Facebook Doesn't Know What It Does With Your Data, Or Where It Goes

em1ly shares a report from Motherboard: Facebook is facing what it describes internally as a "tsunami" of privacy regulations all over the world, which will force the company to dramatically change how it deals with users' personal data. And the "fundamental" problem, the company admits, is that Facebook has no idea where all of its user data goes, or what it's doing with it, according to a leaked internal document obtained by Motherboard. "We've built systems with open borders. The result of these open systems and open culture is well described with an analogy: Imagine you hold a bottle of ink in your hand. This bottle of ink is a mixture of all kinds of user data (3PD, 1PD, SCD, Europe, etc.) You pour that ink into a lake of water (our open data systems; our open culture) ... and it flows ... everywhere," the document read. "How do you put that ink back in the bottle? How do you organize it again, such that it only flows to the allowed places in the lake?" (3PD means third-party data; 1PD means first-party data; SCD means sensitive categories data.)

The document was written last year by Facebook privacy engineers on the Ad and Business Product team, whose mission is "to make meaningful connections between people and businesses," and which "sits at the center of our monetization strategy and is the engine that powers Facebook's growth," according to a recent job listing that describes the team. This is the team that is tasked with building and maintaining Facebook's sprawling ads system, the core of the company's business. And in this document, the team is both sounding an alarm, and making a call to change how Facebook deals with users' data to prevent the company from running into trouble with regulators in Europe, the US, India, and other countries that are pushing for more stringent privacy constraints on social media companies. "We do not have an adequate level of control and explainability over how our systems use data, and thus we can't confidently make controlled policy changes or external commitments such as 'we will not use X data for Y purpose.' And yet, this is exactly what regulators expect us to do, increasing our risk of mistakes and misrepresentation," the document read. In other words, even Facebook's own engineers admit that they are struggling to make sense and keep track of where user data goes once it's inside Facebook's systems, according to the document. This problem inside Facebook is known as "data lineage."

Then maybe stop collecting data?

[kge]

Until you know how to handle it properly..

Re:Then maybe stop collecting data?

[Anonymous Coward]

Facebook's own engineers admit that they are struggling to make sense and keep track of where user data goes once it's inside Facebook's systems, according to the document.

Create a fake document and let it accidentally "leak".

Hey, Mister Regulator. Don't worry about us. Look at this document that accidentally leaked. We're so incompetent that we don't even know what is done with all the data we collect. No need to do anything bad to us. We're not bad guys. We just don't know what we're doing.

100% fake bullshit. Plausible Deniability. Nothing more.

From 2017 through 2020 Facebook had total revenue of just over 250 Billion US Dollars. Almost all from advertising. Advertisers don't pay that kind of money to someone who doesn't know EXACTLY what they are doing.

Re:

[gtall]

"Advertisers don't pay that kind of money to someone who doesn't know EXACTLY what they are doing."

I don't believe this. The advertisers could simply be looking at what their ads produce in terms of business as opposed to what happens without the ads. They don't really need to give a flying rat's ass about whether Facebook knows what its doing.

Re:

[whitroth]

You're wrong. A lot of ads are from small businesses, and they're paying for clicks, and *hoping* that fecesbook knows what they're doing.

Based on the smallest sample - me - they don't have a freakin' clue. They're putting them out based on one datapoint, and telling the advertiser how great they are.

For example, I posted for everyone's appallment a link to an ad from one of the highest-end retail clothing stores, where they were selling a pair of jeans so ripped and damaged that any normal person would hav

Re:Then maybe stop collecting data?

[pjt33]

Hey, Mister Regulator. Don't worry about us. Look at this document that accidentally leaked. We're so incompetent that we don't even know what is done with all the data we collect.

I don't know whether US regulators give a free pass for incompetence, although I doubt it, but European regulators should (and under pressure from Max Schrems probably will) treat this kind of incompetence as grounds for massive repeating fines until Facebook gets its house in order. It's a clear admission of failure to respect about half of the principles of GDPR (processing only with lawful grounds, transparently, for the purposes stated, where necessary for the purposes stated).

Re:

[rickb928]

I can apply the same filter to all this as I would in a meeting with sales & marketing. If they said they needed sensitive data, but already had lost track of the data they currently had, weren't entirely sure where it was being sent or with whom it was being shared, and couldn't report on it, the rest of the team would say 'no', except for the few, who would say 'hell no'.

I can readily imagine how this happened at FB, and it doesn't matter. Incompetence, in this instance, cannot be mistaken for malice.

Re:

[Geoffrey.landis]

...If they said they needed sensitive data, but already had lost track of the data they currently had, weren't entirely sure where it was being sent or with whom it was being shared, and couldn't report on it, the rest of the team would say

..."yeah, figures, that's about par for the course.

admitting that they don't actually know what they're already doing... now that's unusual.

Re:

[AvitarX]

They don't need to know where the data comes from to be able to retrieve the data.

The way I read the summary is Facebook gets data from multiple sources, attaches it to users, and then doesn't know where it came from.

Re:

[HiThere]

And, a key point here, they don't know how much of it is accurate. It's better for ad sales if they pretend it's all accurate.

Re:

[AvitarX]

That's true too.

As long as the advertisers get good results they don't really care.

Re:

[jellomizer]

"Advertisers don't pay that kind of money to someone who doesn't know EXACTLY what they are doing."

I guess you live in some fantasy world, they may pretend they know what they are doing, but in term of business everyone I have met including CEO of very successful orgs. Are mostly playing it by ear as they go along. They don't know what they are doing, they are just trying what they think is the right thing to do, if it works they take the credit, if it fails they find someone to blame.

When a big wig ask us

GDPR fail

[bagofbeans]

This means that FB cannot operate legally in EU.

Re:

[tsa]

Have they ever?

Re:

[rgmoore]

I can easily believe that Facebook takes no steps to keep data separate after acquiring it. It's of a piece with Zuckerberg's famous quote that privacy is over and we have to live with it. The company doesn't just have an inadequate process for keeping different kinds of data separate; they don't grasp why that would be necessary. If I were a privacy a regulator, that would make me want to completely destroy the company and salt the earth where it used to stand.

Re:

[Wycliffe]

We're so incompetent that we don't even know what is done with all the data we collect.

Advertisers don't pay that kind of money to someone who doesn't know EXACTLY what they are doing.

They aren't saying they don't know where it is going. They are saying the exact opposite. They say it is currently going everywhere and they don't know how contain it. Instead of nice neat silos, they have an ocean of information that flows everywhere and goes everywhere just like the water that flows in the Mississippi eventually finds itself in the rivers in China.

Re:

[znrt]

100% fake bullshit. Plausible Deniability. Nothing more.

i don't think so, they are openly admitting that they are incompetent and are unable to steward the private information they collect, something they have been denying for ages, in court and even in congress (which, granted, is a clown show but still). incompetence is no excuse, this is tantamount to criminal negligence.

Re:

[Tony Isaac]

Oh, the problem is not ignorance! Facebook simply doesn't care what happens to your data, as long as somebody pays for it!

Re:Then maybe stop collecting data?

[AmiMoJo]

In Europe the usual solution to this type of situation is to require ALL the data to be deleted. At Facebook, and at anyone they shared it with. Any company that ever did business with Facebook will need to either carefully audit every bit of information on their systems so that they can trace it back to a non-Facebook source, or delete all of it.

Re:

[Ostracus]

That's a lot of exabytes [techradar.com] to delete.

Re:

[rgmoore]

Sucks to be anyone who doesn't know how to compartmentalize private data, then. If the companies don't want to abide by the law, it's their problem when the government comes after them, not the government's.

Re:

[Aighearach]

It's hard to come to any other conclusion than that; they'll have to delete their historical data, and start over, and this time keep track of what they did with the data.

I don't have any sympathy for them, because they should have thought in the first place, "What if we need to know later?" But they made a different call, and the sooner they bite the bullet and start over... the more historical data they have in the future.

Re:

[hey!]

Well, technically they can't say if that they're handling it *improperly*.

Why go looking for problems when the only result is that someone will make you fix them?

Seems logical

[Registered Coward v2]

They built their systems when there was no meaningful rules, and grew so fast that stuff just happened without any real thought to developing ways to track what goes where. No they are so big and the links so convoluted no one can figure them out. No one saw the need to establish some sort of system to track what went where, and if they did any attempt likely failed for lack of interest. This is not a Facebook unique problem, I've worked with companies who had no idea how their processes actually worked and how stuff flwed through the system. Facebook would be a dream client as you could spend years for tons of their money helping them figure it out.

Re:Seems logical

[AleRunner]

They built their systems when there was no meaningful rules, and grew so fast that stuff just happened without any real thought to developing ways to track what goes where.

That makes it sound like this was accidental. Facebook came into the same market as Google (allowing advertisers to use user data for targeting) and set out to compete. At that time, Google was doing careful data partitioning and (to a large degree - there are always possible leaks) ensuring that advertisers could use the data without accessing it. Google did the targeting according to the advertiser's request. It was only later, around 2012 that Google merged data between different services [washingtonpost.com] (interestingly - I found it easier to find this information via Bing than Google - there are certain things people don't seem to want remembered).

Facebook entered that market with the explicit "special sauce" which was that they gave much better access to the data. Where google would make it difficult to work out which users were in your class of users, Facebook at times would directly allow people to query that on their APIs and use that for election manipulation (look up Cambridge Analytica). When people found out that Facebook data was being used illegally they would be "shocked, totally shocked" and say that it was a breach of contract. This was true. Their contracts made it 100% clear that nobody else could know how you used their data and they were quite clear about the huge liability people would have if they were found out.

This "problem" they have is entirely deliberate and malicious.

Re:

[DarkOx]

Facebook gets a lot hate; but honestly I am not so sure many of us would have done it differently.

Google was run by I think more forward looking people who envisioned a big continuing business.

Zuck has lightning in a bottle. He recognized that and monetized it an exploited it as quickly as possible. Clearly a lot of decisions where based on this will print money today! By the later 2000s if not the middle it should have been apparent to everyone at FB that enormous regulatory, and legal liabilities that we

Re:

[HiThere]

The problem was, indeed, entirely deliberate. I doubt, however, that it was malicious. Uncaring, yes, but that's really a very different thing.
OTOH, perhaps I shouldn't be so certain about the lack of malice, given: https://www.businessinsider.co... [businessinsider.com]

Re: Seems logical

[reanjr]

The more people involved in a decision, the more likely at least one of them is acting maliciously. It sounds like Facebook handed over the keys to anyone who asked for them. Lots of those people (developers, exectutives, advertisers) were almost certainly acting maliciously.

Re:

[rickb928]

"here is rampant greed and corruption, much worse than I've ever seen in my life."

This is because your life, and mine, are short. Don't get too deep into a 'it was worse' discussion, for that road leads to much uncomfortable truth.

Not that today is a golden age of morality and good, but, it may well have been worse, depending on your perspective.

UK rules were in place when FB was born

[Bruce66423]

There were also EU rules. Both however had limited fines associated with them - the odd million, chump change for FB. Now however the GDPR has TEETH, so it is likely that prosecutions attracting fines of significant percentages of worldwide turnover are likely to ensue. After all, someone has got to fund the universal health care in Europe; US tech firms, I'm sure, will be happy to help ;)

Poor babies...

[Kokuyo]

You thought you were above borders and country laws and now it bites you on the ass.

I'm sorry, but my empathy is currently not available to take your call.

Re:

[bill_mcgonigle]

> You thought you were above borders and country laws and now it bites you on the ass.

No Facebook employee will ever face jailtime for any law they violate.

They can do whatever they want because they're wealthy.

Live By The Sword...

[Saffaya]

Die By The Sword.

If you believe that

[MeNeXT]

I have land for sale in a dried up lake bed that will never flood.

Their business is data on individuals. They harvest that data and monetize it. It's amazing how detailed they can get when someone want's to pay for it. I don't buy it.

Here is my analogy. The were caught polluting the lake with ink and are now claiming that the damage is done so they should still be allowed to continue polluting. How about if their business model can't work without polluting the lake then they close their business.

Re:

[jonadab]

> Their business is data on individuals. They harvest that data and monetize it.

Sure, and the same is true of Google. But Google is generally competent. They know what they're doing, and they know how they're doing it, and it's organized and optimized. Google, to my knowledge, has NEVER been caught deliberately violating their own stated privacy policy; whereas Facebook has a long history of getting caught doing stuff (with user data) that their own policy specifically said they wouldn't do.

When Micro

A free tip

[Teun]

I considered selling them this tip but hey, the poor smucks need it:
Follow the money!

Implausible Deniability

[gosso920]

What does Facebook do with your data? It sells it. Where does it go? Into databases of the companies that made the purchase.

Nuke it from orbit

[reanjr]

Nuke it from orbit. It's the only way to be sure we got all the data.

Impossible

[RandCraw]

FB's entire business is selling your name, behavior, and demographic profile to others so they can market and sell to YOU. Thus, *every* FB product contains a way for the seller to contact or track you. That identifier + personal info is what the EU demands to know, as well as who bought it and how they use it. The audit trail of accountability only *begins* with FB.

Get used to it Mark, soon there'll be no place to hide what you do to your customers and there's nothing you can do to stop it.

Money

[jebrick]

I'll bet they know how much money they have made from your data.

Let's extend the analogy

[jdharm]

The ink belongs to your neighbor who loaned it to you to fill out some documents for him he hired you to write up. The documents got done and he wants his ink back. Now you're just staring at him blankly and pointing to the lake you just dumped his ink into.

He gave you the ink to get his work done, not to do with as you please.

Re:

[jonadab]

This analogy breaks down because data, unlike ink, doesn't get "used up" when you do something with it. You still have the original data. If ink worked like data, then when the owner of the ink asked for their ink back, you could in fact return it to them 100% in tact, _despite_ the fact that you've also contaminated a large lake with it and furthermore have also sent it all (perhaps down pipelines or in tanker trucks) to eleven other companies.

The problem Facebook is having is more along the lines of "Go

I could not possibky be

[Otis B. Dilroy III]

Less sympathetic.

All we know is

[hdyoung]

that somebody paid for your data. We’re 100% sure that happens every time.

Re:

[HiThere]

Yeah, they know who they sold it to. They don't, however, bother to track where it came from. (I believe them, but I don't feel this exonerates them, or should limit the penalties.)

Data really does want to be free

[sheph]

Since the early days of the Internet I've always understood that if you don't want something public then don't put it on the Internet. Regardless of what Facebook does or doesn't do to protect your data it's only as protected as Facebook itself. All companies are compromised at some point. Facebook allows an enormous amount of data to freely flow from its API. They sell your data to other people. Any hope of containing that data went by the boards as soon as the user gave it to Facebook. Regardless of what they do now the cat's already out of the bag.

Disturbing

[NormAtHome]

It's actually more disturbing that they have no idea where all your data is than how much data on you they actually have.

"Privacy engineers"

[FritzTheCat1030]

"The document was written last year by Facebook privacy engineers"...Facebook has privacy engineers? Is that what they are calling their unpaid interns these days? How much "engineering" does a policy of "you don't have any privacy" need?

Re:

[splutty]

The privacy engineers need to engineer documents and arguments proving that no one needs privacy.

Disingenuous as best

[haggie]

Facebook knows where they collect data, they know where it is stored, and they know where it is flowing. Why? Because that is how they make money. The sale of the data that YOU provide them.

Their ONLY fear is that the "tsunami" of protections will shrink or eliminate some of those revenue flows and expose them to liability in markets where they violate the protections.

So Facebook is a criminal enterprise?

[gweihir]

(Under the GDPR...)

Makes sense to me.

Glad I got away from it.

[muh_freeze_peach]

Facebook brought out the absolute worst in my friends and family. I had to leave because it just got too toxic. That was in 2016. I am still in the Meta data pool as I like to post pictures of mushrooms and insects on instagram, but IG isn't pumped full of political crap. At least it isn't forcing it on me like facebook did. Ah well, seems like my consumer habits will feed the beast that kills me.

Black market

[0vi_king]

It goes to even WORSE people after FaceBook is done squeezing it.

As usual

[nospam007]

Sufficiently advanced incompetence is indistinguishable from malice.

How I read it

[kaatochacha]

"We've got pockets with open borders. The result of these open pockets and open theft is well described with an analogy: Imagine you hold stolen money in your hand. This money is a mixture of all kinds of user data (3PD, 1PD, SCD, Europe, etc.) You put that money into a lake(our open data systems; our open culture) ... and it flows ... everywhere," the document read. "How do you put that money back into the bank?"