Facebook’s New Privacy Policy: A Briefing for Internet Users

NPO_Radio_1_logo_2014.svgOn Tuesday 23 December, Dutch public radio interviewed me along with privacy commissioner Jacob Kohnstamm, and journalist Rachid Finge about the implications of Facebook’s new privacy policy that you’re basically forced to accept from 1 January 2015 if you continue using the service, as well as the myths surrounding this update. I was going to translate the discussion into English, but decided to write a longer briefing piece based on the interview’s topic instead, which may serve to help people make up their mind whether they want to accept Facebook’s new terms. This piece is about the state of American privacy policies for European users, the fragile state of our laws that are lagging behind technology by several decades, and some efforts of politicians to deal with the potentially troubling financing models of the Internet. And – since we’re currently at a very important crossroads to collectively influence the future of Internet privacy – some possible solutions.

I’ve compiled some main points in bullet points, but added the longer briefing below that I would encourage you to read before 1 January 2015.

Disclaimer: The below is mainly an explanation and only my point of view where explicitly stated. The dilemmas resulting from internationally conflicting privacy laws are some of the topics that I’m currently researching, and I haven’t yet formulated conclusions. Neither should this be considered legal advice: it is an explanation of current law and regulation for interested Internet users who may or may not be lawyers.


  • Facebook is updating its privacy policies and asking Internet users for their implicit consent of some new methods of data collection and use (by continuing to use the website), instead of explicit consent in the form of an ‘I Agree’ button, as required by European law.
  • The new privacy policy is easier to read, but is unclear about the many data collection, processing and marketing activities with personal data. It gives you control over you data in what appear to be a so-called Privacy Theatre (see below for explanation), but enables the collection of your whereabouts at all times and access to your mobile phone by combining data from the recently purchased Whatsapp with your Facebook data. This is likely due to the Internet’s current financing model: targeted advertising.
  • Privacy regulators are threatening Facebook with financial penalties, which they’ve recently started handing out to other Internet companies for similar violations. It seems that these penalties serve to get Internet privacy onto the policy agenda more than hurting the companies financially.
  • Facebook (along with several other American Internet companies) settled in Ireland for corporate tax reasons, but is now also enjoying the relatively weak Irish privacy oversight to sideline European privacy laws to some extent.

My main interview points:

  • It is alleged that Facebook is breaching European Union law by asking you to implicitly agree to its new end user license agreements (such as the data/privacy policy). This should be done explicitly, for example by clicking ‘I Agree’ after having been presented with the new terms.
  • Ordinary users currently cannot understand how their data is actually collected and used. They would therefore click ‘I Agree’, anyway, without understanding the wider context and effect of what they agree to. The longer term effects of the market for personal data that finances much of the Internet as well as the free services we use to support our daily activities is difficult to comprehend. The dangers range from acute and immediate to more abstract and hypothetical (but no less real, albeit in a not-too-distant-future). The short-term benefits of using online services, however are usually more apparent.
  • Current practices by companies significantly reduce the legal protection of European citizens on the Internet. Current privacy laws may be out of date, but current practices place companies above legislators. We are seeing some useful action from regulators, but until the European Data Protection Regulation is in force – which updates our current privacy law – the law will remain largely ineffective.

Possible user actions:

  1. If you’re fine with the ever-expanding collection of your data, keep using Facebook after 1 January 2015. Many people are – and will be – OK with this, but I’d still recommend you carry on reading to become a more informed Internet user.
  2. If you do have issues with the current state of personal data collection, let Facebook know here that you’re an unhappy or vigilant user. User trust is Facebook’s main asset. If they lose substantial user trust (and thus user numbers decrease significantly), the company will be forced to listen and change their personal data collection, processing and marketing.
  3. Let politicians know that Internet privacy is a topic that needs to be taken seriously. European politics can shape Internet privacy right now (literally over the next few months), so it is important to let individual politicians know that this is a policy field they should engage with actively.
  4. Collective demands: options 2 and 3 are nice, but individual complaints are not as effective as coordinated (though civilised) action. Join and support digital rights organisations such as EDRi, Open Rights Group, Bits of Freedom, Electronic Frontier Foundation, etc. for a few euros/pounds/dollars per month and let them know Internet privacy is the reason you’ve joined. This will shape their agenda and focus over the next year. These organisations have much experience speaking to Internet giants and politicians, so are in a good position to represent Internet user’s concerns.



Introduction: Privacy Policies, Financing the Internet and the Greatest Lie Ever

Free online services like Facebook are mainly financed by selling tailored advertisements to their users. By logging into Facebook, sharing content like status updates and pictures, browsing the web and also by merely using apps like Whatsapp on our phone, we generate data about ourselves. The more data you provide – willingly or unwittingly – about your life, your activities, social relationships and your interests, the more accurate your profile becomes. Competition in the targeted online advertising market drives down prices, so companies need more data about users to be able to increase or merely maintain profit margins. Recording, analysing and marketing every aspect of your life has become the financing model of the Internet as we know it.

When you join online services, you are most likely asked to lie about having read the exasperatingly long ‘terms of service’, ‘privacy policies’, or ‘data use policies’. These documents can be several dozens of pages long and are usually written in unnecessary difficult legalese, which appears to be engineered to confuse and exhaust readers. Collectively clicking the ‘I have read and understood the terms of service’ or the ‘I Agree’ buttons is probably the biggest collective lie ever told. If you don’t agree, you are excluded from using these services, so most Internet users don’t bother reading and just want to log in to start sharing holiday pictures and collecting ‘likes’, without regard for how this data will actually be used.

Facebook’s new terms of service that will come into force on January 1st for all its users world wide are a great case in point to lay out how these policies work, what they enable, how they reduce scrutiny and why you may become worried about the future of your privacy, even if you have nothing to hide.

Facebook is a very innovative company that is constantly introducing new ways to collect and analyse personal information in order to keep up in the Internet financing scramble and to boost its advertising revenues. Privacy laws generally require users to agree to new channels of personal data flows, which is usually facilitated by an update in the terms of service or privacy policies. Facebook took this opportunity to respond to critics and made its forthcoming terms of service more readable to average users. Although such a move should normally be applauded, Facebook’s new data policy is a great example of Privacy Theatre (from the German “Datenschutztheater”), trying to gain user trust with relatively meaningless privacy controls over who can view your pictures, and being as vague as possible about its vast data analytics, profiling, behaviour prediction and the marketing of your life.

The vague wording of the new policies has led to many myths and much speculation by self-proclaimed social media experts that are distorting media coverage of these new terms of service. I will not dispel these untruths in this post, but give a basic and understandable explanation about why Facebook’s new terms are reason to worry. Hopefully this will make Internet users more informed, but also guide media coverage in it’s attempt to cover the weird and wonderful world of Internet law and politics.


(Information) Privacy

To comprehend why changes in a privacy policy are important to understand for a user’s perspective, we should attempt have a common definition of the concept of privacy first, however difficult it is to agree on the exact wording.

Privacy itself is a vague concept, which has been found to be difficult to define precisely by scholars, legislators or concerned Internet users discussing Facebook’s new privacy policy in the pub. It is more useful to focus on the subset ‘Information Privacy’, which deals with information about people, and forms the basis for much privacy law and regulation. The most useful explanation of Information Privacy is given by Professor Helen Nissenbaum, which I rephrase for my Ph.D. research as:

“A violation of information privacy occurs when personal information moves across contexts and is used in a manner that was not explicitly known when the information was initially given.”

With current computational capacity and based on current technological forecasting, it is safe to say that collected personal information will now be stored and accessed indefinitely. It is actually cheaper, easier, more efficient and – above all – more profitable to store and analyse all collected personal information forever. Thereby, the information ecosystem in which we live will never forget many of our actions, and all will be used to analyse and predict our behaviour, or make decisions about individuals.

Add to these databases all information about your whereabouts (with whom, where for how long), all communications (with whom, but also contents), information left on funny online quizzes or useful websites (e.g. for wedding planning), and information on the websites you visit, some companies are getting a very clear picture of your life.

In short, some hypothetical – but not unrealistic – scenarios of information privacy violation harms:

In the short term you’re confronted with adverts of products that an algorithm has predicted you will be interested in, based on comparisons with similar people (such as the example of a major chain store in the US sending promotional baby products to a secretly pregnant 16-year olds parental house).

In the medium term institutions such as governments, insurance companies and banks refuse you certain services based on the profile that they were able to purchase from companies like Facebook,[1] or differentiate their pricing based on what they predict your financial position is.

In the longer term, when companies like Facebook have gone bankrupt and the vast databases containing all our information have been sold to the highest (as yet unknown) bidders or claimed by more oppressive governments, blackmail is a rampant feature in society. You may decide not to join the new political organisation, because you know that someone, somewhere, has information with which they will stop you from challenging existing power structures. To most people, it is not worth the risk to express strong opinions due to the chance of a backlash, so self-censorship becomes the norm, afraid the all-encompassing databases will be used against you.

This last example may be farfetched, but if the sentence “information (or knowledge) is power” holds true, it is not unrealistic. Go download see this documentary “Terms and Conditions May Apply” to learn more about recent violations of Internet privacy that will blow your mind, here’s the trailer:

Personal information collection, storage, processing and dissemination by Internet companies create a power imbalance between individuals and the existing institutions. To quote Murphy’s Law: “What can go wrong, will go wrong.” We don’t have to look too far in history to see countless examples where an information imbalance and misuses of power have led to disastrous situations and individuals found themselves powerless. The amount of information available today (and in future) on almost every individual is incomparably huge compared to the information that has been misused in the past.

Much more has been researched and written about the effects and harms of ubiquitous information collection by governments and companies like Facebook. This section served to show what potential scenarios we can realistically expect. Let me know if you wish to discuss or know more about the literature on potential privacy harms (including the ‘unknown unknowns’).


New Data Collections by Facebook

Facebook already collects, processes, stores and uses a lot of data from its users; see their Data Use Policy for an overview. This includes basic information that you provide or upload yourself. The data is enriched with information from every website you visit that provides a  button or other monitoring tools. The ‘like’ button is not merely a simple image link, but the cover of an elaborate data collection mechanism that tracks nearly all of your moves online. Your online behaviour outside Facebook is further identified by data it receives from third parties, so you can assume that most of your web browsing is tracked, recorded and analysed. Further, information about your computer, tablet or phone is also transmitted.

The reason for Facebook to update their privacy policy is to enable new data collections to occur. The main new methods for information collection that Facebook appears to seek your implicit consent for are the following:

  • Tracking of your location at all times via the Facebook (or Whatsapp) app on your mobile phone, and then storing this information for further analysis. In the radio interview I stated that this is probably the biggest cause for concern, as Facebook will now be able to infer which activity you undertook with whom at which exact moment in time, using sophisticated data analytics and data fusion techniques. This goes way beyond the information that you trustingly give to Facebook – location data is hugely sensitive information that is very easily analysed.
  • Combining data gathered through apps like Whatsapp and Instagram with your existing Facebook data, whereby Facebook gains access to parts of your mobile phone, most notably your contacts.
  • Information about payments made through the Facebook platform, to enable its forthcoming e-commerce feature, which makes sense if they want to offer product via their website, not really a problem here I think.

Facebook is letting its users know that they implicitly agree to these new methods of information collection, processing, storing and dissemination of personal data if they log into their account from 1 January 2015. This is important to keep in mind for the legal explanation in the next section.

Many myths exist about what is data collected and how it can be used. For example, Facebook states that you give it a license to use your copyright protected information, possibly to serve social advertisements (such as using your name to promote a brand that you ‘like’). This has been the case for many years: you’ve always owned the copyright to pictures and texts, but you also granted Facebook a license to use your content in whichever way it fancies. This is partly necessary to display your uploads to your friends in their feeds. I highly doubt Facebook will ever use your pictures on a billboard to promote a brand, because that would have a huge impact on general user trust. However, copy/pasting a notification that you forbid the use of the content that you upload to Facebook is useless in many ways: you’ve already given them a license when you lied about reading the terms and conditions, and it only shows Facebook how ignorant their users really are.

My experience and advice would be not to actually read the privacy policy yourself if you’re interested in how Internet companies use your data. Make sure you think a bit further than the Privacy Theatre that you’re confronted with in the policies, though, because some (not all!) Internet companies want to collect every last bit of information about you to remain relevant in the ever more competitive targeted advertising market.


Conflicting International Privacy Law Systems

Before explaining the legal status of the new privacy policy, it is necessary to give a brief background of the conflicting international privacy law systems, since the American and European systems differ significantly:

Europe considers the protection of information privacy to be a fundamental human right, contrary to the US where privacy is a right that is mostly left to parties to contractually agree upon. European law also gives Internet users many statutory rights, such as the right to have data corrected, deleted, or to object to certain methods of data collection.

In Europe, each transaction of personal data is regulated a 1995 directive on the protection of personal data,[2] which is based on legal frameworks from the 1970s (pre-internet adoption). Both legal systems require consent from users to the collection of personal data. However, European citizens must give explicit consent (for example by clicking ‘I Agree’ to privacy policies) for new information transactions. In the US, it is sufficient to agree to a privacy policy once, and allow a clause in the policy that states that companies like Facebook are free to change the policy as they see fit.

So, if Facebook wants to adhere to European law, it cannot ask users to implicitly agree to the new privacy policy by continuing to use the service after 1 January 2015: it must ask users to explicitly agree by clicking a button. This small requirement will likely not change much as most Europeans will carry on the lie that they have “read and accepted” the new privacy policy. However, it does serve to inform the interested and vigilant user of the changes, instead of implementing new data collections and surveillance methods without warning.


Legal and Political Reality: Facebook Above the Law?

Facebook and other Internet companies have tried to sideline the more restrictive European privacy law by binding their users to US law in the terms of service to which nearly everyone agrees. However, it is not that easy to sign away fundamental rights in Europe. Because European citizens enjoy a human rights protection of information privacy, such clauses are ineffective in theory, and European courts should still be able to rule on privacy breaches by American companies on Europe citizens.

Facebook has tried to argue that European law is not applicable, because all data processing takes place on their servers that are based in the United States. However, the privacy law working group that advises the European Commission (the so-called “Article 29 Working Party”) has frequently stated that European law should apply when data is collected by means defined by Internet companies, such as through apps or ‘cookies’ on European phones, computers and tablets based in Europe. In 2014 several courts in European Member States and even the Court of Justice of the EU have (finally) ruled that European law is applicable for violations of European Internet user’s rights.

Companies like Facebook are trying to activate a loophole in European law, however. When these companies collectively settled their European headquarters in Ireland for corporate tax reasons about a decade ago, it appears that weak regulatory oversight was part of the motivation. Internet companies are claiming that if European law is applicable, they’re only subject to regulatory oversight by the Irish due to the location of their headquarters. Conveniently, Irish regulatory oversight is relatively unsubstantial, see for example their office (on the right):

European privacy regulators typically employ dozens if not hundreds of people. Until his retirement in September 2014, Billy Hawkes operated the de facto European Internet privacy oversight from this tiny office that is located next to a small convenience store about an hour’s drive away from the central Irish government. The former Irish privacy regulator gave Facebook the privacy-thumbs-up in audits and compliance checks with some obvious recommendations, which s striking because several other European privacy regulators are standing in line to fine these companies heavily for privacy violations, based on the very same data protection law.


European Privacy Investigations and Penalties

About two years ago, national privacy regulators in several European countries began cautious but ambitious investigations into some Internet companies’ personal data practices. Several courts in Europe have strengthened these investigations by ruling that European law is applicable to Internet privacy cases. The Dutch privacy regulator has now made a first move by fining Google €15 million if they don’t comply with European law by the end of February 2015. Facebook is the next target in the Dutch regulator’s crosshairs.

A penalty of €15 million will not be a particularly thorny issue for Internet giants, which are amongst the most wealthy companies in the world. The penalty is not entirely toothless either, however, for the following reasons:

  • It shows that European privacy regulators need more enforcement possibilities to safeguard Internet privacy. The current draft update of the European privacy law would allow significantly larger fines, that would make European’s privacy concerns a boardroom issue in Silicon Valley. It’s no surprise that this legislative update is rather a hot potato in Brussels at the moment and is constantly being delayed due to (extremely) heavy lobbying.
  • The penalty signals to politicians that there is a serious privacy issue on the Internet, and may encourage them to get involved, even if they don’t understand the details.
  • The penalty signals to Internet users (via the media) that these frequent updates to privacy policies are not to be taken lightly.
  • And Internet companies will now understand that the loopholes and circumventing of European law has come to an end. With the legislative update of European privacy looming, they may start to consider privacy issues more seriously. Some companies already do, and should be applauded for their efforts to meaningfully engage with critics.

There’s a lot more to be done. Legal compliance with out-dated laws will not be sufficient to maintain user trust over the next few years, I predict. Internet privacy is becoming an ethical issue that will require constant scrutiny, as well as an understanding from several disciplines, such as Internet engineering, sociology, the social sciences, ethics, etc. I have posited some thoughts on the future of privacy law and engineering in a recent interview with Imperica.


Continue to Use Facebook?

The radio interviewer asked whether the interviewees will use Facebook in 2015, when the new terms come into force. I answered that I will, because it is one of my fields of research. There is more to it, though. Facebook offers me easy access to all my friends and family, who live all over the world. I am genuinely concerned about the privacy issues, however, and will keep working to ensure Internet users can trust the Internet, it’s services and the mobile phones, laptops and tablets we use for everything we do. A secure balance can and will be found, but we’re still a long way from finding it.

Finally, the reporter suggested that I should become a politician to work on these issues. I think, however, working closely with data driven companies such as Facebook or government agencies like the NSA and GCHQ will yield better results than joining the political game. Being an Internet researcher gives me the independence to write these types of pieces and work with organisations that seek advice.

[1] It is not yet possible to buy information directly from Facebook, but personal information can be bought easily and cheaply in a huge grey (or rather: Black) market. In it’s scramble for financing, it is not unthinkable that Facebook will not allow this within the next few years.

[2] Try making sense of that!