Facebook has denied allegations that it is building profiles of non-users ahead of a data protection audit this week.
Facebook has denied allegations that it is building “shadow profiles” of non-users, as it faces its first audit by the Irish data protection authorities this week.
The allegations were made by Europe vs. Facebook, the organisation launched by Austrian law student Max Schrems that is campaigning for changes in the way Facebook handles personal data.
Facebook faces its first audit by the Irish data protection commissioner this week, which will include an investigation into 22 privacy complaints filed by Schrems.
Schrems’ other complaints include concerns that the site is retaining personal data such as messages that have been deleted by the user.
The company could be fined a maximum of €100,000 (£87,000) if it is found to be breaking European data protection rules.
One of Schrems’ complaints alleges that the site is encouraging users to hand over sensitive information on non-users that is then retained without the subject’s knowledge.
“Facebook Ireland is gathering excessive amounts of information about data subjects without notice or consent by the data subject,” the complaint states.
The data “might be embarrassing or intimidating for the data subject. This information might also constitute sensitive data such as political opinions, religious or philosophical beliefs, sexual orientation and so forth.”
Facebook responded that it does retain the names and email addresses of non-users in cases where, for instance, a user sends an invitation to a non-user. The data is retained so that Facebook can inform the user when the non-user joins. However, the matter goes no further than that.
“The allegations are false,” Facebook said in a statement. “We enable you to send emails to your friends, inviting them to join Facebook. The assertion that Facebook is doing some sort of nefarious profiling is simply wrong.”
The company said it offers more control than other services by enabling people to delete their email address from Facebook or opt out of receiving invitations.
It said information from users is not used to target advertisements and said the information collected is not sold on to other companies.
Deleted data retained
Schrems’ complaints follow a request he made to Facebook in June asking to receive a copy of all of the data the social network held on him. He received a CD containing 1,200 pages of his personal data collected over his three years of using the site, including information he said he had deleted.
The data included rejected friend requests, incidents where he “de-friended” someone, logs of all his chats, a list of photos of himself that he had de-tagged, which events he had attended and which he had not, among other information.
The data included a list of times he had logged in and the IP address used and a list of emails associated with his account, including some that he had never used on the website but that appeared to have been taken from other users’ profiles.
Schrems said one of his principal objections concerned the fact that Facebook retained information he had deleted.
“I discovered Facebook had kept highly personal messages I had written and then deleted, which, were they to become public, could be highly damaging to my reputation,” Schrems told The Guardian last week. “Of course, they are not misusing it at the moment, but the biggest concern is what happens when there is a privacy breach, either from hackers or from someone inside the firm?”
Facebook denied that it had done anything wrong, and explained that in many cases users simply don’t have the right to decide whether certain data is retained or not.
For instance, a user might delete messages from his or her sent messages folder, but those messages will still be retained unless they are also deleted by the user who received the message.
“People can’t delete a message they send from the recipient’s inbox or a message you receive from the sender’s sent folder,” said Facebook in a statement. “This is the way every message service ever invented works. We think it’s also consistent with people’s expectations. We look forward to making these and other clarifications to the Irish DPA.”
Schrems noted that when users request access to the data Facebook is holding on them, they are directed to a data download tool that includes only a fraction of the information he was provided with. Users who access the tool therefore have an incomplete picture of the real extent of the data the site is collecting about them, Schrems argued.
In response, Facebook said it isn’t obliged to provide certain data, such as log records, under European data protection law.
“We are examining the extent of the log records that should also reasonably be provided in response to a subject access request as part of the review by the Irish Data Protection Commission and will provide further information on the outcome of this consideration in due course,” Facebook said in a letter emailed to users who requested a record of their personal data held by the site.
The company said the data it had provided to Schrems went beyond what European users would normally be given in response to such a request.
“Facebook provided Mr Schrems with all of the information required in response to his request,” the company said in a statement provided to The Guardian. “It included requests for information on a range of other things that are not personal information, including Facebook’s proprietary fraud protection measures, and ‘any other analytical procedure that Facebook runs’. This is clearly not personal data, and Irish data protection law rightly places some valuable and reasonable limits on the data that has to be provided.”
The self-service tool can be accessed by clicking “Download a copy of your Facebook data” on a user’s settings page.
There have long been concerns about the amount of data that social networking websites hold on people, alongside the usual privacy worries. Indeed, in January 2010 Facebook founder Mark Zuckerberg caused a storm of controversy when he said that privacy is no longer a social norm.
Meanwhile in the United Kingdom, the Information Commissioner’s Office (ICO) has been pressurising organisations to protect personal data. In July it warned private businesses that they should be more willing to undergo data protection audits.
The European Commission believes that data protection legislation reform is needed and is working on a comprehensive new framework for data protection across Europe this year.
Tom Jowitt contributed to this report.