Christian Fuchs

What is Facebook’s New Privacy Policy All About? More Complexity, More Intransparent Data Storage, Continued Internet Prosumer Commodification, Ideological Pseudo-Participation, and a Reaction to the Privacy Complaints Filed by “Europe versus Facebook”.

On September 7th, 2011, Facebook changed its privacy policy, replacing the policy that was updated on December 22, 2010.

The policy’s length increased from 35 709 characters to 40 085 characters (from approximately 11 single-spaced A4 pages to 12), which shows that the complexity of the regulations increased.

Facebook continues to collect data about user behaviour from other websites.
New policy: “Sometimes we get data from our advertising partners, customers and other third parties that helps us (or them) deliver ads, understand online activity, and generally make Facebook better. For example, an advertiser may tell us how you responded to an ad on Facebook or on another site in order to measure the effectiveness of – and improve the quality of – those ads”.

Old policy: “Information from other websites. We may institute programs with advertising partners and other websites in which they share information with us:

• We may ask advertisers to tell us how our users responded to the ads we showed them (and for comparison purposes, how other users who didn’t see the ads acted on their site). This data sharing, commonly known as “conversion tracking,” helps us measure our advertising effectiveness and improve the quality of the advertisements you see.
• We may receive information about whether or not you’ve seen or interacted with certain ads on other sites in order to measure the effectiveness of those ads.“

The content of this regulation has not much changed, but Facebook now claims that it collects information about users from other websites in order to “make Facebook better”. It is intransparent to the single user, which data from which websites Facebook stores about him/her. If a lack of data storage transparency “makes Facebook better” is a question of interpretation. The question is if it makes Facebook a privacy-respecting platform or not.

The regulations about the storage of location data have been expanded, which reflects the increasing importance of mobile Internet use and therefore of mobile targeted advertising for Facebook:
New policy: “We may put together your current city with GPS and other location information we have about you to, for example, tell you and your friends about people or events nearby, or offer deals to you that you might be interested in. We may also put together data about you to serve you ads that might be more relevant to you. When we get your GPS location, we put it together with other location information we have about you (like your current city). But we only keep it until it is no longer useful to provide you services”.
Old policy: “When you access Facebook from a computer, mobile phone, or other device, we may collect information from that device about your browser type, location, and IP address, as well as the pages you visit“.

Another new quality of Facebook’s privacy policy is the “instant personalization” feature. Facebook shares certain user data with other platforms, with which it has entered business partnerships. The first time a user goes to the partner website, the platform should inform him/her that it uses Facebook information about the user. In Facebook’s privacy settings, one can turn off instant personalization for all of Facebook’s partner sites. This is, however, a opt-out solution, which shows that Facebook wants to share the information it collects about users with partner sites so that they can also use the data for targeted advertising. This circumstance is typical for the networked character of Internet commerce and shows how strongly advertising culture shapes social media and the World Wide Web (WWW). If a user at some point of time decides to deactivate instant personalization, but used a Facebook partner site that employ instant personalization before, the data that the partner site uses is not automatically deleted: “If you turn off an instant personalization site after you have been using it or visited it a few times (or after you have given it specific permission to access your data), it will not automatically delete your data. But the site is contractually required to delete your data if you ask it to”. This means that the user has to explicitly write to Facebook’s partner sites to delete personal data. Furthermore, it is not transparent to a single user, which data exactly Facebook partners store about him or her. Facebook’s instant personalization feature increases the non-transparency of data storage.

The description of how targeted advertising works on Facebook has changed, but not the content of the description. Facebook still makes use of all user data, user communication data, user browsing behaviour, and even data collected from other websites in order to sell these data as commodity to advertising clients that serve targeted ads to users. Facebook thereby makes profit, the users create value, are not paid for this work and their data becomes a commodity. I have termed this process Internet prosumer commodification (see the articles here, here and here). Facebook’s advertising settings have remained unchanged. There is no opt-in advertising and targeted advertising is always activated. The only opt-out options concern social adverts and the use of names and pictures in third-party advertisements.

Regulations about targeted advertising in the new privacy policy: “We do not share any of your information with advertisers (unless, of course, you give us permission).When an advertiser creates an ad on Facebook, they are given the opportunity to choose their audience by location, demographics, likes, keywords, and any other information we receive or can tell about you and other users. For example, an advertiser can choose to target 18 to 35 year-old women who live in the United States and like basketball. Try this tool yourself to see one of the ways advertisers target ads and what information they see at: https://www.facebook.com/ads/create/ If the advertiser chooses to run the ad (also known as placing the order), we serve the ad to people who meet the criteria the advertiser selected, but we do not tell the advertiser who any of those people are. So, for example, if a person clicks on the ad, the advertiser might infer that the person is an 18-to-35-year-old woman who lives in the US and likes basketball. But we would not tell the advertiser who that person is.
After the ad runs, we provide advertisers with reports on how their ads performed. For example we give advertisers reports telling them how many users saw or clicked on their ads. But these reports are anonymous. We do not tell advertisers who saw or clicked on their ads.
Advertisers sometimes place cookies on your computer in order to make their ads more effective. Learn more at: http://www.networkadvertising.org/managing/opt_out.asp
Sometimes we allow advertisers to target a category of user, like a “moviegoer” or a “sci-fi fan.” We do this by bundling characteristics that we believe are related to the category. For example, if a person “likes” the “Star Trek” Page and mentions “Star Wars” when they check into a movie theater, we may conclude that this person is likely to be a sci-fi fan.”

Regulations about targeted advertising in the old privacy policy: “Advertisements. Sometimes the advertisers who present ads on Facebook use technological methods to measure the effectiveness of their ads and to personalize advertising content. You may opt-out of the placement of cookies by many of these advertisers here. You may also use your browser cookie settings to limit or prevent the placement of cookies by advertising networks.  Facebook does not share personally identifiable information with advertisers unless we get your permission. [...] We don’t share your information with advertisers without your consent. (An example of consent would be if you asked us to provide your shipping address to an advertiser to receive a free sample.) We allow advertisers to choose the characteristics of users who will see their advertisements and we may use any of the non-personally identifiable attributes we have collected (including information you may have decided not to show to other users, such as your birth year or other sensitive personal information or preferences) to select the appropriate audience for those advertisements. For example, we might use your interest in soccer to show you ads for soccer equipment, but we do not tell the soccer equipment company who you are. You can see the criteria advertisers may select by visiting our advertising page. Even though we do not share your information with advertisers without your consent, when you click on or otherwise interact with an advertisement there is a possibility that the advertiser may place a cookie in your browser and note that it meets the criteria they selected“.

The policy regulation concerning deletion of an account has been changed. The major change is that Facebook now says that all information of an account will be deleted at latest 90 days after the user deleted the account, whereas the regulation in the old policy was somehow unclear, saying on the one hand that data is deleted, but on the other hand “that Facebook we may retain certain information to prevent identity theft and other misconduct even if deletion has been requested“.

New policy: “When you delete an account, it is permanently deleted from Facebook. It typically takes about one month to delete an account, but some information may remain in backup copies and logs for up to 90 days. You should only delete your account if you are sure you never want to reactivate it. You can delete your account at:
https://www.facebook.com/help/contact.php?show_form=delete_account
Old policy: “When you delete an account, it is permanently deleted from Facebook. [...] Additionally, we may retain certain information to prevent identity theft and other misconduct even if deletion has been requested. [...] Limitations on removal. Even after you remove information from your profile or delete your account, copies of that information may remain viewable elsewhere to the extent it has been shared with others, it was otherwise distributed pursuant to your privacy settings, or it was copied or stored by other users. However, your name will no longer be associated with that information on Facebook. (For example, if you post something to another user’s profile and then you delete your account, that post may remain, but be attributed to an “Anonymous Facebook User.”)  Additionally, we may retain certain information to prevent identity theft and other misconduct even if deletion has been requested. If you have given third party applications or websites access to your information, they may retain your information to the extent permitted under their terms of service or privacy policies.  But they will no longer be able to access the information through our Platform after you disconnect from them. Backup copies. Removed and deleted information may persist in backup copies for up to 90 days, but will not be available to others“.

On August 18, 2011, members of the initiative “Europe vs. Facebook” that was founded by Austrian law students filed a complaint against Facebook to the Irish Data Protection Commissioner. Facebook Europe is legally registered in Ireland. The initiative members made 16 complaint points and asked the Commissioner to check Facebook violates European data protection laws in these 16 privacy areas.

One point of complaint is that Facebook engages in excessive processing of data. One of the complainers demanded from Facebook to send him the data it stores about him. Although he had deleted his account, he received a print out with 1 200 pages of personal data stored about him by Facebook. This topic is addressed in the complaint under point 15: “After using facebook.com for 3 years, Facebook Ireland gathered more than 1.200 pages of personal information about me (in fact Facebook Ireland might hold a much bigger amount of data, see Complaint 10), even though I have deleted just about everything I could (e.g. all my posts, all messages, and many friends)”.

The Irish Data Protection Act says that data “(iii) shall be adequate, relevant and not excessive in relation to the purpose or purposes for which they were collected or are further processed, and (iv) shall not be kept for longer than is necessary for that purpose or those purposes“ (DPA §2 (1) (c) (iii) (iv)). The EU Data Protection Directive regulates that ”Member States shall provide that personal data must be: […](c) adequate, relevant and not excessive in relation to the purposes for which they are collected and/or further processed” (Directive 95/46/EC of the European Parliament, §6 (1) (c)).

Another complaint is that Facebook does not use opt-in options and thereby may breach the regulation that users have to give consensus to the processing of their personal data. This regulation is specifically important among other topics also for targeted advertising, which is organized without opt-in on Facebook. “2A. (1) Personal data shall not be processed by a data controller unless section 2 of this Act (as amended by the Act of 2003) is complied with by the data controller and at least one of the following conditions is met: (a) the data subject has given his or her consent to the processing or“ (Irish Data Protection Act, §2A (1) (a)). “Member States shall provide that personal data may be processed only if: (a) the data subject has unambiguously given his consent” (Directive 95/46/EC of the European Parliament, §7 (a)).

Facebook’s change of the data deletion regulations from rather ambiguous and unclear formulations to a clearer version may reflect the circumstance that a complaint against its privacy practices has been filed. This might be a direct reaction to the complaints filed by “Europe versus Facebook”, which were however filed on August, 18^th, 2011, whereas Facebook changed its policy on September 7^th. Therefore the old privacy policy is subject of the complaints. Furthermore it looks like many of the privacy areas addressed by the complaints have not been cleared out by the new privacy policy. “Europe versus Facebook” is not only a highly important initiative, it also shows that companies are unlikely to voluntarily protect users’ privacy, but to be only willing to do so if they feel the threat of the state’s law enforcement capacities. The profit motive is so inherent to companies that they always tend to put profit interests above users’ privacy concerns. The only two alternatives are to make use of the law for enforcing privacy protection and to support the creation of alternative non-profit platforms.

Facebook has changed the content sharing options, it is now relatively easily possible to define with whom one wants to share content and to share it only with customized users. This change is also reflected in the privacy policy (in the section titled “Control over your profile”). It is likely that it has been taken because Google in June 2011 introduced its own social networking site Google+, which poses competition to Facebook and is based on the “friend circles” concept that allows customization of content. Other new regulations include a section about tagging (“Tags”), the possibility for other websites to provide a login into their sites by enabling users to log in with their Facebook accounts (section “Logging in to another site using Facebook”), social plugins (section “About social plugins”), sponsored stories (section “Sponsored stories”), and featured content (section “Featured content”).

A new regulation is that Facebook says that it allows users to vote privacy changes under certain circumstances: “Unless we make a change for legal or administrative reasons, or to correct an inaccurate statement, we will give you seven (7) days to provide us with comments on the change. If we receive more than 7000 comments concerning a particular change, we will put the change up for a vote. The vote will be binding on us if more than 30% of all active registered users as of the date of the notice vote”.

This regulation is extremely unclear. One can interpret every imaginable privacy policy change as legal change, administrative change or change of an inaccurate statement. It is therefore arbitrary and unclear, on which changes Facebook users are able to vote or not. Furthermore no link for comments is provided. It is also unlikely that 30% of all registered users will ever engage in a vote because privacy policy matters are a complex issue. It looks like Facebook wants to respond to the criticism that users have no decision-rights about the privacy of their personal data, but at the same time wants to immunize itself against loosing control of decision making power.

We can summarize the changes of the Facebook privacy policy that took effect on September 7^th, 2011:

* The change of Facebook’s privacy policies has come shortly after members of the initiative “Europe versus Facebook” filed privacy violation complaints against Facebook to the Irish Data Protection Commissioner.
* The length and complexity of Facebook’s privacy policy has increased.
* Facebook has introduced new features like instant personalization that have increased the non-transparency of data storage. It is not clear for a user, which data Facebook stores about her/him, with whom Facebook shares user data, and which data exactly Facebook partners store.
* Facebook continues to receive data about users from other websites.
* Facebook continues to commodify user data by using targeted advertising. It does not use opt-in for advertising, targeted ads are automatically and always activated. Internet prosumer commodification continues to be Facebook’s capital accumulation model.
* Facebook has implemented a user participation mechanism in privacy decision-making that is formulated in an extremely shallow way so that this regulation seems to be an ideological pseudo-participation strategy.