By Campaign Agent Charlotte Spencer-Smith
If you download the Facebook mobile app, you may be surprised by the amount of access the company wants to your phone. Its unusually long list of permissions, none of which you can opt out of, does include some items that make sense. Facebook wants its users to share photos, so the app requests access to the camera on your phone, allowing you to take pictures in-app. Many users check in to locations like restaurants or museums, and the app retrieves your location to tag your posts. Other permissions, however, are more difficult to understand. Why does the app need access to your browser history and how you use other apps? Or the names of wifi routers your phone connects to? And what about other people’s information, like telephone numbers and email addresses stored in your contacts?
None of your business
A common view is that you deserve what you consent to: users share data with companies like Facebook because they have explicitly agreed to this, in return for the right to use social media services. However, Austrian lawyer and privacy activist Max Schrems is suing Facebook for breaching European data protection law. In multiple areas, Facebook is alleged to be collecting information that it has no right to under European legislation, and keeping and processing information beyond what users can agree to. When the new European General Data Protection Regulation (GDPR) comes into force at the end of May this year, his new NGO, noyb (“None of Your Business”), will use it to strengthen its lawsuit against Facebook Ireland, where all of Facebook’s operations outside the US and Canada are headquartered. Users who live outside the US or Canada have a user agreement with Facebook Ireland, not with Facebook’s Silicon Valley offices.
Schrems started his legal battles in 2011, when he filed 22 complaints against Facebook with the body responsible for regulating Facebook Ireland’s operations, the Irish Data Protection Commissioner. Using a 1,400-page document that Schrems obtained about himself from Facebook, he complained that the company was storing information that users believed they had permanently deleted from their accounts. This included deleted pokes, posts, messages, tags and photos. Schrems argued that the practice was in breach of the European Data Protection Directive (the forerunner to the upcoming GDPR) and that the company had no legitimate right to keep hold of this data. After complaints to the Irish Data Commissioner were rebuffed, Schrems filed a class action lawsuit in his home country of Austria, representing 250,000 other European Facebook users. In January 2018, the Court of Justice of the European Union ruled that he could not bring a class action suit, but could still sue Facebook as an individual consumer, which he will do once the GDPR comes into force in May.
The most serious of Schrems’ allegations involve purported behind-the-scenes behaviour at the world’s largest social media company. This includes building “shadow profiles” beyond users’ profile pages. Schrems alleges that Facebook is “using data provided by the users themselves (e.g. status messages or uploaded photos) as well as data of other users (e.g. synchronisation of telephone directories, searches for current cities or friends with other users), additionally buying data from third parties (e.g. data vendors), importing public information (e.g. from Wikipedia) and collecting data itself (e.g. by analysing clicks, meta-data or search requests or tracking data).” This mass of information helps Facebook target advertising more effectively, making it a popular choice for marketers. As well as collecting information about users, the company also collects information about non-users.
To return to the Facebook mobile app, Facebook can access phone numbers stored on a phone. If the telephone number of a non-user is retrieved from a number of their friends who have downloaded the app, there is little to stop Facebook from reconstructing the non-user’s social circle and information about their social life. Since the original complaint filed in 2011, Facebook has updated its Data Use Policy to be more explicit about the information it collects. However, Schrems remains unsatisfied, writing on his website that, “they did not stop their illegal forms of data processing but simply wrote them into the policy, which made the new policy worse than the old one”.
Jump to 2018 and concern over shadow profiling is growing with the development of machine learning. Machine learning takes technology a step beyond programmers merely telling computers what to do. Algorithms can now tweak themselves to become more successful at performing given tasks. This might be more efficient, but in searching for patterns, machine learning can infer personal details about users that they never intended to share. Controversial research claims that machine learning algorithms are relatively successful at using photographic information to determine whether a person is homosexual or heterosexual. Facebook has already started using artificial intelligence to search through posts to identify suicidal users, looking for comments like, “are you ok?”, so that they can alert first responders to a potential emergency. While Facebook claims that the technology can help save lives, it is also eerily reminiscent of the 2017 film The Circle, in which a social media company intrudes further into its users’ private lives in the pursuit of a safer, more transparent world. The suicide alert technology is currently being rolled out worldwide, with the exception of Europe, which Facebook claims is because of local sensitivity to data protection issues, if not the GDPR itself.
Legal battles in Europe
Facebook has good reason to tread carefully in Europe. In 2015, Max Schrems scored a major victory by getting the European Court of Justice to strike down the “Safe Harbor” data sharing agreement between the EU and the US. After the former US government contractor Edward Snowden exposed PRISM, a programme that allowed the National Security Agency to read private communications between social media users, Schrems swiftly filed new complaints against Facebook, Apple, Skype, Microsoft and Yahoo Germany. Ultimately, the Court of Justice of the European Union decided that American companies could not adequately protect EU citizens’ data on US servers because of the NSA’s PRISM programme, invalidating the “Safe Harbor”. Furthermore, while Max Schrems waits for the GDPR to come into force to sue Facebook, the company faced defeat in Belgian and German courts in the same week in February. A Berlin regional court ruled that Facebook users cannot give informed consent because they cannot agree to five default settings that intrude on their privacy. It also ruled that Facebook’s terms about data collection are too broadly framed, and that the real name policy (in which users have to use their real names) is illegal. A few days later, a Belgian court found that Facebook’s tracking of users on third party sites with cookies is illegal, ruling that the social media platform must delete the data.
Facebook’s alleged privacy violations touch on major political questions about the digital landscape. As the internet has emerged as a major dimension of the world economy, data has become a valuable resource. While resources like water and fuel are mined from the natural environment, user data comes from people, and not all of it is obtained with their informed consent. Although Facebook claims that user data belongs to its users, its maximalist approach to data collection, processing and storage is testing the limits of the law and consumer rights. To complicate matters, social media has come to dominate public life and socialising in many countries, while in turn being dominated by a closed circle of tech giants. This gives consumers limited choice and little consumer power when they want to participate in digital life.
While users may legally consent to Facebook’s terms, this does not mean that they are happy with them or felt free in their choice. Social media companies operate an uncompetitive market by building walled gardens. For example, while email is open between different providers, allowing a Yahoo email user to email a Hotmail account, a Google Plus user cannot connect with a Facebook user, forcing users to gravitate to where all the other users are. The law and citizens’ rights should protect consumers from overwhelming market power wielded by social media and tech companies. However, the epic legal battle against Facebook demonstrates that the rights enshrined in law are not a given, especially if regulatory bodies and lawmakers are not able or willing to defend them.
Sources and Further Reading:
- Mehreen Khan and Hannah Kuchler, “Facebook escapes Austria class action but still faces grilling”, Financial Times, (25 January 2018)
- Europe v Facebook website (archived from February 2018)
- General Data Protection Regulation 2016/679
- NOYB - European Center for Digital Rights
- 'Data Protection Bill', UK Information Commissioner’s Office
- Max Schrems, “Complaint against Facebook Ireland Ltd. – 02 ‘Shadow Profiles’”, Europe v Facebook, (18 August 2011)
- 'Audience Insights', Facebook
- Michal Kosinski and Yilun Wang, “Deep Neural Networks Are More Accurate Than Humans at Detecting Sexual Orientation From Facial Images”, Journal of Personality and Social Psychology, (7 September 2017)
- Sandra Wachter, Brent Mittelstadt and Luciano Floridi, “Why a Right to Explanation of Automated Decision-Making Does Not Exist in the General Data Protection Regulation”, International Data Privacy Law, (24 January 2017)
- Nicole Kobie, “Facebook's suicide alert tool isn't coming to the EU. Here's why”, Wired, (28 November 2017)
- English translation of lawsuit filed by Maximilian Schrems against Facebook Ireland Limited, dated 31 July 2014
- 'Facebook in Breach of German Data Protection Law', Federation of German Consumer Organisations, (14 February 2018)
- Samuel Gibbs, “Facebook ordered to stop collecting user data by Belgian court”, The Guardian, (16 February 2018)