No, Facebook is not telling you everything

Facebook's "Download Your Information" feature only gives you part of the picture. Information about advertisers uploading lists with your personal information is limited in time, which prevents users from exercising their rights.

Key findings
  • Despite Facebook's claim, "Download Your Information" doesn't provide users with a list of all advertisers who uploaded a list with their personal data
  • As a user this means you can't exercise your rights under GDPR because you don't know which companies have uploaded data to Facebook
  • Information provided about the advertisers is also very limited (just a name and no contact details), preventing users from effectively exercising their rights
  • The recently announced Off-Facebook feature comes with similar issues, giving little insight into how advertisers collect your personal data and how to prevent such data collection
Long Read

In 2018, following the Cambridge Analytica scandal, Facebook announced the “Download Your Information” feature, allowing users to download all the information that the company has on them since the creation of the account. All of it? It doesn’t seem so. When Facebook released the feature, concerns were quickly raised that the information was inaccurate and incomplete.

Privacy International recently tested the feature to download all ‘Ads and Business’ related information (you can access it by clicking on Settings > Your Facebook Information > Download Your Information). This is meant to tell users which advertisers have been targeting them with ads and under which circumstances. We found that the information provided is less than accurate. To put it simply, this tool is not what Facebook claims. The list of advertisers is incomplete and changes over time.

Ads section on Facebook “Download Your Information” page.

“Advertisers Who Uploaded a Contact List With Your Information”

Among the data downloaded, users can see which advertisers have uploaded a list that contains their personal data. On the advertiser side, Facebook calls this the “Custom Audience Tool”; it allows a company to upload a list of “customers” in order to target them (or avoid them). To be effective, this contact list needs to contain a unique identifier for the person (see Facebook’s documentation). This is usually an email address, a phone number, an Advertising ID or a user’s Facebook UID, but it can go way beyond that. In the template provided by Facebook, advertisers can also include all sorts of information they might have, such as name, gender, country, street, zip code, age or even date of birth.

Contact list template provided by Facebook

This advertiser-facing feature assumes that companies are in possession of this information because of an existing relationship with you. Under GDPR, this means that the company uploading this information must have a legal basis for processing this data. From a user’s perspective, it means we should be able to properly check which companies think we are their “customers”. This is clearly part of our right under data protection law to information about what data a company has on us.

Convenience for advertisers, opacity for users

Unfortunately for users, exactly how this tool is used to exploit their data is obscure and opaque. Facebook’s "Download Your Information" tool is supposed to let you see the companies that uploaded a list containing your data from the moment you created your account. Yet, after testing this feature at different points in time, we found that this is not the case.

Download your information page with dates going from account creation to date of download

Indeed, we’ve found that the list provided by Facebook varies from one month to the next, removing some companies that appeared previously and adding new ones. This goes hand in hand with a recent move by Facebook to limit the number of advertisers displayed on the site (without downloading anything, by visiting your Ads preferences when you are signed in) to the last 7 days.

Altogether, this means that there is no way for users to know all the companies who uploaded a list with their data to Facebook. This prevents people from exercising their rights under GDPR - despite there being a clear obligation to facilitate the exercise of these rights…
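Because each download only reflects a moving window, the only way to keep a complete record is to archive every download and merge them yourself. The sketch below is an added example, not Privacy International's or Facebook's code; it assumes each archive exposes the advertiser names as a JSON list under a `custom_audiences` key (an assumption about the export layout), and the three snapshots are constructed sample data.

```python
import json
from datetime import date

# Constructed sample data: three downloads of the same account's archive.
# The "custom_audiences" key and flat list of names are ASSUMPTIONS about
# the export format; adapt load_advertisers() to your own archive.
SNAPSHOTS = {
    "2019-11-01": '{"custom_audiences": ["Acme Shoes", "Example Airline", "Sample Bank"]}',
    "2019-12-01": '{"custom_audiences": ["Example Airline", "Sample Bank ", "Demo Records"]}',
    "2020-01-01": '{"custom_audiences": ["sample bank", "Demo Records", "Placeholder Telecom"]}',
}

def load_advertisers(raw_json, key="custom_audiences"):
    """Return {normalised name: name as displayed} for one archive."""
    names = json.loads(raw_json).get(key, [])
    # Collapse whitespace and case so trivial spelling changes between
    # downloads are not counted as a different advertiser.
    return {" ".join(n.split()).casefold(): n.strip() for n in names if n.strip()}

def build_timeline(snapshots):
    """Merge dated snapshots into first-seen/last-seen records per advertiser."""
    timeline = {}
    for day in sorted(snapshots, key=date.fromisoformat):
        for norm, shown in load_advertisers(snapshots[day]).items():
            rec = timeline.setdefault(norm, {"name": shown, "first_seen": day})
            rec["last_seen"] = day
    return timeline

def dropped(timeline, snapshots):
    """Advertisers listed in an earlier download but absent from the latest."""
    latest = max(snapshots, key=date.fromisoformat)
    return sorted(r["name"] for r in timeline.values() if r["last_seen"] != latest)

if __name__ == "__main__":
    tl = build_timeline(SNAPSHOTS)
    print(f"{len(tl)} advertisers seen across all downloads")
    for name in dropped(tl, SNAPSHOTS):
        print("no longer listed:", name)
```

The merged timeline gives the first and last date each advertiser was listed, which is the kind of evidence a user can attach to a subject access request.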

This is an issue we see both at the back end (in the Download Your Information tool) and at the front end, in the ads that we see, where there is a lack of transparency from Facebook on how advertisers target you. The lack of information and the difficulties in exercising rights reinforce an opaque environment where people are unaware of how their data is gathered, shared and used to profile and target them.

Off-Facebook activity, a new window to the opacity

On 28 January 2020, Facebook announced the roll-out of another new feature called Off-Facebook activity. This tool is meant to let you “see and control the data that other apps and websites share with Facebook”.

Unfortunately, this tool is once again a tiny sticking plaster on a much wider problem. While we welcome the effort to offer more transparency to users by showing the companies from which Facebook is receiving personal data, the tool offers little way for users to take any action.

Do we Facebook? Do we?

First, the information provided about the companies is again limited to a simple name, preventing the user from exercising their right to seek more information about how this data was collected. As users we are entitled to know the name/contact details of companies that claim to have interacted with us. If the only thing we see, for example, is the random name of an artist we’ve never heard of before (true story), how are we supposed to know whether it is their record label, agent, marketing company or even them personally targeting us with ads?

Second, the details about the data transfer are extremely limited. Using Facebook’s Download Your Information once again only provides limited information about what Facebook receives (some events are marked under a cryptic CUSTOM). There is also no information regarding how the data was collected by the advertiser (Facebook SDK, tracking pixel, like button…) and on what device, leaving users in the dark regarding the circumstances under which this data collection took place.

Example of an off-Facebook activity detail in a downloaded archive

Finally, this tool illustrates just how impossible it is for users to prevent external data from being shared with Facebook. Without meaningful information about what data is collected and shared, and about how the user can opt out of such collection, Off-Facebook activity is just another incomplete glimpse into Facebook’s opaque practices when it comes to tracking users and consolidating their profiles.

So what?

Social media, and Facebook in particular, are going through a trust crisis. Years of failures and abuses have raised concerns about their ability to harness the power they give to advertisers (be they political or private) and to be transparent with their users in any meaningful way.

In this context, the failure to provide meaningful information, combined with inaccurate and thus misleading information about the “Download Your Information” tool (the information you download is supposed to be exhaustive), is yet another breach of trust.

Online advertising is already a hot mess (see our work on AdTech), and while regulators are expected to take action, we need the companies dominating this business to lead by example. Facebook should ensure the tools it offers to its users are accurate and effective. The current state is unacceptable.