Irish privacy watchdog sticks GDPR probe into Facebook after that online giveaway of 533 million profiles

Ireland’s Data Protection Commission this week launched an investigation into whether Facebook failed to adequately protect users' personal info – and whether it fell foul of GDPR – when a package of 533 million profiles was given away for free online. Phone numbers, email addresses, birthdays, and marital status had been …

  1. Doctor Syntax Silver badge

    "Phone numbers, email addresses, birthdays, and marital status "

    At the same time the IDPC might ask FB and the rest why birthdays and marital status is held. I understand that there may be requirements to know that an individual is over a certain age but that's simply a Boolean parameter, a date is not required.

    Perhaps el Reg could also ask them. Lately Google has taken to nagging about needing a date of birth on "my" phone account, alleging this to be a legal requirement but somehow overlooking any citation of the statute or explaining why it thinks this can only be satisfied by a date. Given that no actual name is attached to the account it's a little OTT, but it seems, at least for the time being, satisfied with the date of the start of the Unix epoch.

    1. a pressbutton

      "why birthdays and marital status is held"

      ...So you can target your adverts a bit less inefficiently?

      1. Doctor Syntax Silver badge

        Not a legal requirement. In fact, in this jurisdiction, a legal disrequirement.

    2. Kevin Johnston

      Googlified

      I have had the nagging too but it seems that any date which defines you as over 13 years old is good enough. I also tried to find out what legislation demanded this with no success, and since an account is required to be able to use an Android-based phone it seems to be aimed at reducing sales, since there will be little this provides which Google didn't already have in other forms.

      1. katrinab Silver badge

        Re: Googlified

        It is the Children's Online Privacy Protection Act 1998. A US federal law that applies to American companies interacting with children anywhere in the world.

        1. Doctor Syntax Silver badge

          Re: Googlified

          And does that require an actual date of birth as opposed to over x years old? And why not cite it as part of the request?

          It's an interesting situation. US federal law may require them to ask some minimal question. I'm damned if I can see any US law applying to me, here, which compels me to answer.

          1. schultzter

            Re: Googlified

            It's more convoluted than that. They need to maintain parental consent and can't advertise to kids under the age of 13. So kids are expensive and un-profitable! Something similar exists in most countries, so they leave it as an exercise to the reader to infer how & why the question is being asked; that way they avoid stating it explicitly and constraining themselves to it.

    3. LDS Silver badge

      It's Facebook... it does retain everything it thinks could be useful to sell ads and bring more people in to sell more ads.

      How could you suggest "your friend X has a birthday and just left her fiancé (and is open to new relationships) - here some ads about birthday cards, flowers, restaurant/hotel bookings and condoms/baby apparel" - there's real money to be made there!

      1. Imhotep Silver badge

        Purchased Data

        Facebook also buys information on you from other sources, so odds are they know if you own a home, your income and other info.

        And this information is not covered by any of their Facebook wording, since it was not obtained through Facebook, but through outside sources.

        1. Dave559 Silver badge

          Re: Purchased Data

          How would they know that such data is "you", however?

          Users give them a name, a date of birth (neither of which may be entirely accurate), and an email address (and anyone with any sense will spin up a new one; yes, I know).

          I know that the USA has shamefully poor data non-protection laws, but can companies really ask random other companies (and credit check agencies, etc) for everything that they have about an identifiable real-world person based just on a (potentially) matching email address and no more?

          Most online advertising works on the basis of an id that the ad server has, usually based on cookies, and getting information about what sites that id visits through their embedded ads reporting back (which is what allows them to gradually surmise interests and then attempt to serve more "relevant" ads). But, as far as I am aware, they don't know who that id belongs to, unless they are both the ad server and the organisation that the real-world person has an account with (which in the case of Facebook, Google, Microsoft (do they have an ad division?), and Apple) they (each respectively) are.

    4. Phil O'Sophical Silver badge

      "satisfied with the date of the start of the Unix epoch."

      I'd have tried something older, maybe 17-Nov-1858, just to see what broke.

      1. Andy The Hat Silver badge

        Circumstances meant I helped an elderly relative set up a current account. The system was ok and apart from one hiccup the account appeared ok ... except it wasn't. Turned out the "hiccup" caused the account setup to fail. Much toing-and-froing over the next few days established that the person had lived in the same house for a long time and the "how long have you lived in your property" field wouldn't validate 85 years!

        1. Phil O'Sophical Silver badge

          Incorrectly picky website validations

          I've had similar problems trying to hire a car in France. I got my UK driving licence when I was 17½, 17 being the minimum age in the UK, but in France you have to be 18 or older. When I complete an online car hire form with my DoB and licence date it often insists that there is an error. Since the DoB is perhaps the more critical date I usually have to lie about when I got my licence.

      2. Gene Cash Silver badge

        Android date widgets do break for anything pre-01-JAN-1900. Sigh.

        1. Kevin Johnston

          Well, now we know what to use as DoB. Will Google notice that all their customers were born on 1st Jan 1900, do you think?

    5. iron Silver badge

      Google has legal requirements to prevent children from seeing apps that are not suitable for them and have several different age classifications, not just child=true/false. How do you propose they do that without at least a year of birth?

      Those legal requirements are in every global jurisdiction. Which statute would you like them to cite? Laws from USA, UK, France, Germany, Italy, Switzerland, South Africa, Ukraine, Malaysia, etc, etc, etc? Listing them all is not feasible, and writing a separate prompt depending on what country your device appears to be in may be wrong and would utilise developer time that could be better spent elsewhere.

      1. don't you hate it when you lose your account Silver badge

        ?

        would utilise developer time that could be better spent elsewhere.

        To do such a complex job would obviously bankrupt the company. Sorry but that's just a crap cop out.

      2. Ben Tasker Silver badge

        > How do you propose they do that without at least a year of birth?

        So request a year of birth rather than a full DOB?

        Given that, rightly or wrongly, a DOB is often used as a verification step on calls to financial institutions, utilities etc, collecting it unnecessarily so that it can leak later is unwise.

        > what country your device appears to be in may be wrong and would utilise developer time that could be better spent elsewhere.

        > ...

        > Google has legal requirements

        That's very much Google's problem to solve, not their users'. They've opted to save the developer time and annoy users instead - you can't really complain when those users express that they're annoyed by it.

    6. hoola Silver badge

      The trouble is that this information has been lost and is now in the hands of even more people who should not have it.

      The penalties for losing the data and the potential impact of that on the people it affects are never proportionate.

      Once the information has been exposed, that is it. You cannot undo it, get it back, etc. because most of it is unique and personal to the people affected.

      If we had fines in the billions and prosecutions for CEOs, directors, presidents etc then there just might be slightly more focus on not losing the stuff in the first place.

      So much data has been lost that the people involved in matching and aggregating different data sets probably have more information than anyone.

    7. Dave559 Silver badge

      birthdays and marital status

      "At the same time the IDPC might ask FB and the rest why birthdays and marital status is held."

      Those data are held if people willingly provide them as part of their profile, which many people do (so that friends can wish them "Happy Birthday" on the appropriate date, and to fend off (or attract) potential suitors as appropriate).

      I think you do have to provide date of birth, for "proof" [sic] of age, as you say, although I'm sure that's just so that Facebook can say it has taken steps to check that it is not allowing under-age children to set up accounts.

      It's an interesting argument whether having users just tick a box saying "I am 13 or older" or "I am 18 or older" would be seen to "cover their ass" in the event that Facebook (or any age-restricted site) would get in trouble under the various internet age restriction laws around the world. I suspect that absolutely all of them ask for and store the date of birth so that they can be seen to be "doing the right thing" in a more emphatic way than just an "I am 18 or over" boolean in the DB?

  2. Anonymous Coward

    Finally a way to tax FB?

    "or up to four per cent of their previous year’s global annual revenues,"

    1. uncle sjohie

      Re: Finally a way to tax FB?

      The GDPR also allows a non-profit organization to make claims on behalf of groups of people, similar to what are called "class action" lawsuits in the US. And the GDPR governing body of the EU country is to take in account the way they became aware of the breach, the way the company treated the problem, how they communicated with the persons involved, etc. I'm not sure the 4% is a sum for all of a year, or the max for one single infringement. Maybe the Irish will go easy and stop at 25 cases...

    2. marcellothearcane

      Re: Finally a way to tax FB?

      And everyone else is paying 30%+ tax...

  3. tiggity Silver badge

    data slurp

    I do not use FB (obviously!)

    But it's my understanding that this style of social media tries to get a user to import their contacts, e.g. phone contacts.

    I would be happy if this is not the case any more with GDPR, I know it used to be.

    e.g. many family members have my contact details & vice versa (as obviously we may want to contact each other for reasons from catchup chat through to family emergency, depending)

    I'm obviously happy with family members having those details but I'm MASSIVELY not happy about that data subsequently getting slurped by FB, Twitter, etc. as no way have I consented to that. Especially as a numpty relative may well have added my birthday to phone contact details (as they obviously know my birthday & then get reminders), and so FB could get that and other stuff they may have recklessly added about me.

    So, even though I never use my real birthday anywhere (bar where legally required, e.g. bank, doctor) there's a chance FB could get my real birthday (useful for impersonation attacks) & even more horrendous details (some phone contact apps store relationships, so via numpty family members FB could potentially get standard security questions such as mother's maiden name (stupid question anyway, lots of kids of unmarried mothers where maiden name = current name)).

    1. Anonymous Coward

      Re: data slurp

      "But it's my understanding that this style of social media tries to get a user to import their contacts, e.g. phone contacts.

      I would be happy if this is not the case any more with GDPR, I know it used to be.

      e.g. many family members have my contact details & vice versa (as obviously we may want to contact each other for reasons from catchup chat through to family emergency, depending)"

      Ah, but here you have stumbled upon a fun backdoor of the GDPR: if a company asks you for your personal information it has to explain why it wants them and that data is subject to (happily ignored) rules, but there's nothing in the law for when they ask your friends for your details. That's why outfits like Facebook and LinkedIn are so happy that you tell them who you know.

      Also, if ANY of the people that has your details uses WhatsApp, Zuck already has your details. The first thing WhatsApp does when it starts up is export your entire address book to WhatsApp's data grabbing facilities - as a matter of fact, you will find that WhatsApp will refuse to work if you don't give it access to your address book. Facebook asking you for your phone number is only ID confirmation; the main purpose for asking is certainly not protecting you.

      1. Pseu Donyme

        re: GDPR backdoor

        It doesn't matter how personal data was obtained: it falls under the GDPR by simply being personal data* so Facebook needs Article 6** lawful basis for processing*** it. It is hard to see how there could be such a lawful basis for using data slurped from phone/address books for Facebook's own purposes (or even for slurping it in the first place).

        * definition: GDPR Article 4(1): ‘personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;

        ** https://gdpr-info.eu/art-6-gdpr/

        *** definition: GDPR Article 4(2): ‘processing’ means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;

      2. GloomyTrousers

        Re: data slurp

        > WhatsApp will refuse to work if you don't give it access to your address book

        Are you sure about that? I was forced to install it for... reasons... but never granted it access to my address book and it works fine. This is on Android.

  4. Pascal Monett Silver badge

    Another win for GDPR

    My, am I happy to live in the EU these days. Between Max Schrems and the European Court of Justice, there's no better place for a lover of privacy and Democracy.

    Those multinational behemoths will bow to the Will of the People.

    Some day.

    1. Anonymous Coward

      Re: Another win for GDPR

      Those multinational behemoths will bow to the Will of the People.

      Some day.

      I applaud your optimism, but don't share it.

    2. Alumoi Silver badge

      Re: Another win for GDPR

      Don't hold your breath!

      1. Stoneshop Silver badge

        Re: Another win for GDPR

        Indeed. Start with holding Zucky's breath instead, for, oh, ten minutes or so, and continue down the hierarchy as long as you like.

  5. anothercynic Silver badge

    Please fine them the 4%. Please please please

    Hit them where it hurts.

  6. ComputerSays_noAbsolutelyNo

    Rules vs. use

    I understand all who say "just don't use FB"; while I agree, and I also do not use FB itself, that misses the point.

    Who can actually say what else belongs to FB? Instagram and WhatsApp are well known for belonging to the zuckerverse; however, there could be more apps and services which have been gobbled up.

    So instead of shifting the burden to the customer (learning which services are bad and avoiding them totally is hard), we have a perfectly good reason to shift the burden to the services (since the privacy of the less-concerned people is worth protecting too).

    Simply saying "just don't use FB" is akin to not minding missing traffic regulation by saying "just don't use the streets", which simply doesn't cut it. At least for the wider public. Individuals might be successful though.

    1. Evil Scot

      Re: Rules vs. use

      Yes.

      A significant factor in VR platform selection.

    2. iron Silver badge

      Re: Rules vs. use

      > Who can actually say what else belongs to FB

      Anyone who reads the news. FB must disclose any companies they buy or invest in and that is always reported on El Reg and dozens of other sites, many of them nothing to do with IT.

  7. Mike 137 Silver badge

    Reality check

    "Companies can be fined up to €20 million ($24.1m), or up to four per cent of their previous year’s global annual revenues, depending on which is higher, if they have violated GDPR"

    They seldom if ever are though, even if that's the initially specified penalty. Practically every major fine so far has been negotiated down to coffee money on appeal - if for no other reason than that the resources of the offender are so vast that they could bankrupt the regulator by prolonging the legal process. So a "compromise" is usually reached that effectively lets the perp off the hook.

  8. Pseu Donyme

    According to the Dutch DPA merely failing to notify those whose data was leaked in a timely fashion was worth a fine:

    https://www.theregister.com/2021/04/01/booking_dot_com_fine/

    In this case the number of persons affected is orders of magnitude higher and so should be the fine.

  9. Anonymous Coward

    FB (etc.) ask for personal data, people provide it

    They willingly feed the money making troll.

    It’s a scam

    You’re the product

    They make bank

    You get fleeced
