What you don't know about how Facebook uses your data

WASHINGTON — Mr Mark Zuckerberg, Facebook's chief executive, went to Capitol Hill this week to explain to members of Congress how the detailed personal information of up to 87 million Facebook users ended up in the hands of a voter-profiling company called Cambridge Analytica.

What Mr Zuckerberg got instead, as he testified before the House Energy and Commerce Committee on Wednesday (April 11), was a grilling about Facebook's own data-mining practices.

Representative Debbie Dingell (D-Michigan), for one, wanted to know about Facebook's use of different types of tracking software to follow consumers' activities on millions of non-Facebook sites all over the web.

"It doesn't matter whether you have a Facebook account," Ms Dingell said to Mr Zuckerberg. "Through those tools, Facebook is able to collect information from all of us."

Facebook meticulously scrutinises the minutiae of its users' online lives, and its tracking stretches far beyond the company's well-known targeted advertisements. Details that people often readily volunteer — age, employer, relationship status, likes and location — are just the start.

Facebook tracks both its users and nonusers on other sites and apps. It collects biometric facial data without users' explicit "opt-in" consent.

And the sifting of users can get quite personal. Among many possible target audiences, Facebook offers advertisers 1.5 million people "whose activity on Facebook suggests that they're more likely to engage with/distribute liberal political content" and nearly 7 million Facebook users who "prefer high-value goods in Mexico."

"Facebook can learn almost anything about you by using artificial intelligence to analyse your behaviour," said Peter Eckersley, the chief computer scientist for the Electronic Frontier Foundation, a digital rights nonprofit. "That knowledge turns out to be perfect both for advertising and propaganda. Will Facebook ever prevent itself from learning people's political views, or other sensitive facts about them?"

Many other companies, including news organisations like The New York Times, mine information about users for marketing purposes. If Facebook is being singled out for such practices, it is because it is a market leader and its stockpiling of personal data is at the core of its US$40.6 billion (S$53.1 billion) annual business.

Facebook uses a number of software tools to do this tracking. When internet users venture to other sites, Facebook can still monitor what they are doing with software like its ubiquitous "Like" and "Share" buttons, and something called Facebook Pixel — invisible code that's dropped onto the other websites that allows that site and Facebook to track users' activity.

Ms Dingell asked Mr Zuckerberg how many non-Facebook sites used various kinds of Facebook tracking software: "Is the number over 100 million?" He said he'd have to get back to her with an answer.

"There are common parts of people's experience on the internet," Matt Steinfeld, a Facebook spokesman, said in a statement. "But of course we can do more to help people understand how Facebook works and the choices they have."

While a series of actions by European judges and regulators are trying to curb some of the powerful targeting mechanisms that Facebook employs, federal officials in the United States have done little to constrain them — to the consternation of American privacy advocates who say Facebook continues to test the boundaries of what is permissible.

Facebook requires outside sites that use its tracking technologies to clearly notify users, and it allows Facebook users to opt out of seeing ads based on their use of those apps and websites.

That has not stopped angry users from airing their grievances over Facebook's practices.

In 2016, for example, a Missouri man with metastatic cancer sued Facebook. The suit, which sought class-action status, accused the tech giant of violating the man's privacy by tracking his activities on cancer centre websites outside the social network — and collecting details about his possible treatment options — without his permission.

Facebook persuaded a federal judge to dismiss the case. The company argued that tracking users for ad-targeting purposes was a standard business practice, and one that its users agreed to when signing up for the service. The Missouri man and two other plaintiffs have appealed the judge's decision.

Facebook is quick to note that when users sign up for an account, they must agree to the company's data policy. It plainly states that its data collection "includes information about the websites and apps you visit, your use of our services on those websites and apps, as well as information the developer or publisher of the app or website provides to you or us."

But in Europe, some regulators contend that Facebook has not obtained users' explicit and informed consent to track them on other sites and apps. Their general concern, they said, is that many of Facebook's 2.1 billion users have no idea how much data Facebook could collect about them and how the company could use it. And there is a growing unease that tech giants are unfairly manipulating users.

"Facebook provides a network where the users, while getting free services most of them consider useful, are subject to a multitude of nontransparent analyses, profiling, and other mostly obscure algorithmical processing," said Johannes Caspar, the data protection commissioner for Hamburg, Germany.

In 2015, for instance, the Belgian Privacy Commission ordered Facebook to stop systematically using "long-term and uniquely identifying" codes to track nonusers without their "unequivocal and specific consent." The agency subsequently sued Facebook. In February, a judge in Brussels ordered Facebook to stop tracking "each internet user on Belgian soil" on other websites.

Facebook has appealed the decision. In his comments in the House hearing on Wednesday, Mr Zuckerberg said Facebook tracked nonusers for security purposes — to ensure they could not scrape public data about Facebook users.

But, in one presentation on the case, Belgian regulators wrote: "Tracking nonusers for security purposes is excessive."

And on Friday, the Italian Competition Authority said it was investigating Facebook for exercising "undue influence" by requiring users to let the company automatically collect all kinds of data about them both on its platform and off.

"Every single action, every single relationship is carefully monitored," said Giovanni Buttarelli, the European data protection supervisor, who oversees an independent European Union authority that advises on privacy-related laws and policies. "People are being treated like laboratory animals."

Regulators have won some victories. In 2012, Facebook agreed to stop using face recognition technology in the European Union after Caspar, the Hamburg data protection commissioner, accused it of violating German and European privacy regulations by collecting users' biometric facial data without their explicit consent.

Outside the European Union, Facebook employs face recognition technology for a name-tagging feature that can automatically suggest names for the people in users' photos. But civil liberties experts warn that face recognition technology could threaten the ability of Americans to remain anonymous online, on the street and at political protests.

Now a dozen consumer and privacy groups in the United States have accused Facebook of deceptively rolling out expanded uses of the technology without clearly explaining it to users or obtaining their explicit "opt-in" consent. On Friday, the groups filed a complaint with the Federal Trade Commission saying that the expansion violated a 2011 agreement prohibiting Facebook from deceptive privacy practices.

Facebook sent notices alerting users of its new face recognition uses and said it provides a page where they can turn the feature off.

Facebook has other powerful techniques with implications users may not fully understand.

One is a marketing service called "Look-alike Audiences," which goes beyond the familiar Facebook programs allowing advertisers to target people by their ages or likes. The look-alike audience feature allows marketers to examine their existing customers or voters for certain propensities — like big spending — and have Facebook find other users with similar tendencies.

Murka, a social casino game developer, used the feature to target "high-value players" who were "most likely to make in-app purchases," according to Facebook marketing material.

Some marketers worry that political campaigns or unscrupulous companies could potentially use the same technique to identify the characteristics of, for instance, people who make rash decisions and find a bigger pool of the same sort of Facebook users.

Facebook's policies prohibit potentially predatory ad-targeting practices. Advertisers are able to target users using the look-alike service, but they do not receive personal data about those Facebook users.

Jeffrey Chester, executive director of the Center for Digital Democracy, a nonprofit group in Washington, however, warned that this look-alike marketing was a hidden, manipulative practice — on a par with subliminal advertising — and said it should be prohibited. THE NEW YORK TIMES