Today, Bruce Schneier linked to a story about Max Schrems’s response to discovering exactly what data Facebook is collecting about him. Schrems, a 24-year-old law student in Vienna, was shocked to find that Facebook had the equivalent of 1,200 pages of data on him, covering 57 categories. Because Facebook has a headquarters in Dublin, Ireland, Schrems examined the data for possible violations of European data privacy laws. Schrems found many, so like any good soon-to-be lawyer, he filed 22 complaints against Facebook. Like a good twenty-something savvy internet user, he has also created an online campaign to raise awareness of Facebook’s practices. Once this campaign hit reddit.com, Facebook was no longer able to produce user dossiers within the required 40 days due to the overwhelming number of requests.
But there’s more to this story. It’s not just about what Facebook collects, it’s also about what Facebook collects but refuses to share with you. Facebook claimed two exceptions for withholding information from Schrems. The first was based on the claim that retrieving and providing that information would require disproportionate effort. The second was based on the claim that providing the information would reveal trade secrets or intellectual property. Schrems believes this second exception is based on the software underlying the Facebook “like” button, and it became the basis for his 17th complaint against Facebook.
If you visit any site that contains a “like” button off to the side, even if you do not hit the button, Facebook records your visit to the site. It then links that visit to your profile. The complete list of those visits (in other words, a large portion of his internet viewing) was not disclosed to Schrems.
Gizmodo.com also reported on a similar feature of Facebook: OpenGraph.
Open Graph is a development tool that lets third-party apps and sites report your activities back to Facebook. It’s meant to extend or replace the Like button. It’s a way for sites and services to jack directly into Facebook from anywhere. If companies use Open Graph, they can publish to your Ticker and Timeline, too, effectively sending tattle-tale updates on anything you do to everyone you know, in real time. And then Facebook gets to keep that data forever. It is the ultimate collection tool, a way for Facebook to monitor you, wherever you go.
Now some sites, including Spotify, are requiring users to sign in with their Facebook profile. In other words, you are now required to share more information with Facebook in order to use a non-Facebook service like Spotify, or the Washington Post’s website. Without your knowledge, Facebook could have access to nearly everything you do online, if the sites you visit use OpenGraph.
I can hear people saying now, “So if you don’t like Facebook’s privacy rules, don’t use Facebook.” Well, it’s not as simple as that, because look at Schrems’s second complaint: “Shadow Profiles.” Facebook will collect information on you even if you are not a member, using what others say about you. And thinking about OpenGraph, by working to avoid Facebook’s data collection, you may soon have to opt out of other services that require a Facebook login or avoid pages that have the “Like” button. By ditching one site, you now have to ditch a multitude. Might that be enough to get you to reconsider Facebook’s rules? Remember this old internet saying: “If you’re not paying for something, you’re not the customer; you’re the product being sold.”
What do you think? Will this change your online behavior? Will it prompt you to call out Facebook? Or maybe just complain about Facebook and then post a link to your blog on Facebook (like me)?