This is a semantics argument. Facebook considers "your data" things you uploaded to Facebook intentionally.
They do not consider "things people learned about you by watching you" or "things people said about you" your data, they consider it their (the watchers or speaker) data.
It's not all that different from how photography laws work in different countries. If someone takes a picture of you, is it their picture, or your picture?
EDIT: Im in agreement this doesn't match up with GDPR. Outside of Europe, facebook can treat "Your Data" differently, and the button can function differently in different places.
If Alice wrote on Bob's wall, it should be a part of both Alice's and Bob's takeout. Similarly, if I am tagged in a photo, it should be a part of my takeout. Imagine if my email provider (Google Gmail) said you can only takeout the emails in your sent folder.
In fact, I'd argue if Alice has made their contact information (email, phone number, physical address) visible to Bob, it should be a part of Bob's takeout. Including Alice's location history (provided Alice shared it with Bob) would probably be pushing it a little but only because it becomes difficult to argue for people with whom too many people share data with but anything that Bob is explicitly and manually tagged and is visible to Bob on Facebook in should definitely be a part of Bob's download.
Facebook can't have it both ways: you can't make it easy (by default) to share and still use the data as a moat.
Following your metaphor, what about email between Bob and Carol which mentions Alice explicitly, using her name and email address? Should Alice be entitled to a copy of that private message between Bob and Carol?
Does information become yours if it is about you, even if you aren't a participant in it's creation or distribution?
It's easy to argue that advertising distribution lists are private conversations between FB and advertisers, and hard to argue that they're not. Saying I'm entitled to a copy of that conversation if I'm mentioned becomes a hard position to take.
So to be clear, you agree that advertising distribution lists shouldn't be included in the takeout request? GP's point was that you're not a party to the conversation in that situation either.
I don’t think I’m asking for much here. If I have access to it on Facebook on my profile, in my message box, or somehow associated with my profile, it should be a part of my takeout is all I’m saying. How is this controversial?
Obviously not. The cases are where parties are explicitly included: my timeline, tagged in photos, etc. Mention someone, w/o direct linkage doesn't include that communique in their dataset.
The posted story is about exporting the list of parties who UPLOADED your contact info to facebook. An advertiser who bought a list, and presses import.
Should you be able to ask for every photo ever taken of you? Lets say someone in public takes a photo, its their private work, copywritten, and never distributed to the public. Youre in the background. Can you request a full copy if their image?
Honestly, that would be pretty cool. And, in an interesting version of this world, a company like Facebook could have enabled such a self-awareness. And done it with the intent of allowing people that kind of self-growth.
It's odd that the imagined objective data-collection about one's self that many people dream about actually exists (and many could use for self-improvement), and it is instead only available to those wishing to extort us. And that that kind of socialized agreement that all may contribute to each others' growth is now impossible, but not for technical, but for weird policy/economic reasons. I'd love to be able to purchase every photo ever taken of me at Facebook's market info rate - what, $200?
Even if one were to agree that this would be reasonable, would you say facebook would be liable if the tool failed in some cases? And how do you enforce that, one way or the other?
Algorithms that recognize people in photos aren't (and probably never will be) 100% accurate, especially in this context (people in the background of photos will often be partially obscured, poorly lit, maybe really small/far away, etc.).
If that photo was sold to corporations and used for some revenue-generating service I would say yes, I should be allowed to see or request them...isn't that what Facebook is doing with the data? Distributing it publicly?
If Alice is moving her phone book between Apple and Google, we do want her data export to include Bob's phone number. Anything else would be absurd.
If Alice is sharing her facebook profile with an online personality survey, we don't want her data export to include Bob's phone number. That would be a huge invasion of Bob's privacy.
Alas, it's impossible to know what Alice is planning to do with the data when she downloads it.
Email is not a good analogue because it doesn’t have the concept of revocation or editing. Facebook posts can always be deleted... and Alice can always delete her post from your wall...
> I'd argue if Alice has made their contact information (email, phone number, physical address) visible to Bob, it should be a part of Bob's takeout.
What about Alice's friends-only posts? What about the comments on those posts? What about Charlie's posts, where Charlie is a friend of Alice and has set their posts to "visible to friends-of-friends"?
as basch said, that's not how copyright works in photography. If you're tagged in a photo as a subject of that photo, it is not your photo, and if you take a copy of it then that's a breach of copyright. It belongs to the photographer.
Our expectations don't match with actual law here.
We’re not talking about copyright, though - we’re taking about privacy rights, and - even if we discard compelling fair use arguments - everyone who uses Facebook gives them a license to distribute the photos they upload to the site to others for various reasons. Copyright law doesn’t really come into play, and of course much data involved here isn’t even copyrightable.
I think this is a country- and thus law-specific case.
In Germany, AFAIK, if the picture has less than five people on it, it is considered a photo of you, and both you and the photographer have a copyright on it.
EDIT: Maybe not the entire copyright, but you definitely have a say as the subject in such a photo, including barring it from the public against the photographer's wishes, if you please.
this is true, and we obviously have Model Release Forms for a reason, but the point remains that just because it's a photo of you, it's not your photo.
If you explicitly and manually tag me in a photo and it shows up on my profile, it should be a part of my takeout. I don’t understand what you’re having difficulty understanding. I never said use machine learning to comb through all photos ever uploaded to Facebook and add them to my takeout. I don’t think what I’m saying is controversial at all.
The entire music industry fought global legal battles for decades claiming that making a copy of something that someone else holds copyright on, even for your own personal use, is a crime.
I don't think you can waive copyright with a ToS, either. I could be wrong, though.
You don't "waive" the copyright, you just give Facebook a worldwide, royalty-free, irrevocable, etc, etc license to do whatever they need with the photo, including adding it to the data download archives of the persons pictured.
"Facebook considers "your data" things you uploaded to Facebook intentionally."
Thought experiment: How is Facebook different from a file hosting service.
Do file hosting services provide access to analytics? Do the hosting companies take the position that any information about who is accessing the user's files belongs to the hosting company, not the user? Can user's control how a file hosting service "promotes" their files.
Facebook has never been transparent about who is accessing "your data". Users have a limited view of who is looking at their profiles and posted content. A Facebook account amounts to a "personal website" for many people. It is their own set of globally accessible (but not necessarily "public") webpages, often displaying their own content, hosted on someone else's (Mark Zuckerberg's) public website, allegedly with per page "access controls". Free web hosting, with extremely limited analytics.
Imagine if a Facebook user could look at a log of every username and IP address that accessed her Facebook profile each day. Pre-Facebook, there were early "social networks" that revealed to each user the other users who had looked at their profile. It is interesting that Facebook has never done that. Perhaps having this information would be eye-opening for many Facebook users. Those accessing a user's Facebook profile and posted content may not necessarily be her "family", "friends", "colleagues" or "people [she] may know". Perhaps the reasons a user's profile is being accessed are not ones that the Facebook user might expect, nor agree with.
The only reason I know that they have my phone number, is because a couple of years back they decided that getting me to enable two-factor auth would be much easier if they prefilled the phone number field with my phone number
They probably got this phone number from the address books of any friend of mine with an android phone (as Android required accepting all permission request to use an app, until a couple of years ago),
When I go download my data from Facebook, the data doesn't show that they have a phone number linked to my account
> ‘personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;
Facebook might not consider it data, but the GDPR does.
They do not consider "things people learned about you by watching you" or "things people said about you" your data, they consider it their (the watchers or speaker) data.
It's not all that different from how photography laws work in different countries. If someone takes a picture of you, is it their picture, or your picture?
EDIT: Im in agreement this doesn't match up with GDPR. Outside of Europe, facebook can treat "Your Data" differently, and the button can function differently in different places.