Folks, I’m gonna be honest with you. Over my (short) tenure covering digital privacy, I’ve seen my fair share of deeply shitty tech companies pulling deeply shitty stunts in attempts to profit off our personal data. Facebook is one of the names that comes up most frequently here, and that’s partially because their privacy policy is crafted so well to tell you things without actually telling you things.
In the aftermath 2018 Cambridge Analytica scandal, people began digging into the company’s ongoing shady privacy practices and found a company that deliberately spied on underage teens, covertly used uploaded selfies to build out facial recognition systems, and kept records of countless people’s calls and texts without their knowledge. Then came Mark Zuckerberg’s year-long apology tour. Then came Facebook’s ongoing attempt to redo its labyrinthian privacy policies into something more “black and white.”
As it stands now, Facebook’s mammoth Data Policy clocks in at over 4,200 words, and any attempt to read the tome in full means sacrificing close to 20 minutes of your day, per a recent New York Times analysis. Sprawling and incomprehensible privacy policies aren’t anything unique to Facebook. What is unique is that a lot of the company’s policies are largely written in words the basic person can understand. If you sit down for about half an hour with a cup of coffee in one hand and a full printout of Facebook’s policies in the other, you’ll probably come out with a decent idea of how the company’s money-for-data machine works.
Or at least, that’s what you’ll think. Facebook’s privacy policies are a master class in divulging just enough to satisfy most people’s curiosities about the company’s creepiest practices, without giving them enough details to actually protect themselves. It’s a privacy policy loaded with dead ends and tech tangents designed to give you the illusion of control — but that’s it.
That said, I’m an optimist. Maybe the company is too busy with its antitrust suits, multiple international probes, and the whole Elon Musk thing to bother making policies any more transparent than they actually are. Or maybe Facebook just doesn’t know where to start. Thankfully, I have some ideas!
Defining What a ‘Facebook Product’ Is
When most people think about the so-called Facebook Family of Products, chances are that they’re thinking of some of the highly profitable (and highly scrutinised) acquisitions that Facebook’s made over the years. Instagram, for example, is definitely a cut-and-dried Facebook Product. Same with WhatsApp, Oculus, and Giphy.
Here’s the first part of Facebook’s massive Data Policy:
This policy describes the information we process to support Facebook, Instagram, Messenger and other products and features offered by Facebook (Facebook Products or Products).
Chances are, most people just blow right past that link without clicking on that hyperlink. If you do, you are greeted with a page telling you that, yep, the company’s Data Policy applies to all those names above, and also to a suite of so-called “Business Tools” you’ve undoubtedly never heard of. If you want to know what the hell those tools even are — or the kind of data these tools collect — you’ll need to dig through page after page of even more wordy nonsense in order to get that answer. And what those pages will tell you is that the vast majority of sites on the web and apps you can download are, in a sense, a Facebook Product.
Let me explain. When Facebook talks about its Business Tools, it’s talking about tiny pieces of Facebook-created tech that advertisers can use to target people on Facebook or Instagram based on their behaviour off of those platforms. Some of these products include tidbits like the Facebook Pixel or the Facebook Software Development Kit (SDK) that certain brands and businesses can freely onboard if they want to give Facebook data about how you’re acting on their site or in their app. If you’ve ever read a story about any app sharing any kind of data with Facebook, you probably have these tools to thank.
In the company’s defence, later chunks of the privacy policy go on to vaguely define different third parties that share vaguely defined bits of data with Facebook, and even started giving us the chance to see what this data looked like with the “Off Facebook Activity” tool the company rolled out last year. Facebook even told us we could full-on delete the oodles and oodles of data about each of us that these companies were uploading onto Facebook’s marketing machines.
But because the tool doesn’t actually disclose what kind of data these third parties are sharing, or even disclose the tools they might have used to share it, Facebook’s promise that we can now “delete” this data also ensured that there’s no way of stopping that exact data from being uploaded again.
A good first step that Facebook could take is literally just tacking a list of all the data hoovering “business tools” onto its Data Policy literally anywhere. For reference, I cover this company’s privacy practices for a living and it took me a solid fifteen minutes to find which dusty corner of Facebook’s platform was actually housing something close to a comprehensive list (spoiler: it’s here — deep within the company’s developer documentations, and not linked anywhere near the Data Policy).
Clarifying What ‘Off-Facebook’ Means
Aside from the data that third parties share with Facebook about the apps we download and sites we visit, the company has an entire program designed to help businesses bring data about in-person customer interactions onto Facebook’s platform. They can either do this directly, or with the help of even more partners that Facebook picked out specifically for this purpose.
I know that description invariably brings up the image of a sprawling panopticon featuring thousands of Zuckerberg faces leering everywhere you go — but I promise this is way, way more dull.
Here’s a personal example: I live in a neighbourhood with a ton of pet stores, and those pet stores run ad campaigns on Facebook and Instagram all the time. Let’s say after seeing one of those ads, I step into a shop to buy, I don’t know, a new leash for my cat. If the person running this cat-leash operation wants to know if I — or anyone else — was driven into his store after seeing one of his many, many ads running across Facebook’s properties, he can just hash the basic bits of payment data we all left behind, and pop those strings of code directly into Facebook’s ad-serving systems.
These systems do their best to match each of the day’s purchases with the Facebook accounts of the people who made them and lets Mr. Leash know if these accounts have stumbled upon one of his Facebook ads over the past month and a half or so. The company actually suggests uploading as much data as possible as part of this process, and preferably uploading on a daily basis so that data can be matched most “effectively.”
When you multiply this daily data dumping process by god-only-knows how many small stores per day, it becomes pretty clear that Facebook, in a sense, has acquired some degree of eerie omniscience–and that’s ignoring the data this program can pull from your customer service calls, bank deposits, or visits to the dentist. All of these businesses are complicit in tracking your “Off-Facebook Activity,” but good luck actually telling them you want to opt-out.
Explaining What a ‘Third Party Partner’ Is
Everything described thus far doesn’t include companies “selling” our data to Facebook — it’s being “shared.” In the pre-Cambridge Analytica era, this sharing overtly went both ways: small businesses would pour their customers’ data onto Facebook’s universe of sites, and Facebook would, in turn, pour that data into a handful of data-brokering partners so that more businesses could reach this same customer base. Notably, Facebook cut off data access for these so-called “Partner Categories” in mid-2018.
But that doesn’t mean that Facebook’s necessarily stopped covertly sharing–not selling, remember — data with these sorts of partners. The Data Policy makes that clear:
We work with third-party partners who help us provide and improve our Products or who use Facebook Business Tools to grow their businesses, which makes it possible to operate our companies and provide free services to people around the world.
We also impose strict restrictions on how our partners can use and disclose the data we provide.
To which I ask: whomst? Whomst are these third-party marketing partners Facebook is still working with? Why doesn’t it offer a page spelling out some of these major names, the same way Partner Categories had their own dedicated page before the program came to a close? What’s so hard about… naming a few companies?
On one hand, adding all of these details in would make Facebook’s privacy policies longer, denser, and overall more of a slog to read than they currently are. But they’d also give us a document that better explains to regular people exactly how their data is handled, which means they could have more than half a chance in actually opting out of the company’s clutches. If nothing else, it could teach all of us why simply deleting your Facebook account will never be enough.