I’m no longer active on Facebook, but at the moment, oddly, it’s my main go-to option to find out at least some of the companies that share my data.
Facebook lets you see who shared your data with them. There are two interesting pages, buried and well-hidden, worth checking: Off Facebook activity and Businesses who uploaded and used a list.
Want to see which companies are sharing your data? Continue reading.
This one is very interesting and I recommend visiting the link to check out your own list. I won’t share the screenshot, but from what I gathered, all this information was leaked via apps on my iPhone, before I disabled ad tracking. I’ve written about it before: Does Apple care about your privacy? and I recommend reading it, if only to know how to disable ad tracking on your Apple devices.
My list can be divided into roughly 3 categories:
- Companies I know and use. Amazon, Uber, etc. So whilst they know me and I did give them my details, I never explicitly gave them consent to share my details. With Facebook or with anyone…
- Companies I’ve heard of, but never signed up for, used, or shared any details with. How the f*** do they even have my details? Not to mention share them with Facebook (or who knows what other companies).
- Companies I’ve never heard of, but the name alone looks really dodgy. “Mindshare Biddable Digital” … you can imagine what a company with this name is doing.
- Dave M. Rogenmoser. He probably deserves his own category. I don’t know him, never heard about him, and frankly now want nothing whatsoever to do with him. Dave, if you’re reading this, WTF are you doing sharing people’s personal details with Facebook? Especially people who you don’t know and who definitely didn’t give you consent to share their details.
Ok, so this was 4 categories I guess… Although Dave might more realistically fall into the 3rd one.
What does it mean?
In case you can’t read the text on the image, this is what Facebook tells us about it:
These businesses uploaded a list to Facebook. Lists can contain contact information, for example an email address or phone number that is hashed so that Facebook does not learn any new identifying information about you. Lists can also contain advertising identifiers instead of contact information. Information from lists is matched against our existing list of users. The identity of users is not revealed to the business during the matching process.
Facebook uses these lists only to match the information to your profile and to deliver the ads chosen by the advertiser. Facebook does not keep the information shared in these lists. Advertisers can use lists to show you more relevant ads or to exclude you from ads that may be less relevant to you. For example, if you’re already a member of a gym then the gym could choose to exclude you from ads about becoming a member.
Facebook doesn’t learn any new identifying information about users when lists are uploaded.
So, let’s decipher things a bit here, shall we?
Technically, it’s true that Dave and his friends don’t share my personal details directly, i.e. they won’t upload my actual email address to Facebook. They will upload a hash of my email. But Facebook obviously holds its own giant list of hashed emails and other personal details, so when two hashes match, Facebook knows that it’s me. That’s how they can show me this list of companies.
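To make the matching step concrete, here is an added example (not from Facebook or from the original post) showing that two parties holding the same email address compute the same digest, so the hash works as a stable identifier. It assumes unsalted SHA-256 over a trimmed, lowercased address; the function names, advertiser names and addresses are constructed for illustration.

```python
import hashlib


def normalize(email: str) -> str:
    # Trim and lowercase so the same address always yields the same digest.
    return email.strip().lower()


def hash_email(email: str) -> str:
    # Assumption: unsalted SHA-256; the post does not name the hash function.
    return hashlib.sha256(normalize(email).encode("utf-8")).hexdigest()


def build_platform_index(user_emails):
    # The platform hashes the addresses it already holds: digest -> its own user.
    return {hash_email(e): normalize(e) for e in user_emails}


def match_uploads(platform_index, uploads):
    # uploads maps advertiser -> list of hashed emails (no plaintext is sent).
    # Returns user -> sorted list of advertisers whose list contained that user.
    associations = {}
    for advertiser, digests in uploads.items():
        for digest in digests:
            user = platform_index.get(digest)
            if user is not None:  # unknown digests stay opaque to the platform
                associations.setdefault(user, set()).add(advertiser)
    return {user: sorted(names) for user, names in associations.items()}


# Constructed sample data: two platform users, two advertiser uploads.
PLATFORM_USERS = ["alice@example.com", "bob@example.com"]
UPLOADS = {
    "gym.example": [hash_email(" Alice@Example.com ")],
    "rides.example": [hash_email("alice@example.com"),
                      hash_email("carol@example.com")],
}


def demo():
    return match_uploads(build_platform_index(PLATFORM_USERS), UPLOADS)


if __name__ == "__main__":
    for user, advertisers in demo().items():
        print(user, "->", advertisers)
```

The platform never receives a plaintext address, yet it ends up with a per-user list of advertisers; the digest for an address it does not already hold (carol) matches nothing.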
So is this data sharing? I think every reasonable person would think so. Obviously now Facebook knows more about me. At the very least my (forced) association with those companies. Their claim that “Facebook doesn’t learn any new identifying information…” is technically true, but practically false, because this association is super valuable. Not only for allowing advertisers to place ads but also, I imagine, for increasing the richness of the user profile and what Facebook knows about you.
I’m not 100% sure about this, but I think that’s another thing to worry about: Lookalike audiences. When companies upload lists of emails to Facebook, they do it not only to target those users directly, but also to discover similar people. People who are likely to be interested in their ads.
So whilst Facebook doesn’t reveal any extra information about me directly to advertisers who upload my details, these companies get a huge “prize” for sharing my data with them: these companies are then able to target ads to people with similar interests to mine.
Add the fact that Facebook now knows more about us: they not only see how we interact on Facebook or on sites that use the Facebook like buttons etc., but this practice also feeds even more knowledge (and a golden opportunity) to Facebook. So if they know X people who (like me) use Amazon, Uber, and Share Now, perhaps they are also likely to be interested in using Grab? So both Facebook and those companies have a clear interest in sharing my data. But are they allowed to?
Legitimate business and consent
Let’s leave Facebook out of it for a moment… Are these companies allowed to share information about me with any other company (Facebook or otherwise), without my explicit and informed consent?
I’m not a lawyer, but here’s recital 40 of the GDPR:
In order for processing to be lawful, personal data should be processed on the basis of the consent of the data subject concerned or some other legitimate basis, laid down by law, either in this Regulation or in other Union or Member State law as referred to in this Regulation, including the necessity for compliance with the legal obligation to which the controller is subject or the necessity for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract.
The way I understand it, personal data should be processed either based on “some other legitimate basis”, or on the basis of consent.
Legitimate basis, in very simple terms, is when the data is necessary to provide the service. For example, if I sign up to Amazon, they need my email to send me order confirmations. That’s a legitimate basis. But using my email for marketing or advertising stops being a legitimate basis. Why? Because it is not required to provide the service that Amazon provides me.
So if Amazon wants to send me ads, or share my email for other purposes that aren’t realistically legitimate, they are required to ask for my informed and explicit consent.
“But hey! They didn’t share your personal data! They only shared a hash…”
Technically they “only shared a hash”, but this hash identifies me clearly. I believe it falls under personal data under the GDPR as well.
According to the GDPR, personal information is (emphasis mine):
… any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
It gets even stranger
When I dug a bit deeper into my list of companies, I saw that one of them actually shared my details with Facebook in order not to show me ads. This is actually one of the examples that Facebook gives in its explanation: the Gym.
It’s definitely good for the Gym (they will not waste money on advertising to someone who is already their member).
It’s definitely good for Facebook (they will sell more targeted ads, increasing the value of their platform to advertisers).
Is it good for me? Some might say yes, because I won’t see the Gym ads any more. But at what price? I will still see other ads. And now Facebook knows that I’m a Gym member. I’m sure lots of advertisers would jump on the opportunity to sell me some Gym gear. I think I’m much worse off here.
What can we do about it?
If you have a Facebook account, I highly recommend checking those two pages I linked to and seeing which companies are sharing your data.
The thing I wonder about most, though, is what other companies my data is being shared with. Companies for which I have no way whatsoever to see such a list…
I guess the best thing to do is to contact these companies and ask them to stop it. Or to file a GDPR complaint. I would also recommend checking out NOYB (None Of Your Business). It’s a privacy non-profit organization that does some great work in this area. Sign up and become a member if you want to support their work further.