Facebook CEO Mark Zuckerberg made several assertions about Facebook’s data collection and privacy controls during two days of hearings on Capitol Hill.
Those included claims that Facebook lets you download your data and take it elsewhere; that users can turn off data collection for advertising purposes; and that Facebook tracks users even when they’re not on Facebook itself, but only for “security purposes.”
In all these cases, the situation is not as clear-cut as Zuckerberg made it sound. Here’s a look at his statements.
Zuckerberg: “People have the ability to see everything they have in Facebook, take that out, delete that account and move their data anywhere that they want.”
The facts: That’s only partly true.
You can indeed download a subset of the information it has collected on you. But the resulting file mostly contains a jumble of contacts, messages and advertisers who have been allowed to target you through Facebook.
That makes the information mostly useless if you hoped to use it to join a different social network, because it’s incomplete and not organized in a way that another service could easily import.
Experts say Facebook has made it technically untenable to take your data elsewhere. University researchers have tried to figure out how to make that data portable, but failed because Facebook keeps changing the public-facing software required.
There are other issues that make true data portability vexing. Zuckerberg alluded to one on Wednesday: Who owns material shared across a social network to multiple users? “Let’s say I take a photo and I share it with you. Now is that my photo or is it your photo?” he said.
Zuckerberg: “There is a setting so if you don’t want any data to be collected around advertising, you can turn that off and then we won’t do it.”
The facts: There is no such single setting on Facebook.
You can limit ad targeting, but it requires several steps, which you may have to repeat from time to time. By default, Facebook shows you ads based on interests you’ve expressed over the years and the companies you have “interacted” with — for instance, by sharing your email or phone number, visiting their website or using their app.
You can turn off such targeted ads with a single option in your Facebook settings. Doing so means, for example, that you won’t get an ad on Facebook for a pair of shoes you just looked at on a shopping website, though you’ll still get generic ads.
But that doesn’t stop the data collection. Facebook also adds targeting categories based on your demographic information, such as whether you might have a child, your birthday and age, what mobile device you use and even your political leanings — whether or not you’ve explicitly shared any of that on Facebook.
Turning off those categories is a chore, as you have to select them one by one in settings. And if you like a new page, click on a new ad or add your email to a new business’s contact list, the whole thing starts over.
Zuckerberg: “There may be specific things about how you use Facebook, even if you’re not logged in, that we — that we keep track of, to make sure that people aren’t abusing the systems.”
At a different point in the hearing, he said: “In general, we collect data of people who have not signed up for Facebook for security purposes.”
The facts: Facebook collects data on your online habits wherever it can find you, and very little of it appears to be for security purposes.
Facebook pays third-party websites and apps to let it place tracking code across the internet and mobile devices. That code can be embedded in browser files called “cookies,” invisible screen pixels, or Facebook’s familiar “like” and “share” buttons.
That code then reports back to Facebook on your surfing habits to help it better target ads. Along with Google, Facebook is consistently among the top three data-collectors in the field, said Reuben Binns, an Oxford University computer scientist who researches these beacons.
In February, a Belgian court ruled that Facebook had violated European privacy law with such tracking because it hadn’t obtained consent either to collect or store the data.