On 9 April 2018, EDRi received an invitation from Facebook to attend a meeting to discuss the loss of trust in Facebook, following the Cambridge Analytica scandal. The meeting was proposed for 26 April.
It struck us that, if Facebook wanted an honest exchange, it would be happy to answer some of the most obvious outstanding issues.
Encouragingly, Facebook said it would welcome the questions and that it would still like the meeting on 26 April.
The questions were sent on 16 April and… we never heard from Facebook again…
Here they are:
1. Facebook’s new policy is based on opt-in for facial recognition being applied to inform Facebook users of their faces appearing on photos uploaded by other users. Does this mean that Facebook will index all facial profiles on any photo uploaded, regardless of any consent by any person depicted? Please answer with “yes” or “no” and explain.
1b. More specifically, will Facebook refrain from analysing any photograph uploaded by any user for biometric data about persons depicted on those photos until it has received an opt-in by every person depicted on those photos? Please answer with “yes” or “no”.
2. You state the following: “Second, we’ll ask people who’ve previously chosen to share their political, religious, and “interested in” information in their profile to check that they want to continue to share it.”
Does the above mean that any of the above data will be deleted if Facebook does not receive an explicit consent to retain it? Please answer with “yes” or “no”.
If “yes”, what will be the cut-off date before Facebook starts deleting such data?
2.b If by “sharing” it is meant that the scope of the discontinuation is limited to sharing with other Facebook users and/or Facebook affiliates, how does Facebook consider that this complies with the requirements of art. 9 GDPR for processing these special categories of data?
3. Privacy International created a new Facebook profile to test default settings. By default, everyone can see your friends list & look you up using the phone number you provided. This is not what proactive privacy protections look like. How does this protect users by design and by default?
4. According to your notification, a “small number of people who logged into ‘This Is Your Digital Life’ also shared their own News Feed, timeline, posts and messages which may have included posts and messages from you”. Why was this not notified to the appropriate national authorities immediately? Are other apps also able to share / receive messages from me?
5. If a similar situation to the one involving Cambridge Analytica were, despite your efforts, to arise again, who would be responsible, Facebook Inc or Facebook Ireland?
6. Why do privacy settings continue to only focus on what friends can & can’t see? If the recent FB scandal has shown one thing, it is that FB’s ad policies have far-reaching consequences for users’ privacy. When are you going to treat ad settings as privacy settings?
7. The GDPR includes new provisions on profiling and automated decision-making. How are you going to change your ad targeting practices to be compliant?
8. The Economist recently reported on how difficult it is for Europeans to download their personal data from Facebook, and Mark Zuckerberg’s testimony described your systems as more transparent than they actually are. How and when, if at all, do you plan to address these issues?
9. You claim to offer a way for users to download their data with one click. Can you confirm that the downloaded files contain all the data that Facebook holds on each user?
You claim to offer a single place to control your privacy. This does not seem to include ways to opt out of ad targeting or to avoid being tracked outside Facebook. Will you offer a single place where users can control every privacy aspect of Facebook, even for people who have no Facebook account?
10. The GDPR gives individuals the right to access and verify their profiles, including marketing profiles based on so-called derived data (data that were not disclosed by the user but interpreted from his/her behaviour). Is Facebook going to give its users full access to their marketing profiles? Please answer with “yes” or “no” and explain.
11. Speaking about derived data and marketing profiles, does Facebook process for marketing purposes any data that reveal (directly or indirectly) political opinions of its users? Please answer with “yes” or “no” and explain.
12. Do Facebook apps use smartphone microphones in any way, without this being made clear to the user? If this were to happen, would you consider that lawful?
13. Facebook has voluntary agreements with the Swedish intelligence services to share data. How do you reconcile that with the GDPR?
We are expecting Facebook’s answers any day now…maybe not today, maybe not tomorrow, but soon. If not, we’ll always have Cambridge.
(Contribution by Joe McNamee, EDRi)