Facebook now tells each of its users which advertisers are tracking them individually through so-called Custom Audiences. This change was most likely brought by my legal actions against Facebook, conducted through PersonalData.IO. This change opens up exciting new possibilities for investigative journalism and the #MyData movement, explained below.

Original request

On December 15th 2016, I asked Facebook, through PersonalData.IO, the following:

Dear Facebook, I wish to get access to any information Facebook has on the presence of any identifier associated directly or not with my account within particular Facebook custom audiences. In essence, this would allow me to understand how marketers might be able to target me with Facebook-based advertisements.

What such a request looks like on PersonalData.IO (old version). Note that just getting an email address on the Facebook side already took a humongous amount of effort.

This is my legal right, under European (or in my case Swiss) transparency laws, and international agreements regarding transatlantic data transfers.

Litigation

After some inappropriate responses, I initiated a litigation in the United States on the matter with third-party TRUSTe, under the CH/US Safe Harbor transatlantic agreement on the protection of personal data. The procedure is free for the individual (but costs to Facebook). I was eventually told, on February 7th 2017:

You can use our [data export] self-service tool to access your data any time, free of charge. This includes all Custom Audiences associated with your account.[1]

Facebook’s data export tool

That data export self-service tool was itself imposed by the Irish Data Protection Commissioner on Facebook, itself forced to act by data protection scholar Max Schrems. It is my understanding that this tool is offered to all Facebook users, not just European ones (please confirm in the comments!).

Comparing such export conducted December 5th 2016 and February 13th 2017, I indeed see that a new section was added in the file ad.html.

A list of advertisers with my contact info (this is approximately a third of the list in my case)

My conclusion is that Facebook modified its export tool so it could claim in the arbitration procedure that it was already compliant. Technically, by the time they responded, this would be true. But of course they only modified the tool so they could claim that and look good in front of the arbitrator.

I have one remaining question on this new feature at this stage: did Facebook make such data available to US citizens as well? Normally the contractual authority for any user outside of North America is Facebook Ireland, so it could be that Facebook only provides this data for those users. Feel free to try it out for yourself and comment!

Opportunities

Now that Facebook shares this data, what can be done? Well, you can start retroactively investigating instances where Facebook personalisation had a role.

Of course, you won’t understand deep questions through a simple list of advertisers with your data (although you could start…). There are, however, two important consequences to this change. The first is that Facebook becomes an environment you control a little bit more, where academics or journalists can conduct more accurate experiments and more easily validate intermediate hypotheses. Civil society will have to rely less on blind, almost shamanic belief in Facebook’s claims. The second impact is that if Facebook can be compelled to provide this, it can be compelled to provide much more. Follow the original request for more efforts in this generic direction, and see my appeal for suggestions below.

An obvious event worth investigating would be the US election. There has been extensive reporting on the micro-targeting that took place, from a top-down perspective. I am proud to say that an article for which I did research contributed a lot to this discussion. While journalists are used to investigate top-down, it is much harder and uncommon to investigate bottom-up: what did Facebook look like to individuals during the election?

See, for instance, this article by Carole Cadwalladr, outlining the lack of accountability:

Contrary to what is said here, the data is being monitored and recorded. It was just not accessible to individuals, even though it is their right to access such data.

For political investigations, one can even ask Facebook more pointed questions, like this one on the use of the Lookalike Audiences tool for political purposes.

A second opportunity is in the MyData space: all those advertisers have my data, and I didn’t necessarily know about that. But now I do, and I can go do subject access requests for my personal data to them. In a sense, Facebook is the advertising watering hole where everyone shows up at night. I myself might be prey, but at least I have finally been given a flashlight…

Follow ups

By now, the dynamic is interesting: I ask Facebook for some information I feel they should disclose. They ignore me. I initiate a lawsuit in the U.S. and a complaint in Ireland. They are forced to respond, and promptly modify the tool to make the lawsuit obsolete. One billion users have an easier time exercising their rights. That’s fine, but the process can be sped up! How about crowdsourcing the questions that we want to ask Facebook?

Facebook now discloses the advertisers who have your contact info. What else should they be disclosing about this situation?

Certainly, I will ask in followup questions about:

Whether and how that data was actually used by Facebook (number of ads shown, number of ads clicked, which ads, etc);

How much money was made by Facebook through each connection;

When the data was added by the advertisers;

How the data is actually exchanged between advertisers and Facebook (if there is an event to refer to if I want to do Subject Access Requests to those advertisers);

What are the contact details for each advertiser;

Which Custom Audience I was placed in specifically;

your suggestion!

If you have any other idea, add it in the comments, or send it to me on Twitter.

Thanks for reading! My name is Paul-Olivier Dehaye, I am a mathematician at the University of Zurich, and the co-founder of PersonalData.IO. I have also written about forcing online advertising companies to be more transparent about their practices, and sousveillance capitalism.

References

[1] To access the self-service tool: