Home Affairs CommitteeWritten evidence submitted by Facebook [EC 21]

Further to your letter of 25 March 2013, I have provided further information from Facebook relating to your inquiry:

1. Facebook user numbers in the EU: Facebook does not provide public data on the number of active Facebook users in the European Union as a whole. However here are the monthly active user numbers for the largest five markets in the EU made public at the time of our most recent quarterly results:

UK 33 million.

France 26 million.

Germany 25 million.

Italy 23 million.

Spain 18 million.

2. HTC phone and pre-installed Facebook features: In retrospect, Mr Ruane’s question was probably prompted by press speculation about a product launch, which was pure speculation on the day of the hearing itself. On 4 April 2013, Facebook announced the launch of Facebook Home. This will come preinstalled on HTC phones in the US. It can be turned off at any point by the user and can also be uninstalled at any time. When Facebook Home is active, we will log information about the user’s activity on Facebook’s suite of products. In addition to the standard information we log with all our apps, we will also log notifications and app information when they interact with Facebook Home. We do not log or track the user when they use apps independent of Facebook on the phone.

3. People reporting crime on Facebook: While Facebook makes it easy for people who use our service to report potential abuse or violations of our terms of service, we do not have any specific data which relates to the Committee’s question about reports of crime. Instead our Help Centre advises users to contact local law enforcement if they wish to report a crime. An example of that advice is shown in the screenshot below, from the Help Centre, relating to human traffic:

4. Data collected when people use other sites: All the questions raised under this point are addressed in considerable detail in two reports of the Office of the Irish Data Protection Commissioner (I-DPC) in December 2011 and September 2012, which can be accessed at the links below, including detailed, independent technical appendices. Both reports and their technical appendices were published in full.

http://www.dataprotection.ie/docs/Facebook_Ireland_Audit_Report_December_2011/1187.htm

http://www.dataprotection.ie/docs/Appendices_to_Facebook_Ireland_Audit_Report_Dec_2011/1

188.htm

http://www.dataprotection.ie/docs/21–09–12--Facebook-Ireland-Audit-Review-Report/1232.htm

In summary:

Facebook’s Data Use Policy states that we delete or anonymize data collected through social plugins on other sites within 90 days. This has been verified by the I-DPC.

The I-DPC reviewed Facebook’s data security operations and concluded that: It is important to state at the outset that as could be expected FB-I places an enormous and ongoing focus on the protection and security of user data. Our audit has confirmed this focus. (December 2011 report, para 3.9.4)

And further: The majority of the controls described by FB-I appeared to this Office to be effective. It can be reasonably concluded that if large-scale, frequent data breaches were taking place on Facebook’s corporate networks, that this would be widely reported, particularly considering Facebook’s global profile. Since this is not the case, the information security controls in Facebook appear to be preventing these types of incidents. (ibid, para 3.9.6)

Facebook does not share information collected via social plugins with third parties over and above the information shared by an individual making use of those websites. This extract from our Help Centre makes this clear and explains the reasons we collect this information:

What information does Facebook get when I visit a site with the Like button or another social plugin?

If you’re logged in to Facebook and visit a website with the Like button or another social plugin, your browser sends us information about your visit. It’s important to note that Facebook is not retrieving this information. Rather, since the Like button is a little piece of Facebook embedded on another website, the browser is sending information about the request to load Facebook content on that page.

We record some of this information for a limited amount of time to help show you a personalized experience on that site and to improve our products. For example, when you go to a website with a Like button, we need to know who you are in order to show you what your Facebook friends have liked on that site. The data we receive includes your user ID, the website you’re visiting, the date and time and other browser-related information.

If you’re logged out or don’t have a Facebook account and visit a website with the Like button or another social plugin, your browser sends us a more limited set of information. For example, because you’re not logged into Facebook, you’ll have fewer cookies than someone who is logged in. Like other sites on the internet, we receive information about the web page you’re visiting, the date and time and other browser-related information. We record this information for a limited amount of time to help us improve our products. For example, we sometimes find bugs in the systems we’ve built to gather aggregate data on how people are interacting with sites that use the Like button or other social plugins. It’s helpful to be able to reference this anonymized information when investigating these bugs so we can find their sources and fix them quickly.

As our Data Use Policy indicates, we use cookies to show you ads on and off Facebook. Regardless of whether or not you’re logged in, we don’t use the information we receive when you visit a site with the Like button or another social plugin to create a profile of your browsing behavior on third-party sites to show you ads. However, we may use anonymous or aggregate data to improve ads generally and information we receive to study, develop or test new and existing products or services. We delete or anonymize the information we receive within 90 days, and we don’t sell it to advertisers or share it without your permission.

5. Do Not Track (DNT): Facebook believes in the importance of user control of data about them and therefore we are supportive of the efforts of stakeholders, including at the World Wide Web Consortium and the Digital Advertising Alliance, to develop a standard for DNT that will enable people to control their information as they browse the web. We are actively involved in those industry-wide discussions, which cover many difficult technical questions that will need to be resolved before any DNT standard can be adopted.

6. Review processes for Facebook apps: Facebook provides extensive information to users in respect of applications, including the data being shared with each application upon its installation. Applications can only be installed once the user has given permission for such sharing. The policies which developers have to comply with are clear and we take a number of steps to enforce them. Our actions in this respect were audited by the I-DPC and this excerpt from the audit report summarises the I-DPC’s assessment:

“The role of Platform Operations is to enforce Facebook’s Platform Policy, interacting with developers of third party apps and developers using the social graph, ie, social plugins, to ensure adherence to Platform Policy. An examination was conducted of the work queues of the Platform Operations Team. It was noted that Facebook has now introduced a number of automated tools, developed in Dublin, to proactively and automatically identify and disable applications engaged in inappropriate activity such as spamming friends or friends of friends, excessive wall posting, etc. The Team also responds to specific user complaints regarding the behaviour of applications and enforces a graduated response against the application and the application provider depending on the nature of the contravention of the Platform policy. We examined one complaint from a user in relation to unauthorised use of Intellectual Property by another developer which was received on 9 November and action was taken to delete the application within 2 hours. The account of the developer was disabled and all other applications which they had developed were also subjected to review. We also examined a phishing complaint received from a user who reported an application trying to retrieve their email and password. The application was immediately disabled and further action taken. It was also pointed out that in line with Facebook’s real name culture that all applications (even those developed by the large games developers) must be developed by and attributable to an identifiable user on Facebook.” (December 2011 report, para 3.6.5)

7. Reports of hijacked accounts or scams: Anyone believing that their account has been hijacked or hacked is advised on our Help Centre to go to: www.facebook.com/hacked where they can manually lock down their account with immediate effect, reset their password and take other steps to secure their account. Any user reporting that their friend’s account may have been hacked is provided with the same advice—ie their friend should take these steps. We also take a number of preventative steps to guard against the possibility of an account being hacked:

Recognised devices: Facebook allows people to register devices that they use Facebook on regularly.

Remote log-out: If someone forgets to log out of Facebook, they can remotely log off any live session they have running by accessing this tool in their security settings.

Secure browsing: Facebook encourages all users to turn on secure browsing for added protection (add “s” to the end of http in their browser address).

Login notifications: We send notifications every time an account is accessed from an unsaved device.

Login approvals: If someone logs in from an unsaved device, we will send a code to their registered mobile phone to authorize that log-in.

8. Hacks against Facebook: Security is a top priority for us, and we devote significant resources to protecting people’s accounts and information. We maintain a strong relationship with security experts around the world and work closely with them in the rare instances in which they find vulnerabilities on Facebook. We’ve created a simple form for these people to contact us that we link to both from our Help Centre and from the “Whitehats” tab on the Facebook Security Page https://www.facebook.com/whitehat. We also recently rewrote our responsible disclosure policy to make it even easier for researchers to let us know when they find a vulnerability, so we can fix it quickly and before it is exploited.

I hope that this further information is useful to the Committee.

Simon Milner
Policy Director, UK
Facebook

April 2013

Prepared 29th July 2013