"This was a major breach of trust," conceded Mark Zuckerberg after it emerged that Facebook's policies had facilitated the misuse of user data. Speaking to CNN in 2018, the company's founder outlined "a basic responsibility to protect people's data", adding, "Our responsibility now is to make sure that this doesn't happen again."
Today, Privacy International (PI) – a charity that focuses on how technology impacts our human rights – is alleging that something similar has happened again: advertisers have misused users' data on Facebook and undermined their rights to privacy.
In October of 2019, PI began an investigation – published today – into advertisers that upload their customers' personal data to Facebook, using the site's "Download Your Information" (DYI) tool. "Looking at the limited and often inaccurate information provided by Facebook," PI said in their research findings, "it became quickly obvious that something was wrong."
Having used the DYI tool, seven PI staff members sent subject access requests to companies to obtain personal data that had apparently been uploaded to Facebook, which included "unique identifiers" such as phone numbers, emails, dates of birth, and gender. Every single staff member found "at least a few" brands or advertisers they had never heard of, which were not mentioned in the information downloaded from Facebook directly.
That presented an important question: if you've never even come across a brand before, how could they have your personal data?
This question, they say, kickstarted a "long and torturous" process involving numerous data subject access requests. In the end, they found "major problems" – the biggest being that some companies are advertising on Facebook using data they have no right to use.
"It highlights not only how little users can understand about what's happening behind the scenes, when it comes to online targeted advertising, but also exposes unlawful practices," PI concluded. "Again and again, there was no transparency or legal justification as to the uploading and use of this data. And that's just the start."
Brands found to have uploaded user data to Facebook without individuals' consent or knowledge included the dating app Happn (data from inactive users was found on Facebook) and artists (such as James Blake and Led Zeppelin) associated with the Universal Music Group.
There are some explanations as to how this could have happened, PI notes. A company could have bought out a rival and merged their data pools, been sloppy with their data or enlisted the services of a marketing agency which offered to combine huge lists of prospective clients. The opacity of Facebook makes it hard to untangle, but whatever the reason, says PI, "the result is problematic and raises questions under data protection law".
In response, Happn admitted that one PI staff member's information was still in a database shared with Facebook, when it should have been removed. Otherwise, they said that if Privacy International "requesters have seen Happn promoted content on Facebook while they were in the restriction list, it was not under any particular instructions from Happn".
Universal Music Group note that they "work with third party partners who are granted advertising access to artist Facebook accounts, along with the ability to 'Create Custom Audiences'. These partners often include management, record labels, tour promoters, ticketing companies, merch operators, agencies and others."
Facebook also blamed outside parties. "This report confuses the basic mechanics for how online advertising works in an effort to suggest an invasion of people's personal privacy by Facebook," a spokesperson told VICE News. "The truth is advertisers obtain people's information for these ads outside of Facebook – without us providing it to them. In fact, we show people how their information is being used for these ads, and then go a step further to provide an opt-out for seeing ads from specific advertisers or the ads targeted from a specific business's customer list."
Facebook makes money by selling targeted ads to its 2.6 billion monthly active users. When you become a user, you have a right to understand who is targeting you with ads and how they are doing that. Facebook knows this, which is why they have the "Why am I seeing this ad?" tool. Launched in 2014, it is designed to make this process more transparent. But PI argues that the amount of information shared is very limited and "usually insufficient".
The next option for someone wanting to exercise their right to know how they are being targeted is the "Download Your Information" tool. This ostensibly provides a more detailed description of why ads get served to users – but, says PI, in reality simply gives you a list of advertisers that have uploaded your data within the previous seven to 15 days. The next step is to check "Advertisers Who Uploaded a Contact List With Your Information" in advertising settings. However, Facebook currently doesn't tell users what information was uploaded, and only on rare occasions did advertisers tell PI what data they had used.
"We demonstrated [that] the information Facebook gives you about advertisers is often inaccurate," says PI. "The list of advertisers who have uploaded your personal data changes from one month to the other, with some of them simply disappearing, which means the list is not as extensive or complete as Facebook wants us to believe.
"Facebook sometimes only tells you that there was a CUSTOM interaction with a given app or website, leaving users in the dark as to how, when and where this interaction happened, and how consent was obtained."
The PI report also claims Facebook makes it difficult for users to seek information about companies using and profiting from their personal data.
"Our investigation demonstrated how difficult it is to contact an advertiser when the only information Facebook gives you is a link to their Facebook page," it notes. "As a user, it should be easy to contact the company responsible for the advertising and question why they have data about us. But with the little information Facebook gives, your only options are to either contact the Facebook page (which requires you to use Facebook further) or search the name of the company to look for contact information. This is not an acceptable situation."
PI now demands that the "Download Your Information" tool is further developed to make it comprehensive, accurate and fit for purpose. They also want the tech giant to provide users with complete information about the data uploaded by advertisers and how it was obtained in the first place.
On top of that, they're urging Facebook users to look at the list of advertisers using their data (through Settings) and to send their boilerplate message to every advertiser they've never heard of. That way, they hope, companies will reconsider their current practices and start to obtain consent for the use of data.