back to article Facebook faces UK data probe

Facebook is facing investigation by UK data protection watchdogs after a complaint from a British user who tried, and failed, to delete his account. Facebook accounts can be "deactivated" but not actually deleted. Your profile remains in the Facebook servers but cannot be accessed by anyone else. The Information Commissioner …

COMMENTS

This topic is closed for new posts.
  1. Anonymous Coward
    Unhappy

    Data Deletion

    I believe this is an important issue, there are many social networking sites that refuse to let you delete your profile, or have the delete link very hard to find. Some let you mark as inactive, others you literally have to try to blank out all the lines and hope for the best.

    Maybe they dont want people to leave so their base of users appears to constantly be growing, or maybe its an aspect which has been overlooked due to them not realising people want to leave. A bit like uninstallers that have been chucked together in minutes and leave all sorts of rubbish on your pc as the developers (or their managers) never figured someone would actually want to use the uninstaller.

  2. Anonymous Coward
    Anonymous Coward

    Server Location?

    Facebook servers are over in the good ole US of A aren't they? Does the ICO cover non-UK systems/companies?

  3. Hindy
    Thumb Down

    Similar problem on My Space...

    I'm having a similar problem with My Space. Except they won't even prevent access to my account. I've request it to be cancelled using the links on the site, e-mailed them, and also put the 'remove profile' comment in my profile, which is meant to flag to them that a parent has took over a childs account. I've had nothing back from them in the 2 months I've been trying.

  4. Anonymous Coward
    Stop

    I've tried and heard nothing yet...

    I have a deactivated account that has been deactivated now for a few weeks. In deactivating the account, I demanded that Facebook remove all my data and all copies of my data and that they do not sell or pass it on to anyone. I've not heard anything from them yet, and if I try to login to my account, I simply get sent the reactivation email, thus showing that they've not bothered.

    Perhaps I should join in the complaint?

  5. Anonymous Coward
    Stop

    Juristicion

    Facebook servers are in the US; UK Data Protection Act does not apply.

  6. Anonymous Coward
    Unhappy

    (untitled)

    I really think this is a feature we should be able to demand.

    Such is the risk we take whenever we are online.

  7. Anonymous Coward
    Anonymous Coward

    I overwrote mine

    I wrote over everything in my old Facebook profile with garbage, deleted all of the pictures, removed all of my photo/video tags, saved it and left it for a few days, and then deactivated it.

    I then started a new one up with a false name, and a false DOB that was near enough to my real birthday that people who know me will be reminded that it's my birthday soon, yet it doesn't risk leaking my actual personal info.

    I'm paranoid about my footprint and where it goes.

  8. Anonymous Coward
    Anonymous Coward

    Doing Business

    However, if they do any business in the UK / hold assets then the data protection laws may very well apply.

  9. Andy Kay

    Edit your details

    can you not just edit your personal details to e.g. Joe Bloggs, 1 Made-up Street, London etc... then they can keep the incorrect information on their database for as long as they like!

    can I have my nobel prize now?

  10. Anonymous Coward
    Stop

    @AC

    "Facebook servers are in the US; UK Data Protection Act does not apply."

    If you were really an expert on this, I suspect you'd know how to spell "jurisdiction"...

  11. Steve
    Thumb Up

    location of servers

    I'm not sure it matters.

    If the company operates at all in the UK then they have to comply no matter where the data is stored, since they sell UK advertising space they must have a UK subsidiary which becomes responsible for the data protection.

    Anyway, the US thinks that it's laws apply anywhere in the world, why shouldn't the UK follow suit.

  12. Biton Walstra

    Forums the same?

    This is also true for lots of Forums around the Globe.

    So when registering with Forums keep your personal data as less as possible or make up some names. ID theft is every where around the corner.

    In most cases they only need your name, dob, mothers maiden name to do the trick...

  13. Anonymous Coward
    Anonymous Coward

    Deleting does not delete on facebook

    I discovered some time ago if you delete a photo on facebook it is not actually deleted - it just no longer appears linked to profiles.

    Try noting down the link address to a given photo, delete it, and then go to that address - it still works.

    the link to a photo I posted then I deleted on facebook is still working months later.

  14. Matthew Hale

    It's easy..

    ....just don't be such a sad b*stard and stay away in the first place! No problem, see?!

  15. Steve Power
    Thumb Down

    Re: Similar problem on My Space...

    I had the same problem with myspace with the delete account link not working. Three emails later, I eventually threatened them with the Information Commissioner and a day later my account had magically been deleted (although I was sent an email informing be that I breached their terms of service). Clearly UK data protection law is not compatible with mySpace's regeme.

  16. Anonymous Coward
    Thumb Up

    Your Data is protected

    There is a data protection covenance between the US and the EU it is called the safe harbour act here is a brief overview, but any google will find it under the term 'safe harbour'. :

    The safe harbor provides a number of important benefits to U.S. and EU firms. Benefits for U.S. organizations participating in the safe harbor will include:

    All 25 Member States of the European Union will be bound by the European Commission’s finding of adequacy

    Companies participating in the safe harbor will be deemed adequate and data flows to those companies will continue;

    Member State requirements for prior approval of data transfers either will be waived or approval will be automatically granted; and

    Claims brought by European citizens against U.S. companies will be heard in the U.S. subject to limited exceptions.

    Any US company dealing with EU countries basically needs to be a signatory of this to take personal data for EU citizens... interestingly you can sue in America for failure to comply

  17. Anonymous Coward
    Black Helicopters

    Consipracy theory anyone?

    It's because the company that runs Facebook belongs to the FBI.

    Of course they don't want anything deleted, they have a database of names and faces.

    All it now takes is for a bit of software to correlate the facebook database with a video stream and you've got an easy way of keeping track of everyone.

  18. Bruno Girin

    Classic problem

    This is a classic problem for any system that needs to manage user data, whether it'd be a social networking website or a company's accounting system. All those systems end up linking events and a lot of different things back to users. Quite often, this data is still needed even if a user leaves the system (or the company) to keep the integrity of the DB. And if the system is very user centric (as a networking site would be), deleting a user can become a nightmare. Hence why a lot of sites never implement it properly as they are too busy trying to get a system out of the door and never think that people might actually want to stop using their service. The 'delete user' function is always in the 'wish list' category of features because it's a difficult feature to implement properly and it brings no business benefit. That is, until it becomes a priority 1 requirement due to legal requirements or very bad customer feedback.

    I had exactly the same problem the other day with a piece of software I downloaded a trial for. I tried it, realised it didn't do what I wanted but the uninstaller failed. So it's still installed and using space on my hard disk. And this convinced me to never buy anything from the company that wrote it.

    Or the same as this ordering system one of my colleagues was telling me about yesterday. It could do everything: create an order, amend the order, change delivery details, the whole lot... except cancelling the order: they had forgotten about that business case. Surely, you'd never want to cancel your order Sir?

  19. Brian Miller
    Gates Horns

    Just break the rules

    If you really want your profile to be removed just host some barely legal porn or commercial advertising. Even better advertise commercial porn.

    this will ensure that they actually remove you as a user.

  20. Anonymous Coward
    Anonymous Coward

    Wheres the tinfoil hat icon?

    I heard facebook was made by ex CIA people to gather people information, and give it to corporations and governments.

  21. Dave

    Re: MySpace

    I had to threaten them with legal action TWICE before they got off their fat a*** and deleted it. I reckon its only a matter of time before there is a proper clampdown on the data protection of these sites - what if you are trying to delete your childs account or what if your account is hijacked?

  22. Anonymous Coward
    Anonymous Coward

    It always helps to know someone who works there...

    ... Knowing someone at FaceBook or MySpace helps. Appealing to their sense of assisting friends tends to get your stuff deleted when you ask them to. Of course, that does not mean that all traces, including backups, are deleted, but at least friends make sure it's done. :-)

    That said, that is a primary reason why I do not join FaceBook, even though many friends have begged me to join. I don't trust a platform like FaceBook, especially when you open up people's profiles to third-party applications.

    At the moment I have a guarantee against MySpace, and that's good enough for me.

  23. Law
    Paris Hilton

    easy enough

    Change your profile information, delete all your friends, then just put in lots of naked pics of women and men on there plus many MANY colourful swearwords..... I bet within a day your account is deleted.

  24. julian

    Re: Juristicion

    Not sure you're correct on this. Facebook's service is available to UK users and therefore UK jurisdiction might well apply - for UK users.

  25. Anonymous Coward
    Anonymous Coward

    INSTRUCTIONS

    You CAN request deletion but you'll need to jump through a few hoops:

    1. The crucial bit: First delete ALL of the info in your profile. Pics, feeds, friends - THE LOT. Anything that can be deleted, delete it.

    2. Next you'll need to deactivate the account.

    3. Now send them an email (privacy@facebook.com) informing them you are aware that they offer a 'deactivate' option but that this is not enough and that you'd prefer that all of your details were erased off the server.

    A couple of days later you should get an email informing you that the account details have indeed been removed.

    That's 'all' you need to do. Yes, a 'delete' button would've been easier.

  26. Anonymous Coward
    Alert

    Ask them to delete your account ..

    .. and you get told to remove the data yourself.

    E-mail sent to Facebook

    "I deactivated my account on Facebook however I am concerned that my

    personal data is still stored on your servers.

    Please can I request that you erase my details from your servers?"

    Facebook reply:

    "If you deactivate, your account is removed from the site. However, we

    save all your profile content (friends, photos, interests, etc.), so if

    you want to reactivate sometime, your account will look just the way it

    did when you deactivated. If you do want your information completely

    wiped from our servers, we can do this for you. However, you need to

    remove all profile content before we can do this. Once you have cleared

    your account, let us know and we'll take care of the rest."

    Completely unacceptable.

  27. Niall
    Flame

    To coin a phrase

    FaceFucked: The state one attains after providing personal information to a third party who them assumes ownership of said information.

  28. Thomas Martin
    Unhappy

    Data is never deleted

    We all know data is never deleted. Once it is set on a computer, many copies will exist for any reason. The main reason is backup copies made daily. Our company has a year's worth of backups. Those can be copied into archives and those archives permanently archived. So in the end, we have over 1000 possible copies.

    We as users of these "free" places should be aware that once we put out information, we lose the ability to know WHO sees it, who HAS it and WHERE in the universe it goes.

    Deleting data went out years ago.

  29. Dan
    Pirate

    YouTube

    I believe the same situation is true with YouTube, deleted videos and even video taken down due to a copyright violation aren't actually deleted but merely excluded from the site. There are/were a few sites that have work arounds that enable you to still view "deleted" YouTube content.

  30. Anonymous Coward
    Happy

    Correct

    Posted by AC : "It's because the company that runs Facebook belongs to the FBI."

    I can confirm this. This is why every decent IT professional steers well clear of this site. They all know that FBI == FaceBook International.

  31. David S
    Flame

    I can kind of see their point...

    "If you do want your information completely wiped from our servers, we can do this for you. However, you need to remove all profile content before we can do this."

    I imagine this probably results from the desire to cover their own asses; deleting an account which has been actively cleared out is safer than deleting a carefully-crafted account which is full of whatever these people have on their accounts, when there's a chance they might have stepped away from their machine for five minutes to grab a cuppa (say) and the "Delete" button was pressed by their oh-so-funny flatmate...

    Making the user jump through a hoop or two to confirm intent can sometimes be justified. Just saying.

  32. Anonymous Coward
    Anonymous Coward

    Read the Terms of Service before you sign up

    It's amazing how many people fail to read the Terms of Service. From http://www.facebook.com/terms.php:

    -----

    When you post User Content to the Site, you authorize and direct us to make such copies thereof as we deem necessary in order to facilitate the posting and storage of the User Content on the Site. By posting User Content to any part of the Site, you automatically grant, and you represent and warrant that you have the right to grant, to the Company an irrevocable, perpetual, non-exclusive, transferable, fully paid, worldwide license (with the right to sublicense) to use, copy, publicly perform, publicly display, reformat, translate, excerpt (in whole or in part) and distribute such User Content for any purpose, commercial, advertising, or otherwise, on or in connection with the Site or the promotion thereof, to prepare derivative works of, or incorporate into other works, such User Content, and to grant and authorize sublicenses of the foregoing. You may remove your User Content from the Site at any time. If you choose to remove your User Content, the license granted above will automatically expire, however you acknowledge that the Company may retain archived copies of your User Content. Facebook does not assert any ownership over your User Content; rather, as between us and you, subject to the rights granted to us in these Terms, you retain full ownership of all of your User Content and any intellectual property rights or other proprietary rights associated with your User Content.

    -----

    Although the Privacy help is somewhat contradictory:

    http://www.facebook.com/help.php?page=9#

    If you're worried about who can see you and what they can see, remember that you have complete control over this and can edit your settings as you see fit from the Privacy page. If you still want to leave Facebook, you can deactivate your account from the "Settings" tab on the Account page.

    Deactivation will completely remove your profile and all associated content on your account from Facebook. In addition, users will not be able to search for you or view any of your information. If you reactivate your account, your profile will be restored in its entirety (friends, photos, interests, etc.).

    -----

    In either case, I think it's only appropriate that users take responsibility for their own data seriously. My dad always told me that unless you want the whole world to know something, never write it down. I think the same applies.

    And, even if you had told Facebook to delete/deactivate your account, you still could have to contend with web crawlers, content indexers, and caches such as archive.org or google.com.

    Caveat Emptor.

  33. John Benson
    Alert

    on anonymity

    I used to worry about whether it was in my best interests to cultivate anonymity on the Web. I opted for the straightforward approach of using my real name and email addresses while minimizing data traces that could be used to take over bank accounts etc.

    One salutary effect of this is that I measure my words and try to say what I really think instead of just venting since I must stand behind what I say (that is, show some consistency and even-handedness) to remain credible in this age of pervasive digital memory. Eventually I'll be signing my public utterances with a digital key so that impostors can't falsely attribute opinions to me.

    Although there needs to be an open anonymous channel for whistle-blowing, I think that most conversation on the Net needs to be traceable and authenticatable because handles bring out the anonymous troll in pretty much everyone. Additionally, the proliferation of email handles makes it much easier to mount Astroturf campaigns and speak as many more people than you really are. Traceability and authentication is also a requirement for confidence in commercial dealings, and between conversation and commerce I think I've accounted for the majority of Internet use.

    That said, leaving compromising data traces on social networking sites seems the height of folly since we truly live in an age in which what only seems to be transmitted in private will be shouted from the rooftops if someone finds it interesting. The bottom line is that the Internet is mostly public record with a lot of commercial data retention and data mining, all laid open to the scrutiny of the authorities. To pretend it is anything else seems rather ingenuous, so it is wise to act accordingly.

    In addition, I view the social networking site phenomenon with considerable alarm, since the connectivity data is not merely interesting to sociologists but also useful in the prevention of freedom as well as terrorism. I feel the same about the online addressbooks and correspondence in those "free" email accounts provided by the commercial data miners. Google already tipped their hand in the People's Republic of China, and at some point we'll all be repeating Frank Zappa's chorus: "And they said it couldn't happen here......"

  34. Andrew Woodvine

    Safe Harbor & The Data Protection Act

    If Facebook have opted to abide by the Safe Harbor arrangement then they have agreed to comply with an EU Directive on personal data and not the Data Protection Act.

    It is against the Data Protection Act to retain personal data for longer than is necessary. If Facebook was registered as a Data Controller in the UK then I guess that being unable to delete your account would result in a breach, as it could be argued that Facebook were keeping data longer than is necessary.

    I've checked on the ICO's site though and Facebook are not on the register of data controllers, so I am unsure as to the grounds for the ICO to investigate.

  35. J.Butler
    Thumb Down

    Same with XBox.com

    .... I even wrote to them to ask them to remove me and was informed there was no functionality for removing people. Apparently there is someone there who can manually remove people.. but he's far too busy to deal with members of the public!

    I'd say this is par for the course with virtually every place that asks you to register, unregistering doesn't help you users count much does it?

  36. RW
    Mars

    Who pays for social networking sites?

    "There's no free lunch." Who, then, pays for these "free" social networking sites?

    The answer seems obvious to me: Facebook, MySpace, et al are clearly tentacles of "marketing", that same bunch of dimbulbs who brought us the TJX mess. They want to amass as much information as they possibly can so they can ram "tailored" ads down our throats.

    And don't kid yourself about Google and their acquisition of, inter alia, blogger.com; nor Ebay, for that matter. Those guys are saving everything scrap of information they can accumulate about you and have no intention of deleting it, lest they damage its value to marketers.

    In my more lucid moments, rare as they are, I suspect that the surveillance state Britain has become and the US would like to become are actually nothing more than highly advanced schemes to the same end, viz collection of marketing information. Once the Bush administration has compiled Total Information Dossiers (tm pending) on the entire population of the US (and as much of the rest of the world as they can manage), it'll all be auctioned off to the highest bidder, the better to sell us Chinese-made gewgaws constructed of deleterious substances.

    Myself, I don't let many sites set cookies on my machines, and those that do have to be satisfied with session cookies. The few exceptions are personal profile sites where I've actually *paid*. Interestingly when I tried using session cookies with Google, it didn't work: Google, in some particulars, demands *real* cookies, not session cookies. For that reason, I deleted my blogs from Google and closed my account, and won't let Google put any cookies on my machines for any reason.

    If a site won't work under these restrictions, I go elsewhere.

    Principle: Protection of privacy has to start with the individual not cooperating.

  37. Anonymous Coward
    Pirate

    Force them

    I had an account with a popular job networking site. I joined it in a moment of stupidity only to find later I'd rather do without it. They made it difficult to delete my profile so I contacted them and told them I was going to add abusive, racist rhetoric to my profile. They ignored me, so I did. I made a nice crazy racist nazi site and was really getting into the swing of it when they finally twigged and removed it.

    Presently I'd consider adding lots of nice information about bomb making, beheadings, paedophilia and generally anti-Bush content. I'm pretty sure they'll prick up their ears and remove your account nice and fast. And until you do, you can have lots of fun with it.

  38. Anonymous Coward
    Go

    Amnesia

    Actually, its for your own good if they don't allow you to delete your data.

    Without that data, were you to get retrograde amnesia, you'd never know about that time you skipped work and went to the Halloween party dressed as a faerie. (yeah I'm lookin' at you jobless guy from Boston)

    That's something that you should never forget, lest you be bound to repeat it.

  39. Anonymous Coward
    Anonymous Coward

    Shit!

    http://www.guardian.co.uk/uklatest/story/0,,-7091090,00.html

    Maybe Facebook and co. should just copy these guys? Unwanted data retention? Problem solved. Send it to the NAO.

  40. Jay Zelos
    Coat

    It's all in the paperwork

    "My dad always told me that unless you want the whole world to know something, never write it down."

    I know a tax advisor who gives the same advice.....

  41. Richard Neill

    Backups?

    How exactly are you supposed to delete user data from your backups? If you keep nightly backups of archived data on something like a CD-ROM (or even in a tarball on disk), then the best the site can do is delete a user from the live version. There's also the Internet Archive, which specifically exists to prevent the problem of dangling links.

  42. Anonymous Coward
    Anonymous Coward

    title

    Has anyone tried to have photos taken down on someone elses profile because they (not the profile owner) holds copywright?

    Or perhaps that is the way you can do it.

    Dear Facebook,

    All the photos and videos I uploaded were taken by my brother. He didn't give me copywright so I had not right to put them on the site. You therefore have no rights to keep or use them and in doing so you will in breach of copywright law. The legal copywright holder demands they be completely deleted.

    Thank you

    Anon Coward

    hmm. Perhaps you could sign up with RIAA and say any videos are music videos and facebook is stealing them the scury pir8s

  43. Gower

    Anti Facebook Slurs

    I quite often write in the "user is" section anti facebook slurs no swear words but theories (mostly stimulated by Reg reading) user is sure that Facebook is a huge Market research project etc. and they get removed...

  44. John
    Pirate

    Facebook, Myspace, Sadville etc...

    Ha ha, sucked in!

    Just stay away, its actually quite easy to do.

  45. Brett

    @Gower

    Its only a slur if its not true.....

  46. Tony
    Stop

    Foxy knoxy

    Why would any sane person put themselves on these site? Aside from giving all your private info to god knows who, look at Foxy Knoxy.

    I have no idea whether she did it but how long did it take the global media to get all the dirt on her and a load of dubious pictures - all of 5 minutes at best from her Facebook proifle. Now everyone in the world who receives any form of media knows about her and has several dodgy pics of her imprinted in their mind. She's toasted herself if she goes to trial.

    Anyone who uses Facebook and thinks it is private or secure or you have any control of data you send them is bonkers - even more bonkers than the halfwits at HMRC.

  47. Jim McLachlan
    Flame

    Not joining or visiting is not good enough

    Watch out people. Especially those sarcastic ones amongst you who think that only the saddos that publish all their details will fall into the clutches of the Web 2.0 data hoarders.

    I wouldn't touch one of these personal information suppliers with a long, insulated, anti-bacterially protected stick. However, Facebook got my details because one of their victims decided to "invite" me using their e-mail address gathering system.

    Having read their privacy policy and finding that it is the responsibility of the inviter to tell the invitee that they can request their details are removed (even though they don't tell the inviter to tell the invitee this fact), it still took several e-mails to break through their auto-denial responders. They kept insisting that I didn't have a Facebook account.

    Eventually, I got confirmation that my details had been removed. Somehow, I don't believe them.

  48. Cameron Colley

    Surely they tell you this when you sign up?

    I'm pretty sure that, when I signed up to myspace (under an assumed name to gain access to someone else's content), they made it clear that the data could not be deleted so, if I wanted to clear the profile I would need to overwrite anything I wanted to get rid of.

    Personally though, I've no idea why people sign up to these sites -- there are other ways of staying in touch with people, some of them using the internet, that don't require you to give your name, date of birth, plans for the weekend and bra size so they can do what they like with it.

    Re: on anonymity

    I prefer to remain anonymous because, while the opinions I express on the internet are generally my honest and considered, I understand that anything posted on the internet could potentially be here for a long time -- and that any future employers, governments, or partners may read my comments. People who have strong convictions and opinions will always be better to post anonymously.

  49. peter koy
    Thumb Down

    Facebook - FBI??

    Is that proven?

    They only have my fake details, but plenty of people use their real names and DoB info...

  50. jolly
    Paris Hilton

    Some sort of outer join perhaps

    If deleting data would mess up db integrity (if that really *is* the reason) why not just use outer joins in the SQL code. Just a thought.

  51. Anonymous Coward
    Black Helicopters

    @Peter Koy - Facebook - FBI??

    "Is that proven?"

    Yep, 100% verified!

    "They only have my fake details..."

    Makes no difference, if you are using the same keyboard entering fake and real data, even on different websites: Every keyboard writes letters with a unique 'signature', and thus FaceBook International/FBI can match fake and real details.

    Wrapping more than. 4 inches/10 cm of the the cord of the keyboard in tinfoil blocks the unique signature of the keyboard.

    If you are using a wireless keyboard (or mouse) only a tinfoil hat helps.

  52. Daniel B.

    Facebook

    So it seems a good thing I didn't bite into it. I actually didn't even budge on creating a Facebook account, because I thought I already had one ... I was confused by the Facebox service. Mind you, all of those services are the same shite, only packed differently.

    The first one I remember was hi5, which was kind of fun; then a lot of these thingies started sprouting overnight so badly it just wasn't fun anymore. I kept myself only using the live spaces (only because I use messenger) and hi5 ... just because its there. I was fortunate to get a referral on LiveJournal (an older, but less Web2.0-ish blog service) though I haven't used that one too much.

    Bleh.

  53. Richard Hicks

    Reason for clearing profiles...

    Perhaps the reason for asking users to clear profiles of all data, is because they have set up a script to check physical files vs database entries. Any orphaned files... delete. Certainly seems an easy way to 'circumvent' not having an account deletion procedure at launch, as someone suggests above.

  54. Marc Jones
    Happy

    I deleted my account!

    I requested to have my account deleted and all information erased a few days ago. I got a reply asking if I was sure, telling me to remove whatever is in my profile and then letting them know. I got a confirmation email yesterday saying that all my information had now been removed from their servers! So I guess you can delete your account :)

This topic is closed for new posts.