Facebook has been called on the carpet for how it has failed to protect the personal data of its users. But lost in the drama of congressional hearings is an understanding of the extent to which Facebook meticulously scrutinizes the minutiae of those users’ online lives.
Facebook’s tracking stretches far beyond the company’s well-known targeted advertisements. And details that people often readily volunteer — age, employer, relationship status, likes and location — are just the start.
The social media giant also tracks users on other sites and apps. It also collects so-called biometric facial data without users’ explicit “opt-in” consent, and helps video-game companies target “high-value players” who are likely to spend on in-app purchases.
The sifting of users gets into personal — even confidential — matters. The company has allowed marketers to target users who may have an interest in various health issues, like the 110,000 Facebook users who were listed under the category “diagnosis with HIV or AIDS,” the 51,000 people listed under erectile dysfunction, and 460,000 users listed under “binge-eating disorder awareness,” according to 2015 data submitted as an exhibit in a lawsuit. Facebook says it has since removed those “targeting options” and does not create targeted ad audiences involving users’ medical conditions.
“Facebook can learn almost anything about you by using artificial intelligence to analyze your behavior,” said Peter Eckersley, the chief computer scientist for the Electronic Frontier Foundation, a digital rights nonprofit. “That knowledge turns out be perfect both for advertising and propaganda. Will Facebook ever prevent itself from learning people’s political views, or other sensitive facts about them?”
On Wednesday, Facebook’s chief executive, Mark Zuckerberg, will face a second day of testimony on Capitol Hill regarding how his company conducts its business and how it has failed to protect the privacy of its users.
The hearings were spurred by revelations that Cambridge Analytica, a voter-profiling company, had inappropriately harvested the detailed personal information of up to 87 million Facebook users and that foreign agents have repeatedly used the social media platform to spread misinformation. Facebook executives have promised that the company is working to prevent similar missteps from happening again.
Consumer data mining is the engine that fuels advertising-supported free online services. If Facebook is being singled out for the practice, it is partly because it is the market leader and trendsetter.
“There are common parts of people’s experience on the internet,” Matt Steinfeld, a Facebook spokesman, said in a statement. “But of course we can do more to help people understand how Facebook works and the choices they have.”
Still, privacy advocates want lawmakers and regulators in the United States to have a more pointed discussion about the stockpiling of personal data that remains the core of Facebook’s $40.6 billion annual business.
While a series of actions by European judges and regulators are trying to limit some of the powerful targeting mechanisms that Facebook employs, federal officials in the United States have done little to constrain them, to the consternation of American privacy advocates.
Many other companies, including news organizations like The New York Times, mine information about users for marketing purposes. But privacy advocates say Facebook continues to test the boundaries of what is permissible. Some fault the Federal Trade Commission for failing to enforce a 2011 agreement that barred Facebook from deceptive privacy practices.
“Congress needs to begin to ask questions like, ‘Why did the F.T.C. allow this to happen?’” said Marc Rotenberg, executive director of the Electronic Privacy Information Center, a nonprofit group in Washington. “We most certainly have to take a different approach if we don’t want it to happen again.”
An F.T.C. spokeswoman said the agency could not comment on the case and referred to an agency statement in which it said it was committed to “using all of its tools to protect” consumer privacy and had opened a nonpublic investigation into Facebook’s privacy practices.
Facebook requires outside sites that use its tracking technologies to clearly notify users, and it allows Facebook users to opt out of seeing ads based on their use of those apps and websites.
That has not stopped angry users from airing their grievances over Facebook’s practices.
In 2016, for example, a Missouri man with metastatic cancer filed a class-action suit against Facebook. The suit accused the tech giant of violating the man’s privacy by tracking his activities on cancer center websites outside the social network — and collecting details about his possible treatment options — without his permission.
Facebook persuaded a federal judge to dismiss the case. The company successfully argued that tracking users for ad-targeting purposes was a standard business practice, and one that its users agreed to when signing up for the service. The Missouri man and two other plaintiffs have appealed the judge’s decision.
Facebook is quick to note that when users sign up for an account, they must agree to the company’s data policy. It plainly states that its data collection “includes information about the websites and apps you visit, your use of our services on those websites and apps, your use of our services, as well as information the developer or publisher of the app or website provides to you or us.”
In Europe, however, some regulators contend that Facebook has not obtained users’ active and informed consent to track them on other sites and apps. Their general concern, they said, is that many of Facebook’s 2.1 billion users have no idea how much data Facebook could collect about them and how Facebook could use it to influence their behavior. And there is a growing unease that tech giants are unfairly manipulating users.
“Facebook provides a network where the users, while getting free services most of them consider useful, are subject to a multitude of nontransparent analyses, profiling, and other mostly obscure algorithmical processing,” said Johannes Caspar, the data protection commissioner for Hamburg, Germany.
In February, for instance, a judge in Brussels ordered Facebook to stop tracking users on other websites. Facebook has appealed the decision.
And last Friday, the Italian Competition Authority said it was investigating Facebook for exercising “undue influence” by requiring users to let the company automatically collect all kinds of data about them both on its platform and off.
“Every single action, every single relationship is carefully monitored,” said Giovanni Buttarelli, the European data protection supervisor who oversees an independent European Union authority which advises on privacy-related laws and policies. “People are being treated like laboratory animals.”
Regulators have won some victories. In 2012, Facebook agreed to stop using face recognition technology in the E.U. after Mr. Caspar, the Hamburg data protection commissioner, accused it of violating German and European privacy regulations by collecting users’ biometric facial data without their explicit consent.
Outside of the European Union, Facebook employs face recognition technology for a name-tagging feature that can automatically suggest names for the people in users’ photos.
With facial recognition, brick-and-mortar stores can scan shoppers’ faces looking for known shoplifters. But civil liberties experts warn that the technology could threaten the ability of Americans to remain anonymous online, on the street and at political protests.
Now a dozen consumer and privacy groups in the United States have accused Facebook of deceptively rolling out expanded uses of the technology without clearly explaining it to users or obtaining their explicit “opt-in” consent. Last Friday, the groups filed a complaint with the F.T.C. saying that the expansion violated the terms of the 2011 agreement. Facebook sent notices alerting users of its new face recognition uses and said it provides a page where they can turn the feature off.
Facebook has other powerful techniques with implications users may not fully understand.
One is a marketing service called “Look-alike Audiences” which goes beyond the familiar Facebook programs allowing advertisers to directly target people by their ages or likes. The look-alike audience feature allows marketers to examine their existing customers or voters for certain propensities — like big spenders — and have Facebook find other users with similar tendencies.
Murka, a social casino game developer, used Facebook’s look-alike audience feature to target “high-value players” who were “most likely to make in-app purchases,” according to Facebook marketing material.
There is concern among some marketers that political campaigns or unscrupulous companies could potentially use the same technique to identify the characteristics of, for instance, people who make rash decisions and find a bigger and bigger pool of the same sort of people.
Facebook’s ad policies prohibit potentially predatory ad-targeting practices. Advertisers are able to target ads to users using the look-alike service, but they do not receive personal data about those Facebook users.
But Jeffrey Chester, executive director of the Center for Digital Democracy, a nonprofit group in Washington, warned that this “look-alike” marketing was a hidden, manipulative practice — on par with subliminal advertising — and said that should be prohibited.