Though Zuckerberg’s hearings failed to reveal the larger threat that faces the common internet user, there were some instances where the grilling had the potential to open gaping holes within the layers of digital data processing across the internet. Cookies, in particular, are gathered and passed between companies regularly. Most of the big media outlets have the Facebook Pixel – the cookie engine – running on their site, which forms part of how their marketing works.
The scope of the Facebook Pixel cookie tool is something TechinDC touched upon a few weeks ago. This key marketing tool provides an added entry point for third parties and is used by hundreds of websites to find links between your Facebook Profile, external website usage and subsequent advertising. As a result of Mark Zuckerberg’s two Congressional hearings last week, more holes have since emerged in relation to third party data abuses sparking increased demand for answers on this matter.
During the Senate hearing, though the term ‘marketing’ wasn’t mentioned at all and ‘cookies’ only mentioned once – and by Zuckerberg at that – the issue of wider internet abuses did surface once by Republican Senator of Mississippi, Roger Wicker, in Tuesday’s hearing.
WICKER: …There have been reports that Facebook can track a user’s Internet browsing activity, even after that user has logged off of the Facebook platform. Can you confirm whether or not this is true?
ZUCKERBERG: Senator — I — I want to make sure I get this accurate, so it would probably be better to have my team follow up afterwards.
WICKER: You don’t know?
ZUCKERBERG: I know that the — people use cookies on the Internet, and that you can probably correlate activity between — between sessions.
We do that for a number of reasons, including security, and including measuring ads to make sure that the ad experiences are the most effective, which, of course, people can opt out of. But I want to make sure that I’m precise in my answer, so let me …
WICKER: When — well, when you get …
ZUCKERBERG: … follow up with you on that.
WICKER: … when you get back to me, sir, would you also let us know how Facebook’s — discloses to its users that engaging in this type of tracking gives us that result?
ZUCKERBERG: Yes.
Zuckerberg’s response suggests an uncertainty as to what exact information is trafficked during each user’s sessions. Whilst waiting for the Facebook legal team to explain the concept further, it is possible to explore this through the readily available and clearly defined Facebook Privacy Policy.
“Cookies enable Facebook to offer the Facebook Products to you and to understand the information we receive about you, including information about your use of other websites and apps, whether or not you are registered or logged in. “
The privacy policy here explicitly states that even if you are not logged into Facebook, the platform is still able to track your movements around other websites. This provides information to Facebook but will also allow websites using the Facebook Pixel, to gain enhanced information about users. On a similar note during Wednesday’s hearing, House Representative Jerry McNerney asked Zuckerberg, ‘are you suggesting that Facebook does not have browsing history?’ when addressing that this information was not available for users to see. Mark Zuckerberg’s answer stated that all the data that Facebook holds is available in the ‘download your data’ option, which McNerney just pointed to not being true; how does someone not registered with Facebook download their data from Facebook? The CEO’s deniability and apparent ignorance on this topic contrasts the terms and conditions above that explicitly say otherwise.
Knowing that Facebook does, in fact, hold personal data based on third party site access – both whilst being logged into Facebook or not, through the use of cookies – this then brings into question exactly what kind of data both Facebook and third-parties actually collect. Once again by referring to Facebook’s policy it suggests they, ‘use cookies to store information that allows us to recover your account in the event that you forget your password or to require additional authentication’. It goes on to suggest they even use cookies to prevent underage people from registering with Facebook, which would imply a monitoring of age.
What’s more, and available for each user to access, is the categories that Facebook place the user in – though concealed as a broader ‘category’, it is unclear to what extent these details are explicit from your personal data, or how the categories are really calculated.
To then flip the coin as to what third-party cookies pull from Facebook data, the Conde Nast privacy policy for instance will explain this further:
If you choose to access, visit and/or use any third party social networking service(s) that may be integrated with the Service, we may receive personally identifiable information and other information about you and your computer, mobile or other device that you have made available to those services.
In short, data collected by third parties becomes linked to Facebook profiles by ‘personally identifiable information’ then it becomes personal data. At this point, there is no clear consolidated writing between sites that documents what constitutes the differences however the links point to the fact that personal data is being abused as demographic marketing data, and users are none the wiser.
The profile that is thus shared throughout the internet is then passed between websites that have no correlation between their own terms and conditions. This is stated in Facebook’s terms, ‘information collected by these apps, websites or integrated services is subject to their own terms and policies’ and you can also see this in, for example, the security terms of The Guardian:
‘The companies that generate these cookies have their own privacy policies, and we have no access to read or write these cookies. These organizations may use their cookies to anonymously target advertising to you on other websites, based on your visit to the Guardian.’
Similar toFacebook’s regulations involving third-party apps, here both Facebook and The Guardian are placing the responsibility of the now external, personal data in the hands of a plethora of other third-party affiliated companies.
The connection with third-party companies has already been raised a number of times, with the hearings serving to outline the frequency of which Facebook has already come under fire and investigation into this matter. In a Reply All episode called “Is Facebook Spying on you?” that aired in November last year, the podcast investigated Facebook’s ability to analyse how a user manoeuvres around other websites through these cookies. What came of the radio show was a series of interviews in which people were convinced that Facebook was listening to their microphones and though inconclusive, the show did reveal how cookies can specifically target users to quite a terrifyingly accurate degree. This proved that, once again, the data being collected is not general demographic marketing information – it is personal data that links back to your personal social media platform and advertises specific things to you.
“It watches what you do and reports it back to Facebook. It can see how long you linger on a certain webpage, it can see if you purchase something, it can see if you put something in your cart on a website and decide not to buy it, it’s kind of, like, an internet surveillance camera.” – Alex Goldman
A hole appears which reveals a disparity between data sharing across platforms. Though each website has some degree of access to data sharing, neither takes responsibility for the data past its immediate use. In essence, any terms and conditions belonging to a platform that is accepted by the user (even if they aren’t read as Zuckerberg stated himself on Tuesday when he uttered ‘people just accept the terms of service without reading into it’) become void once that data is passed onto the next platform, possessing its own Terms and Conditions that the user originally didn’t agree to, but is assumed to be responsible for.
If the data is used by another site that’s one thing, but if it is combined with other data then we enter a realm where each set of terms and conditions only apply to the data gathered and passed on by that site, and only account for the data collected by that site. But no terms and conditions refer to the use of the ability to combine the data collected from both sites.
Others have since also picked up on the sprawling web that such a sharing mechanism, often the result of a single acceptance of ‘Terms and Conditions’ results in. This is demonstrated quite explicitly here, ‘once these personal data leave the publisher, via “bid request”, the publisher has no control over what happens next. I repeat that: personal data are routinely sent, every time a page loads, to hundreds/thousands of companies, with no control over what happens to them’. The profiling that you agreed to is essentially unlocked without your consent, shipped around and tucked away in a transformed form of a broader-internet profile.
The reason Mark Zuckerberg’s hearing is so important to every Facebook user reaches much further than the social-media profiles themselves. The CEO was unable to answer the majority of questions directly because the implications of the little ‘I agree’ box that everyone ticked spreads further than his own, very clear terms and conditions and seep into the depths of third party terms and conditions, and then again further afield. As a result, it isn’t just Facebook nor even just social media that needs to be held accountable here.
The result of these mechanisms is that the online behaviour that we all exhibit on some of the worlds most popular sites, is assimilated together with some of our most personal data from sites we consider discrete. Only for the combined effect to be a detailed, personal profile which was, at best, only passively and in-part agreed to.