Facebook users would need to be paid more than $1,000 to deactivate their account for one year, a study published on Plos One from December 2018 has found. The benefits and utility of the service is undeniable, given its ubiquity and market value. Users have connected with friends and families, shared billions of photos and created countless events.

Despite this, in the wake of recent data breaches, fake news and political manipulation, now is as good a time as ever to inspect exactly what is being given up in exchange for use of this otherwise-free service.

What Facebook Know About You

It turns out the social ad business knows an awful lot about each of its users, which can be split into the following categories:

  1. Information actively and freely shared
  2. Information passively gathered directly from user interaction
  3. Information passively gathered from tracking tools around the internet
  4. Information acquired through other Facebook-owned applications
  5. Information paid for from third-party organisations

Let's briefly examine each category.

Actively-Shared Information

Some data is freely-shared to Facebook when you use the platform:

  • Your email address and phone number when you signed up
  • Every status update, comment and message shared
  • Every photo uploaded
  • Every event RSVP
  • Every update that you started to write out but decided to not publish
  • Every person you know and have as a friend on the platform

So far, this should be inherently obvious to anyone who has used the systems, as these constitute the main reasons to use the app in the first place.

Passively-Shared Information

When using the web-based application, Facebook save various pieces of metadata about your interactions:

  • Every time you log in, including your timezone
  • The IP address of your device
  • The type of device you are using
  • The type of browser you are using

Some of this will be required to make the offering better, such as optimising the look and feel on different devices and protecting accounts against security concerns.

From the Android application, they can:

  • Identify which other apps are installed and running on your phone
  • Read other accounts on the device (e.g. Google account details and others)
  • Read all calendar events
  • Record your precise location
  • Read your text messages (SMS and MMS)
  • Read your phone status, identity and call log
  • Read the contents of additional storage media
  • Record audio
  • View your network connections
  • Record battery usage statistics

Suddenly, there is a strong twist away from aggregating information required to run an optimised service, towards data-slurping everything they can because they can (and because they make money on it).

As far as I am concerned, the social network should never be allowed to read your call log, upload your contact book and see which other applications are installed. Any small convenience you may gain from each of these permissions is not worth the downside.

For example, when it comes to reading your text messages there is a tiny benefit that can be gained in being able to automate the process to validate your phone number when they send you an SMS verification code. However, trading this less-than-five-second convenience for a limitless permission to read all previous and future messages seems unwise from the user and deceptive from Facebook.

There are also more acute details to consider when it comes to Facebook uploading and analysing a user's contact list on their phone. Of course, they do this so they are able to more accurately and more quickly create friend suggestions - which has its utility - but it's not obvious who owns the data in a contact list to consent to such an action. What if my friends don't want Facebook to know their name, phone number and associated details like their email addresses and physical locations? There is no way for my contacts to opt-out of such data collection or even know it has taken place.

Internet Tracking Tools

Web organisations can include JavaScript code called Facebook Pixel to improve their marketing campaigns and understand visitor behaviours. The code snippet tracks the behaviour of Facebook users across 25% of the top one million non-Facebook websites, gathering insights such as:

  • Which other websites you visit
  • How long you spend on these other websites
  • Your interactions on the websites (purchases, contact form submissions and other "goals")

Similar tools are available from other organisations to track people across the internet, but few are in the same league as Facebook with this - a noticeable exception being Google Analytics.

Fortunately, it is possible to opt-out of these tools with the various cookie-consent popups or by using ad-blockers, but in practice relatively few people do so.

Facebook-Owned Apps

Until recently there was a Facebook Research app, where they would monitor web and mobile activities of 13-35 year olds in return for up to $20 per month. They got away with this by sidestepping Apple's policies on enterprise certificates and Apple eventually removed the app from the App Store.

The enterprise certificates allowed Facebook to read all web data that should have been private and encrypted. To use an analogy from Wired, comparing web traffic to letters:

Facebook not only intercepted every letter participants sent and received, it also had the ability to open and read them. All for $20 a month!

Media outlets at the time validly sensationalised the fact Facebook was tracking teenagers who would unlikely understand the implications of such a trade, both in terms of the immediate impact and any future considerations.

Facebook has been working with data brokers since 2012 when it signed a deal with Datalogix and has since partnered with Acxiom, Epsilon, BlueKai and many more. These brokers sell personal information to Facebook for a fee and Facebook adds it to their already-large corpus.

Most of this data is offline data, with information about how you go about your private life. The New York Times reported back in 2013:

... She knows, for instance, that if she uses her supermarket loyalty card to buy cornflakes, she can expect to see a cornflakes advertisement when she logs in to Facebook.

Again, it's possible to opt-out by either not using store cards (and not accruing any associated discounts and bonuses) or by writing to the data brokers directly. Very few people try to opt-out from the brokers and fewer are successful.

Data Aggregation

All of this data is combined using billion-dollar algorithms to create and enhance unique profiles for each user.

You can view your own profile by going into your Facebook settings in the ad preferences section. Your profile is categorised into interests and hobbies, news and media, people and celebrity, and much more.

A Pew study from January, 2019 shows 59% of US adults agree the profile Facebook holds on them is a true representation of their interests. Political affiliation labels scored more highly with 73% agreement.

A Web of Profiles

Combining these individual profiles forms a complex web of interconnected, personal profiles where algorithms predict real-world user interaction.

As an example, their systems are so advanced at facial recognition and understanding friendship groups that they can predict when you've been tagged in a photo uploaded by someone else. Although this is technologically exceptional, this is also incredibly scary when it comes to personal privacy.  They can work out where you have been - including the location, time and who you were with - when someone else uploads a photo that you happen to be in. This allows them to monitor even the most passive Facebook user (including people who have since left the platform).

Facebook is a Data Company Disguised as a Social Network

With all of this data collection in mind, it's clear that Facebook is primarily in the business of data aggregation and manipulation much more any other operation. The problem is that very few realise this because of the behind-the-scenes, passive nature of most of its work.

The Pew study earlier showed 74% of US adults were entirely unaware the business tracks their traits and interests. In other words, three out of four adults do not know the extent to which they are being monitored by Facebook systems.

Astonishingly, even the U.S. congress does not know how Facebook operate and make their money:

Senator asks how Facebook remains free to users

Growing The Business

Facebook has a fiduciary responsibility, enshrined in law, to maximise profits for its shareholders. Coupled with acquiring new users, the main strategy for Facebook to improve is to continually aggregate ever-increasing amounts of data about users and improve its ad platform.

As a society, we should not be comfortable with working with this type of organisation when comparing the negative aspects of the privacy violations with the convenience and benefits of the service. With this in mind, there has already been a shift to this type of mentality with an increased demand in secure messaging apps and end-to-end encryption, as seen in a 2018 Digital News Report:

We continue to see a rise in the use of messaging apps for news as consumers look for more private (and less confrontational) spaces to communicate

However, the ad business prepared for this trend by acquiring WhatsApp and it has enjoyed a sevenfold increase in monthly active users between April 2013 to December 2017. Amazingly, research by DuckDuckGo reported only half of U.S. adults know that Facebook own WhatsApp. (Facebook recognised WhatsApp was growing in popularity at least in part because of their research apps tracking users mobile phone activities).

For Facebook, acquisitions like this are double-edged. They eliminate the competition but they cannot directly read the contents of message and use the information for ad targeting because all messages are end-to-end encrypted. However, they can read all metadata surrounding user interactions, including:

  • Who you send messages to
  • When you send your messages
  • Usage and log information
  • Device information
  • Contact information
  • Cookies
  • Status updates (including when you were last online)
  • Location information

From this, it should be clear there is still a large opportunity for data harvesting even without the specific contents of messages, especially when the metadata is combined with a user's profile from Facebook.

Similarly, in another effort to complete market monopolisation, Facebook acquired Instagram and has seen it grow just as spectacularly. Again, 57% of respondents do not know Facebook owns Instagram.

A good example of  the corporate ignorance of privacy and tracking concerns may be best exemplified by the following "we're moving away from Facebook post" by Playboy - announced on Instagram:

The Merging Platforms

Facebook, WhatsApp and Instagram currently all operate as separate businesses, using disparate pieces of technology. However, after many years of speculation, it has been announced that they are finally to merge and share a common platform. High-profile exits of both the Instagram and WhatsApp founders suggested this was coming, on top of the fact that spending billions of dollars on data-rich companies would likely lead to this anyway.

For those unconcerned with the technological minutiae of such a merging, this announcement means more data sharing between the platforms and more intelligence about how people live their daily lives. Primarily, all in the effort to sell more ad spaces and generate more ad dollars.

Time To Leave Facebook?

Companies exist primarily to generate profits for shareholders, so I do not entirely blame Facebook for their actions. However, I would comment that they should be more transparent in their real business model as it would likely put off a lot of people. Zuckerberg will often remark that all of this information is available in their Terms of Service but the legalese is the best place to hide the details of just what they are up to because few people will check.

As an alternative, I would argue that it is more useful to take more personal responsibility when deciding which organisations we all want to affiliate with. Given the knowledge of the extent of the monitoring systems in place, I hope that you as the the reader will reconsider being part of the ad-slinger network, or otherwise reducing the amount of access they have to your data. This complements the Millennial mindset where organisations are assessed not only the their prices, but also on the political, social and environmental responsibilities adopted.

To the credit of Playboy, this is the message they were trying to get across by leaving Facebook in that they made a decision based on their assessment of the systems and the information they had at the time, so more power to them.

For me, given the foundation that Facebook is a company dedicated to finding out everything it can about me, my friends, my family, and each and every one of us - including the minutiae of daily life such as which cereals we like - it is not an organisation I trust or want to affiliate with. Especially not just so I can message people that I can contact in other ways already.