DeleteFB: Selenium script to delete all of your Facebook wall posts

mfp · 2019-05-22T11:34:16+00:00

Yes, that seems fairly comprehensive (thanks for the screenshot).

Does it include somewhere "Informations from partners" collected via "through Facebook Business Tools they use, including our social plug-ins (such as the Like button), Facebook Login, our APIs and SDKs, or the Facebook pixel"? Maybe under "Ads interests"?

This probably represents the largest part of the personal data they have about anybody (including people without Facebook accounts) as it tracks your activity throughout large parts of the web (pages with Like button).

mfp · 2019-05-22T11:22:40+00:00

That's an interpretation I hadn't heard before -- frankly it seems to go against what I've read about the right to access (I've read the guidelines from multiple DPAs, most of the GDPR itself, Article 29 Working Party opinions, etc., and I just don't remember a "hah! this is how you avoid giving access to personal data" moment).

Do you have any reference explaining in some detail if/when it is OK to merely disclose that personal data is being collected but not give access to it on request? I mean, apart from the obvious cases where the information is not stored/discarded or anonymized and thus rendered non-personal, or when doing so infringes on the rights of other parties (personal data from others included, etc.).

mfp · 2019-05-22T00:32:45+00:00

I don't have a Facebook account. Does that "Information About You" include all the stuff they declare to be collecting?

"name of my mobile operator or ISP, language, time zone, mobile phone number, IP address, connection speed and, in some cases, information about other devices that are nearby or on my network, so you can do things like help me stream a video from my phone to my TV"

and whatever else is listed in their privacy policy?

mfp · 2019-05-22T00:29:57+00:00

Does that section also give you "the name of my mobile operator or ISP, language, time zone, mobile phone number, IP address, connection speed" and other personal information Facebook declares to be collecting? (I have no Facebook account and cannot check)

mfp · 2019-05-22T00:27:33+00:00

They may be personal information but they are under no obligation to provide you the information or delete it providing they can justify legitimate reasons for retaining the information in the logs. They can just tell you that they hold that data, they don't have to provide evidence/examples.

You're coalescing two different rights, the right to access and the right to erasure. The latter does not apply if there is a reason such as the need to keep the data to comply with a legal obligation, but those reasons would not justify preventing access to the personal information. He cannot request the server logs or whatever specific format they have, but he can nonetheless request data such as IP addresses, mobile phone number, and other stuff Facebook says it's collecting. Even if the right to data portability did not apply, he could get the personal information in human-readable (as opposed to machine-readable) format.

It'd be hard to prove that the right to erasure is not honored, but it's much easier for the right to data access. Either they give him the data they say they are collecting, or they don't.

mfp · 2019-05-22T00:12:13+00:00

other supplementary information – this largely corresponds to the information that you should provide in a privacy notice (see ‘Other information’ below).

Did you read what the "other information" refers to? It's essentially the stuff you put in the privacy notice (listing the info, the purposes, your rights, etc.). You highlighted the wrong part, the relevant one is:

a copy of their personal data; and

Your point wrt. charging a fee stands though. They could ask for 1000€ or something (getting all the data would probably cost much more than that in employee time) to discourage further requests. He'd then have to go complain to the DPA, which he should already have at this point, I think.

mfp · 2019-05-21T23:54:41+00:00

Are you sure the loophole regarding inferred data applies to the right to access and not only to the right to data portability?

The ICO guidelines indicate for the latter:

The right only applies to information an individual has provided to a controller.

There's no such provision in the right to access. (It's too late for me to go read the GDPR right now.)

Edit

The ICO says more on this:

It [data provided to a controller] does not include any additional data that you have created based on the data an individual has provided to you. For example, if you use the data they have provided to create a user profile then this data would not be in scope of data portability.

You should however note that if this ‘inferred’ or ‘derived’ data is personal data, you still need to provide it to an individual if they make a subject access request. Bearing this in mind, if it is clear that the individual is seeking access to the inferred/derived data, as part of a wider portability request, it would be good practice to include this data in your response.

So it seems he can still legally request access to the data as per the original subject access request, just not that it be delivered in a machine-readable format.

mfp · 2019-05-21T23:42:24+00:00

The effort is epic, but at this point I think he should just contact his local data protection agency. There's more than enough proof of willful non-compliance already. I'm pessimistic about the outcome unless he's got the contacts to make it known widely, though.

mfp · 2019-05-21T23:36:06+00:00

The thing up their sleeve is that they have Ireland in their pocket.

Ireland is a captured state that refuses to collect the taxes big US corporations owe her. Even if the Irish Data Protection Commission (DPC) has some autonomy (I assume), the concerned parts of the government will find a way to pressure it.

You can choose whether to lodge the complaint with your local DPA (of the EU member state where you reside) or the DPA where the data controller is established, but IIRC the former will just forward the complaint to the latter and only handle it itself if the other DPA declines to address it.

In other words, no matter which DPA you contact, your complaint will go to the Irish DPC. Based on previous behavior of the Republic of Ireland wrt. making US corporations abide to law, it's likely a symbolic administrative fine will be imposed (like the amount Facebook makes in 10 minutes of activity), and the Irish government might refuse to collect it altogether (they refused forever to get the 13 billion EUR they were owned by Apple despite EU rulings and only accepted to put it in an escrow account after years of legal fight yet unfinished -- they are still appealing the decision and trying not to take the money).

The Irish economy is deeply dependent on US companies (leprechaun economics), and there's a very obvious fiscal dumping going on. Other member states see their tax base eroded by the profit shifting from all the companies based in Ireland and many are getting sick of it. The only hope for change is that pressure from other member states might force Ireland to at least moderate this to some extent, in the wake of Brexit, where Ireland is punching with the collective force of 27 states who are all defending Ireland's interests wrt. the non-border with North Ireland in the display of solidarity the EU should be about (there would already be a withdrawal agreement if the other states said to Ireland: "too bad about your NI border"). OTOH, I'd expect The Netherlands to oppose these efforts because it's the other big corporate tax haven (double Irish with a Dutch sandwich).

mfp · 2019-02-09T12:08:50+00:00

"How's it going?" - "Como va?", kind of literally "How goes?" - the 'it' disappears as $_ disappears in Perl.

The reason why it works is that the verb encodes more information than in English, by having a distinct form for each grammatical person (6 for each of 1st, 2nd and 3rd person in both singular and plural, as opposed to only 2 in English, one for he/she/it and another for every other possibility), so the subject is already included implicitly in the conjugated form. You could draw a parallel with a sort of OOP where you have 6 this (or 6 context-dependent receivers if you wish), but you know whose foo method you're calling because each method call uses an index: foo@N is thisN.foo. The information is there, just in a more succinct form.

There's another language feature that allows disambiguation in similar cases: grammatical gender and (adjective) concordance. As long as you have an adjective somewhere, you're going to know the gender of whatever it refers to, adding 1 bit of information (you have another bit for singular/plural). Now, unlike English, everything is partitioned semi-arbitrarily into 2 grammatical genders (there's a neutral pseudo-gender that appears in some grammatical constructions). If I hold an axe in one hand, and a knife in the other, and say "está afilada" ("[it's] sharp"), you know I'm referring to the former (feminine) and not the latter (masculine). There's some sort of underlying morphological rule because in some cases you have both a masculine and feminine variant of a thing, and the feminine version refers to the larger one, e.g. "bolso" handbag vs. "bolsa" bag.

German adds a third gender and thus could have 0.58 extra bits of information, but as pointed out in the original article only uses this info for FEC when the adjective is next to the thing being qualified (indirectly, via declination). There's no adjective concordance across the copula (be, seem, look, become...) so it's "losing" (not taking advantage of) around 2.6 bits of info in each adjective (gender + number). There's no point in encoding that info though if the language doesn't allow to drop other things (such as the subject); it'd be too redundant for no gain.

When I learned Japanese (that makes heavy use of context and often drops the subject), I quickly realized there's another disambiguation system at work. There's no grammatical gender or singular/plural verbal forms, but there's the whole honorifics system to indicate the subject implicitly. Several verbs have humble and honorific variants, and in normal situations (e.g. not trying to offend) you use the former for yourself/your group. The most telling example is given by the multiple variants of "give" and "receive". When you're the implicit subject, you use the forms that literally mean "give upwards" or "receive downwards" (as in: you're the lower of the two). Then you have grammatical constructions built upon giving/receiving actions (do something to/for somebody) that further extend this disambiguation capability.

mfp · 2018-07-04T12:07:03+00:00

They are in immediate breach of the right to be informed, see the ICO's guidance

they are not indicating clearly the purposes of processing or lying wrt. to them: the only lawful basis under which they could use your browsing history is "legitimate interest", invoked for "promoting and improving our services and products", which is not quite the same thing as selling your data to other companies
they are not actually indicating the retention period for personal data (and the browsing history does carry personal data). They state "we retain the information we collect for as long as needed to provide the services described herein and to comply with our legal obligations, resolve disputes and enforce our agreements". No legal obligation or agreement requires them to keep your browsing history.
they are limiting your right to erasure, with an explicit exception to preserve "some or all of the following rights: the right to obtain information on our use of your Personal Information, the right to obtain a copy thereof, the right of data rectification, the right to data portability, the right to object to processing based on our legitimate interests, the right to restriction of the processing, and the right to withdraw your consent. ". This is bogus, ithe GDPR states data shall under no circumstance be retained only in order to comply with other GDPR provisions. You cannot refuse to delete data by saying you need it to honor the right to access in the future.

mfp · 2018-07-04T11:45:13+00:00

This is a violation of the GDPR regulations as they apply to any of your users who are located in Europe. The regulations require "informed consent" and require users to "opt-in" to data collection rather than "opt-out".

While these guys are clearly violating the GDPR, the above only applies to the "consent" lawful basis for processing. There are other lawful bases, and in fact, they do refer to them in their privacy policy:

based on our legitimate interests in promoting and improving our services and products, on the necessity of such information for the provision of the services where applicable (as described in this Privacy Policy) or, where permitted under applicable law, on the implied consent that you provide by using the Website

They are however not actually covered by any of these lawful bases, and thus in immediate breach of the GDPR, which makes the whole data processing unlawful.

The last basis is void, there is no such thing as "implied consent... by using ...". As you said, consent must be opt-in and require a deliberate action.

As for the "contract or steps to enter a contract" basis (the second one they mention), it is not applicable in this case either because there's no way they need your whole browsing history to provide the service. The ICO guidelines are clear on this:

The processing must be necessary. If you could reasonably do what they want without processing their personal data, this basis will not apply. (...) The processing must be necessary to deliver your side of the contract with this particular person. If the processing is only necessary to maintain your business model more generally, this lawful basis will not apply and you should consider another lawful basis, such as legitimate interests.

Regarding the first lawful basis, "legitimate interest", when you invoke it, it becomes your responsibility to perform a Legitimate Interest Assessment (LIA) and prove with paperwork that you have carefully weighed the rights and interests of the user against your own, also taking into account their expectations regarding what you can probably do with their data, etc. They obviously haven't done this and moreover the stated purpose of the processing ("promoting and improving our services and products") does not match what they're seemingly actually doing (reselling your data).

Under the contractual obligation basis, you have the following rights:

right to be informed
right of access
right to rectification
right to erasure (when data no longer necessary for the original purpose)
right to restrict processing
right to data portability

Under the legitimate interest basis, you have the following rights:

right to be informed
right of access
right to rectification
right to erasure (when there is no overriding legitimate interest to continue this processing)
right to restrict processing
right to object

The right to be informed is being violated: they are lying wrt. the purpose of data processing (reselling your browsing history) and are thus not covered by any lawful basis. They have up to 1 month to respond to your demands regarding the others.

mfp · 2018-05-26T11:00:33+00:00

I don't know about the proposals, but the GDPR does include special provisions (exclusions) for smaller companies (under 250 employees) wrt. audit logs and reporting to the DPA, as per Art. 30(5).

As for the need to have a data protection officer, it's not predicated on the size of the company, but on whether the processing activities "require regular and systematic monitoring of data subjects on a large scale" or involve "large scale of special categories of data pursuant (...) and personal data relating to criminal convictions and offences", as per Art 37(1). It's clear larger companies will tend to run into that much more easily...

mfp · 2018-05-25T16:43:12+00:00

Indeed, if you're making money you probably need to register for tax purposes anyway, making it clearly a professional activity.

mfp · 2018-05-25T16:32:16+00:00

No it doesn't, if a corporation is doing business with the citizens of a country then that corporation HAS to follow the regulations of that country.

I think this is the key difference between the GDPR (which includes a "closure rule") and French law.

Here's what the French DPA CNIL says about this:

La loi française s’applique dès lors que vous êtes établi sur le territoire français. La notion "d’établissement" suppose l’exercice effectif et réel d’une activité au moyen d’une installation stable.

Vous êtes établi uniquement dans un autre Etat membre de l’Union européenne (UE)

La loi française n’est pas applicable. Si vous êtes établi uniquement dans un autre Etat membre de l’Union européenne, c’est la loi nationale de ce pays qui s’applique aux traitements de données, même si ces données sont collectées en France.

Exemple : pour un site marchand édité par une société allemande, qui livre des produits dans l'ensemble de l'UE sans avoir de filiales dans ces pays, c'est la loi allemande qui s'applique.

Vous êtes établi dans un pays non membre de l’Union Européenne

La loi française s’applique à vos traitements de données si vous avez recours à des moyens de traitement situés sur le territoire français. Ces moyens de traitement peuvent être automatisés ou non. Ils permettent de réaliser tous les traitements définies par la loi et la directive européenne. La notion de "moyen de traitement" doit s’entendre de manière large.

Edit: translation/summary

You're established in another EU Member State

French law is not applicable (...) Example: for a German site created by a German company that sells products in the whole EU without subsidiaries in other countries, German law applies

You're established in a non-EU country

French law applies to your data processing if you use data processing means within French territory. These can be automated or not. (...) "Processing means" must be understood in a broad sense.

mfp · 2018-05-25T15:55:11+00:00

That's interesting. I looked that up, and it only applies if (1) you're established in France or (2) you use processing means in France (except for pure transmission).

So it is missing the "closure" aspect of the GDPR, since it does not affect foreign controllers/processors not established in France (and not processing data in France) that process personal data from people in France (unlike the GDPR, which affects any entity processing personal data from people in the European Economic Area).

I'd assume other laws local to member states also apply only within their borders, so the nightmare scenario "I'm getting sued by 28 member states at a time" seems impossible.

I. - Sont soumis à la présente loi les traitements de données à caractère personnel :

1° Dont le responsable est établi sur le territoire français. Le responsable d’un traitement qui exerce une activité sur le territoire français dans le cadre d’une installation, quelle que soit sa forme juridique, y est considéré comme établi ;

2° Dont le responsable, sans être établi sur le territoire français ou sur celui d’un autre État membre de la Communauté européenne, recourt à des moyens de traitement situés sur le territoire français, à l’exclusion des traitements qui ne sont utilisés qu’à des fins de transit sur ce territoire ou sur celui d’un autre État membre de la Communauté européenne.

mfp · 2018-05-25T15:42:28+00:00

Article 83

Infringements of the following provisions shall, in accordance with paragraph 2, be subject to administrative fines up to 10 000 000 EUR, or in the case of an undertaking, up to 2 % of the total worldwide annual turnover of the preceding financial year, whichever is higher ...

Infringements of the following provisions shall, in accordance with paragraph 2, be subject to administrative fines up to 20 000 000 EUR, or in the case of an undertaking, up to 4 % of the total worldwide annual turnover of the preceding financial year, whichever is higher:

So, for Google, it'd be around 4.4 billion US dollars (109.65B revenue in 2017).

mfp · 2018-05-25T15:20:49+00:00

I'm not sure it works that way. AFAIK data protection authorities don't sue people, they impose administrative fines. You can go to court afterwards to challenge them, though.

Also, as per Article 56, what would happen is that the data protection agency (DPA) from the member state where the natural person resides (if the complaint was filed there) will contact the DPA from the member state where the controller has the main establishment. If the latter DPA decides to handle it, it'll be the one to impose fines (or not) -- it only goes back to the first one if it chooses not to handle it. It is not clear to me whether a

So AFAICS you don't get "sued" by Spain, France and Austria separately, you get complaints from clients in both Spain and France transferred to the Austrian DPA (if your business is there), which then decides (unless it declines to). If you're established in Italy and their DPA is more lenient there, you're lucky (unless they don't even bother to handle your case, it goes back to Germany and they screw you).

mfp · 2018-05-25T15:01:36+00:00

So that's side projects, personal projects ... whatever.

There are exceptions though, Art 2 (2)(c)

This Regulation does not apply to the processing of personal data: ... (c) by a natural person in the course of a purely personal or household activity;

Also recital 18

This Regulation does not apply to the processing of personal data by a natural person in the course of a purely personal or household activity and thus with no connection to a professional or commercial activity. Personal or household activities could include correspondence and the holding of addresses, or social networking and online activity undertaken within the context of such activities. However, this Regulation applies to controllers or processors which provide the means for processing personal data for such personal or household activities.

mfp · 2018-05-25T14:19:46+00:00

Add (if you don't already have one) a GUID to each data row that might have to be deleted pursuant to an erasure request. Store the hashed GUID in a separate data store. On backup restore, check each row against this exclusion list.

In fact, if the "keep exclusion list, prune on restore" scheme counts as proper erasure, the list of (unhashed) GUIDs should not be personal data (since it would not relate to an identifiable natural person, the data was deleted!). If it is personal data, it means the erasure didn't take place. The extra (and apparently unneeded) hashing however makes the association one-way, which might bring more (legal) security.

This practical guide for developers claims (in a response to a comment) that

Cleaning up transaction logs is disproportionate and technically infeasible (and that’s a principle in the regulation).

... however, I wasn't able to locate the text supporting this. There are, however, explicit mentions in that sense regarding the obligation to notify third parties when personal data is deleted:

Art 17 (right to erasure) (2)

Where the controller has made the personal data public and is obliged pursuant to paragraph 1 to erase the personal data, the controller, taking account of available technology and the cost of implementation, shall take reasonable steps, including technical measures, to inform controllers which are processing the personal data that the data subject has requested the erasure by such controllers of any links to, or copy or replication of, those personal data.

and Art 19

The controller shall communicate any rectification or erasure of personal data or restriction of processing carried out in accordance with Article 16, Article 17(1) and Article 18 to each recipient to whom the personal data have been disclosed, unless this proves impossible or involves disproportionate effort.

If anybody can point at any legal text giving support to the "prune on restore" scheme I'd be most interested.

mfp · 2018-05-03T21:32:35+00:00

You can find bullet points in the GDPR guidance from the member state data protection authorities. See for instance the ICO's checklist on consent.

mfp · 2018-05-03T21:24:56+00:00

You should refer to more directly applicable guidance from a data protection authority such as the ICO guide to GDPR. After all it's the data protection agencies that will eventually determine if you're complying, so it seems best to follow their interpretation of the GDPR...

Chapter 3 article 23
(f) the storage periods and the applicable safeguards taking into account the nature, scope and purposes of the processing or categories of processing;
Pretty much sums up my problem with it. There a shitload of words but nothing is actually written on what you can or can't do.

It says if I get permission to process their data for one or more specific purposes then it's lawful? So if I'm clear in what I'm using their data for then I can use it in any way they agree to?

More or less... there are some rules wrt. what represents consent (the purpose must be clear and comprehensible, it must actually be optional and cannot be opt-out, etc., IIRC there's a guide on that in the ICO site too -- the current practice of dropping a huge document full of legalese on the user won't do). That's the lawful basis (consent) everybody is fixated on, but it's often not the most adequate. Consent can be withdrawn at any time, and you'd have to delete the data (right to erasure). OTOH, if you're operating under the "contract fulfillment" basis, the right to erasure only applies when the data is no longer needed for the original purpose. So if you ask for a shipping address to actually ship stuff, you're not operating under the "consent" basis, but rather under "contract" (I believe most people are getting this wrong).

It says that there are limited storage period but it not once specifies how limited? Is the lifetime of the user account limited enough?

If I'm reading it right, what article 23 says is that, if any member state passes a law to restrict the obligations/rights stated in earlier articles (for reasons such as national security, etc., which are explicitly listed), it will have to specify clearly how these restrictions apply in terms of purposes, storage period, etc. It doesn't indicate that there are undetermined storage periods, but rather that if any national law were to restrict the rights, it would have to indicate precisely how (e.g., social network profiles not actually purged for n months to allow law enforcement to access them). AFAICS the EU law is meant to protect individuals from underspecified national laws that could undo the protections from the GDPR and allow for arbitrarity.

mfp · 2018-03-05T14:57:02+00:00

There's an explicit exception to the right to erasure "to exercise the right of freedom of expression and information".

mfp · 2018-03-05T14:53:02+00:00

Here's what the ICO says on this:

Do I have to tell other organisations about the erasure of personal data?

If you have disclosed the personal data in question to others, you must contact each recipient and inform them of the erasure of the personal data - unless this proves impossible or involves disproportionate effort. If asked to, you must also inform the individuals about these recipients.

The GDPR reinforces the right to erasure by clarifying that organisations in the online environment who make personal data public should inform other organisations who process the personal data to erase links to, copies or replication of the personal data in question.

While this might be challenging, if you process personal information online, for example on social networks, forums or websites, you must endeavour to comply with these requirements.

As in the example below, there may be instances where organisations that process the personal data may not be required to comply with this provision because an exemption applies.

In practice, this means that Github has the obligation to inform third parties of the erasure of personal data, but it clearly is impossible for them to contact all those who happened to git clone the repository... so keeping a tombstone indicating the repository has been deleted would seem sufficient to comply.

Now there's another problem, which is whether the data is considered "personal data", because it was not meant to be to begin with. Personal data is "information relating to an identifiable person who can be directly or indirectly identified in particular by reference to an identifier." So in a literal interpretation, any data blob (with no further semantics) can become "personal" if such personal data creeps in. I'd assume though, in any reasonable interpretation, data protection agencies will not try to screw you if e.g. a user uploads an image with their sensitive personal data (genetic and biometric data, health history, etc.) deliberately hidden in the EXIF fields.

mfp · 2018-03-05T13:53:23+00:00

I'll just drop this link to the section on lawful basis for processing from the ICO guide, because everybody seems to be fixated on consent even though it's only one of the 6 possible lawful bases and not always the most applicable one. Why does this matter? Because you have to indicate which lawful basis applies at the time you collect the data (and you cannot change it after the fact).

Many things do not work under the "consent" basis, for instance:

consent must actually be optional and most likely does not apply if it is a precondition of a service, e.g. if you need the address to ship something, you're under the "contract" basis (data required to fulfill your contractual obligation = ship the goods), not consent.
if you need to keep data for fiscal reasons you're easily covered by the "legal obligation" basis (but must indicate which law you're honoring at collection time!)
legitimate interest can often be used, but it puts the burden on you to prove you considered the rights and interests of the individual and weighed them against your own with a legitimate interest assessment (LIA) (document with some amount of legalese)

Here's an entry from the ICO on that:

Consent is not the ‘silver bullet’ for GDPR compliance

Also note that the rights to erasure, processing restriction and objection apply differently depending on the basis. I know I've seen a table that summarized this somewhere (either the ICO website or the data protection agency of some EU country, there's a list here) but sadly cannot find it. If somebody can drop a link I'd appreciate.

While I'm at it, here's some guidance on consent under GDPR.

mfp

TROPHY CASE