Facebook collecting people's data even when accounts are deactivated (digiday.com)
366 points by karlzt on Jan 6, 2022 | 129 comments



It's worse than that. FB maintains "phantom accounts" for everybody whether you have a FB account or not.

I've never had a FB account, but some years ago I got an email from FB listing a number of my friends and family and saying, "All these people have FB accounts. Wouldn't you like to join FB?"

The email included a reply option labeled "don't contact me again," which I chose and then replied. But a few months later I got the same invitation.

Needless to say, I found that to be deeply disturbing, and it confirmed my determination to never subscribe to FB. Later I learned about the phantom accounts. I'm sure FB maintains a dossier on me to this day.


> The email included a reply option labeled "don't contact me again," which I chose and then replied. But a few months later I got the same invitation.

All that clicking that link told Facebook is that you're a real person who reads their emails. It's like when you pick up the phone for a telemarketer, now they know they can continue bothering you because you're a real person and you answer your phone.


Wonder if that’s a fake account creation edge using that, if that signal is interpreted that clearly. Set up a bunch of fake emails, upload your “contacts” to some compromised accounts, have them click on links in the emails to enroll in FB.


> It's like when you pick up the phone for a telemarketer, now they know they can continue bothering you because you're a real person and you answer your phone.

The few times a telemarketer reaches through to me on one of my phones, I've put them off by asking in a niche foreign language in that nation whether they speak that language. Most of the time, they immediately hang up and I never hear from them again. Sometimes, they repeat their script, then hang up. I've never had someone respond in that language (that would be a blast to address).


Another strategy that works well-enough is to ask for their company's legal information and a statement on how they obtained your personal information. I have yet to find a telemarketer who wouldn't hang up on me pulling that trick.


"Email verification."

Tech companies prey on people's sense of good faith.


Or worse, phone # for "security".


It will not stop there.

Expect to be asked to provide more "factors" in the future.


That's a technique for avoiding criminals outside the reach of US law...


Last time I got spam from an unwanted social media service (MyHeritage), I logged in, made sure to "unsubscribe" from all communication, and set the interface language to Chinese.

Guess who gets "smart matches" spam in Chinese.


I wonder if one could successfully apply for a restraining order against Facebook's messaging, on the theory that it's harassment.


Doable. But need $. It is a restraining order, not a lawsuit. It is harassment basically if they send into your email inbox unwarranted. Same goes with robot calls, and it is hard to stop them not even with Congress passing laws to deal with them. At this stage, we just have to ignore it. You might want to opt for text-based emails which won't trigger any html/css feedback to FB knowing you read it (maybe tutanota mail?)


Too lazy to internet search, can you apply a restraining order to an organization?


Most emails have an unsubscribe button; it’s easier than a restraining order, I think.


Only if the person sending you email abides by the "unsubscribe" and doesn't just use it to confirm that you use this email address.

I would lay money that Facebook just uses that unsubscribe as another data point.


> but some years ago I got an email from FB

I'm curious how it got your email -- and decided to use it. I have several publicly visible emails, and they've received plenty of spam, but none from FB like that.


People allowing the app to access their contacts presumably. Contacts can contain email addresses as well as phone numbers.


I'm pretty sure FB accessed the contact lists of some of my friends. I've never installed the app or otherwise interacted with FB.

I also know that one of my so-called "friends" posted a group picture with me in it, and labeled the people in the picture. At one point I did a search to see what information was out there about myself, and that picture popped up associated with my name.

I guess that I'm just another casualty of the information age, in spite of my best efforts.


I have resorted to actively asking people to not tag me in photos.


We reach.

But with ML facial recognition I figure the jig is up.



Clearview is notable only for their brazenness. It's easy to code up face recognition these days if you have the data, and again, it's brazenness (in scraping) which is Clearview's main advantage here.

In general, AI that's hawked at CEO types and police is mostly snake oil, inferior to what you can make yourself if you read hackernews and are willing to dive into Arxiv.


I know someone that did the initial internal report to Apple about this years ago. This is exactly what it is. They use your contact data to create what are essentially graph nodes in a database, even if you've never signed up.

Not sure how much of that has changed since then. But contact data is by far the most valuable mined from phones. Facebook is no exception.


Probably FB has enough tech and data to recreate a virtual you as NPC in metaverse.


"'Login with Facebook' today to claim your NPC in the metaverse" /shivers


They do the same in WhatsApp, the app collects your personal data through your acquaintances, and they hold your social graph even if you're not a WhatsApp user.


There's a reason Facebook paid billions for an essentially free (and ad-free) chat app and chose to leave it that way.


Didn't LinkedIn once (ten years ago) ask for your email login credentials when you signed up?

I know it suggested my ex-girlfriend as a connection when I opened my account, five years after we'd last talked.


Dude, sometime around 2010-2014, FB was asking users for the email accounts of their friends 'to contact them on their behalf'. I may have the dates wrong, but I remember being pretty pissed at the time, as my so-called 'friends' were feeding them not only my email but other info as well through polls and stuff. I never used FB at all - yet I was getting emails as described by author, but years ago when they pulled that BS. I'm on Facebook and linked to it without ever opting in, because of what my own friends/family/coworkers give them.


From your friends and family's phones, where they have a contact card for you, nicely labeled.

There's a lot of data flowing around out there, and people overwhelmingly willingly hand it over. You'd think that there would be a law that, having collected that data, they would be required to hold it in confidence - Not for you, but as an agent of the friend who gave them that data. And there likely is, but good luck getting it enforced.


Facebook doesn't scrape random websites for contact info. They used to rely on connecting to your Hotmail/Gmail account about a decade ago, and parsing contacts from people "stupid" enough to install FB app on their smartphone when such things started to spread. Facebook certainly knows my phone number although I've never had a Facebook account: that's completely fucked up.


as far as receiving the email, it may have been one of their friends sent an invite, but the list of people they likely knew probably left a bigger impression than "so and so wants you to join facebook"

This is basically how LinkedIn grew their network - read your addressbook, put a "invite everyone you know" button in the on-boarding slideshow. Facebook just does the extra work of noticing your email in other people's address books, so they can tell you who your friends will be before you even sign up.


Nope, it wasn't an "invite" from any friend. It was an email from FB itself. My understanding is that this was a short-lived campaign of theirs that was discontinued after they got some blowback. But I'm sure they still maintain a dossier on me.


I've been receiving emails but of the joining as an employee variety. It started as LinkedIn recruiter spam which I ignored but then I discovered they had signed me up to one of their "working at Meta" newsletters. Not only creepy but a violation of LinkedIn's anti-spam policies.


By clicking "don't contact me again" you were actually confirming that the email managed to get to a valid mailbox. What you should have done is really report it as junk to your email provider so that they can block it in the future.


I've always suspected that Google does something like this with everyone a person emails via Gmail. I don't know this, it just sounds like something an advertising company would do.


Is Facebook anything else than an advertisement company? I mean, apart from being a political police company working with intelligence services across the globe to crush dissent, obviously.


It’s probably because your friends chose to sync contacts and your phone number was there.


> I'm sure FB maintains a dossier on me to this day.

I almost read that as FBI dossier. Similar idea, though presumably for advertising purposes.


FB is just another ad selling company. If you have an account it helps them know about you, if you don't have an account it makes sense they'll still have a profile for you.


FB wants to track all your networks, whether they are onsite or not. Once the databases via your email or other (Cell #) get shared amongst corporations, through agreements, buyouts, or 'hacked leaks' they get access to other info quite easily


[flagged]


> I have no idea if it's true.

Please avoid such comments, they just add noise and distract everyone from the original discussion.


That comment was very relevant, although not 100% true. Facebook does (or at least did) incentivize people to post photos of users who don't have a photo yet, and to "identify" people even if they don't have an account. That's part of their phantom profiles exposed by Max Schrems and friends.

To my knowledge, there is no monetary compensation involved (bounty) though.


So let’s say you run an e-commerce site. Someone adds a bunch of stuff to their cart. You want to remember this so that when they come back their cart is still filled in. Is that a “phantom account”?


That's generally done with browser cookies. But not such a phantom account. Nowhere near the same.


So let’s say the company wants to save the cart, the user’s favorites, and their search preferences so when they come back it’s still there. A cookie isn’t a database. So they store that info in a DB using the cookie id as the index. Is that a phantom account? You’ve got rows in a DB for a user who never signed up.


Generally when you want to save favorites, most, as far as I've used, storefronts require that you create an account before allowing those functions.


You can book a hotel room as a guest on many hotel sites


No. What are you getting at? Better to not be deliberately obscure about it.


And? In free countries, I don't need your permission to remember who you are and facts about you.


That's laughably incorrect. Whatever "free country" means, there are precise rules regarding the info you're allowed to keep and organize about me.


I'd rather not take the side of the person you're responding to, but it's unclear what you mean. You can certainly keep and organize as much info about your neighbor or the president of the USA as you want.


Facebook does not maintain "accounts" on non-users in a meaningful way and they have stated this multiple times to multiple regulators [1]. An email campaign being sent to an intersection of a bunch of users' contacts is not evidence of "phantom accounts".

[1] https://about.fb.com/wp-content/uploads/sites/4/2018/06/fina...


You mean the Facebook that paid $4.9 Billion to protect their CEO from government scrutiny? The facebook that stated multiple times to multiple regulators that they would not use whatsapp user data for ad serving purposes.... and then they did it anyway?

Pardon my skepticism if your only source of truth is "Facebook told regulators".


The choice is between multiple regulatory investigations not actioning this specific issue over multiple years of some of the most intense global scrutiny on a company in recent history versus believing somebody's tangentially related anecdote.


You might be right or wrong, I don't know, but I can say with great certainty that a regulator doing nothing in the face of multiple credible accusations has no relationship to whether those accusations are true or not. Sometimes the regulator is overloaded/backlogged, sometimes they have been captured by the industry they regulate, sometimes there is pressure applied to not investigate, and so on. But it need not mean that there was no wrongdoing.


BS. I 'deleted' my Facebook account years ago, but my GF still gets "Wish $first_name a happy $year-1900+$suffix birthday!" emails every January 1. The emails still include a thumbnail of the photo from my account.

Facebook doesn't delete shit. If you work at Facebook, you need to evaluate the ethical course of your life and career and reconsider the choices that led you to this place. There are other employers that pay almost as well and that don't treat 1984 like a mission statement.


Expect Yann LeCun to appear at any minute to say he is practically a saint for working at Facebook that he is doing it for the betterment of humanity and not for money since he could "earn much more at many other companies"


Yeah...OP is a shill. And "Facebook" on a resume isn't a positive for many of us.


> Facebook does not maintain "accounts" on non-users in a meaningful way and they have stated this multiple times to multiple regulators

And surely they'd never mislead anybody regarding what data they keep.

Which admittedly makes it a bit hard to explain how, despite having completely deleted my account several years ago (yes, not just deactivated, I went through all the little guilt-trip pleas not to delete), they managed to accidentally (a bug, presumably) send me a Friend Suggestion email several weeks ago (suggesting someone I actually do know, no less) considering that by their own words they should have wiped both that email address and the social graph associated with it several years earlier...


Same boat - I get really frustrated by the “someone tried to access your account” emails from Facebook.

Oh, you mean the account that you confirmed as deleted 8+ years ago??


We trust what facebook says because it's a trustworthy company that never lied to anyone, right?


Yeah, it's not in the same table in the database as the regular accounts, so they don't have "accounts".

There's still a list of names and a bunch of data. No question.


And you believe Facebook's statements why?


Now imagine this company building the metaverse. I’m so scared about it.


A digital company store run by Facebook is pretty terrifying to think about. It'll be like if AOL actually ran the entire internet.


I trust AOL way more than I trust Facebook.


Well, one of them, anyway.


This is why I simply maintain my own FB profile but portray my interests so poorly it’ll never be of any value to Facebook advertisers.

It works, too, the ads I get are so wildly irrelevant it’s comical.


That’s naive. If you have a Facebook account they know every website you go to that has affiliate advertisement or a like button on it. I’m sure they also broker data from other companies and mine it from public sources. My uninformed guess is that < 10% of the data Facebook has on any given person comes from their actual interaction with Facebook.com.


Unless you are using Facebook containers in Firefox, or even self-destructing VMs to access it (as I do).


Or just use an ad-blocker extension like uBlock Origin, which blocks Facebook's trackers (and Google's, and others).


TikTok aside they must be one of the least trustworthy major social media companies


At this point I'd put TikTok ahead of Facebook/Meta as the US gov has TikTok on a much tighter leash.


This doesn't make sense for US citizens. In the worst case scenario, the government could seize a company's assets, including the data centers, which contains data on all its users.

In the case of FB, the US government would get that data. In the case of TikTok, it's the Chinese government who would get the data on you, the US citizen.

Objectively speaking, it would be strictly worse if lots of data on US citizens would end up in the hands of the Chinese government, because it's a foreign government and, as we know, information is power. Data on one person is not that useful, data on millions of US citizens, even when noisy, can be extremely powerful.

We also know at this point that a feature like News Feed can be trivially used to influence what information people see and how that information is presented, which then influences the people's opinion of matters in the world, even if the information is delivered via a fun, engaging or funny medium, it's still being absorbed by the brain and the end result is the same: successful control of the information dispersed to the masses.

It's one thing for the US government to influence its citizens opinion (all governments do this for various reasons, for example to cultivate feelings of patriotism and national pride), and it's a completely different ball game if the Chinese government can influence what US citizens think of certain matters. For example, they can try to sway the public opinion towards a political candidate that is more favorable for the foreign government, thereby meddling in a foreign election, only this time it's done with a ton of plausible deniability and the foreign citizens themselves are helping out.

This doesn't mean that Facebook is good, just that it is the lesser of two evils, and, in my opinion, it's a strategic mistake on the US's part to allow TikTok to be used en masse by US citizens. I would have banned it a long time ago.

You could also replace US and China with any other two states that can control what information billions of people see on a daily basis and I would argue the same point.


I'm not sure I buy that.

If we're talking about people who don't have accounts or don't view Facebook (which presumably people with deactivated accounts don't), then they're not looking at the News Feed (or whatever the TikTok equivalent is) and can't be influenced that way.

And practically speaking, there's very little China can do to an "average" American citizen based on browsing habits and stuff like that. Now if a person ever goes to China, then I agree they'd have a problem, but most Americans don't.

Meanwhile, there are plenty of ways for the US government to (legally) use the data Facebook has collected against its citizens.


Imagine China going internet-nuclear and releasing the browsing history of most Americans for the last N years as a giant torrent or searchable webpage, tied to names, accounts, spouses and addresses.


And? Most of that data is already floating around thanks to Facebook and Twitter "like" buttons; Google analytics; CDN Javascript hosting, ISP logs, etc.

And you can't even claim it's inaccessible and hidden away in Google and Facebook data centers, because there's no transparency into who has access to it, so we really don't know.


On the other hand, I trust the US government about as much as I trust the Chinese government, or any other government for that matter. None of them, when push comes to shove, give a crap about a plebe like myself. They’ll all use whatever they have on me to get what they want if I could be of any use in the future.


Would you rather have 2 enemies or one enemy?


Not really an option; when the government wants something they’re basically your enemy. Who cares if China knows everything about me, they can’t get to me, whereas the USA government just has to issue some legal threat and I can’t stop it. China isn’t my enemy and can’t do shit to me. The USA gov might be someday.


> China isn’t my enemy and can’t do shit to me

They're not your enemy _now_ and yes they can affect your life. You seem to be thinking about it as if someone in the CCP will wake up one day and decide to do something about "ok_dad". You're not alone in the country, right? There are other people that influence your life. While you may not be directly targeted, you can be indirectly affected by their ability to influence _other people around you_.

And when it comes to data, individual data is not that useful, it's aggregate data that's useful, which is why we _collectively_ have to prevent this from happening. For example, you don't have to give me your phone number, it's sufficient that your friend who called you gives me access to his contact list.

> The USA gov might be someday.

Two things can be bad at the same time. You could be enabling a foreign country to affect your life, and you could be targeted by the US government.


TikTok is a Chinese company and the USA has literally zero input or transparency into its operation.


You're right, but this is why the US is more likely to bonk them over the head, admittedly this is less of a threat now w/ Biden in Office, but still a threat.

TikTok's biggest short term threat is probably the CCP, which has been increasingly taking a hardline approach w/ their own tech companies (think Ant Financial, JD etc).


Come on.

The CCP is taking a hardline with companies domestically. There's a huge push to stop corrupting the youth, treat data responsibly, etc.

The CCP gives 0 shits what those companies do to the rest of the world, and are probably thrilled if TikTok causes political and social chaos in the US.


>> The CCP is taking a hardline with companies domestically. There's a huge push to stop corrupting the youth, treat data responsibly, etc.

Exactly, w/ 72% of their users being domestic[1], TikTok's biggest short term threat is probably the CCP.

>> The CCP gives 0 shits what those companies do to the rest of the world, and are probably thrilled if TikTok causes political and social chaos in the US.

You're not wrong.

[1] https://www.statista.com/chart/25867/percentage-of-tiktok-us...


Except there were legitimate threats of banning TikTok by Trump which ended with ByteDance making multiple reforms to increase legislative oversight.


Anti-Zuckerberg specific legislation might be good to start looking into, I think. Say what you will about "but corporate culture". Zuck is a known manipulator and liar and he has to be stopped before he does anything else that harms the world


This [0] talk from Computer Chaos Club also points out how all applications that use Facebook as authentication option (or even without it) MUST send user data to Facebook Inc. This of course doesn't require a user to have a facebook account.

[0] https://www.youtube.com/watch?v=y0vlD7r-kTc


FB is cancer. Metaworse.


We desperately need laws around this.


They are already known to not be in compliance with many laws that already exist.


We need enforcement, and we need fines high enough, to make this not worth it.


Fines? How about prison time for stalking?


Exactly. Always read "fines" as "business expenses" if it's in this context. Especially w.r.t FAANG, in which case it's laughably small business expenses. Occasionally they'll be serious but never enough..


Whatsapp (owned by Facebook) was fined 225 million Euros for GDPR violations, the largest GDPR fine to date. Of that, 75 million was specifically for harvesting info from contact lists.


It appears it's nowhere near enough though. Not to mention, Facebook (the main beneficiary of all the illicit data collection) gets away scot-free.


> harvesting info from contact lists

I'm certain LinkedIn was doing it as well, ie. dark patterns to upload contact list then aggressively harvesting new users.


Which ones?


I can't help myself but enjoy the way people think that "laws" is something like a Death Note of sorts. You write it down and the world automagically adjusts itself.


Sometimes you need to help the world adjust, with people carrying guns.


nah, nuke it from orbit, that's the only way to be sure.


I'm okay with the collateral damage this would cause.


Sure, whole countries would be in chaos... but only for a few days, I think. FB isn't doing anything original anymore. There's tons of clones and some are markedly better.

Yea, maybe a few businesses would fail, maybe some people would lose contact with old friends. But if fb is the only way you keep in contact with someone, do you really care about them?

Cost benefit analysis is easy to do, actually pulling the trigger is hard.


>actually pulling the trigger is hard.

I'll push the damn button, no problem. Just show me where it is. However, I'm guessing it's harder to find and is actually split into 7 horcruxes.


Sure, you and I could push the button. But we're not in a position to do so.

Now, all the people in a position to do so are chained by perverse incentives to keep the whole shit show going.


Welcome to the Metaverse!


I deleted my Facebook account in 2008 and never went back. I deeply dislike and distrust Facebook.

That said, it is relevant that they only do this for "deactivated" accounts, and not "deleted" accounts. To give them the benefit of the doubt, those states are different, and if they communicated what they meant by each state, it would be fine with me if they continued tracking people until they actually deleted their accounts.

The problem is that they don't communicate it very well — they didn't back in 2008, and it sounds like they don't do it much better today. That's the sneaky part, not the tracking itself. Well, the tracking is sneaky, don't get me wrong, but if you're on Facebook in 2022, you must know about it and have accepted at some level that it is happening.

I also remember actually getting them to delete my account for good was not trivial. There was a waiting period, and a lot of different ways to accidentally opt out. To be honest, I initially read this article thinking it had been discovered that they were tracking "deleted" users in addition to "deactivated" users this whole time, and it didn't surprise me at all.


By various social interactions I've been basically forced to create Facebook account, as one of the groups use Messenger for catching up. The first friends suggestions were all people who have my mobile number in their addressbook. I haven't leaked to these leeches any other phone number than my own. Now having nothing in common with US of A my various data are owned by and traded by an American company with American intelligence agencies having direct access to them. Americans you suck.


Can you send Meta a GDPR request to find out everything they have on you? Curious if anyone has done this and gotten a result.


Facebook has been known to break the law and stall the release of all data they hold about your person. People often get an incomplete set of documents, and are ghosted when they insist on receiving the missing data categories.


Is there a way to enact the legal system in these cases? Otherwise, what's the point of GDPR?

I know ZuckFuckerberg is a scumbag, but is he really going to break the law?

/s


Like most scummy companies, they bet that you don't have the funds / care enough to sue them.

For example eBay sent an email to me (IP/DMARC/DKIM verified) that they had received the payment and were holding it for 'security reasons' and my account would be penalised if not shipped on time. A week later they sent an email saying that they have suspended the buyer for fraud and that I should contact the shipping company to have the item returned (was already delivered at that time). When contacting them (after 50 bot replies) they just denied sending anything (and that their signatures were spoofed), removed any info of the auction from my account, said their TOS exempts them from any damages, and told me not to contact them again.

Not going through a drawn out lawsuit over $150 where my only proof is crypto signatures as all info on my account was wiped..


Tangentially, I used DKIM signatures as proof (of them unilaterally canceling my order) in my charge back against Harbor Freight and either they just roll over on all chargebacks or it was enough proof to make them.


For a legit company that would be enough to at the very least call the tech department and investigate if the servers have been hacked. Given that their immediate response was to erase all info about the auction ever existing; they knew what was going on..


https://ruben.verborgh.org/facebook/

Facebook claims that the data they have on people cannot be understood by the average person, and because the GDPR requirements state that data needs to be given in an easily understood format, giving this data would violate the law. So they refuse to give it.

This was after months of simply ignoring the requests.

Seriously.


I check on this page every now and then hoping to find an update in favor of the author. Sad there’s been no update for such a long time.


And the GDPR archive is... funny. They're so hellbent on never ever letting anyone export their social graph in a usable format. So, if you request your friend list through the GDPR export tool, what do you think you get?

Names of your friends and timestamps of when you added them. That's all. This is just so ridiculously useless for anything but compliance.

Besides that, there are no user/group/post/whatever IDs anywhere. Everyone and everything is referred to by names and names only. It's hilarious.


That's what I did when I deactivated fb: names and contact information straight onto sticky notes, stuck to my monitor.


There was a negative connotation associated with the FB brand, which caused people to leave, so they rebranded and it's like they have a clean slate. [1] They now seem to be on a hiring spree again to get more people to build a bigger surveillance empire using heavy stock comp. Stock growth is dependent on their ability to keep the masses pacified while hoarding more data and targeting better.

From the Facebook SDK that is embedded on nearly every app that's constantly phoning home, to the largest social media apps, they hoard so much data. If GDPR doesn't unfaze them, I don't know what regulation will.

[1] https://www.businessinsider.com/facebook-employees-are-more-...


So they're going to argue that only elite superhumans who can pass a FB interview loop can understand some attribute-value pairs?

Wow, impressively scummy!


Yes, you can request a takeout - I was able to do it.


A takeout is just the information you created and uploaded to Facebook, like your pictures, comments, statuses etc.

Facebook collects much, much more information about you that doesn't show up in their takeout system's output.


Equifax, Nexis Lexis, Clearview etc all collect your data without you ever making an account. And actually collect highly sensitive information.

What you describe is a feature of the US economy.


Isn’t this what all advertisers do? I’m sure google tracks some concept of you, whether or not you’ve opted into or deleted your account with them.


I prefer an article explaining how over why.


Feds need to raid them and their data centers, and their cloud providers.


Feds are fully plugged in and using the data for various purposes.


It's interesting how the phrase "data about people" gradually changed into "people's data."



