The new Facebook data policy: like or dislike?

02 Dec 2014 by Anne Helmond on Data protection

This contribution provides a quick analysis of Facebook’s new terms and policies that will go into effect on 1 January 2015. The announcement was sent by e-mail and displayed as a notification on Facebook. However, research has shown that few people actually read the Terms of Service (TOS) or privacy policies (Bechmann, 2014; Böhme & Köpsell, 2010). The documents are often very long and complex, which makes them difficult to read.

Besides the Terms of Service (TOS) there are a number of other documents that describe how data will be handled. Facebook and Twitter publish separate Privacy Policies, Data Use Policies and Cookie Policies - which describe how data are collected and used. The fact that there are many different documents which are all related to each other makes it quite difficult to achieve a coherent overview.

Furthermore, these documents are frequently updated, changed and renamed. This time, Facebook is announcing its new Data Policy which will go into effect in the new year.

Building a data-intensive web

As part of an ongoing interest in the data collection practices of Facebook, I have carefully read the new Data Policy. In a paper colleague Carolin Gerlitz and I wrote, we described how Facebook is using its Open Graph infrastructure to build a data-intensive infrastructure on the web (Gerlitz & Helmond, 2013). This infrastructure is created by decentralising Facebook platform features via extensions into external websites and apps. We have argued that ‘Social Plugins’ such as the ‘Like’ button play a central role in this decentralisation of platform functionality. They create connections back to the platform to re-centralise data collected through these features. In this infrastructure, data continuously flows between users, Facebook, websites, apps, webmasters, app developers and advertisers. So while Facebook’s mission statement is “to give people the power to share and make the world more open and connected”, the new policy makes clear that this world is built on connecting more and more external websites and apps to Facebook, in order to gather more data for advertisers.

Reading the new data policy

Facebook presents its Terms of Service as a contract between users and Facebook. When you use Facebook, you implicitly provide consent. Bechmann describes this as the “non-informed consent culture” of Facebook (2014, p.35).

The Data Use Policy describes which information is collected, in which way and for what purpose. These terms apply to all Facebook services, including its website and Messenger app, but also to products directed at advertisers, such as ‘Audience Insights’.

# 1 Collecting more and more data

While there are no major changes in the updated policy, it becomes clear that Facebook is increasingly expanding its data collection mechanism using more devices, services and partners. A few things that Facebook collects, for example, are all content and data produced using Facebook services, all data about you that others provide using Facebook services, the contacts from your phone’s address book (when you synchronise your contacts), all information from the devices you use to access Facebook services (such as your computer, smartphone or tablet), data from visits to external websites and apps that are integrated with Facebook, as well as data from Facebook partners such as advertisers.

In the updated policy, Facebook explicitly acknowledges that it is tracking its users to collect data. The following statement speaks to this: “We're continuing to improve ads based on the apps and sites you use off Facebook.” While Facebook previously denied tracking allegations, developer Nik Cubrilovic showed that Facebook’s ‘Like’ button still sends data back to the platform even when users had logged out.

# 2 Sharing data with other Facebook services

The new policy enables Facebook to share information with other services that belong to Facebook such as Instagram and WhatsApp. These services also have their own Terms of Service and/or Privacy Policies which serve as primary documents. Instagram’s Privacy Policy states the following about sharing data:

We may share User Content and your information (including but not limited to, information from cookies, log files, device identifiers, location data, and usage data) with businesses that are legally part of the same group of companies that Instagram is part of, or that become part of that group ("Affiliates"). Affiliates may use this information to help provide, understand, and improve the Service (including by providing analytics) and Affiliates' own services (including by providing you with better and more relevant experiences).

This implies that Instagram can share user data with businesses that are part of the same group of businesses or become part of this group. When Facebook bought Instagram, it became part of Facebook’s business group. If we continue reading the policy, Instagram also addresses what happens to their collected information in case of an acquisition:

If we sell or otherwise transfer part or the whole of Instagram or our assets to another organization (e.g., in the course of a transaction like a merger, acquisition, bankruptcy, dissolution, liquidation), your information such as name and email address, User Content and any other information collected through the Service may be among the items sold or transferred. You will continue to own your User Content. The buyer or transferee will have to honor the commitments we have made in this Privacy Policy.

This notice allows Instagram to transfer its user data and content, in turn enabling Facebook to connect more data points and to build richer data profiles for advertisers.

# 3 Friends can make private information public

Authors danah boyd and Eszter Hargittai describe Facebook users’ long and complex relationship with Facebook’s privacy settings (2010). Not only do users rarely modify their privacy settings, but these settings are also set up as a complex and layered system: changing a setting in one menu can affect the settings in another menu.

To address these complex privacy settings, Facebook announced a new ‘Privacy Basics’ tool. The tool helps users to adjust their settings step-by-step. This gives users the impression of regaining a sense of control while the layered system of privacy settings is still in place.

Even if you configure your own privacy settings very strictly, if your friends share your content, their privacy settings will apply:

In some cases, people you share and communicate with may download or re-share this content with others on and off our Services. When you comment on another person’s post or like their content on Facebook, that person decides the audience who can see your comment or like. If their audience is public, your comment will also be public.

If I share a link with my friends only and one of my friends re-shares this private link and her privacy settings are set to public, my private post will become public. This means that your friends can make your private content public.

# 4 Friends can give apps permission to access your data

This is not new (cf. the old policy) but once again it deserves attention. Your Facebook friends determine which part of your data will be shared with their apps through their app settings. It is very hard to maintain control over what will be shared with whom if this control also lies with your friends.

If you don’t want your friends to be able to share any information about you with the apps they use, you will have to turn off all ‘Facebook Platform’ apps. This means that you also won’t be able to use ‘Facebook Login’ or the ‘Like’ button on an external website. You either allow your friends’ apps to be able to at least access your basic info (profile information and list of friends) or you disable all platform connections.

# 5 Disabling everything is not sufficient

Is it possible to say no to Facebook’s new policies and their expanding data collection practices? If you continue using Facebook after 1 January 2015, you provide implicit consent. Is leaving Facebook then the only solution? Even logging out or deleting your profile is not enough as Nik Cubrilovic has demonstrated. On top of that, Arnold Roosendaal (2010) found that Facebook also tracks non-Facebook users. The new Cookie Policy now officially acknowledges these practices: “We still use cookies if you don’t have an account or have logged out of your account.” Facebook is expanding its data-intensive infrastructure on the web and the app space through a diverse set of services: ‘Social Plugins’, analytics or advertising services. This turns every web and app user into a potential trackable data object for Facebook (Gerlitz & Helmond, 2013).

If you don’t want Facebook to track you on external websites and apps and want to opt out of its ‘interest-based advertising’, this can only be achieved through an external opt-out with the European Interactive Digital Advertising Alliance.

# 6 Europe versus Facebook

The Europe versus Facebook group, led by Austrian law student Max Schrems, has been very active in addressing the data collection practices of Facebook. Since Facebook operates in Europe as Facebook Ireland Ltd, Europe versus Facebook has brought over 20 cases to the Irish Data Protection Commissioner.

The Europe versus Facebook group is currently in the middle of a European privacy class action which has been supported by 25,000 European users. A number of days ago, it became clear that Facebook will do everything in its power to delay the case as long as possible. The new Data Policy that has been addressed in this article will provide enough material for another case.

Disclaimer

This article was written for Faces of Science, a project from the Royal Netherlands Academy of Arts and Sciences & the Young Academy to showcase research from young Dutch scholars. It has also been published in Dutch in De Correspondent.

References

Bechmann, A. (2014). Non-informed Consent Cultures: Privacy Policies and App Contracts on Facebook. Journal of Media Business Studies, 11(1), 21–38.

boyd, danah, & Hargittai, E. (2010). Facebook privacy settings: Who cares? First Monday, 15(8). Retrieved from http://firstmonday.org/ojs/index.php/fm/article/view/3086.

Böhme, R., & Köpsell, S. (2010). Trained to Accept?: A Field Experiment on Consent Dialogs. In Proceedings of the SIGCHI Conference on Human Factors in Computing Systems (pp. 2403–2406). New York, NY, USA: ACM. doi:10.1145/1753326.1753689

Cubrilovic, N. (2011, September 25). Logging out of Facebook is not enough. Retrieved from https://www.nikcub.com/posts/logging-out-of-facebook-is-not-enough-2/

Gerlitz, C., & Helmond, A. (2013). The Like economy: Social buttons and the data-intensive web. New Media & Society, 15(8), 1348–1365. doi:10.1177/1461444812472322

Roosendaal, A. (2010, November 30). Facebook Tracks and Traces Everyone: Like This! Tilburg Law School Legal Studies Research Paper Series No. 03/2011. Available at SSRN: http://ssrn.com/abstract=1717563
