back to article Chap asks Facebook for data on his web activity, Facebook says no, now watchdog's on the case

Facebook's refusal to hand over the data it holds on users' web activity is to be probed by the Irish Data Protection Commissioner after a complaint from a UK-based academic. Under the General Data Protection Regulation, which came into force on 25 May, people can demand that organisations hand over the data they hold on them …

  1. Doctor Syntax Silver badge

    The report just says he's asking for browsing activity off Facebook. It's not clear whether he also has a FB account or whether he's a non-account holding innocent bystander.

    1. big_D

      That doesn't make any difference under the eyes of the law. They are collecting the information, so they have to hand it out in a reasonable time. They also have a legal requirement to hold the minimum amount of data on a person in order to provide their service.

      If they have so much data, that they themselves can't access it all in a timely manner, then it breaks that part of GDPR as well.

      1. Aqua Marina

        Can we please have the same for Google and Apple? Pretty please!

        1. bombastic bob Silver badge
          Devil

          Can we please ALSO get the same with MICROSOFT (in addition to Google, Apple, others) ?

          You know, that 'Microsoft Logon' that they strongarm* you into using, JUST so you can access your _OWN_ Windows 10 PC? What info is being stored along with THAT??? Hmmm???

          Yeah I think the U.S.A. needs a GDPR, too. And _ONLY_ 'opt-in' authorization for data collection. And the ability to edit/erase the data. And so on. It can't be THAT hard for FB and the others to write a simple generic SQL query web interface to do this. It's just they don't wanna unzip their pants and let people see what's REALLY behind the curtain...

          * last time I had to build a Win-10-nic VM with a very recent downloaded ISO image from MSDN, I ran into the same 'how do I prevent having to use a Micro-$#!+ login" problem... as I'd forgotten the 2-step hoop jump you have to do to make this work. Eventually I remembered, but it _IS_ strong-arming when you force people to do this JUST to avoid your tracking/slurping/cloudy/online logon for a LOCALLY INSTALLED COMPUTER. In other words, they *NEVER* *FIXED* *THIS*.

          1. TheVogon

            "You know, that 'Microsoft Logon' that they strongarm* you into using, "

            My Windows 10 seems to work just fine with a local user account and password only. Using a Microsoft ID / the Windows Store is optional.

            1. Tony Paulazzo

              My Windows 10 seems to work just fine with a local user account

              But to be fair there's a huge 'sign-in with MS account or create one' and a tiny line near the bottom of the screen with 'local account login' that in no way implies MS is trying to hide the option.

              As for the GDPR and tracking details, someone needs to create an 'easy to ask for all my data' website for all Europeans to really fuck MS, Google, Facebook et al.

              It would be really funny.

      2. ratfox
        Paris Hilton

        If he doesn't have an account, it might be difficult for Facebook to identify his data, though. They might well have a complete history of what AnonymousUser142857 has done the web, but I'm not sure how they could connect that with Joe Bloggs from Ipswich. Google certainly also creates a profile of users that have no account, but the My Activity website only works if you are logged in to a Google account.

        Which leads to the depressing idea that you have to create an account with them so that they can tell you exactly what they know about you. On the other hand, depending on what the law says, that might mean that they are not allowed to create a profile of you if you don't have an account with them. Hmmmmm...?

        1. Gotno iShit Wantno iShit

          They might well have a complete history of what AnonymousUser142857 has done the web, but I'm not sure how they could connect that with Joe Bloggs from Ipswich.

          Dear Faecbook, please provide a copy of and then delete all data held by yourselves regarding the owner of phone IMEI aa-bbbbbb-cccccc-ee. Regards, Joe from Ipswitch.

        2. JohnFen

          "If he doesn't have an account, it might be difficult for Facebook to identify his data, though"

          If that's actually true, it's a very strong argument that Facebook (and Google, etc.) needs to stop collecting and storing this data entirely. Or, at a minimum, stop storing it.

      3. David McCarthy

        I have this notion that GDPR says you have to tell people what data you're collecting and why. This would apply wether or not you have an account. This clearly isn't happening.

        Also, only the necesary data should be collected (by default) to enable the service to be provided (to the individual). If they don't have an account, or are not logged in ... then Facebook isn't providing a service ... and so shouldn't be collecting ANY data.

        1. Mike 33

          You can argue that on a website with a 'like button' or 'login with Facebook', that Facebook is providing data processing and the site itself is the data controller...

          Which potentially also means you can request the information from the website owner itself...

          1. Anonymous Coward
            Anonymous Coward

            > You can argue that on a website with a 'like button' or 'login with Facebook', that Facebook is providing data processing and the site itself is the data controller...

            Nope. That "like" button being on some site or another is irrelevant: that only determines how you end up accessing Farcebook's systems and is no different than, say, landing on the Farcebook site from a search engine results page vs typing the hostname on the address bar. Either way, your browser will be opening a connection to Farcebook and they will be collecting or storing information directly from/to your systems. That information may (will) include the site that you had visited, but that's it.

            TL;DR: the website hosting the like button is neither a data controller nor a data processor in relation to data held by Farcebook about you.

            For OAUTH2 logins that's slightly different, but that's not important right now.

        2. GeekyDee

          Dear user,

          We collect everything because we can and noone can stop us as we have all the money

          Regards, Mark

      4. Remy Redert

        It does matter if they can't prove informed consent was present when they gathered this data. Of course that's separate to his request for all the data they have on him.

        Get all the information they have, then sure then for the data they have because you never have consent.

      5. StewartWhite

        Re. "If they have so much data, that they themselves can't access it all in a timely manner, then it breaks that part of GDPR as well.", it' ain't necessarily so. In the UK the ICO has already ruled that Queen Mary University London (QMUL) did not have to comply with a request to provide the raw data used to produce the results of the discredited PACE trial. This was under the Freedom of Information Act rather than GDPR but it's quite conceivable that the precedent will remain in the UK. The spurious argument that the ICO accepted was that the database is very large (it isn't), that the process involved in extracting the information would be too onerous (it wouldn't) and that they would be "creating the data" (they wouldn't). Facebook could be able to use this kind of perverse logic with the additional points that their dataset is far larger and more complex than QMUL's.

        "QMUL explained to the Commissioner that the relevant raw data is held in a very large database of 3000 variables with 640 rows. It went on to explain the steps required in order to provide the information to the complainant. The Commissioner considered the explanation of the steps required to locate, retrieve and extract the information. He determined that the application of section 12 was not appropriate in the circumstances of the case. QMUL was, in fact, stating that it would be

        ‘creating’ the information and the information was therefore ‘not held’."

        https://ico.org.uk/media/action-weve-taken/decision-notices/2015/1043578/fs_50557646.pdf (section 12)

        1. Anonymous Coward
          Anonymous Coward

          @StewartWhite

          The argument that they have so much data and its not indexed properly in Hive is in fact false.

          FB does in fact have the ability to index and access the data quickly. However, they don't want to do it.

          Yes, I am posting anon because I am both familiar with their environment, as well as a 'Big Data' expert. They could easily afford the cost of adding indexing as well as converting the data that they store in Hive. Actually the truth is that Hive is the SQL-lite language which is used to query data that is stored in files on HDFS which could be raw log files but are really parsed files stored in parquet. They could use HBase (which they have) to be secondary indexes, and then join them against the primary or base table. (The underlying storage mechanism is abstracted so you can have one table in Parquet, another in Hive's native ^A, ^B format, or comma delimited or even HBase. )

          The whole section of the article on the 'Hive mind' is pure spin by FB and it falls flat. While its true that they don't have the capability to do these queries in a timely fashion, its more due to a lack of CPU than a lack of technology or money. They could and probably have already expanded in to a compute / storage model and using Kubernetes can spin up compute clusters that can run their 'hive' or SparkSQL queries against the data.

          So I call BS on FB.

          1. Mark 85

            Re: @StewartWhite RE: Anonymous Coward

            If what FB says were true, then why would they store all that data in their "Hive"? Hives cost money, so obviously, it's BS. FB has become the new Big Brother.

            1. Anonymous Coward
              Anonymous Coward

              @Mark 85 Re: @StewartWhite RE: Anonymous Coward

              Hive is a query language that gets translated in to a map/reduce job.

              The data is translated from a log message in to a semi-structured state, stored potentially a couple of different storage formats... (csv, parquet, hbase, orc, etc ...) Stored on HDFS. The key is that these files are stored in a key/value manner with further partitioning within a hierarchy of directories.

              Its not always the most efficient and there are other tools that can be used in a combination w Hive to improve performance. Like using spark, presto, drill, hbase, tez, etc ...

              So while what they said is partially true, the key is that they could spend money and could manage their data centers better. But then again FB has this inbred desire to use FOSS only with few exceptions.

              1. whitepines

                Re: @Mark 85 @StewartWhite RE: Anonymous Coward

                Don't see where FOSS is the problem here. Facebook could either buy proprietary tools or pay developers to write new FOSS ones. The problem seems to be getting them to pry open their wallet to follow the law. Hopefully that will be dealt with in an example-setting way (fines, efc.)

          2. JohnFen

            Re: @StewartWhite

            "So I call BS on FB."

            At this point, I pretty much assume that anything Facebook says is BS.

          3. Anonymous Coward
            Anonymous Coward

            Re: @StewartWhite

            Bingo! Saved me a ton of typing. I've been working with databases since 1975, can't say I've missed many since especially when I like to collect and learn about the new types. Given that Hive is explicitly scale-out by design, the only thing that'd be holding them back from such queries would be a lack of infrastructure. Well, guess what Facebook, you need to buy some more to meet the letter of the GDPR. I almost have sympathy for them. Almost.

            Filing this one away for when/if we get the new law here in California up and running. I'm not exactly expecting that to happen without a fight.

          4. Byham

            Re: @StewartWhite

            As Facebook uses the information generated on each user to provide close to immediate tailoring of the 'FB Experience' with ads, news, and, other information suited to the identity logged in - then I agree it is obvious BS that they cannot access the information - they act on it at every single login and possibly on every single transaction. They may not be able to easily go back to each of the interactions that were used to build the information/picture of the identity - but they and all their advertisers have immediate real time access to the information about each and every identity logging in. Otherwise it does not support the purpose for which it was collected and therefore does not meet the requirements of GDPR.

        2. Anonymous Coward
          Anonymous Coward

          > In the UK the ICO

          ...are worse than toothless: they have a tendency to side with companies against consumers. To dissimulate a bit, they do the occasional slapping of fine on either some nobody or another governmental organisation (so that's consumers footing the bill again), but they're never going to touch anyone of any size.

        3. Alan Brown Silver badge

          " In the UK the ICO has already ruled that Queen Mary University London (QMUL) did not have to comply with a request to provide the raw data used to produce the results of the discredited PACE trial."

          The ICO has issued a number of flawed decisions, but an ICO decision is far from the end of the line - it's not even precedent setting on the NEXT decision they make (never mind they're not a court of law).

          There are ICO appeal procedures and then the law courts - and the courts have been less than kind to the ICO's strange interpretations of the law in the past, with particular criticism given to the way they side with orgs declining to disclose data. (Judges understand the principles of FOI far better than the ICO - remember that most ICO employees handling cases are underpaid, underqualified, overworked civil servants and that's exactly the way Whitehall wants it)

          1. Ben Tasker

            The ICO has issued a number of flawed decisions, but an ICO decision is far from the end of the line - it's not even precedent setting on the NEXT decision they make (never mind they're not a court of law).

            Not to mention the complaint has gone to the Irish Data Commissioner, so the ICO are entirely irrelevant here anyway.

    2. Anonymous Coward
      Anonymous Coward

      Whats to stop a criminal pretending to be someone else and asking for all the data Facebook hold on them?

      Seems like identity theft could get a huge boost if it becomes too easy to access this info.

      1. big_D

        Given that you have to be able to identify yourself in the first place, you would have already had to have stolen their identity.

      2. JohnFen

        "Seems like identity theft could get a huge boost if it becomes too easy to access this info."

        Yet another excellent reason why these companies need to stop storing all this data.

    3. Ian Michael Gumby
      Boffin

      @Doctor Syntax

      The report just says he's asking for browsing activity off Facebook. It's not clear whether he also has a FB account or whether he's a non-account holding innocent bystander.

      It doesn't matter.

      Under GDPR, any data collected by FB on a non-account holder would be a violation since the non-account holder has no way to 'opt-in' to their capture and retention of his data. Where they may claim you approved is that the site you visited had a banner than said that they use cookies therefore if you visit the site, you agree to their capturing data on you and imply that it carries to their third parties like FB.

      (And that's questionable at the start) or if they use .js from FB which has nothing to do with the cookies.

      So the UK has every right to go after them.

      If he is an account holder, then under the GDPR they have to detail what details they collect and how they use it so that the user/punter/shill has the option to 'opt-in' giving them an informed consent to track him.

      That's not so clear therefore it too is against the law.

      Either way you cook it... its still tainted meat and you will get sick. ;-)

      1. tallenglish

        Re: @Doctor Syntax

        I think the way they may weasle out of it is the site that has FB links has to have shown the GDPR accept all request and part of that is allowing 3rd parties to use the data from that site and in this case, FB is the 3rd party.

        So ironically FB will blame everyone else, in the "you must have clicked accept all on xyz.com website to view it and part of that acceptance is to allow FB to track you while using that site".

        What I am not sure about is the legality of how they merge those site tracking to one unique ID or if they do at all - if they do then the must have some identifyable info about the user and could easilly grant the request (albeit data taking a long time to collate), if not then it is fully anonymised then it only allows for custom advertising to that website based on what type of users are visiting it and that wouldn't require GDPR data given to any one user I think.

        Question is what are they slurping, are they infuring things like sex and other preferences by the type of site visited (like men mainly go to car websites) and sexuality based on what you search for in pornhub, etc?

        1. Anonymous Coward
          Anonymous Coward

          Re: @Doctor Syntax

          > I think the way they may weasle out of it is the site that has FB links has to have shown the GDPR accept all request and part of that is allowing 3rd parties

          That would be extremely dodgy from a compliance standpoint. But then again, lots of people are just playing dumb anyway.

  2. Anonymous Coward
    Anonymous Coward

    'It's not clear whether he also has a FB account or whether he's a non-account'

    "Info collected on folk outside the social network 'not readily accessible'" ... "Michael Veale, who works at University College London, submitted a SAR to the social media giant on 25 May asking it to hand over the information it has collected on his browsing behaviour and activities off Facebook."

    1. Doctor Syntax Silver badge

      Re: 'It's not clear whether he also has a FB account or whether he's a non-account'

      Yes. All it says is off Facebook.

      Let's back up two paragraphs before what we both wrote about: "The crux of the issue is the data the firm slurps up via its Facebook Pixel, the widely used tracking code on multiple websites"

      Note that these multiple websites extend far beyond those Facebook runs.

      Now look at the next paragraph; it makes the point that the tools Facebook provides are "to access the data collected on the platform [i.e. Facebook's own platform] – for instance, ad preferences" and not those collected off it, i.e. those collected by the means described in the preceding paragraph.

      And that's what "off Facebook" means. It gives no indication as to whether he has an account with them or not because he's not asking about data collected on the platform.

      1. djack

        Re: 'It's not clear whether he also has a FB account or whether he's a non-account'

        Why does it matter whether he's a member or not? It's personal data that they have collected about him.

        From a technical aspect, if he's a member it should make it easier for them to extract and collate the relevant data. If he's not a member, they have no justification or permission whatsoever for collecting and processing that data in the first place.

        1. Doctor Syntax Silver badge

          Re: 'It's not clear whether he also has a FB account or whether he's a non-account'

          "Why does it matter whether he's a member or not? It's personal data that they have collected about him.

          From a technical aspect, if he's a member it should make it easier for them to extract and collate the relevant data."

          I'm just thinking it terms of how this can play out. If he doesn't have an account FB can present a defence along the lines of "we don't know who he is". If he has an account this defence is less likely to succeed and if the case then exposes the amount of data collected off-platform it makes it less easy for them to defend against a subsequent claim by a non-account holder.

          1. djack

            Re: 'It's not clear whether he also has a FB account or whether he's a non-account'

            Let's take the thought exercise a bit further ..

            They have a bunch of data that is classed as personal. You may even go so far as being able to deanonymise some of it making it potentially identifiable (don't ask me how, but the deanon crowd can be scarily inventive when they get a hold of big datasets).

            For any particular data element, they can say that they don't know who it is about. Therefore there is no way that they can evidence any informed consent for the collection and processing of said data. The individual is not (necessarily) a user of Facebook so there is no way that the data is collected as an essential part of any service provided to the individual. Therefore, as far as I can see, they would have no legal basis to keep hold of the data and should therefore delete it.

            That will probably save them megabucks in storage costs ;)

            1. big_D

              Re: 'It's not clear whether he also has a FB account or whether he's a non-account'

              djack, what you say is true. But does it outweigh the money made from selling targeted adverts?

              Until big fines start getting handed out, the cost of storing the data will always be miniscule, compared to its possible use, whether that use is legal or not.

              1. djack

                Re: 'It's not clear whether he also has a FB account or whether he's a non-account'

                But that's the thing with the GDPR, the potential fines are quite large.

                If someone has the will (and I'll admit it's probably quite a big if) then this sort of case could cause some massive changes of behaviour in the tracking and advertising industry. Probably just for European end users though. It will either cost a shed load in fines or a shed load in lawyers fees (and then hopefully a shed load in fines on top! - Hey, I can but dream)

                1. Charles 9

                  Re: 'It's not clear whether he also has a FB account or whether he's a non-account'

                  "But that's the thing with the GDPR, the potential fines are quite large."

                  Until some genius finds a legal way to weasel turnover numbers...

                  1. DCFusor

                    Re: 'It's not clear whether he also has a FB account or whether he's a non-account'

                    Charles, that was kinda my point above, which collected some downvotes...maybe some SJWs feewings were hurt or something.

                    Point is - it's obvious where the power lies here. Any fines of any transnational never amount to even a day's cleared profits, as the Reg writers themselves often point out. Which shows who is in actual control, and the rest is theater.

                    These days, if you want to keep your data - which has value, like other stuff, you have to earn it by perhaps blocking the collection of it...even if you don't have a FB or Google or whoever account -

                    You might have to lift a finger or spend a little skull sweat, as you can count on the fact that those who are making money aren't going to figure out how to defeat themselves for you with "that one weird trick".

                    Sorry if I come across as too cynical. Being an old fart in this world,, and having touched matters of high finance, politics, and computer science, well, it'll get to ya if you keep your eyes open and "follow the money". Cui bono - except now you don't even have to buy it directly - you can be monetized without your own direct input. (taxes pay for it, the things you buy,...and so on)

                    1. Byham

                      Re: 'It's not clear whether he also has a FB account or whether he's a non-account'

                      "Point is - it's obvious where the power lies here. Any fines of any transnational never amount to even a day's cleared profits, as the Reg writers themselves often point out. Which shows who is in actual control, and the rest is theater."

                      I would think that a fine for example of 30% of annual turnover would make even Facebook sit up and take notice. The levels of fines especially from the European Court systems as well as the levels of potential enforcement are not something that any transnational will take lightly.

            2. Lyndon Hills 1

              Re: 'It's not clear whether he also has a FB account or whether he's a non-account'

              The individual is not (necessarily) a user of Facebook so there is no way that the data is collected as an essential part of any service provided to the individual.

              The 'service' is not being provided to the individual, it's being provided to advertisers.

              1. djack

                Re: 'It's not clear whether he also has a FB account or whether he's a non-account'

                The 'service' is not being provided to the individual, it's being provided to advertisers.

                Hence they have no defence of it being stored as an essential part of the service to the subject.

            3. Anonymous Coward
              Anonymous Coward

              @Djack Re: 'It's not clear whether he also has a FB account or whether he's a non-account'

              Sorry mate it doesn't work that way.

              They may anonymize and aggregate data that they sell, but the raw data that they capture and retain... isn't anonymous and is still kept because it has value.

              But keep trying.

          2. KLane

            Re: 'It's not clear whether he also has a FB account or whether he's a non-account'

            If this stored data can't be queried efficiently, then what does Facebook use or archive it for? I suspect if a TLA asked for it, there would be no difficulty coming up with it.

            1. PurpleLace

              Re: 'It's not clear whether he also has a FB account or whether he's a non-account'

              I think it's more the manner in which it's queried.

              In the sense that for an advertiser, you know that user I'd "xyz" likes this and that and so can target adverts.

              But that doesn't necessarily mean that for a Facebook user or non Facebook user that you could very easily associate a user id with a an actual identity provided as part of the SAR. Especially if what they say about the two platforms being unrelated (if I remember the article correctly)

            2. Anonymous Coward
              Anonymous Coward

              Re: 'It's not clear whether he also has a FB account or whether he's a non-account'

              There's a huge financial difference between a few subject requests from the various TLA's and, potentially, millions of data subjects for Facebook. Then the question for them becomes, which would you rather pay? More for infrastructure to comply or 4% of turnover for the rest of the firms existence? Now that's an interesting economic calculation in the realm of game theory right there!

              1. Charles 9

                Re: 'It's not clear whether he also has a FB account or whether he's a non-account'

                "More for infrastructure to comply or 4% of turnover for the rest of the firms existence?"

                Ever heard of The Cost of Doing Business? If they can find a way to reduce their legal turnover (I don't think there's a fine in the world that can't be finagled--that's what lawyers are for, partially), they could just pay the fines so as to keep going.

          3. Anonymous Coward
            Anonymous Coward

            @Doctor SyntaxRe: 'It's not clear whether he also has a FB account or whether he's a non-account'

            Sorry but from a technical aspect, there is no defense.

            Regardless of your status as a member or not, FB captures and performs work on the data in order to build a profile. Its not until the later stages that they are able to match this information against a FB user.

            Think of it this way.

            You use Dr. Syntax here.

            You may have your favorite fetish site where you go by igor

            Your real name may be Christopher Robbins and on FB you go by the ailas Chris McDougal.

            (I don't know I'm just making this example up ...)

            So even if they can't match Christopher Robbins to a FB user, there is still data on you and it has value.

            What they do with it is a mystery and under GPDR, its still illegal because they didn't get an explicit , informed, consent.

            FB really doesn't have a strong leg to stand on in either case.

        2. DCFusor

          Re: 'It's not clear whether he also has a FB account or whether he's a non-account'

          djack - of course they have no justification. But this isn't the 1950's - they have "feelings" and "are offended" they can't make money by selling whatever they *want* to collect about you to people who *want* to buy it - and after all, they did half the work finding that stuff out about you - you only did the unpaid other half by giving it to them....

          This is the new age - feelings matter more than what we used to think of as right and wrong. It is what it is. I don't have to like it, and neither do you, but that doesn't make people's lack of old-school morality revert to a good state. And might always meant right - it's just that these days, the might is more transparently NOT resident in governments - who are owned in fee simple by these big transnationals.

      2. big_D

        Re: 'It's not clear whether he also has a FB account or whether he's a non-account'

        Given that he talks about the tools on the site not providing enough information, it sounds like he has an account. But it doesn't matter, even if he didn't, they would still have to hand over the information under the law.

  3. Anonymous South African Coward Bronze badge

    Luuuuverly fresh and hot popcorn orders being delivered via non-trackable drones.

    Our unique technology will pop the popcorn prior to delivery, so you'll get it instantly fresh and hot without having to faff around with cold or stale popcorn!

    Also offered are a range of assorted sprinkle flavours!

    Place your order NOW to avoid disappointment!

    1. MudFever

      If I see that drone flying over my property it will not make the delivery...

      1. onefang
        Mushroom

        "If I see that drone flying over my property it will not make the delivery..."

        You'll pop it with extreme prejudice?

      2. nsld
        Alert

        Yee Haw

        Paddle faster, I hear banjos.......

      3. Anonymous Coward
        Anonymous Coward

        Yep. Skeet, with prizes!

        1. Charles 9

          Aren't you concerned those devices will have GPS trackers and cameras? Meaning if it gets shot down, it'll be able to let the shipper know WHERE it went down...and send the police over there with THEIR shotguns? Last I checked, the plods don't take kindly to guns being fired willy-nilly (due to Disturbing the Peace issues and tragedies caused by falling bullets).

  4. Anonymous South African Coward Bronze badge

    This is going to be very interesting going forward.

    Now if only you can find out how to block that faceboob pixel from "phoning home"...

    1. big_D
      Boffin

      Look on Github, there is a nice list of domain names for Facebook, with the host address set to either 0.0.0.0 or 127.0.0.1. Just pop that list into your hosts file and Robert is your mother's brother.

      1. John Brown (no body) Silver badge

        "Just pop that list into your hosts file and Robert is your mother's brother."

        You seem to be assuming that the OS or apps honour the hosts file. That's not always true.

        1. big_D

          It certainly works under Windows and Linux, none of my browsers will display any Facebook related site.

          1. Danny 2

            @big_D

            Windows 10 ignores host file blocking of Microsoft metric sites, which is why nobody could block Microsoft monitoring and updates. Now I have no reason to suspect they have offered that opt-out to other companies or TLAs, but I have no reason to trust in it, and it is certainly something they could sell to Facebook or whoever.

            1. TheVogon

              "Windows 10 ignores host file blocking of Microsoft metric sites, which is why nobody could block Microsoft monitoring and updates."

              Windows 10 has perfectly capable inbuilt firewall service that will happily block all of those.

        2. JohnFen

          This is correct, and is why everyone should be using a standalone firewall rather than relying on the OS of each machine.

      2. Anonymous Coward
        Anonymous Coward

        > Just pop that list into your hosts file

        Use a firewall for heavens' sake. The hosts file is not meant for that.

        1. big_D

          @AC re: use a firewall

          On a laptop going out and about? I don't have access to all the firewalls I come across and pluggiing them all into the software firewalls of the PCs I use is also laborious.

          1. Danny 2

            @big_D

            Software firewalls won't cut it if the OS is compromised. You could crippleware your laptop through a designer Pi hardware firewall on the go. I know it is not ideal but it is do-able. While it is fun to discuss technical things some of us could do, the issue in the article is how this affects everyone else who can't do.

          2. Anonymous Coward
            Anonymous Coward

            > On a laptop going out and about?

            Especially on a laptop going out and about!

    2. Oliver Mayes

      I set up a Pi-Hole a couple of weeks ago. 10 minute setup, and it's sat there silently filtering all of that crap from my home network every since.

      1. Anonymous Coward
        Facepalm

        I set up a Pi-Hole

        Which is running as root

    3. Alan Brown Silver badge

      "Now if only you can find out how to block that faceboob pixel from "phoning home"..."

      It's called "Disconnect for Facebook" amongst other things.

      However as you have to use as the _only_ available method to explicitly block FB from snooping in your activities, it's more or less proof that FB are NOT indulging in "informed consent" when it comes to their data gathering activities.

      Consent is not fungible. Someone else cannot give it to a 3rd party on my behalf.

  5. Anonymous Coward
    Anonymous Coward

    The article confirms why Zuck acted so naive / dumb in-front of EU / US lawmakers

    He knew tackling data-privacy for non-users / logged-off-users was going to kill Facebook in red-tape. The only solution is for regulators worldwide to force Zuck to purge the HIVE from day-zero to now. Then force Facebook to come up with an alternate solution. Anything else is just unworkable.

    1. Anonymous Coward
      Anonymous Coward

      'Facebook: Information in Hive not readily accessible'

      I wonder what those fields of computers in Utah are for... Seriously, I'm pretty sure 'Palantir Peter' Thiel knows how to access the HIVE, and gets full-access to his pentagram pc...

      1. big_D

        Re: 'Facebook: Information in Hive not readily accessible'

        I wonder what those fields of computers in Utah are for... Seriously, I'm pretty sure 'Palantir Peter' Thiel knows how to access the HIVE, and gets full-access to his pentagram pc...

        That sounds like the plot to Cypher from 2002 with Nigel Bennet, Lucy Liu and Jeremy Northam.

        1. Destroy All Monsters Silver badge
          Thumb Up

          Re: 'Facebook: Information in Hive not readily accessible'

          That sounds like the plot to Cypher from 2002 with Nigel Bennet, Lucy Liu and Jeremy Northam.

          Peter Thiel had the balls to mess up pig-disgusting Gawker good and not let up until it was a bloody heap, so I would pay for that movie if he revvs up a helicopter and blows the hell out of the Zuckerburg at the movie's end.

        2. Aristotles slow and dimwitted horse
          Thumb Up

          Re: 'Facebook: Information in Hive not readily accessible'

          Good movie that one.

      2. Anonymous Coward
        Anonymous Coward

        @AC Re: 'Facebook: Information in Hive not readily accessible'

        Sorry mate, had to down vote you for conflating the NSA in Utah and FB which has their own data centers.

        Yes the information in Hive is readily accessible. However the queries will suck up quite a bit of resources doing full table scans. They shouldn't be using Hive, however... they could be using Hive on Spark, Presto or yeah... still be using Hive.

        Who ever peddled this story is hoping that there aren't people reading it who actually know Hadoop or FB's internals.

        Posted Anon for some very acute reasons.

        1. Ben Tasker

          Re: @AC 'Facebook: Information in Hive not readily accessible'

          Yes the information in Hive is readily accessible. However the queries will suck up quite a bit of resources doing full table scans.

          You seem to think this lack of resources should be the user's problem. It's not. If Facebook cannot comply with the legal requirements of GDPR then it's very much their problem. At the very least they'll need to start working towards an architecture that does allow them to comply (because, let's face it, they're not going to stop collecting that data in the first place).

          Who ever peddled this story is hoping that there aren't people reading it who actually know Hadoop or FB's internals.

          If you read the article it addresses the GDPR related aspects of the difficulty in gaining access to the data, in various places including this:

          Moreover, he pointed out that if the request is excessive, it is only because the amount of data collected and sent to Facebook is too large for one of the biggest companies in the world to retrieve.

          "Which seems to be a breach of [GDPR's requirement for] data minimisation rather than my fault as a data subject requesting this data," he observed.

          If Facebook are collecting reams of data, so much so that it's almost impossible for them to fulfil an access request for it, then that has connotations about whether they're actually collecting the bare minimum required to provide their service.

          They've also rendered themselves unable to fulfil a legal requirement, so of course there will be an investigation. Rightly or wrongly, the internals of Hadoop are largely irrelevant to the law - if it means you can't comply, the view will likely be you should use a technology that _does_ allow you to comply.

          1. big_D

            Re: @AC 'Facebook: Information in Hive not readily accessible'

            In fact, for GDPR compliance, it is recommended that IP addresses in log files be "annoymized" - E.g. the least significant octet should be removed.

          2. John Brown (no body) Silver badge

            Re: @AC 'Facebook: Information in Hive not readily accessible'

            "If Facebook are collecting reams of data, so much so that it's almost impossible for them to fulfil an access request for it, then that has connotations about whether they're actually collecting the bare minimum required to provide their service."

            Subject access requests aside, it may be worth remembering that from FBs point of view , the "service" is providing advertisers with as much targeting data as possible. The phrase "bare minimum" then takes on an entirely different connotation that it would have if only taken in the context of the general public "users" of FB

            1. Ben Tasker

              Re: @AC 'Facebook: Information in Hive not readily accessible'

              Subject access requests aside, it may be worth remembering that from FBs point of view , the "service" is providing advertisers with as much targeting data as possible.

              And from the law's point of view (i.e. the PoV that matters), the service is providing users with, well, Facebook. That's the service being provided to the user.

              It doesn't matter that Facebook's customers are the advertisers, their data collection should be minimised based upon the service provided to users.

    2. Anonymous Coward
      Anonymous Coward

      Divided Loyalty

      There's a big problem here... Data protection is at odds with what most Governments and Facebook secretly want... A 'God-Log' of everyone's activities - forever... (Nod to UK / US / Auz and all the other encryption-backdoor-brigade etc). So, which governments are going to give regulators enough teeth to tackle the problem?

      There's no real solution to the 24/7 surveillance economy, except parking a big truck of fertilizer next to the HIVE along with all its backups of backups... F*ck.... Just realized just by writing this, I'm probably now on some Pre-Crime list. <Knock Knock> Yikes :XD

      1. Harry Stottle

        Re: Divided Loyalty

        yes to this and...

        Had the plaintiff been (instead) a "person of interest" to the FBI and they'd requested his entire history, I somehow doubt that FB would have dared give them the same response...

    3. Anonymous Coward
      Anonymous Coward

      @AC ... Re: The article confirms why Zuck acted so naive / dumb in-front of EU / US lawmakers

      The only solution is for regulators worldwide to force Zuck to purge the HIVE from day-zero to now.

      Uhm... easier said than done.

      Data stored on HDFS (including HBase) is not mutable.

      So to purge the data would mean to filter the data and not copy the rows in to the new file and delete and replace the old file. (This is actually what happens with compaction in Tez , HBase and MapR-DB. )

      At the same time FB doesn't want to do this because it also opens up their data collection to more eyes so that people can see exactly what they capture.

      And that's only part of it.

      Now they will also have to go thru every set of data which is a derivative of the initial logs and filter that data. Also not that easy because of the 'full table scans' (file scans) and compaction process. It could force FB to be ground to a halt just to handle these requests.

      So its both a loss of revenue and an expensive task.

      1. Ben Tasker

        Re: @AC ... The article confirms why Zuck acted so naive / dumb in-front of EU / US lawmakers

        The only solution is for regulators worldwide to force Zuck to purge the HIVE from day-zero to now.

        Uhm... easier said than done.

        Data stored on HDFS (including HBase) is not mutable.

        He said purge all the data. That's fairly straight forward: hdfs dfs -rm -r "/*"

        If they want to keep specific bits of data, then yes that's trickier, but that's explicitly not purging from day-zero to now.

      2. John Brown (no body) Silver badge

        Re: @AC ... The article confirms why Zuck acted so naive / dumb in-front of EU / US lawmakers

        "So its both a loss of revenue and an expensive task."

        Ok, that's the upsides, what are the downsides?

  6. adam payne

    However, the firm declined to do so, effectively saying it was too difficult to locate the info within its humongous data warehouse.

    Come on FB you knew this was going to happen and you are telling us that you have no easy way of doing this or that you didn't invest in the infrastructure to make this possible.

    noting that this kind of architecture was necessary due to the sheer volume of data created

    The sheer volume of data slurped.

    Facebook simply does not have the infrastructure capacity to store log data in Hive in a form that is indexed by user in the way that it can for production data used for the main Facebook site

    You say you can't locate the information but then say you don't have the capacity to do it. Anyone would think that you're making excuses because you want anyone to know the sheer scale of your slurping.

    1. Giovani Tapini

      Am I understanding this right...

      Is FB basically saying that it does indeed collect lots of browsing data across multiple websites outside of Facebook. That this data is then used to increase or decrease scores (e.g. gender, political affiliation etc.) and then discarded leaving just the new scores?

      This could explain their excuse, but makes the issue worse as there is no data to correct or remove only my personal scorecard which doesn't really enable "corrections" just resets.

      Am I off track? it is a Friday afternoon after all.

      1. SolidSquid

        Re: Am I understanding this right...

        Sort of, except they don't delete the information afterwards. They just store *all* of it, including the user ID, against those categories, meaning searching by username is an incredibly slow and laborious process (which is entirely their fault, so can't really see it as a good excuse)

      2. Anonymous Coward
        Anonymous Coward

        @Giovani Re: Am I understanding this right...

        Maybe you are correct.

        However... most likely not. They don't disclose what they capture because if you don't have a FB account, the data isn't thrown away.

    2. Wibble

      If you can't obey the law, then you should delete it all.

      What value does this data have outside of slurp central?

    3. Anonymous Coward
      Anonymous Coward

      @Adamn Payne

      There is some truth to what FB is saying.

      They have these 'mega clusters' of thousands of nodes of Hadoop with all of the data stored on HDFS.

      So they have massive amounts of data coming in and because of their NIH (Not Invented Here) syndrome, they write all of their own tools to help manage the data. They provided Hive and Presto to Apache.

      The issue is that when they run a query, it takes up resources which they may not have. Presto has a cluster of machines that are dedicated to running their queries while Hive will run the query as a YARN job and will get queued up with other jobs.

      Because the access pattern of these queries are not their normal use case, they will not be optimized and will end up with full table scans.

      Because they are ad-hoc and not part of their daily business, these queries will require resources that FB did not plan for or allocate.

      So yes, these types of queries will be the proverbial straws that break the camel's back.

      And here lies the problem. They are being truthful that they can't easily provide the information, even if they have the information. <u>HOWEVER</u> they are also being less than honest.

      To your point, they have the funds which could be used to expand the cluster, or rather provide infrastructure to run the queries against their massive data lake. They will take a hit in terms of data processing because of how Hadoop locks the data to a single reader.

      They will have problems with requests to delete this information. Also to filter future requests not to capture the data in the first place. Again, they can do it if they toss more money at it and redesign portions of their infrastructure.

      The point is that its a massive lift and expenditure that hurts them. So they don't want to do it.

      And you are spot on over the sheer amount of data they slurp. Just like Google, many web sites have FB javascript modules on their site. Something El Reg could do a story on if they wanted, but would get complaints from a couple companies in Silly-cone valley if they did.

      Just saying! ;-)

      Also posted Anon for the obvious reasons.

      1. Anonymous Coward
        Anonymous Coward

        Re: @Adamn Payne

        If you believe the numbers reported by the Apache Presto web site, the data warehouse amounts to 300PB and some 1,000 employees run 30,000 queries a day yielding 1PB in data per day. The certainly have an "interesting problem" here. They need to ramp up employees as well as infrastructure if this is the case.

  7. Stratman

    Am I to assume from all this that Facebook stores data on those who do not have an account with them?

    I have never had a Facebook account, do not have one now and can't foresee me ever having one, so if they do hold data on me I wonder from where they received consent? What information would I need to give them in order for them to positively identify me in a GPDR request?

    1. SImon Hobson Bronze badge

      Am I to assume from all this that Facebook stores data on those who do not have an account with them?

      Correct. It is safest to assume that they do have a highly detailed profile of you, all slurped illegally. Lets look at the ways they will have obtained that :

      Firstly, there is the nagging to users to "just upload your contact list and we'll automatically invite them all to link up with you". Most users will have no clue that to upload such a list would be illegal itself, and it's just "so easy" to let FarceBork do all the work for them. So now they have (some subset) of name, phone number(s), email address(es), home address, work address(es), date of birth, date of marriage, spouse's name, and possibly more.

      By powerful analytics, it's not hard to link multiple such entries - so if one person gives them you name, mobile number, home address & email, but another gives them name, mobile & work details, they can put them together.

      Then there's all those websites that include FarceBork tracking stuff. They can, and do, follow you around the web - linking all (well a significant proportion of) those sites and pages you visit to some identifier. At some point you are bound to do something that will let them link this identifier to your profile - and bingo, they know who you are, who you interact with, what sites/pages you visit (and from that, what your interests are and what medical complaints you might have).

      And then you have )so called) friends and family posting photos and comments that reference (and name) you. So now FarceBork have your photo and can (using face recognition) start picking you out in other photos even if you aren't named.

      And yes, all this is done without any consent whatsoever. To see an example (from a few years ago), look up the details of Max Schrems case. He posts examples of the details they admitted to holding on him even without an account - and it was quite detailed.

      Furthermore, there are sites where I've read the supposedly GDPR compliant page on cookies where I find advice that to opt out of such tracking I can follow a link and opt out. This falls over for two reasons: firstly it is not allowed to have an opt-out, secondly it just doesn't work if to opt out you have to create a FarceBork account - and hence both agree to the slurping and give them your details !

      Light at the end of the tunnel, but basically FarceBork's business model (and a lot of Google's) is toast provided the regulators keep their nerve. In the long run, expect to see subscription options that will allow you to have "slurp free" access to services. Anything else could kill them as it's not allowed to make use of a service conditional on being slurped.

      1. stiine Silver badge
        Unhappy

        re: slurped illegally

        Unfortunately, its only been illegal since GPDR came into effect. Prior to that data it was simply evil..

        1. SImon Hobson Bronze badge

          Re: re: slurped illegally

          No, it was illegal prior to GDPR - it's just that the UK ICO couldn't touch them as it came under the jurisdiction of the Irish equivalent, the Irish outfit didn't have the balls or resources to tackle them, and in any case the penalties were just not enough to matter.

    2. Anonymous Coward
      Anonymous Coward

      GDPR Legitimate Interest Clause

      @Stratman "I have never had a Facebook account, do not have one now and can't foresee me ever having one, so if they do hold data on me I wonder from where they received consent?"

      Other companies that you may have an account with contract out work to Facebook, handing over customer personal information. Under GDPR, they can now justify this under a clause called "Legitimate Interest". This doesn't seem to be widely known about, so it's worth having a read up about it.

      I've seen marketing and product development used as a "Legitimate Interest" under GDPR to justify handing over customer information to Facebook, unauthorized. To be clear, this covers Facebook combining the data with the data they already have.

  8. MrWibble

    Wait... A database which is designed to track individuals and serve them specific ads, cannot return the information that it is tracking?

    It's either broken, or someone's telling porkies.

    1. DJO Silver badge

      Why not both?

      They could easily be incompetent and dishonest.

  9. Trollslayer
    Flame

    Let the fines begin!

    Up to four percent of turnover.

    1. DJO Silver badge

      Re: Let the fines begin!

      It's 2% and that's only after repeated naughtiness.

      The penalties that can be handed out under GDPR start low but increase for every repeat offence so an accident will get a slap on the wrist and a small fine, but regular "accidents" will attract the full force of the law - Assuming the local regulators (ICO - I'm looking at you) are up to the task.

      1. Anonymous Coward
        Anonymous Coward

        Re: Let the fines begin!

        No it's up to 4% (or 20 million euros but the higher would apply) of global turnover.

        It also doesn't require 'repeated naughtiness'. The fine is discretionary and based on a case by case basis depending on the level of personal data that is abused and the number of data subjects.

        Facebook already has a few privacy complaints against them at the moment as well - noyb issued one straight after GDPR came into effect.

        1. Charles 9

          Re: Let the fines begin!

          Bet you they just find a way to weasel their turnover numbers. It's just tax avoidance by another name...

        2. DJO Silver badge

          Re: Let the fines begin!

          No it's up to 4% (or 20 million euros but the higher would apply) of global turnover

          That's the penalty for a tier 2 infringement, this kind of issue is a tier one infringement which is up to €10 million, or 2% annual global turnover – whichever is higher.

          The determination of penalty level takes into account previous behaviour of the organisation or data processor but that can only be applied to actions since the introduction of GDPR so while it might not explicitly specify a penalty escalator that is what'll happen, except for really egregious offences.

          1. Anonymous Coward
            Anonymous Coward

            Re: Let the fines begin!

            No it can be regarded as the higher tier, hence 4%.

            Until there is some precedence then no-one knows how the levels of fine will be handed out. Sure it is not very likely to be a super high one in the early days but that is up to the specific bodies to decide.

  10. JimmyPage

    Elephant in the room ?

    Whilst it's right and proper there should be privacy safeguards in place for people that have Facebook accounts, how about the same for people that don't have Facebook accounts, but that Facebook knows about (and can sell the data on to other parties) ???????

    I'm not explaining how again.

    1. big_D

      Re: Elephant in the room ?

      It is simple, if you aren't on Facebook, you haven't given them permission to slurp your data, therefore it would be illegal for them to do so...

      1. Anonymous Coward
        Anonymous Coward

        Re: Elephant in the room ?

        What if it's the third parties they sell it to doing the linking?

        1. SolidSquid

          Re: Elephant in the room ?

          Can't remember the exact details, but either facebook needs to have them sign a contract agreeing they won't do that, which this would violate, or facebook is in breach of gdpr for not properly protecting the data they collected

        2. big_D

          Re: Elephant in the room ?

          What if it's the third parties they sell it to doing the linking?

          If you haven't given them permission to pass on your data, selling it / sharing it with third parties would be illegal*.

          *This article is talking about the situation in Europe, so the answers also relate to EU law.

  11. Anonymous Coward
    Anonymous Coward

    "Web browsing history is staggeringly sensitive / Very clearly personal data"

    So, the most delicate information that's ever been compiled on anyone whose every used the internet is actually blocked - GDPR PERMISSION DENIED -. What a clusterfuck this is turning out to be. No wonder Zuckerberg point-blank lied about 'Shadow-Profiles' in front of Congress!

    What use are Privacy-Controls when Zuck has built an NSA class database, but claims its too hard to retrieve & DELETE info on individual users. Clearly Facebook AI isn't up to the job either. The internet is just a surveillance cesspit now. A golden-age of Spying / Surveillance / Espionage at a Sovereign / Commercial and Consumer level. #UNPLUG

    1. This post has been deleted by its author

      1. Anonymous Coward
        Anonymous Coward

        Re: 'Facebook will become more powerful than the NSA in less than 10 years — unless we stop it'

        It's already starting to mature - and hence ossify.

        You won't catch the cool kids on it anymore ...

        1. Kevin Johnston

          Re: 'Facebook will become more powerful than the NSA in less than 10 years — unless we stop it'

          But you have to keep in mind, it probably gathers more data from 'other' websites than from Facebook.com (or local variants). Doesn't matter where the cool kids go, Facebook is watching them.

  12. Joe Harrison

    Facebook a minor problem

    Don't let them misdirect your attention, the real problem is The Register's data slurping! They totally are the eye at the top of the triangle they know everything about you. How do I know this.... I read stuff on this site all the time and guess what I SEE LOADS OF ADVERTS FOR COMPUTERS! Do the math.

  13. Anonymous Coward
    Anonymous Coward

    Evasive action

    Install Noscript (Be selective of which domains you allow, if a website doesnt work without scripting enabled on the TLD you're visiting, go elsewhere)

    Delete cookies upon broswser closing

    Dont install Flash

    There are other ways and means of tracking such as screen resolution, user-agent string, the list is quite long, but enough of these datasets creates a fairly unique fingerprint.

    Just blocking Javascript and deleting cookies should be enough

    I wish I could transport back to the nineties, the internet was so much better then, before it became commercial

    1. big_D

      Re: Evasive action

      Not quite, it won't stop them serving the "Facebook Pixel", that is a JPG.

      You need to block all their domains (I believe around 1,500 domains at last count). On a PC, the easiest way is to slap them into your Hosts file.

      Try: https://github.com/jmdugan/blocklists/blob/master/corporations/facebook/all

      I have done the same for doubleclick, Google-Analytics and various (thousand) other tracking sites.

      NoScript only helps so far (and I've been an avid NoScript user for well over a decade).

      1. Charles 9

        Re: Evasive action

        "You need to block all their domains (I believe around 1,500 domains at last count). On a PC, the easiest way is to slap them into your Hosts file."

        IF you have access to it. You can't do that on Android without rooting it (which breaks things), and you can't run a filtering VPN if you're running another VPN already (Android last I checked won't allow you to chain VPNs).

        And then there's the issue if Facebook decides to forgo DNS and hit straight to IP addresses or finds other ways to defeat firewalls by hooking up with commonly-visited sites that typically get whitelisted, to the point you either bend over or get off the Internet.

    2. Mage Silver badge

      Re: Evasive action

      I think uMatrix is better than noScript. However I don't see how you can block detection of client with blocking only cookies & JavaScript. I do block all 3rd party Cookies and lots of JavaScript. I'm sure Facebook can still track, but not as well as Google can.

  14. wyatt

    Interesting indeed. We've a big upgrade contract being discussed at the moment which will also include record tagging so that if a customer requests their data, it can be located easily. Part of this work is also historic work going back over the last 7 years worth of data, a very expensive bit of software and work.

    We're also discussing removing data under the 'right to be forgotten', not easy when the systems involved are designed to not have data removed from them.

    1. Anonymous Coward
      Anonymous Coward

      Yup, have been working for the last 8 weeks on the same problem... and Hive/Hadoop really wasn't built for this kind of activity, it is a pain of note!

      1. Anonymous Coward
        Anonymous Coward

        @AC

        Yup, have been working for the last 8 weeks on the same problem... and Hive/Hadoop really wasn't built for this kind of activity, it is a pain of note!

        You need to hire an expert and consider tools like spark to help speed things up.

  15. Wolfclaw

    So the essence of this, is whether GDPR will be enforced and fit for purpose, or will FB get away with it and give a green light to all major data companies to hoover up what they like, so long as they hide it in a hive ?

  16. Anonymous Coward
    Anonymous Coward

    Wont be a problem for Facebook in the UK - they can just point at the home office excuse for retaining all that biometric data

  17. MrReal

    Stopping facebook spying on your web activity

    More useful would be a list of IP addresses that facebook use to spy in a user.

    This is my working list for my host file. Please add any that are missing:

    127.0.0.1 www.facebook.com

    127.0.0.1 connect.facebook.net

    127.0.0.1 staticxx.facebook.com

    127.0.0.1 5-edge-chat.facebook.com

    127.0.0.1 s-static.ak.facebook.com

    127.0.0.1 fb.me

    As far as I know this is the only way to escape their reach, but all suggestions welcome!

    Ah - from another post on here: a far better list to block!!

    https://github.com/jmdugan/blocklists/blob/master/corporations/facebook/all

    Should be in the ARTICLE itself.

    1. antman

      Re: Stopping facebook spying on your web activity

      https://github.com/jmdugan/blocklists/blob/master/corporations/facebook/all

      That's a useful list to find the FB domains but trying to keep up with their host names (they could change) might be a never ending task. What you want is something that sits between the browser and the net where you can enter *.fbcdn.net, for example and block the whole domain. Proxomitron was good for this years ago, not sure what's avaiable these days as I only block scripts now.

      1. Mark 85

        Re: Stopping facebook spying on your web activity

        There's also this one: https://someonewhocares.org/hosts/ Best to use both as there are gaps in one that are filled in by the other.

        The sad part is that it's pretty much like playing Wac-a-Mole with the speed setting locked into "warp speed ". You block one, two more pop up.

  18. GnuTzu
    Megaphone

    "...big platforms relating to tracking are too big or complex to regulate..."

    Yup--that should be refuted. Legitimizing any such claim would be permission to deliberately build systems that lack the necessary capabilities--including those for law enforcement." We must require that tracking systems have the capabilities to be audited for any manner of tyranny!

    And, any tracking data that is not attributable to specific individuals will have to be provably so--also subject to audit--as statistical databases are known to be problematic with regard to these things.

  19. Mage Silver badge

    Pixel?

    Also the "recommended" Facebook button/icon offered to website builders has javascript etc to track. Facebook will also know the previous URL.

    I'm sure that after a while Facebook / Google etc have a very complete profile. Think how many people use same name on different forums that also have every form of Google and Facebook tracking.

    They'd know which area you live in, though geoip can be wrong. What sites you use, how often and when.

  20. FlippingGerman

    Did FB even read GDPR?

    Doesn't look like it. Or perhaps they think they can get away with it? I rather suspect the ICO and EU equivalent are itching to give someone a massive fine.

  21. Anonymous Coward
    Anonymous Coward

    I hear the sounds of..

    hundreds of FB lobbyists with suitcases full of cash marching off to influence lawmakers and the collective head scratching of 3 letter government agencies trying to figure out a way to block this as a matter of "National Security" without making it too obvious.

  22. tallenglish

    Front for the NSA

    I agree with some others that this info is really only useful to organisations like the NSA and CIA to track users.

    I am sure they have backend access to all the buckets in Amazon, Google docs and tracking data, FB user base and this supposidly anonymous data so they could tell you more about yourself than you know yourself.

    Snowden likely only knew small part of the state sponsored spying in the USA, why else are they so paranoid of others like Russia (takes one to know one).

  23. Anonymous Coward
    Anonymous Coward

    things NoScript handled while I read that article...

    theregister.co.uk, regmedia.co.uk - allowed

    facebook.net, twitter.com, dpmsrv.com, outbrain.com, google-analytics.com, googletagmanager.com - blocked

    It's kinda funny how that works. Are your decision makers not communicating with your humble hacks, Reggie? Would it make any difference?

  24. Anonymous Coward
    Anonymous Coward

    My DNS just has blackhole entries for the root domains

    *.fbcdn.net

    *.facebook.com

    etc.

    Don't forget to block those nice 'free' fonts from google as well...

    fonts.googleapis.com

    or as it's stored in my blackhole list:-

    *.googleapis.com

    The powershell script is from https://cyber-defense.sans.org/blog/2010/08/31/windows-dns-server-blackhole-blacklist/

    I've been using it since early 2011, needed a few tweaks to prevent unintended blocks (youtube etc.) and there are curated lists available of advertising / malware domains (same thing really) to get you started.

    To pre-empt the expected 'what about usage on public connections' question - simple, no personal details are used or stored on devices used outside of our control, personal devices are on a separate vLAN to work devices and all devices used in public are either hobbled to prevent use outside of their intended work purpose (no browser etc.) or only connect to our own 'walled garden' via VPN.

  25. Ken Hagan Gold badge

    "It's also hard to tell how well ad or tracker blockers work without this kind of data."

    It's also hard to tell whether FB is actually capable of targetting ads as well as they claim when selling ad-targetting as a service to their customers. Now ... we wouldn't want *that* kind of information getting into the public domain now, would we?

  26. Sean o' bhaile na gleann

    A while back, I added a comment to a similar article "Fork it! Google fined €4.34bn over Android, has 90 days to behave". I'll repeat it here because I believe it to be applicable in this case, too:

    "I may be missing something here, but what, in practical terms, could the Competition Commission do if Google said 'No'. Not going to argue… not going to appeal... just 'No, not going to pay'."

    (and this time I'll add: "or just ignore the situation - don't even bother to respond")

    Change "Competition Commission" to "GDPR" (or whatever the authority's name is) and "Google" to "Facebook", and the same question holds.

    Yes, I can already hear people proposing responses to such an event along the lines of "shutting the gate" on Facebook - requiring all ISPS to block them, etc. Well, we all know that such a restriction would last, oh, thirty seconds or so, give-or-take 25, before someone developed a workaround and published it.

    Don't get me wrong - I fully agree with almost everyone here, that Facebook, Google, etc should not be collecting data on me and selling it on or otherwise making use of it **unless I say it is OK to do so** (and they would have to work extremely hard to make me say that).

  27. Danny 2
    Joke

    Why Does it Always Rain on Me?

    Is it because I Facebooked when I was seventeen?

  28. Jtom

    Two things:

    It sounds like FB is trying to say if you collect no data, you are following the law; if you collect some data, you must follow the law, and provide a copy of it to the ‘owner’; but if you collect a lot of data, you may ignore the law, and refuse to provide a copy to the owner. Good luck with that logic if it ever hits a courtroom.

    Secondly, if a non-subscriber discovers FB have been electronically following him without his knowledge or permission, sooner or later this will be charged as a criminal complaint of stalking, and the perpetrator does not need to know the name of his victim to be guilty.

  29. DebitShield

    ‪Prediction: fb will pay a token gesture fine to clear media interest but it won’t go any further due to fb providing Gov with covert intel on people/groups of government interest. ‬

  30. Keith Tayler

    Keith Tayler

    I made the same request last June and as yet have heard nothing. It has not surprised me as I have never managed to get a reasonable response from FB. For years I have complained about scam ads, "news" feeds and no timeline feeds but have been brushed off by an algorithm. However, it is always worth complaining because it all forms part of 'my' data which might be useful in the future.

  31. bdg2

    Great. Now they're going to outlaw collection of anonymized data and make them individually identify us instead. :-(

  32. Anonymous Coward
    Anonymous Coward

    Zuckerborg

    You wrote Zuckerborg. Ha ha.

  33. Jake Maverick

    Was always taught that the law was effectively the same under the Data Protection Act. But the DPA Registrar nor the Information Commissioner actually did anything to enforce it or even investigate. Couldn't even get the data that local council or past employers were holdingon me to name few examples...I even went to court over it, to no avail....just ignored So I'm very doubtful this will actually go anywhere either.....expect the response to be something along the lines of going to take couple of years, but ahem..Brexit so we not going to bother.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Other stories you might like