[Air-L] Facebook's New Privacy Policy (Version from September 7): What Has Changed?

Christian Fuchs christian.fuchs at uti.at
Sat Sep 17 08:33:12 PDT 2011

What is Facebook’s New Privacy Policy All About? More Complexity, More
Intransparent Data Storage, Continued Internet Prosumer Commodification,
Ideological Pseudo-Participation, and a Reaction to the Privacy Complaints
Filed by “Europe versus Facebook”.


On September 7th, 2011, Facebook changed its privacy policy, replacing the
policy that was updated on December 22, 2010.

The policy’s length increased from 35 709 characters to 40 085 characters
(from approximately 11 single-spaced A4 pages to 12), which shows that the
complexity of the regulations increased.

Facebook continues to collect data about user behaviour from other websites.
New policy: “Sometimes we get data from our advertising partners,
customers and other third parties that helps us (or them) deliver ads,
understand online activity, and generally make Facebook better. For
example, an advertiser may tell us how you responded to an ad on Facebook
or on another site in order to measure the effectiveness of – and improve
the quality of – those ads”.

Old policy: “Information from other websites. We may institute programs
with advertising partners and other websites in which they share
information with us:

    We may ask advertisers to tell us how our users responded to the ads
we showed them (and for comparison purposes, how other users who
didn’t see the ads acted on their site). This data sharing, commonly
known as “conversion tracking,” helps us measure our advertising
effectiveness and improve the quality of the advertisements you see.
    We may receive information about whether or not you’ve seen or
interacted with certain ads on other sites in order to measure the
effectiveness of those ads.“

The content of this regulation has not much changed, but Facebook now
claims that it collects information about users from other websites in
order to “make Facebook better”. It is intransparent to the single user,
which data from which websites Facebook stores about him/her. If a lack of
data storage transparency “makes Facebook better” is a question of
interpretation. The question is if it makes Facebook a privacy-respecting
platform or not.

The regulations about the storage of location data have been expanded,
which reflects the increasing importance of mobile Internet use and
therefore of mobile targeted advertising for Facebook:
New policy: “We may put together your current city with GPS and other
location information we have about you to, for example, tell you and your
friends about people or events nearby, or offer deals to you that you
might be interested in. We may also put together data about you to serve
you ads that might be more relevant to you. When we get your GPS location,
we put it together with other location information we have about you (like
your current city). But we only keep it until it is no longer useful to
provide you services”.
Old policy: “When you access Facebook from a computer, mobile phone, or
other device, we may collect information from that device about your
browser type, location, and IP address, as well as the pages you visit“.

Another new quality of Facebook’s privacy policy is the “instant
personalization” feature. Facebook shares certain user data with other
platforms, with which it has entered business partnerships. The first time
a user goes to the partner website, the platform should inform him/her
that it uses Facebook information about the user. In Facebook’s privacy
settings, one can turn off instant personalization for all of Facebook’s
partner sites. This is, however, a opt-out solution, which shows that
Facebook wants to share the information it collects about users with
partner sites so that they can also use the data for targeted advertising.
This circumstance is typical for the networked character of Internet
commerce and shows how strongly advertising culture shapes social media
and the World Wide Web (WWW). If a user at some point of time decides to
deactivate instant personalization, but used a Facebook partner site that
employ instant personalization before, the data that the partner site uses
is not automatically deleted: “If you turn off an instant personalization
site after you have been using it or visited it a few times (or after you
have given it specific permission to access your data), it will not
automatically delete your data. But the site is contractually required to
delete your data if you ask it to”. This means that the user has to
explicitly write to Facebook’s partner sites to delete personal data.
Furthermore, it is not transparent to a single user, which data exactly
Facebook partners store about him or her. Facebook’s instant
personalization feature increases the non-transparency of data storage.

The description of how targeted advertising works on Facebook has changed,
but not the content of the description. Facebook still makes use of all
user data, user communication data, user browsing behaviour, and even data
collected from other websites in order to sell these data as commodity to
advertising clients that serve targeted ads to users. Facebook thereby
makes profit, the users create value, are not paid for this work and their
data becomes a commodity. I have termed this process Internet prosumer
commodification (see the articles here, here and here). Facebook’s
advertising settings have remained unchanged. There is no opt-in
advertising and targeted advertising is always activated. The only opt-out
options concern social adverts and the use of names and pictures in
third-party advertisements.

Regulations about targeted advertising in the new privacy policy: “We do
not share any of your information with advertisers (unless, of course, you
give us permission).When an advertiser creates an ad on Facebook, they are
given the opportunity to choose their audience by location, demographics,
likes, keywords, and any other information we receive or can tell about
you and other users. For example, an advertiser can choose to target 18 to
35 year-old women who live in the United States and like basketball. Try
this tool yourself to see one of the ways advertisers target ads and what
information they see at: https://www.facebook.com/ads/create/ If the
advertiser chooses to run the ad (also known as placing the order), we
serve the ad to people who meet the criteria the advertiser selected, but
we do not tell the advertiser who any of those people are. So, for
example, if a person clicks on the ad, the advertiser might infer that the
person is an 18-to-35-year-old woman who lives in the US and likes
basketball. But we would not tell the advertiser who that person is.
After the ad runs, we provide advertisers with reports on how their ads
performed. For example we give advertisers reports telling them how many
users saw or clicked on their ads. But these reports are anonymous. We do
not tell advertisers who saw or clicked on their ads.
Advertisers sometimes place cookies on your computer in order to make
their ads more effective. Learn more at:
Sometimes we allow advertisers to target a category of user, like a
“moviegoer” or a “sci-fi fan.” We do this by bundling characteristics that
we believe are related to the category. For example, if a person “likes”
the “Star Trek” Page and mentions “Star Wars” when they check into a movie
theater, we may conclude that this person is likely to be a sci-fi fan.”

Regulations about targeted advertising in the old privacy policy:
“Advertisements. Sometimes the advertisers who present ads on Facebook use
technological methods to measure the effectiveness of their ads and to
personalize advertising content. You may opt-out of the placement of
cookies by many of these advertisers here. You may also use your browser
cookie settings to limit or prevent the placement of cookies by
advertising networks.  Facebook does not share personally identifiable
information with advertisers unless we get your permission. [...] We don’t
share your information with advertisers without your consent. (An example
of consent would be if you asked us to provide your shipping address to an
advertiser to receive a free sample.) We allow advertisers to choose the
characteristics of users who will see their advertisements and we may use
any of the non-personally identifiable attributes we have collected
(including information you may have decided not to show to other users,
such as your birth year or other sensitive personal information or
preferences) to select the appropriate audience for those advertisements.
For example, we might use your interest in soccer to show you ads for
soccer equipment, but we do not tell the soccer equipment company who you
are. You can see the criteria advertisers may select by visiting our
advertising page. Even though we do not share your information with
advertisers without your consent, when you click on or otherwise interact
with an advertisement there is a possibility that the advertiser may place
a cookie in your browser and note that it meets the criteria they

The policy regulation concerning deletion of an account has been changed.
The major change is that Facebook now says that all information of an
account will be deleted at latest 90 days after the user deleted the
account, whereas the regulation in the old policy was somehow unclear,
saying on the one hand that data is deleted, but on the other hand “that
Facebook we may retain certain information to prevent identity theft and
other misconduct even if deletion has been requested“.

New policy: “When you delete an account, it is permanently deleted from
Facebook. It typically takes about one month to delete an account, but
some information may remain in backup copies and logs for up to 90 days.
You should only delete your account if you are sure you never want to
reactivate it. You can delete your account at:
Old policy: “When you delete an account, it is permanently deleted from
Facebook. [...] Additionally, we may retain certain information to prevent
identity theft and other misconduct even if deletion has been requested.
[...] Limitations on removal. Even after you remove information from your
profile or delete your account, copies of that information may remain
viewable elsewhere to the extent it has been shared with others, it was
otherwise distributed pursuant to your privacy settings, or it was copied
or stored by other users. However, your name will no longer be associated
with that information on Facebook. (For example, if you post something to
another user’s profile and then you delete your account, that post may
remain, but be attributed to an “Anonymous Facebook User.”)  Additionally,
we may retain certain information to prevent identity theft and other
misconduct even if deletion has been requested. If you have given third
party applications or websites access to your information, they may retain
your information to the extent permitted under their terms of service or
privacy policies.  But they will no longer be able to access the
information through our Platform after you disconnect from them. Backup
copies. Removed and deleted information may persist in backup copies for
up to 90 days, but will not be available to others“.

On August 18, 2011, members of the initiative “Europe vs. Facebook” that
was founded by Austrian law students filed a complaint against Facebook to
the Irish Data Protection Commissioner. Facebook Europe is legally
registered in Ireland. The initiative members made 16 complaint points and
asked the Commissioner to check Facebook violates European data protection
laws in these 16 privacy areas.

One point of complaint is that Facebook engages in excessive processing of
data. One of the complainers demanded from Facebook to send him the data
it stores about him. Although he had deleted his account, he received a
print out with 1 200 pages of personal data stored about him by Facebook.
This topic is addressed in the complaint under point 15: “After using
facebook.com for 3 years, Facebook Ireland gathered more than 1.200 pages
of personal information about me (in fact Facebook Ireland might hold a
much bigger amount of data, see Complaint 10), even though I have deleted
just about everything I could (e.g. all my posts, all messages, and many

The Irish Data Protection Act says that data “(iii) shall be adequate,
relevant and not excessive in relation to the purpose or purposes for
which they were collected or are further processed, and (iv) shall not be
kept for longer than is necessary for that purpose or those purposes“ (DPA
§2 (1) (c) (iii) (iv)). The EU Data Protection Directive regulates that
”Member States shall provide that personal data must be: [
](c) adequate,
relevant and not excessive in relation to the purposes for which they are
collected and/or further processed” (Directive 95/46/EC of the European
Parliament, §6 (1) (c)).

Another complaint is that Facebook does not use opt-in options and thereby
may breach the regulation that users have to give consensus to the
processing of their personal data. This regulation is specifically
important among other topics also for targeted advertising, which is
organized without opt-in on Facebook. “2A. (1) Personal data shall not be
processed by a data controller unless section 2 of this Act (as amended by
the Act of 2003) is complied with by the data controller and at least one
of the following conditions is met: (a) the data subject has given his or
her consent to the processing or“ (Irish Data Protection Act, §2A (1)
(a)). “Member States shall provide that personal data may be processed
only if: (a) the data subject has unambiguously given his consent”
(Directive 95/46/EC of the European Parliament, §7 (a)).

Facebook’s change of the data deletion regulations from rather ambiguous
and unclear formulations to a clearer version may reflect the circumstance
that a complaint against its privacy practices has been filed. This might
be a direct reaction to the complaints filed by “Europe versus Facebook”,
which were however filed on August, 18th, 2011, whereas Facebook changed
its policy on September 7th. Therefore the old privacy policy is subject
of the complaints. Furthermore it looks like many of the privacy areas
addressed by the complaints have not been cleared out by the new privacy
policy. “Europe versus Facebook” is not only a highly important
initiative, it also shows that companies are unlikely to voluntarily
protect users’ privacy, but to be only willing to do so if they feel the
threat of the state’s law enforcement capacities. The profit motive is so
inherent to companies that they always tend to put profit interests above
users’ privacy concerns. The only two alternatives are to make use of the
law for enforcing privacy protection and to support the creation of
alternative non-profit platforms.

Facebook has changed the content sharing options, it is now relatively
easily possible to define with whom one wants to share content and to
share it only with customized users. This change is also reflected in the
privacy policy (in the section titled “Control over your profile”). It is
likely that it has been taken because Google in June 2011 introduced its
own social networking site Google+, which poses competition to Facebook
and is based on the “friend circles” concept that allows customization of
content. Other new regulations include a section about tagging (“Tags”),
the possibility for other websites to provide a login into their sites by
enabling users to log in with their Facebook accounts (section “Logging in
to another site using Facebook”), social plugins (section “About social
plugins”), sponsored stories (section “Sponsored stories”), and featured
content (section “Featured content”).

A new regulation is that Facebook says that it allows users to vote
privacy changes under certain circumstances: “Unless we make a change for
legal or administrative reasons, or to correct an inaccurate statement, we
will give you seven (7) days to provide us with comments on the change. If
we receive more than 7000 comments concerning a particular change, we will
put the change up for a vote. The vote will be binding on us if more than
30% of all active registered users as of the date of the notice vote”.

This regulation is extremely unclear. One can interpret every imaginable
privacy policy change as legal change, administrative change or change of
an inaccurate statement. It is therefore arbitrary and unclear, on which
changes Facebook users are able to vote or not. Furthermore no link for
comments is provided. It is also unlikely that 30% of all registered users
will ever engage in a vote because privacy policy matters are a complex
issue. It looks like Facebook wants to respond to the criticism that users
have no decision-rights about the privacy of their personal data, but at
the same time wants to immunize itself against loosing control of decision
making power.

We can summarize the changes of the Facebook privacy policy that took
effect on September 7th, 2011:

* The change of Facebook’s privacy policies has come shortly after members
of the initiative “Europe versus Facebook” filed privacy violation
complaints against Facebook to the Irish Data Protection Commissioner.
* The length and complexity of Facebook’s privacy policy has increased.
* Facebook has introduced new features like instant personalization that
have increased the non-transparency of data storage. It is not clear for a
user, which data Facebook stores about her/him, with whom Facebook shares
user data, and which data exactly Facebook partners store.
* Facebook continues to receive data about users from other websites.
* Facebook continues to commodify user data by using targeted advertising.
It does not use opt-in for advertising, targeted ads are automatically and
always activated. Internet prosumer commodification continues to be
Facebook’s capital accumulation model.
* Facebook has implemented a user participation mechanism in privacy
decision-making that is formulated in an extremely shallow way so that
this regulation seems to be an ideological pseudo-participation strategy.

More information about the Air-L mailing list