I Finally Read Facebook’s Terms of Service

Just like many people using free online services, I used to ignore many Terms of Service notices and just scrolled to the bottom to confirm them. I believed that the best mindset is just acknowledging the Terms and behaving defensively as if free online services had no Terms protecting their users. In other words, view them as postcards that anyone can read.

Photo of postcards by Annie Spratt on Unsplash

However, the recent Facebook and Cambridge Analytica scandal made me think about what services like Facebook actually promise. The scandal also serves as a reminder that some uses of private data are hard to imagine until you see them. I never considered how a British firm could impact US elections by using Facebook data available to developers, a lot of online surveys, and machine learning.

“A large number of shipping containers” by chuttersnap on Unsplash

Just like free shipping, free online services are not really free. The money necessary to offer them must to come from somewhere.

Now, I don’t think that there is anything wrong with people willingly exchanging their personal data for services they enjoy. Insurance companies offer tracking devices to discount some drivers, for example. If people value their privacy less that an endless scrolling of Facebook’s timeline, they should be free to make that exchange. As long as such an exchange is made with full knowledge of the facts. And that’s where Terms of Services come in.

Below I will refer to Facebook’s Terms of Service as of June 2, 2018.

We use the data we have — for example, about the connections you make, the choices and settings you select, and what you share and do on and off our Products — to personalize your experience. Facebook, June 2, 2018

I will ignore large funnel statements such as the one above because they not very informative. They could be theoretically used to encompass and justify every use of personal data. I will also ignore statements that should be obvious to users such as we collect information about how you use our Products.

We also have developed, and continue to explore, new ways for people to use technology, such as augmented reality and 360 video to create and share more expressive and engaging content on Facebook. Facebook, June 2, 2018

This statement nicely couches all new technology as if it were a birthday gift to its users. However, Facebook probably already has all the face recognition technology it needs to create user graphs across posts, pictures, and videos even if users do not actively tag them. Such technology has some good uses such eradicating hate or adult content.

However, it could also be used for dangerous purposes such as the building of profiles even of people who do not have Facebook accounts. Google search reveals pictures and names of people. If a complete stranger posts a picture of somebody who doesn’t even have a Facebook profile (let’s call him John Smith), Facebook could pattern match the picture with other public data to build a profile. It can learn that John Smith attended a concert in New York on May 5, 2015 from a picture with tens of faces posted by someone else. All of this without John Smith’s knowledge.

“A black sign with white text on a wall that reads "Please respect our neighbors' privacy".” by Kai Brame on Unsplash

To be fair, government agencies are likely already building such profiles, but those should be governed by strict privacy laws. The Economist claims that the size of the surveillance tech market in China is now $120bn.

However, it appears that the only thing preventing Facebook from building such dangerous graphs of people’s lives is integrity.

You should know that, for technical reasons, content you delete may persist for a limited period of time in backup copies (though it will not be visible to other users). In addition, content you delete may continue to appear if you have shared it with others and they have not deleted it. Facebook, June 2, 2018

This is a more problematic statement and it will be interesting to see how GDPR impacts it. One of the goals of GDPR is to ensure that users have unconditional ability to delete their content. However, Facebook will correctly argue that due to the nature of content being shared around the globe and cached in computers for better user experience, it may be technically difficult to guarantee deletion. CDNs, caching, and other forms of partial data retention in many locations near users are fundamental to the user experience internet services are able to provide today.

One of the first GDPR-related statements is already visible in Facebook’s Data Policy:

You can choose to provide information in your Facebook profile fields or Life Events about your religious views, political views, who you are “interested in,” or your health. This and other information (such as racial or ethnic origin, philosophical beliefs or trade union membership) is subject to special protections under EU law. Source, June 2, 2018

Deleting content is so fundamental to user privacy that some compromise guaranteeing when user data is deleted entirely should to reached.

We collect the content, communications and other information you provide when you use our Products … [including] what you see through features we provide, such as our camera. Facebook, June 2, 2018

It is unclear how user privacy is affected when using Facebook’s camera and other internal services compared to the standard camera software on smartphones. The statement could mean that Facebook performs greater data analyses on pictures taken by its in-app camera.

The Data Policy statement is a treasure of information. Just about devices Facebook collects:

Device attributes: information such as the operating system, hardware and software versions, battery level, …

Device operations: information about operations and behaviors performed on the device, such as whether a window is foregrounded or backgrounded …

Identifiers: unique identifiers, device IDs, and other identifiers, such as from games, apps or accounts you use, and Family Device IDs …

Device signals: Bluetooth signals, and information about nearby Wi-Fi access points, beacons, and cell towers …

Data from device settings: information you allow us to receive through device settings you turn on, such as access to your GPS location, camera or photos.

Network and connections: information such as the name of your mobile operator or ISP, language, time zone, mobile phone number, IP address, connection speed and, in some cases, information about other devices that are nearby or on your network …

Cookie data: data from cookies stored on your device, including cookie IDs and settings … Facebook, June 2, 2018

I intentionally included most of the details above to highlight how overwhelming the data collection is. It is unclear to me why all this information is necessary to run a social network if user privacy is one of the core values of Facebook as Mark Zuckerberg claims:

Our goal is to make it so that people can share with exactly the people they want to — Mark Zuckerberg, 2010

Advertisers, app developers, and publishers can send us information … These partners provide information about your activities off Facebook — including information about your device, websites you visit, purchases you make, the ads you see, and how you use their services — whether or not you have a Facebook account or are logged into Facebook. Facebook, June 2, 2018

Facebook collects data from other sites as well, that should be obvious to users. Especially so if people use the ubiquitous Facebook login feature to sign into other sites. The key here is the phrase whether or not you have a Facebook account or are logged into Facebook. So Facebook at least attempts to track everybody online with of without a Facebook account. Again, it is unclear to me how this is necessary to run a social network that values peoples privacy.

I see at least two outcomes that can pressure Facebook to alter its privacy behavior: regulators and lower usage if its products. I am skeptical on both fronts. The Facebook hearings did not produce much more than a respectable performance by Mark Zuckerberg using the opportunity to market his company in the face of sometimes clueless US lawmakers. Regarding the second point, Facebook users somehow increased the usage of the product after the Cambridge Analytica scandal.

If Facebook wants keep its users’ trust (which it appears not have lost so far considering the post-Cabridge Analytica usage), it should offer a paid service. This will have two benefits:

  • Paid accounts will offer a completely ad-free network with no user privacy leakage or unecessary internet tracking.
  • Free accounts will be clearly distinguished for what they are not: a charity. Free accounts exist for Facebook to run a profit-maximizing business. Users will knowingly exchange their private information for a service they enjoy. As long as both parties are aware of the consequences, they should be free to do so.

Author website: adamnovotny.com