What’s in your Facebook data? More than you think

Mark Zuckerberg is expected to testify today before Congress about his company’s role in the 2016 election, Cambridge Analytica, and his rather lax attitude toward the data of Facebook’s 2 billion members. (He kinda sorta answered questions from the press last week.)

To get myself in the mood—and to prep for my permanent exit from the social network—I’ve been combing through all my Facebook data. It is equally amusing and appalling, and I recommend that everyone does it, whether they’re planning to leave or not.

Not surprisingly, Facebook collected a ton of information about me over the past 11 years, nearly all of which I willingly (stupidly?) volunteered. As dossiers go, Facebook puts Christopher Steele’s to shame. It is frighteningly thorough.





That’s no accident. As the Electronic Frontier Foundation’s Andrés Arrieta notes, “Facebook is just one example of a much larger problem: Online platforms and companies overwhelmingly operate with a surveillance-based business model that relies on gathering as much information on users as possible.”

And as the Cambridge Analytica scandal shows, this information can be used and abused in all kinds of ways—like inferring things about me based on my social-media activity that could determine my ability to get a loan, insurance, or a job, as well as for whom I might be inclined to vote.

Facebook also has information I have no recollection of volunteering, which is another big concern.

What Facebook knows about you

Under the presumption that you’ve been carefree when uploading your personal information to Facebook, the breadcrumbs of data Facebook has collected include:

  • Your first status update, and all the subsequent ones you’ve posted on what Facebook used to call your “wall” (my first post was on May 23, 2007);
  • All the profile information you’ve submitted, including places you’ve lived, places you’ve worked, and people you’re related to;
  • Every person, place, or thing you’ve “liked,” including books, music, movies, TV shows, and games;
  • Every photo or video you’ve uploaded, along with comments about and reactions to them;
  • Every app you’ve installed on the platform (mine totaled 333, most of them simple log-in apps for external sites);
  • Every person you’ve “friended” or “defriended,” along with every friend request you’ve ever sent or received (and if you’re me, mostly ignored);
  • Every event you’ve marked as being “interested” in or “attending”;
  • Every group you ever joined (or were added to without your permission);
  • Every chat conversation you’ve participated in (99 percent of which I have no recollection of); and
  • Every date and time you logged in, which includes the device you’ve used, its Internet Protocol address, and its geographical coordinates.

It’s not terribly surprising that Facebook has retained any of this information. But you might be surprised by the number of Facebook advertisers that apparently have your contact information, or by the hundreds of email addresses and phone numbers in your Facebook contacts list. (I do not remember ever uploading mine.)

Let’s look at the advertisers.

Ads to the bone

The data download shows a list of every advertising topic you fit into, every ad you’ve clicked on (exactly one for me), and “Advertisers with your contact info.” This is where it gets interesting.

You can see your advertiser profile by visiting the Facebook home page, and clicking the Down arrow on the far-right side of the blue bar at the top. Select Settings, then Ads. On the next page, click “Advertisers you’ve interacted with.” You’ll see a list of ads you’ve clicked on, ads you’ve hidden, Facebook pages you visited, websites or apps you’ve used, and advertisers who have your contact information.

Facebook advertisers who have Dan Tynan’s contact info. Screenshot by Dan Tynan/The Parallax

According to Facebook, some 146 advertisers have my contact info. Of that list, I have done business with no more than 15. The rest are completely new and strange to me, including a mental-health clinic in Long Beach, Calif., a home mortgage bank in Indianapolis, a vitamin supplements maker in Cambridge, England, an IT staffing company in Red Bank, N.J., and a consulting firm in Brabant, Belgium.

There’s a mess of IT recruiters, many located in Europe. And there’s a gaggle of crowdfunding sites, supermarkets, publications, and pages for aging rock stars.

I polled roughly 30 of my friends and colleagues about their advertiser profiles. About half of them were similarly surprised by the advertisers on their lists, including Airbnb, Cyndi Lauper, Sally Beauty, Uber Eats, and Viking River Cruises.

I reached out to a dozen companies listed as having my contact information to ask if they did, in fact, have it. Half had responded by publication time. None had my data, they told me, and all of them seemed just as perplexed about this as I am. Here’s an excerpt from a response I received from the vitamin supplements maker:

“We firmly believe we’ve never had your details. We are completely sure we haven’t obtained your details via third-party lists uploaded to Facebook. We are genuinely as concerned about this as you are. We do not understand how we can appear on a person’s profile, as a company holding a person’s personal details, when we believe we don’t.”

I asked a handful of privacy experts how this might have happened. None got back to me by publication time. My best guess is that Facebook obtained this information from third-party data brokers, and the lists weren’t very accurate. When I asked Facebook, I got this deeply unsatisfying response, attributable to an anonymous company representative:

“The businesses could have acquired your information directly or through another entity with whom you’ve shared information. This is common industry practice. For example, your credit card loyalty program could share your information with a hotel chain or other major travel companies, and run ads on Facebook. Because custom audiences are hashed, we can’t verify ourselves what type of personal info that advertiser gave to us (i.e., email or phone number) to make the match.”

The odds of my credit card loyalty program selling my information to a bunch of IT consultants in Belgium are virtually nil. And this response doesn’t explain why Facebook would tell me these advertisers had my contact info, when that’s not necessarily the case. But I think that it might explain why, while I was in the middle of writing this, Mark Zuckerberg announced that Facebook would no longer be using third-party data for targeting ads.

Contact low

The other weird and troubling thing I found in my Facebook data file was a list of phone numbers and/or email addresses for 309 of my contacts. (Some colleagues reported a similar surprise.)

It is a motley assortment of names and numbers. Some date back to 2008, and some are recent. About half are people or businesses I was in contact with when I lived on the East Coast; the rest are from the West Coast.

(To see which of your contacts Facebook has squirrelled away, you’ll need to visit your own Manage Invites and Imported Contacts page, then scroll down to ‘Contacts Imported.’)

I have no idea how this contact info made its way into my Facebook data, because I never synced my contacts on my iPhone, and there are far more than 309 numbers in my address book. (My alternate Facebook identity, or fake account, has more than 500 contacts, all from an ancient Yahoo mail account that is not the address I use to log in. That’s an even bigger puzzle.)

Facebook had matched some of the numbers in my phone’s address book to existing Facebook accounts, because the names were slightly different (like adding a middle name).

But some of the contacts aren’t in my phone and have never been Facebook friends of mine. Some, like my former physician, now retired, are not on Facebook at all. But, somehow, Facebook has his phone number. Sorry, Doc.

How did those contacts make their way into my Facebook data? Who knows. At some point on some old phone, I might have unwittingly agreed to sync my contacts when I installed Facebook or Messenger. Facebook also collected a lot of data from Android phones, including entire call histories; I used to have an Android phone, but haven’t for the past four years.

But even that does not explain the seemingly random collection of numbers Facebook has been storing, nor how it associates me with numbers of total strangers. Again, Facebook’s largely off-topic response:

“This happens when you choose to upload your contacts to Facebook. This is completely optional, and you can turn it off at any time (more here). You can also delete contacts that you’ve previously uploaded (more here). We sync this information in case someone you’re friends with decides to join Facebook.”

Perhaps this is what Facebook executive Andrew Bosworth was referring to when he wrote about “questionable contact-importing practices” in his now-infamous 2016 memo.

Here’s the thing: It doesn’t matter. Facebook has been an irresponsible steward of my data for some time now. It’s like inviting a friend to sleep on your couch, and he ends up emptying your fridge and rifling through your medicine cabinet while you’re at work. Yes, you invited him in, but you didn’t expect or deserve that treatment.

For some people, Facebook is the Internet. Nothing will persuade them to leave, and they may not be able to leave. But if you’re weighing your options, you’ll want to take a hard look at the data you’ve shared, as well as your privacy settings. You might be unpleasantly surprised.