Facebook Doesn’t Know What It Does With Your Data, Or Where It Goes: Leaked Document (2024)

Facebook is facing what it describes internally as a “tsunami” of privacy regulations all over the world, which will force the company to dramatically change how it deals with users’ personal data. And the “fundamental” problem, the company admits, is that Facebook has no idea where all of its user data goes, or what it’s doing with it, according to a leaked internal document obtained by Motherboard.

“We’ve built systems with open borders. The result of these open systems and open culture is well described with an analogy: Imagine you hold a bottle of ink in your hand. This bottle of ink is a mixture of all kinds of user data (3PD, 1PD, SCD, Europe, etc.) You pour that ink into a lake of water (our open data systems; our open culture) … and it flows … everywhere,” the document read. “How do you put that ink back in the bottle? How do you organize it again, such that it only flows to the allowed places in the lake?”

(3PD means third-party data; 1PD means first-party data; SCD means sensitive categories data.)

“We can’t confidently make controlled policy changes or external commitments such as ‘we will not use X data for Y purpose.’ And yet, this is exactly what regulators expect us to do”

The document was written last year by Facebook privacy engineers on the Ad and Business Product team, whose mission is “to make meaningful connections between people and businesses,” and which “sits at the center of our monetization strategy and is the engine that powers Facebook’s growth,” according to a recent job listing that describes the team.

This is the team that is tasked with building and maintaining Facebook’s sprawling ads system, the core of the company’s business. And in this document, the team is both sounding an alarm, and making a call to change how Facebook deals with users’ data to prevent the company from running into trouble with regulators in Europe, the US, India, and other countries that are pushing for more stringent privacy constraints on social media companies.

“We do not have an adequate level of control and explainability over how our systems use data, and thus we can’t confidently make controlled policy changes or external commitments such as ‘we will not use X data for Y purpose.’ And yet, this is exactly what regulators expect us to do, increasing our risk of mistakes and misrepresentation,” the document read. (Motherboard retyped the document from scratch to protect a source.)

In other words, even Facebook’s own engineers admit that they are struggling to make sense and keep track of where user data goes once it’s inside Facebook’s systems, according to the document. This problem inside Facebook is known as “data lineage.”

In the last few years, regulators all over the world have tried to limit how platforms like Facebook can use their own users’ data. One of the most notable and significant regulations is the European Union’s General Data Protection Regulation (GDPR), which went into effect in May 2018. In its article 5, the law mandates that personal data must be “collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes.”

What that means is that every piece of data, such as a user’s location, or religious orientation, can only be collected and used for a specific purpose, and not reused for another purpose. For example, in the past Facebook took the phone number that users’ provided to protect their accounts with two-factor authentication and fed it to its “people you may know” feature, as well as to advertisers. Gizmodo, with the help of academic researchers, caught Facebook doing this, and eventually the company had to stop the practice.

According to legal experts interviewed by Motherboard, GDPR specifically prohibits that kind of repurposing, and the leaked document shows Facebook may not even have the ability to limit how it handles users’ data. The document raises the question of whether Facebook is able to broadly comply with privacy regulations because of the sheer amount of data it collects and where it flows within the company.

A Facebook spokesperson denied that the document shows the company is not complying with privacy regulations.

“Considering this document does not describe our extensive processes and controls to comply with privacy regulations, it’s simply inaccurate to conclude that it demonstrates non-compliance. New privacy regulations across the globe introduce different requirements and this document reflects the technical solutions we are building to scale the current measures we have in place to manage data and meet our obligations,” the spokesperson said in a statement sent via email.

In regards to the ink in a lake analogy, the spokesperson said “this analogy lacks the context that we do, in fact, have extensive processes and controls to manage data and comply with privacy regulations.”

Do you have more information about how Facebook handles user data? You can contact Lorenzo Franceschi-Bicchierai securely on Signal at +1 917 257 1382, Wickr/Telegram/Wire @lorenzofb, or emaillorenzofb@vice.com

A former Facebook employee, who asked to remain anonymous to avoid retaliation, reviewed the document for Motherboard and called it “blunt.”

“Facebook has a general idea of how many bits of data are stored in its data centers,” he said in an online chat. “The where [the data] goes part is, broadly speaking, a complete shitshow.”

“It is a damning admission, but also offers Facebook legal cover because of how much it would cost Facebook to fix this mess,” he added. “It gives them the excuse for keeping that much private data simply because at their scale and with their business model and infrastructure design they can plausibly claim that they don’t know what they have.”

“The where [the data] goes part is, broadly speaking, a complete shitshow.”

Privacy experts who have been fighting against Facebook in an attempt to limit how the company uses private data say they believe the document is an admission that it cannot comply with regulations.

“This document admits what we long suspected: that there is a data free-for-all inside Facebook, and that the company has no control whatsoever over the data it holds,” Johnny Ryan, a privacy activist and senior fellow at the Irish Council for Civil Liberties, told Motherboard in an online chat. “It is a black and white recognition of the absence of any data protection. Facebook details how it breaks each principle of data protection law. Everything it does to our data is illegal. You’re not allowed to have an internal data free-for-all.”

Facebook also made two employees available to discuss how it handles data internally. In the call, company representatives told Motherboard that Facebook is trying to get ahead of more privacy laws and building infrastructure to meet the requirements it may face. That means investing in tools that make analyzing user data and figuring out where it can or cannot go more automated, and less reliant on humans being involved in the process, as it is today. The representatives said that to get to that point there will need to be significant investments, but that this is a priority for the company. They also said that Facebook at this point does not have technical control over every piece of data. But it already has some mechanism to manage user data such as an opt out flag that goes along with data that the user has opted out of using for advertising, and that follows the data making it clear it can’t be used for certain purposes, they said.

Facebook Doesn’t Know What It Does With Your Data, Or Where It Goes: Leaked Document (1)

Jason Kint, CEO of Digital Content Next, a trade organization that represents journalism publishers and an outspoken critic of Facebook, said that “consumers and regulators would and should be shocked at the magnitude and disorder of the data inside of Facebook’s systems.”

Kint said the ink in the lake metaphor shows that Facebook can’t keep track of the “source and purpose” of the user data it collects. Kint is referring to GDPR’s article 5, which sets a principle known as “purpose limitation.”

This principle, according to Ryan, means companies like Facebook need to be able to tell users and regulators what they are doing with every specific piece of data and the specific reason they are collecting it. For example, if you provide your religious orientation for your Facebook bio, that shouldn’t be used to target you with ads.

The principle of purpose limitation was created to protect people’s privacy. In 2020, Ryan sued Google in Ireland, accusing the tech giant of violating this principle with its “several hundred processing purposes that are conflated in a vast, internal data free-for-all.”

Ravi Naik, Ryan’s lawyer in that case and a privacy expert himself, told Motherboard that if regulators consider Facebook in violation of GDPR, the company could not only face administrative fines of up to 4 percent of its global revenue, but also open the door for the regulators to order the company to stop processing data in a certain way. Individual users could also sue Facebook requesting to tell them what it does with their data, like Naik and Ryan are doing with Google.

The leaked document also refers to a new, unreleased, product called “Basic Ads,” which the document authors refer to as a “short term” response to requirements of regulations around the world.

“When launched, Facebook users will be able to ‘opt-out’ from having almost all of their 3P [third party] and 1P [first party] data used by Ads systems – page likes, posts, friends list, etc,” the document reads.

The document said that Basic Ads “needs to be launch-ready in Europe by January, 2022.”

As of this writing, Facebook has yet to launch Basic Ads, showing that the company is late to the deadline its own employees established.

Facebook declined to comment on basic ads.

Company representatives said that the name is an internal codename, and that the product will show that Facebook can build advertising that is relevant to users while preserving their privacy.

Subscribe to our cybersecurity podcast,CYBER. Subscribe toour new Twitch channel.

Facebook Doesn’t Know What It Does With Your Data, Or Where It Goes: Leaked Document (2024)

FAQs

Facebook Doesn’t Know What It Does With Your Data, Or Where It Goes: Leaked Document? ›

Facebook's systems are such a maze that even its engineers cannot keep track of the data that enters it. An explosive document that leaked out of Facebook's stables indicates the social media giant has no idea how to control first-party and third-party data and keep track of the personal information of its users.

What is the Facebook data leak issue? ›

Facebook data breach in 2021

The accident exposed such details as the names, phone numbers, Facebook IDs, emails, relationship statuses, and locations of 533 million Facebook users from 106 countries. This data was found on a hacking forum, where it could be downloaded for free.

How do I know if I have been affected by Facebook data breach? ›

But a third-party website, haveibeenpwned.com, makes it simple to check by inputting your email. For now, it just checks if your email was among those stolen. That's a pretty big catch: Although 533 million Facebook accounts were included in the breach, only 2.5 million of those included emails in the stolen data.

What can Facebook do with your data? ›

We use the information we have to deliver our Products, including to personalize features and content (including your ads, Facebook News Feed, Instagram Feed, and Instagram Stories) and make suggestions for you (such as groups or events you may be interested in or topics you may want to follow) on and off our Products.

Is Facebook stealing my data? ›

Data sharing goes both ways. Facebook is also keeping track of some of your online surfing activities even when you're not on Facebook itself. That's because plenty of sites share data on you with Facebook—mostly via ad links. You can view what that data is and clear it.

Why does it say my data has been leaked? ›

Data breaches are incidents in which confidential information, including consumer data, is stolen from a company or organization. If you receive a notice that your information has been compromised in a data breach, it's important to act quickly to secure your accounts and take preventive measures against fraud.

What is the Facebook data scraping scandal? ›

How was Facebook hacked? Hackers exploited a vulnerability in Facebook's system, allowing them to access and scrape the personal information of millions of users. The company has since made changes to its systems to prevent unauthorized data scraping and continues to work on addressing this industry-wide challenge.

How many people stopped using Facebook after data breach? ›

In the months that followed the initial news reports of the Cambridge Analytica scandal, about 74% of users made some adjustments to their use of Facebook by adjusting privacy settings, taking a break from the service or deleting the app from their phones (Perrin, 2018).

Can I contact Facebook for a hacked account? ›

If you're worried about the security of your Facebook account, please visit https://www.facebook.com/hacked for assistance.

Can I find out if my data has been breached? ›

See if your personal data has been exposed on the dark web

F‑Secure helps you to check if your private information appears in known data breaches. Email address or breach information won't be stored.

Does Facebook track your IP address? ›

Whenever you use our products, we may receive location information based on things like the settings you've chosen on your device, or your activity across our products. We're also able to receive location information from the network you connect your device to, including your IP address and Wi-Fi connection.

How do I stop Facebook from accessing my data? ›

Change your off-Facebook activity settings
  1. Click your Facebook profile picture.
  2. Go to Settings & Privacy, then select Settings.
  3. Select Accounts center, then click Your information and permissions.
  4. Click Your activity off Meta > Manage Future Activity > Disconnect future activity.
  5. Select Continue, then hit Confirm.
Feb 2, 2024

What data does Facebook take from you? ›

We collect the content and other information you provide when you use our Services, including when you sign up for an account, create or share, and message or communicate with others. This can include information in or about the content you provide, such as the location of a photo or the date a file was created.

Does Facebook leak data? ›

In 2019, Facebook experienced a significant data leak that affected 533 million users¹. Now, just a few years later, the social media platform has experienced another data leak, this time affecting nearly 80k of its users. The ramifications of this breach can be severe.

What kind of data was stolen from Facebook? ›

The leaked information, spotted by Insider, was posted to an online hacking forum and included the full names, phone numbers, locations, and birthdates of users on the platform from 2018 to 2019.

Does Facebook have access to my Google searches? ›

The collection of user data is an essential aspect of online businesses such as Facebook. Data is collected from various sources, including search engines like Google, to enable the platform to personalize content and advertisements.

What is the Facebook data privacy scandal all about? ›

The data privacy scandal on Facebook involves the company Cambridge Analytica, which was accused of collecting and misusing the personal data of millions of Facebook users without their consent.

What is the Facebook data usage scandal? ›

The collection of personal data by Cambridge Analytica was first reported in December 2015 by Harry Davies, a journalist for The Guardian. He reported that Cambridge Analytica was working for United States Senator Ted Cruz using data harvested from millions of people's Facebook accounts without their consent.

Why did I get a notification about a data leak? ›

If you get a notification on your phone that says “data leak,” don't panic! Yes, it means your data has ended up in a data breach, and unauthorized individuals can access your accounts and personal information.

Is the Apple data leak warning real? ›

Is an iPhone password data leak real? Again, this can cause confusion but a notification on iPhone that your password was in a data leak does not mean your actual account details were leaked. It just means your password matched a password that was part of a data leak.

Top Articles
Latest Posts
Recommended Articles
Article information

Author: Arielle Torp

Last Updated:

Views: 6264

Rating: 4 / 5 (61 voted)

Reviews: 92% of readers found this page helpful

Author information

Name: Arielle Torp

Birthday: 1997-09-20

Address: 87313 Erdman Vista, North Dustinborough, WA 37563

Phone: +97216742823598

Job: Central Technology Officer

Hobby: Taekwondo, Macrame, Foreign language learning, Kite flying, Cooking, Skiing, Computer programming

Introduction: My name is Arielle Torp, I am a comfortable, kind, zealous, lovely, jolly, colorful, adventurous person who loves writing and wants to share my knowledge and understanding with you.