Does anyone know if /anyone/ has successfully gotten a large chunk of the data FB stores about them from them since GDPR went into effect? I vaguely remember reading some story of "thousands of pages of print-outs".
--
I wonder how much of this is simply that no one outside of FB has ever seen large chunks of the data that is stored and worries about a PR crisis?
--
Kudos to the author, but I'm guessing that at some point this will have to go to some sort of legal battle as FB may have a /novel/ interpretation of the law, but clearly that interpretation was not made up on the fly by a customer support email person....
There is a retention policy for every bit of data we store and no data is kept longer than absolutely required! This is also true for backups!
We also anonymize and aggregate data whenever possible!
Some people always bring up that the data still exist in abstract form in ML models...but afaik most/all models were constantly rebuilt with fresh data. I can't think of a model that still uses data from let's say 2 years ago.
Sensitive data such as location for example was only kept in encrypted form for a few minutes until the aggregation jobs had processed it. Such data stores were guarded like Fort Knox with multiple lines of defense!
You would think then, that Facebook would make it easier to actually go and delete old data, rather than forcing the most motivated people to go through hoops such as browser plugins and other scripts.
If it doesn't matter to the business, then just give people the option to set a sunset period and have the system do it for them. As a user, I was happy enough sharing pictures of cats and nature hikes, but there was zero value to me in keeping any of it. With all the obvious, public screw-ups, I took the nuclear option and deleted my account.
"Unfortunately, that tool only gives me all of the data I put on there myself. So nothing I didn't already have. After all, why would I leave my only copy of a photo on Facebook? So no, this tool does not allow me to exercise my GDPR rights."
When the author is visiting a website that hosts a "Like" button, the author's web browser makes a request to Facebook's (httpd) servers for the button image. He then sends data to Facebook in HTTP headers. If he uses a third-party DNS service, it is possible he could also be sending part of his IP address, i.e., location data, to Facebook's (authoritative DNS) servers in the DNS request packet. For example, see https://developers.google.com/speed/public-dns/docs/ecs
Personal data is anything that can be linked to your person in the context of the GDPR. Doesn’t matter if they store your IP or the movements of your mouse pointer or your user agent, it is all personal data, unless they store it in a way that can’t link back to you (e.g. just counting the number of user agents of each kind).
And the author is right. There is with high certainty a lot of data about you that you didn’t explicitly upload and I don’t see why Facebook shouldn’t give it to him.
I see why they don’t want to give it to him (because it would show the extent of their data collection), but exactly for that reason it is even more important that they comply.
The typical approach is to keep the PII in the backups encrypted with a user-specific key which is stored separately and can be deleted without touching the backups. I'd expect Facebook to do the same, but who knows?
That's clever and interesting. What happens in the case there is a vulnerability with the encryption method? Say, an exploitable backdoor or general weakness is found. Or even quantum computing comes along and makes it crackable? I guess in any scenario, since the data is not actually deleted, just theoretically being able to access it would be a big liability to have, no?
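The per-user key approach described in the comment above, as an added example that is not part of the thread and not any real company's code: each record is sealed with AES-256-GCM under its owner's key, and an erasure request deletes only the key while the backup bytes stay untouched. `KeyStore`, `ShreddedError`, the nonce/tag/ciphertext layout and the sample record are assumptions made for illustration.

```ruby
require 'openssl'

# Raised when the owner's key has been destroyed (hypothetical error class).
class ShreddedError < StandardError; end

# Hypothetical per-user key store, held apart from the backup media.
class KeyStore
  NONCE_LEN = 12 # AES-GCM nonce size in bytes
  TAG_LEN = 16   # AES-GCM authentication tag size in bytes

  def initialize
    @keys = {}
  end

  # Encrypt one record; returns nonce || tag || ciphertext for the backup.
  def seal(user_id, plaintext)
    key = (@keys[user_id] ||= OpenSSL::Random.random_bytes(32))
    cipher = OpenSSL::Cipher.new('aes-256-gcm').encrypt
    cipher.key = key
    nonce = cipher.random_iv      # fresh nonce for every record
    cipher.auth_data = user_id    # bind the record to its owner
    body = cipher.update(plaintext) + cipher.final
    nonce + cipher.auth_tag + body
  end

  # Decrypt a backup record; fails once the owner's key is gone.
  def unseal(user_id, blob)
    key = @keys.fetch(user_id) { raise ShreddedError, "no key for #{user_id}" }
    cipher = OpenSSL::Cipher.new('aes-256-gcm').decrypt
    cipher.key = key
    cipher.iv = blob.byteslice(0, NONCE_LEN)
    cipher.auth_tag = blob.byteslice(NONCE_LEN, TAG_LEN)
    cipher.auth_data = user_id
    rest = NONCE_LEN + TAG_LEN
    cipher.update(blob.byteslice(rest, blob.bytesize - rest)) + cipher.final
  end

  # Erasure request: destroy the key only; returns true if a key existed.
  def shred(user_id)
    !@keys.delete(user_id).nil?
  end
end

# Constructed sample record; the "backup" copy is never modified.
store = KeyStore.new
backup = store.seal('user-1001', 'lat=52.37,lon=4.90')
store.shred('user-1001')
begin
  store.unseal('user-1001', backup)
rescue ShreddedError => e
  puts "backup still holds #{backup.bytesize} bytes, but #{e.message}"
end
```

The ciphertext remains in the backup after `shred`, so the erasure is only as strong as the cipher and the guarantee that no copy of the key survives elsewhere.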