent to the privacy policy is not valid. Facebook tried improving it earlier this year.
  9. The new face recognition feature is an disproportionate violation of the users right to privacy. Proper information and an unambiguous consent of the users is missing.
  10. Access Requests have not been answered fully. Many categories of information are missing.
  11. Tags that were "removed" by the user, are only deactivated but saved by Facebook.
  12. In its terms, Facebook says that it does not guarantee any level of data security.
  13. Applications of "friends" can access data of the user. There is no guarantee that these applications are following European privacy standards.
  14. All removed friends are stored by Facebook. This was reconfirmed recently.
  15. Facebook is hosting enormous amounts of personal data and it is processing all data for its own purposes. It seems Facebook is a prime example of illegal "excessive processing".
  16. Facebook is running an opt-out system instead of an opt-in system, which is required by European law.
  17. The Like Button is creating extended user data that can be used to track users all over the internet. There is no legitimate purpose for the creation of the data. Users have not consented to the use.
  18. Facebook has certain obligations as a provider of a "cloud service" (e.g. not using third party data for its own purposes or only processing data when instructed to do so by the user).
  19. The privacy settings only regulate who can see the link to a picture. The picture itself is "public" on the internet. This makes it easy to circumvent the settings.
  20. Facebook is only deleting the link to pictures. The pictures are still public on the internet for a certain period of time (more than 32 hours).
  21. Users can be added to groups without their consent. Users may end up in groups that lead other to false impressions about a person.
  22. The policies are changed very frequently, users do not get properly informed, they are not asked to consent to new policies.

The Irish Data Protection Commissioner will have a tough time going through all of these complaints. Still, I would argue it will be even more difficult for Facebook to show that sending you certain parts of your personal data "would adversely affect trade secrets or intellectual property."

I have contacted Facebook for more information about this issue and will update this article if I hear back.

See also:

Topics: Data Centers, Social Enterprise

Emil Protalinski

About Emil Protalinski

Emil is a freelance journalist writing for CNET and ZDNet. Over the years,
he has covered the tech industry for multiple publications, including Ars
Technica, Neowin, and TechSpot.

Kick off your day with ZDNet's daily email newsletter. It's the freshest tech news and opinion, served hot. Get it.

Talkback

75 comments
Log in or register to join the discussion
  • RE: Facebook: Releasing your personal data reveals our trade secrets

    then again, you have the option not to use Facebook
    tatiGmail
    • RE: Facebook: Releasing your personal data reveals our trade secrets

      @tatiGmail - This is the option I choose. Besides, owning your own server is far more rewarding :)
      LinuxRocks
      • RE: Facebook: Releasing your personal data reveals our trade secrets

        @LinuxRocks Regardless Facebook needs to get its act together. The same tools they are using to gather information are the same tools hackers are using to hack other people. Just last week I got the <a href="http://www.ihowtoremove.com/guard-online-virus/"> Guard Online Virus </a>and had to visit that site just to remove it.. What a pain... I truly believe they have the talent and the know how to make FB a lot safer and for some reason they do nothing.
        reviewsgirl
      • RE: Facebook: Releasing your personal data reveals our trade secrets

        @tatiGmail My preferred choice also.
        declutterbug51
      • RE: Facebook: Releasing your personal data reveals our trade secrets

        @LinuxRocks How is owning one's own server necessarily more rewarding? Many of us DON'T want to fiddly around with the technology. Geeks like you do and that's fine. But don't assume that everyone else necessarily wants to do it!
        thibaulthalpern
    • RE: Facebook: Releasing your personal data reveals our trade secrets

      @tatiGmail Who needs Facebook? Use Wordpress or some other blogging package.
      wrcousert
      • You all are fools

        @wrcousert people who write blogs are writers that couldn't make it in the real world. losers.
        xangpow
    • it is worst

      @tatiGmail

      I never ever used facebook, but usually i receive facebook email about some people that i know it.
      magallanes
      • RE: Facebook: Releasing your personal data reveals our trade secrets

        @magallanes I don't like using FB just for this reason. I have nothing to hide but if your information get into the wrong hands they can use it against you! When another program similar to FB comes out i will be letting my friends and contacts know. I get some stuff done on FB. but very limited and going to be less....much less I like my privacy to much! And i do get people sending me stuff that i never heard of.
        phoenix.54
    • RE: Facebook: Releasing your personal data reveals our trade secrets

      @tatiGmail It doesn't matter if I have the option or not. Facebok is breaking laws. In general it is time that steeling data gets the same penalty as steeling property.
      edv1
      • RE: Facebook: Releasing your personal data reveals our trade secrets

        @edv@... Facebook no better then wall-street bankers
        stolen property is stolen money
        newbedave
    • RE: Facebook: Releasing your personal data reveals our trade secrets

      @tatiGmail - That's exactly correct. And that's precisely what I have chosen to do. If it ended there, fair enough.

      Alas, apparently it doesn't end there. If Facebook retains my "deleted" data and uses it without my consent, then they're not really even a true "opt-out" service, after all. If there's no way to delete my data once they have it, and they continue to use it without my consent, they're no better than a common thief.

      No, wait...they're worse than that; they're thieves masquerading as a legitimate service provider. And if "deleting" my data doesn't actually end up deleting it, then they're liars into the bargain.

      I've said this before, and each new discovery about Facebook's operations and policies increasingly convinces me that it's true: Facebook is headed for a fall.
      slingzenarrowzuvowtrayjissforchin
      • RE: Facebook: Releasing your personal data reveals our trade secrets

        @slingzenarrowzuvowtrayjissforchin YEP!
        declutterbug51
      • RE: Facebook: Releasing your personal data reveals our trade secrets

        @slingzenarrowzuvowtrayjissforchin Facebook no better then wall-street bankers
        newbedave
    • wanna bet

      Facebook is collecting data about people without their knowledge. This information is used to substitute existing profiles and to create profiles of non-users.
      ZombyWulf
    • RE: Facebook: Releasing your personal data reveals our trade secrets

      unless you've opted-in to Facebook, and then opted-out by deleting your profile -- what then ? does all your data disappear, I suspect they will keep it all anyway.<br><br>it's ironic, that when China blocked Facebook many times in recent years, the rest of the World protests about rights and freedoms -- while China is blocking this (and other similar sites) for it's own nefarious, inscrutable agenda, it has unwittingly protected some of those rights of it's own citizens. <br><br>one thing is for sure, many EU governments, along with South Korea, are likely to continue keeping Facebook under close surveillance for many years to come, or until it mends it's ways.
      krzyst0ff
    • RE: Facebook: Releasing your personal data reveals our trade secrets

      @tatiGmail Except for the many who used it before the sneaky bastids were found out. The point is that info cannot all be deleted, that you can't know what is kept hidden, or how it is or will be used.
      frankerin
    • RE: Facebook: Releasing your personal data reveals our trade secrets

      @tatiGmail It is not enough. The "Like" button scripts embedded on third party sites can collect enough information about non-members to track them across the net as well, even if they can't immediately put a name to the surfer.

      That is why it is illegal to have "Like" and +1 buttons on sites in Germany by default - the user has to explicitly enable them, they cannot just be displayed.
      wright_is
    • RE: Facebook: Releasing your personal data reveals our trade secrets

      I wonder if the second point:
      Facebook is collecting data about people without their knowledge. This information is used to substitute existing profiles and to create profiles of non-users.

      Does it means that facebook will create a profile for every contact in the e-mail contact list and starting an indirect consumer tracking based on data fragments related with people with the same contacts, this could be helpful for marketing research, it's like if your contacts will help to fill the answers in the marketing form without you even know you are taking a survey.
      delimitaciones
      • RE: Facebook: Releasing your personal data reveals our trade secrets

        @delimitaciones I think you are right and as long as I cannot be personally identified, they can use it any way they want to - just my opinion.

        In fact, I would rather facebook do it this way. But if some company figures out a way to associate me to that profile (Possibly by seeing my name on this site with a comment and the same exact comment is in the facebook database because zdnet has a 'like' button, a site uses OpenGraph or whatever the name of that facebook connect is, then there is a problem.

        Yes, we all have the option to not use facebook, and I am one to believe in the philosophyof 'TANSTAAFL' - There Aint No Such Thing As A Free Lunch - something I learned in high school economics, I believe certain restrictions must be place on any data that can ever be personally identifiable.
        jollygreenguy