During his appearances before Congress earlier this week, Facebook CEO Mark Zuckerberg repeatedly insisted that Facebook doesn't share user data with outside companies (though until recently it would allow advertisers to pay to use data from "third party" providers while targeting ads on Facebook's platform) and that the company allows users to delete their data any time.
But as Kevin Roose, a personal tech columnist for the New York Times, pointed out in a recent column, this is an overstatement, at best - and an outright distortion, at worst.
Roose describes himself as an irregular Facebook user, someone who rarely logs in and rarely posts, but occasionally uses his account to keep up with friends and family. Yet, when he downloaded the entire cache of data that Facebook had collected on him over the years, he was alarmed to discover that the company had kept data that he believed he had deleted long ago.
Of course, Roose isn't the first person to point out the dizzying amount of data that Facebook and Google collect on their users (both companies have made the caches available to download in the wake of the Cambridge Analytica scandal).
But Roose's examination of his data shows how Facebook refuses to delete data from its servers as a general rule - even when a user deactivates their account or deletes - for fear that it might become useful for targeting ads at some point in the future.
How Facebook collects and treats personal information was central this week when Mark Zuckerberg, the company’s chief executive, answered questions in Congress about data privacy and his responsibilities to users. During his testimony, Mr. Zuckerberg repeatedly said Facebook has a tool for downloading your data that “allows people to see and take out all the information they’ve put into Facebook.”
But that’s an overstatement. Most basic information, like my birthday, could not be deleted. More important, the pieces of data that I found objectionable, like the record of people I had unfriended, could not be removed from Facebook, either.
"They don’t delete anything, and that’s a general policy," said Gabriel Weinberg, the founder of DuckDuckGo, which offers internet privacy tools. He added that data was kept around to eventually help brands serve targeted ads.
Beth Gautier, a Facebook spokeswoman, put it this way: “When you delete something, we remove it so it’s not visible or accessible on Facebook.” She added: “You can also delete your account whenever you want. It may take up to 90 days to delete all backups of data on our servers.”
Digging through your Facebook files is an exercise I highly recommend if you care about how your personal information is stored and used. Here’s what I learned.
As Roose swiftly discovered, Facebook had the 764 names and contact information of everybody in his phone's address book, because he had uploaded it when he set up Facebook Messenger.
When you download a copy of your Facebook data, you will see a folder containing multiple subfolders and files. The most important one is the “index” file, which is essentially a raw data set of your Facebook account, where you can click through your profile, friends list, timeline and messages, among other features.
One surprising part of my index file was a section called Contact Info. This contained the 764 names and phone numbers of everyone in my iPhone’s address book. Upon closer inspection, it turned out that Facebook had stored my entire phone book because I had uploaded it when setting up Facebook’s messaging app, Messenger.
This was unsettling. I had hoped Messenger would use my contacts list to find others who were also using the app so that I could connect with them easily — and hold on to the relevant contact information only for the people who were on Messenger. Yet Facebook kept the entire list, including the phone numbers for my car mechanic, my apartment door buzzer and a pizzeria.
Roose also identified several instances where Facebook kept information ostensibly to help improve its user experience - like keeping his entire address book or keeping a history of every device and browser from which he has ever logged in - but had kept the data long after he had deleted it.
Facebook also kept a history of each time I opened Facebook over the last two years, including which device and web browser I used. On some days, it even logged my locations, like when I was at a hospital two years ago or when I visited Tokyo last year.
Facebook keeps a log of this data as a security measure to flag suspicious logins from unknown devices or locations, similar to how banks send a fraud alert when your credit card number is used in a suspicious location. This practice seemed reasonable, so I didn’t try to purge this information.
But what bothered me was the data that I had explicitly deleted but that lingered in plain sight. On my friends list, Facebook had a record of “Removed Friends,” a dossier of the 112 people I had removed along with the date I clicked the “Unfriend” button. Why should Facebook remember the people I’ve cut off from my life?
But perhaps the biggest disappointment for Roose was the list of advertisers with which Facebook had shared his contact information. The list contained dozens of advertisers Roose had never heard of - a result, the company said, of advertisers compiling data from third party sources and sharing it with Facebook.
What Facebook retained about me isn’t remotely as creepy as the sheer number of advertisers that have my information in their databases. I found this out when I clicked on the Ads section in my Facebook file, which loaded a history of the dozen ads I had clicked on while browsing the social network.
Lower down, there was a section titled “Advertisers with your contact info,” followed by a list of roughly 500 brands, the overwhelming majority of which I had never interacted with. Some brands sounded obscure and sketchy - one was called "Microphone Check," which turned out to be a radio show. Other brands were more familiar, like Victoria’s Secret Pink, Good Eggs or AARP.
Facebook said unfamiliar advertisers might appear on the list because they might have obtained my contact information from elsewhere, compiled it into a list of people they wanted to target and uploaded that list into Facebook. Brands can upload their customer lists into a tool called Custom Audiences, which helps them find those same people’s Facebook profiles to serve them ads.
The upshot of all this, Roose says, is that even if you're not an active Facebook user - even if you've never clicked on a single ad - advertisers could still possess reams of data about you. Because once one brand has your data, there's not much stopping them from sharing it as widely as possible.
Or, as Roose puts it, the advertising industry has eyes everywhere.