Facebook Inc still pursuing dream of spying on users through their webcams and via their touch screens or mobile phones

The Daily Dot, 8 June 2017:

Your worst internet nightmare could be on its way to becoming a reality.

A newly discovered patent application shows Facebook has come up with plans to potentially spy on its users through their phone or laptop cameras—even when they’re not turned on. This could allow it to send tailored advertisements to its nearly two billion members. The application, filed in 2014, says Facebook has thought of using “imaging components,” like a camera, to read the emotions of its users and send them catered content, like videos, photos, and ads.

“Computing devices such as laptops, mobile phones, and tablets increasingly include at least one, and often more than one, imaging component, such as a digital camera. Some devices may include a front-facing camera that is positioned on the same side of the device as a display. Thus, during normal operation, a user may be looking towards the imaging component. However, current content delivery systems typically do not utilize passive imaging information. Thus, a need exists for a content delivery solution that takes advantage of available passive imaging data to provide content to a user with improved relevancy.”

This is the US patent application to which the article is referring.

TECHNIQUES FOR EMOTION DETECTION AND CONTENT DELIVERY

United States Patent Application 20150242679

Kind Code:

A1

Techniques for emotion detection and content delivery are described. In one embodiment, for example, an emotion detection component may identify at least one type of emotion associated with at least one detected emotion characteristic. A storage component may store the identified emotion type. An application programming interface (API) component may receive a request from one or more applications for emotion type and, in response to the request, return the identified emotion type. The one or more applications may identify content for display based upon the identified emotion type. The identification of content for display by the one or more applications based upon the identified emotion type may include searching among a plurality of content items, each content item being associated with one or more emotion type. Other embodiments are described and claimed.

Publication number	US20150242679 A1
Publication type	Application
Application number	US 14/189,467
Publication date	Aug 27, 2015
Filing date	Feb 25, 2014
Priority date	Feb 25, 2014
Also published as	US9681166
Inventors	Barak Reuven Naveh
Original Assignee	Facebook, Inc.
Export Citation	BiBTeX, EndNote, RefMan
Patent Citations (9), Referenced by (2), Classifications (6),Legal Events (1)
External Links: USPTO, USPTO Assignment, Espacenet

Facebook Inc appears to have been granted this related patent, Techniques for emotion detection and content delivery (US 9681166 B2- Publication date 13 June 2017):

ABSTRACT

Techniques for emotion detection and content delivery are described. In one embodiment, for example, an emotion detection component may identify at least one type of emotion associated with at least one detected emotion characteristic. A storage component may store the identified emotion type. An application programming interface (API) component may receive a request from one or more applications for emotion type and, in response to the request, return the identified emotion type. The one or more applications may identify content for display based upon the identified emotion type. The identification of content for display by the one or more applications based upon the identified emotion type may include searching among a plurality of content items, each content item being associated with one or more emotion type. Other embodiments are described and claimed.

BACKGROUND

Users of computing devices spend increasing amounts of time browsing streams of posts on social networks, news articles, video, audio, or other digital content. The amount of information available to users is also increasing. Thus, a need exists for delivering content a user that may be of current interest to them. For example, a user's interests may be determined based upon their current emotional state. Computing devices such as laptops, mobile phones, and tablets increasingly include at least one, and often more than one, imaging component, such as a digital camera. Some devices may include a front-facing camera that is positioned on the same side of the device as a display. Thus, during normal operation, a user may be looking towards the imaging component. However, current content delivery systems typically do not utilize passive imaging information. Thus, a need exists for a content delivery solution that takes advantage of available passive imaging data to provide content to a user with improved relevancy.

Facebook also appears to have been granted a US patent in May this year for Augmenting Text Messages With Emotion Information (US 20170147202 A1).

According to CBINSIGHTS this patent would; automatically add emotional information to text messages, predicting the user’s emotion based on methods of keyboard input. The visual format of the text message would adapt in real time based on the user’s predicted emotion. As the patent notes (and as many people have likely experienced), it can be hard to convey mood and intended meaning in a text-only message; this system would aim to reduce misunderstandings.

The system could pick up data from the keyboard, mouse, touch pad, touch screen, or other input devices, and the patent mentions predicting emotion based on relative typing speed, how hard the keys are pressed, movement (using the phone’s accelerometer), location, and other factors.

Would you trust these men with your personal health information?

The darknet vendor says they are “exploiting a vulnerability which has a much more solid foundation which means not only will it be a lot faster and easier for myself, but it will be here to stay. I hope, lol.” [The Guardian, 4 July 2017]

Left to Right: Minister for Human Services and Liberal MP for Aston, Alan Tudge

& Minister for Health and Liberal MP for Flinders, Greg Hunt

These two federal politicians have portfolio responsibility for some of the largest government databases in Australia.

One has portfolio responsibility for those sensitive e-health records which are due to be rolled out nationally on an opt-out basis by 2020.

This is how secure your personal information is on their watch…….

The Sydney Morning Herald, 4 July 2017:

The Australian Federal Police is investigating reports Australians' personal Medicare details are being accessed and sold on the dark web, an apparent breach that has been labelled an "internet catastrophe".

According to a Guardian Australia report, an online vendor can pull up the full Medicare card details of any Australian on request — and is selling them for around $30 each — indicating a security hole somewhere in the health system.

Human Services Minister Alan Tudge said the government was taking the matter seriously. 

The sales are reportedly listed on an undisclosed dark web marketplace, in which the vendor claims to be "exploiting a vulnerability" in order to run software that pulls the data. The vendor calls it "the Medicare Machine".

"Leave the first and last name, and DOB of any Australian citizen, and you will receive their Medicare patient details in full", the listing says, adding that the nature of the security hole being utilised means the vendor will be "here to stay".

In a statement, Mr Tudge said any authorised access to Medicare card numbers was "of great concern" and his department was also conducting its own investigation. 

Medicare's database was always a honeypot waiting to be exploited once governments embraced data matching, data retention and data sharing with much enthusiasm but little understanding.

Once someone decides they want your Medicare details ID theft is now just 0.0089 bitcoin away - as is your abusive former spouse/partner or that anonymous stalker or Internet troll that has been making your life a misery.

UPDATE

Anthony Baxter, 4 July 2017:

You supply the person with name, date of birth and gender and around $30 of Bitcoin they'll give you the person's Medicare number. This is pretty bad, as it allows idemtity thieves to forge them - a Medicare card is usually worth 25 points on the standard 100 point ID check here. The AU govt had no idea this was happening until the journo from The Guardian let them know.

It turns out there's a portal that any health care provider can use to look up Medicare numbers this way. In case you've lost your card or whatever. Likely it's someone who works for one of them selling access, or someone's popped a PC there (more on that to come).

When asked, the relevant government minister (the same guy who presided over the Census fuckup last year (update: I misremembered, that was a different clown), the accidental publishing of PBS data that was poorly deidentified and the ongoing Centrelink robodebt nightmare) claimed it's OK because you can't get access to someone's medical records through the shiny new online electronic health records system with just a Medicare number. Aside from ignoring the ID theft issue there's a liiiiiittle bit of an issue here.

Guess what information you need along with the Medicare number to pull someone's medical records? Did you guess "name, date of birth and gender"? Collect your prize.

According to https://www.itnews.com.au/news/govt-blames-medicare-card-breach-on-traditional-crims-467502 the folks who did the Privacy Impact Assessment on the electronic health records system were told it would be secure because you needed Medicare number as well as name/DOB/gender and weren't told you could use the latter to look up the former.

It Gets Worse.

In theory you can only look up this stuff from a secure endpoint, with a client side certificate installed. Which in practice means maybe 20K PCs scattered across every doctors office in the country. Worse still, many of these client certs were originally sent out via unencrypted email, and a nontrivial number were "lost". And you reckon all or even a significant fraction of these 20K boxes are running modern Windows with up to date patches? Me neither. I can't count the number of times I've been left alone in a room with an unlocked doctor's PC while he went to check something.

It (Incredibly) Gets Even Worse.

They have a Two Factor Auth system which doctors are supposed to use. One of the ways to get the 2FA key is, and I wish I was joking here, email.

So get access to a box running some XP/Win7 version that's ludicrously unpatched that's also logged into the doctors email, collect health care records. Australian government cannot computer.

At the moment the electronic health records thing is opt-in, at some point next year they'll be moving to an opt-out scheme with a window to opt-out. There's an email form here https://myhealthrecord.gov.au/internet/mhr/publishing.nsf/content/home where you can sign up to be notified when the window to opt the hell out is opened and I urge everyone to do so ASAP.

UPDATE

The Sydney Morning Herald, 5 July 2017:

The federal government was warned more than three years ago of security deficiencies surrounding personal Medicare data, with the Department of Human Services told it was not fully complying with spy agency rules.

Questioning the department's ability to keep the data safe from "security threats from external and internal sources", the government auditor made a series of recommendations in April 2014 but it is unclear if they were fully implemented.

The American Resistance has many faces and here are just seventeen of them (8)

According to the American Civil Liberties Union (ACLU):

In April 2017…. President Trump signed a law overturning strong, commonsense privacy rules that gave consumers control over what internet service providers (ISPs) could do with their data. The rules that were overturned would have prevented ISPs from sharing our browsing history with advertisers, forced ISPs to be clear about what information they’re collecting, and required ISPs to take reasonable steps to protect our data from hackers.

The response from many states was almost instantaneous. State legislators around the nation are now considering laws to restore the privacy protections that Congress and President Trump eviscerated……..

ALASKA

States where legislation has been introduced

Alaska’s HB 232, and the similar HB 230, prevents ISPs that do business within the state from collecting the personal information from customers without express, written consent. It also prevents ISPs from conditioning service on a customer giving them consent to collect personal information.

HAWAII

States where legislation has been introduced

A proposed version of Hawaii’s SB 1201 prevents ISPs that do business within the state from collecting the personal information from customers without express, written consent. It also prevents ISPs from conditioning service on a customer given them consent to collect personal information. However, the current version of the legislation does not include any privacy language.

KANSAS

States where legislation has been introduced

Kansas’s HB 2423 prevents ISPs that do business within the state from collecting or otherwise storing the personal information from a resident of Kansas without express, written consent. It also prevents ISPs from refusing to provide their service to a resident of Kansas who has not given approval for the collection, storage or sale of their personal information.

MAINE

States where legislation has been introduced

Maine’s LD 1610 prohibits an ISP from using, disclosing, selling, or permitting access to a customer’s personal information without express, affirmative consent (absent certain emergency and other exceptions). The bill defines personal information as including web browsing history, app usage, and precise geolocation information, among other sensitive types of data. It prohibits conditioning the sale of a service, or changing a penalty for that service, if a customer does not provide consent. The bill also requires ISPs to take reasonable measures to protect customer’s personal information against unauthorized use, disclosure or access.

MARYLAND

States where legislation has been introduced

A bill was introduced just six days before the end of the legislative session and failed to pass through Maryland’s state legislature, SB 1200, due to the lack of time to consider the issue. It would have prohibited ISPs from selling or transferring a customer’s personally identifying information—which includes browsing history and IP address—for marketing purposes without affirmative consent from the customer (absent certain legal exceptions). It would have prevented ISPs from showing ads to customers from the ISP based on the customer’s browsing history, without affirmative permission. The bill would have prevented ISPs from conditioning service on a customer giving them consent to collect personal information. And the bill would have required the state’s Joint Committee on Cybersecurity, Information Technology, and Biotechnology to monitor enforcement of the act and provide recommendations on future changes needed to the law.

MASSACHUSETTS

States where legislation has been introduced

There are several internet privacy bills pending in Massachusetts. HB 3698 prohibits an ISP from collecting, using, disclosing, or permitting access to a customer’s sensitive propriety information without opt-in consent (absent certain emergency and other circumstances). Sensitive proprietary information includes financial and health information, information about children, precise geolocation, browsing history, and app usage, among others. The bill also requires that ISPs disclose, at the point of sale or during significant changes to their practices, the types of information the ISP wishes to collect, the purposes for which it would use the information, and the types of third-parties who would receive the information when asking the customer for opt-in consent.

S 2062 would prohibit ISPs from collecting, using, disclosing or permitting third-party access to a customer’s proprietary information, which includes web browsing history and app usage, without affirmative consent (absent certain emergency and other exceptions). It also requires the ISP to ask for opt-in approval when material changes are made to the company’s privacy policy, and it requires that customers be given a conspicuous notice of what information is collected, the purpose for which it would be disclosed, and the type of third-party it would be disclosed to. It also prohibits conditioning the sale of a service, or changing a penalty for that service, if a customer does not provide consent.

MINNESOTA

States where legislation has been introduced

A number of similar broadband privacy amendments were attempted in Minnesota. HF 2209 has a provision that prevents ISPs that do business within the state from collecting the personal information from customers without express, written consent. HF 2579, HF 2606, and HF 2309 have the same language but also prohibit conditioning the sale of a service on a customer given them consent to collect personal information.

NEBRASKA

States where legislation has been introduced

LR 136, designates the Transportation and Telecommunications Committee to conduct an interim study of the effects of the overturning of the FCC’s broadband privacy rule. If the study concludes that repeal of the rule does impact the privacy of Nebraskans, it may consider state legislative and administration options to restore privacy protections to consumers. The bill was introduced with bi-partisan support.

NEW HAMPSHIRE

States where legislation has been introduced

An amendment to HB 305, which was not adopted, prohibited ISPs from using, disclosing, selling or permitting access to a customer’s personal information without affirmative consent (absent certain emergency and other exceptions). The amendment defined personal information as the content of communications, demographic information, browsing history, financial and health information, information pertaining to children, app usage, and precise geolocation, among others. The amendment also required ISPs to take reasonable steps to protect customer personal information from unauthorized use, disclosure, or access.

NEW JERSEY

States where legislation has been introduced

SB 3156 requires ISPs to keep their customer’s personally identifiable information—which includes browsing history and precise geolocation—confidential unless the customers provide affirmative consent. It also provides that ISP give written notice of this requirement to each customer. The provisions of the bill do not apply to investigations undertaken pursuant to the “New Jersey Wiretapping and Electronic Surveillance Control Act. Importantly, an ISP cannot refuse to offer internet service to customers simply because the customer does not consent to disclosure of personal information.

AB 3027 instructs the Board of Public Utilities, in consultation with the Division of Consumer Affairs and the Department of Law and Public Safety, to undertake a public awareness campaign to promote consumer understanding of ISP’s information disclosure practices. The campaign would include information about state and federal privacy laws, the circumstances under which ISPs can disclose customer information, and guidance for how consumers can access and understand the privacy policies of ISPs. The bill does not specifically address how the campaign will be clear and accessible to the public.

NEW YORK

States where legislation has been introduced

New York has the most currently pending bills of any state. A 7191 and S5603 prohibit any ISP that do business within the state from collecting or disclosing a customer’s personal information—which includes browsing history and the contents of data-storage devices—without affirmative consent . However, the bills have a number of exceptions for the consent requirement, including provisions that would allow law enforcement to access customer data without a warrant. The bills also require ISPs to take reasonable data security steps and provide a cause of action for ISP violations of its provisions.

A 7236 and S 5576 require ISPs to obtain affirmative consent from a customer prior to using, sharing or selling that customer’s sensitive information, which includes browsing history, financial and medical data, biographical data, the content of communications, and internet usage. Non-sensitive data, which includes aggregate data or subscription data, does not require consent for disclosure. The bills also require ISPs to provide customers with a copy of a privacy policy that includes: data collection and use practices; the ISP’s relationships with third-parties, the purposes for which the ISP collects data; and information for how consumers can exercise control over their privacy. Any ISP that violates the provisions would be guilty of a misdemeanor and subject to fines.

A 7495 and S 5516 require ISPs to keep confidential, unless given affirmatives consent, customer information including biographical information, browsing history, financial and health information, and information about political affiliation, among others. The ISP is also required to provide written notice of the requirements of the bill to each customer.

S 3367 requires ISPs to keep all customer information confidential unless affirmative consent is provided. The bill also creates a find of $500 per offense for any ISP found to be in violation.

OREGON

States where legislation has been introduced

HB 2090, which has been passed by the Oregon legislature, makes it a violation of that state’s consumer protections law for a company to engage in practices that are inconsistent with its stated privacy policy.

HB 2813 prohibits an ISP from disclosing, selling, or permitting access to a customer’s personal information without affirmative consent (absent certain emergency or other exceptions). The bill defines personal information to include demographic information, browsing history, app usage, the content of communications, information about finances, health or children, and precise geolocation, among others. The bill also prohibits an ISP from conditioning service on or charging a higher rate to customers that do not provide consent for their information to be used. The bill requires ISPs to take reasonable measures to protect customer personal information from unauthorized use, disclosure, or access. And the bill gives a private right of action against an ISP that discloses or sell their information in violation of the bill’s provisions.

RHODE ISLAND

States where legislation has been introduced

HB 6086 prevents ISPs that do business within the state from collecting the personal information from customers without express, written consent. It also prevents ISPs from conditioning service on a customer given them consent to collect personal information.

SOUTH CAROLINA

States where legislation has been introduced

HB 4154 prevents ISPs that do business within the state from collecting the personal information from customers without express, written consent. It also prevents ISPs from conditioning service on a customer given them consent to collect personal information.

WASHINGTON

States where legislation has been introduced

HB 2200, which has already passed the House twice, prohibits an ISP from selling or transferring a customer’s proprietary information, which includes communications content, browsing history, precise geolocation, and financial and health information, among others, without opt-in consent. The bill also prohibits an ISP conditioning service on a customer’s consent to use their proprietary information, and further must disclose the terms and conditions of any financial incentive provided to a customer that consents to having their information used by the ISP.

SB 5919 prevents ISPs that do business within the state from collecting the personal information from customers without express, written consent. It also prevents ISPs from conditioning service on a customer given them consent to collect personal information.

VERMONT

States where legislation has been introduced

HB 535 directs the Attorney General, in consultation with the Commissioner of Public Services to adopt privacy and data security rules for ISPs. SB 147 uses similar language, but also requires that the rules adopted include disclosure requirements for ISP privacy policies, opt-in or opt-out procedures for obtaining customer approval to use and share sensitive or non-sensitive customer propriety information, and data security and breach notification requirements.

SB 72 directs the Attorney General, in consultation with the Commissioner for Public Service and industry and consumer stakeholders, to submit a recommendation or draft legislation regarding whether and to what extent the state should adopt privacy and data security rules for ISPs.

WISCONSIN

States where legislation has been introduced

SB 233 prohibits an ISP from using, disclosing or permitting access to a customer’s proprietary information without affirmative consent (absent certain emergency and other exceptions). The bill defines proprietary information as the content of communications or information that relates to the quantity, technical configuration, type, destination, location, or amount of use of an ISP’s service. The bill also requires that ISP provide notice to consumers about how they collect and use their information and it requires reasonable data security practices and notification of data breaches.

Quotes of the Week

“Director of Public Prosecution, Ms Marianne Ny, has today decided to discontinue the investigation regarding suspected rape (lesser degree) by Julian Assange.” [Swedish Prosecution Authority, media release, concerning the seven year investigation of Wikileaks founder Julian Assange, 19 May 2017]  

This is the single greatest witch hunt of a politician in American history! [U.S. President  Donald  J. Trump tweeting on 18 May 2017 after discovering that the official FBI investigation into Russian interference in the 216 presidential election had been widened]

If you can pay rent, buy food for a week, pay for phone etc and buy drugs on $267.80 a week, you should be made treasurer. [@mrumens, commenting on Turnbull Government plan to drug test unemployment benefit recipients, 11 May 2016]

This is a government of poor data ethics. Hand-waving at risks associated with sloppy data-architecture. Self-congratulatory culture of applause over a mediocre to disastrous experience of digital governance. Vindictive and retributory exploitation and commodification of citizen data. The Australian government isn’t a fit and proper data custodian.  [Internet activist and journalist Asher Wolf writing at medium.com on 9 May 2017]

The standout demographic characteristic of One Nation voters was their lack of education. The typical One Nation voter didn’t finish school, much less, as Marr put it, “set foot in a university”. [Mike Seccombe writing in The Saturday Paper, 6-12 May 2017]

You're not on Facebook? Why not?!

One of the many reasons some people are closing their Facebook accounts and walking away – excessive, obsessive data collection and the uses to which it is put.

News.com.au, 1 May 2017:

FACEBOOK has come under fire over revelations it is targeting potentially vulnerable youths who “need a confidence boost” to facilitate predatory advertising practices.

The allegation was revealed this morning by The Australian which obtained internal documents from the social media giant which reportedly show how Facebook can exploit the moods and insecurities of teenagers using the platform for the potential benefit of advertisers.

The confidential document dated this year detailed how by monitoring posts, comments and interactions on the site, Facebook can figure out when people as young as 14 feel “defeated”, “overwhelmed”, “stressed”, “anxious”, “nervous”, “stupid”, “silly”, “useless”, and a “failure”.

Such information gathered through a system dubbed sentiment analysis could be used by advertisers to target young Facebook users when they are potentially more vulnerable.

While Google is the king of the online advertising world, Facebook is the other major player which dominates the industry worth about $80 billion last year.

But Facebook is not one to rest on its laurels. The leaked document shows it has been honing the covert tools its uses to gain useful psychological insights on young Australian and New Zealanders in high school and tertiary education.

The social media services we use can derive immense insight and personal information about us and our moods from the way we use them, and arguably none is more fastidious in that regard than Facebook which harvests immense data on its users.

The secret document was put together by two Australian Facebook execs and includes information about when young people are likely to feel excited, reflective, as well as other emotions related to overcoming fears.

The Guardian, 3 May 2017:

For two years I was charged with turning Facebook data into money, by any legal means. If you browse the internet or buy items in physical stores, and then see ads related to those purchases on Facebook, blame me. I helped create the first versions of that, way back in 2012.

The ethics of Facebook’s micro-targeted advertising was thrust into the spotlight this week by a report out of Australia. The article, based on a leaked presentation, said that Facebook was able to identify teenagers at their most vulnerable, including when they feel “insecure”, “worthless”, “defeated” and “stressed”.

Facebook claimed the report was misleading, assuring the public that the company does not “offer tools to target people based on their emotional state”. If the intention of Facebook’s public relations spin is to give the impression that such targeting is not even possible on their platform, I’m here to tell you I believe they’re lying through their teeth.

Just as Mark Zuckerberg was being disingenuous (to put it mildly) when, in the wake of Donald Trump’s unexpected victory, he expressed doubt that Facebook could have flipped the presidential election.

Facebook deploys a political advertising sales team, specialized by political party, and charged with convincing deep-pocketed politicians that they do have the kind of influence needed to alter the outcome of elections. 

I was at Facebook in 2012, during the previous presidential race. The fact that Facebook could easily throw the election by selectively showing a Get Out the Vote reminder in certain counties of a swing state, for example, was a running joke.

Express online, 6 January 2017:

FACEBOOK siphons an enormous amount of data from its users – whether it's monitoring your mouse movements, tracking the amount of time you spend on any given post, or the subject of your photographs……

The US social network is constantly tracking information about its users – however, most users will not be aware of just how much data it can siphon from a single photograph.

Facebook hints at how much data it is able to detect when it suggests people who might be in the photograph, prompting you to tag their faces.

But in reality, the California-based social network is tracking much more than just faces.

When you upload a photo on Facebook, the social network scans the image and detects how many people are in the photograph, and whether it was taken indoors or outside.

Facebook is also able to identify humans, animals and inanimate objects.

It is not always accurate, but the social network is able to differentiate between people who are standing, or sitting down.

To find out exactly what Facebook is reading into your photos, software developer Adam Geitgey has created a useful Chrome browser extension that reveals the data Facebook is collecting from your images.

Show Facebook Computer Vision Tags reveals data that Facebook usually keeps hidden from its users.

The free Google Chrome extension can be downloaded from the Chrome extension store.

Facebook has implemented object recognition technology since April 2016, a spokesperson for the company told Metro.co.uk.

The Verge, 27 May 2016:

Facebook will now display ads to web users who are not members of its social network, the company announced Thursday, in a bid to significantly expand its online ad network. As The Wall Street Journal reports, Facebook will use cookies, "like" buttons, and other plug-ins embedded on third-party sites to track members and non-members alike. The company says it will be able to better target non-Facebook users and serve relevant ads to them…

Some of the data Facebook collects to facilitate ad placements, according to The Washington Post on  19 August 2016:

1. Location
2. Age
3. Generation
4. Gender
5. Language
6. Education level
7. Field of study
8. School
9. Ethnic affinity
10. Income and net worth
11. Home ownership and type
12. Home value
13. Property size
14. Square footage of home
15. Year home was built
16. Household composition

As explained on that shiny new portal, Facebook keeps ads “useful and relevant” in four distinct ways. It tracks your on-site activity, such as the pages you like and the ads you click, and your device and location settings, such as the brand of phone you use and your type of Internet connection. Most users recognize these things impact ad targeting: Facebook has repeatedly said as much. But slightly more surprising is the extent of Facebook’s web-tracking efforts and its collaborations with major data brokers.

While you’re logged onto Facebook, for instance, the network can see virtually every other website you visit. Even when you’re logged off, Facebook knows much of your browsing: It’s alerted every time you load a page with a “Like” or “share” button, or an advertisement sourced from its Atlas network. Facebook also provides publishers with a piece of code, called Facebook Pixel, that they (and by extension, Facebook) can use to log their Facebook-using visitors.

While you’re logged onto Facebook, for instance, the network can see virtually every other website you visit. Even when you’re logged off, Facebook knows much of your browsing: It’s alerted every time you load a page with a “Like” or “share” button, or an advertisement sourced from its Atlas network. Facebook also provides publishers with a piece of code, called Facebook Pixel, that they (and by extension, Facebook) can use to log their Facebook-using visitors.

17. Users who have an anniversary within 30 days
18. Users who are away from family or hometown
19. Users who are friends with someone who has an anniversary, is newly married or engaged, recently moved, or has an upcoming birthday
20. Users in long-distance relationships
21. Users in new relationships
22. Users who have new jobs
23. Users who are newly engaged
24. Users who are newly married
25. Users who have recently moved
26. Users who have birthdays soon
27. Parents
28. Expectant parents
29. Mothers, divided by “type” (soccer, trendy, etc.)
30. Users who are likely to engage in politics
31. Conservatives and liberals
32. Relationship status

On top of that, Facebook offers marketers the option to target ads according to data compiled by firms like Experian, Acxiom and Epsilon, which have historically fueled mailing lists and other sorts of offline efforts. These firms build their profiles over a period of years, gathering data from government and public records, consumer contests, warranties and surveys, and private commercial sources — like loyalty card purchase histories or magazine subscription lists. Whatever they gather from those searches can also be fed into a model to draw further conclusions, like whether you’re likely to be an investor or buy organic for your kids.

Wired, 28 December 2012:

In 2010, while researching his thesis, he asked Facebook if it could send him all of the user data the company had relating to his own account. Amazingly, he got a response.

Facebook was, in Schrems' words, "dumb enough" to send him all his data in a 1,200-page PDF. It showed that Facebook kept records of every person who had ever poked him, all the IP addresses of machines he had used to access the site (as well as which other Facebook users had logged in on that machine), a full history of messages and chats and even his "last location", which appeared to use a combination of check-ins, data gathered from apps, IP addresses and geo-tagged uploads to work out where he was.

As Schrems went through the document, he found items he thought he had deleted, such as messages, status updates and wall posts. He also found personal information he says he never supplied, including email addresses that had been culled from his friends' address books. European law is worded vaguely, but says that personal data must be processed "fairly"; people should be given comprehensive information on how it will be used; the data processed should not be "excessive" in relation to the purpose for which it was collected; it should be held securely and deleted when no longer needed. And each person should have the right to access all of their personal data.

Turnbull Government identifies a new source of revenue and there are no prizes for guessing from whom

Now that the Turnbull Government has embraced big data and begun collecting and collating information on all citizens across multiple agency platforms, there is a temptation to explore all the money-making potential of this data.

In March 2016 Treasurer Scott Morrison requested that the Productivity Commission:

Examine the benefits and costs of options for increasing availability of public sector data to other public sector agencies (including between the different levels of government), the private sector, research sector, academics and the community. Where there are clear benefits, recommend ways to increase and improve data linking and availability.

Upfront the aim to gather more information, limit ownership rights of citizens with regard to their own personal information and to sell-on data it collects on citizens is apparent, however it takes a few pages of the Commission’s report to discover that it probably also intends to make additional money out of the ordinary individuals who have been forced to supply government agencies with this same detailed data.

If the Commission recommendation (that a charge can levied by an agency when a citizen requests access to their data) is accepted then, by way of example, the door will have been opened to charge a cost to welfare recipients who request Centrelink statements of income required twice-yearly by social housing agencies, or who request their Basic Card transaction records for a specific period if there is a concern relating to a pension/benefit/allowance periodic payment or who request that data held in e-Health records be edited/corrected if it contains erroneous information.

Of course, this being a report whose terms of reference reflect the wishes of a right-wing federal government - the intention appears to be that all business or government agency charges to supply the individual with his or her own data will be set by those same businesses or agencies with little or no limit on the size these fees.

Australian Government Productivity Commission, Inquiry Report, Data Availability and Use: Overview & Recommendations, 31 March 2017:

Knowing when your data has been sold

One of the most potentially pernicious practices with data is the onward trade or disclosure of data to third parties, leaving consumers unaware of who knows what about them. The damage is often not so much in monetary terms but in the feeling of exploitation. This has great capacity to undermine social licence over time, if misused. Around half of all Australians surveyed by Office of the Australian Information Commissioner (OAIC) have expressed concern about unknown organisations having obtained their personal information.

We do not propose that consumers be advised on each occasion data is traded or otherwise disclosed to a third party — the burden on businesses using contractors and outsourcing aspects of their operations could be enormous. Moreover, consumers in some areas could be inundated. But advising on which organisations data has been traded or disclosed to is a reasonable expectation of what is, after all, a joint right to data. You should surely be informed that something in which you now have a joint right is traded or disclosed to a third party.

Accordingly, entities should inform consumers about their data being traded or disclosed by including in their privacy policies, terms and conditions or on their websites, a list of parties to whom consumer data has been traded or otherwise disclosed over the past 12 months. Such lists should easily accessible to consumers and updated in a timely manner.

Consumers may also be at risk of loss of data access on the wind up of a firm. In such circumstances, consumers should always be advised of who now holds their data if it is transferred (as an asset) by the insolvency practitioner; or dataset owner if the data is separately sold.

Costs, timeliness and transition

We recognise that there may be costs to business associated with their adherence to the Right. There are a number of aspects of the recommendation that seek to ensure these are manageable.

First, as noted above, it is expected that industry sectors themselves would determine the scope of data to be transferred, subject to approval by the ACCC.

Second, businesses and government data holders would be able to charge for costs reasonably incurred in transferring consumer data. We fully expect that there may be a tiered approach to such charges, namely that some digital data that is of high quality, readily available, and clearly identifiable with a particular individual (such as transactions data), should be made available at low or no cost and at relatively short notice. Data stored on different (yet still digital) systems, or that is of lesser quality may require additional effort to provide in a usable format and therefore could attract a higher charge and take longer. This would be for data holders themselves to determine and explain.

Our intention in recommending the creation of this Right is to enhance consumer outcomes, as a contribution to sustaining community support for the role data will play in the future. Business and governments as data holders would need to adjust to this Right. Neither should have interests in creating a process that was so costly as to prohibit its take up by most if not all consumers, as this would be counter to enhancing consumer outcomes and may eventually undermine the quality of data collections.

To make the process manageable, it is surely preferable to offer the parties affected in incurring expense the chance to meet the intent of the Right, namely enabling consumers to use their data. This is likely to involve degrees of iteration and transition. But the clear expectation is that there would be transparency on the part of businesses and agencies. Over time as systems evolve, the time taken and the cost involved should fall as these processes become part of each firm growing its business or government agency keeping faith with its clients, and while volume of data transferred might reasonably be expected to grow.

Similarly, it is expected that businesses and government data holders themselves would likely reap benefits from system transformation and better data management, such that all of the costs would not reasonably fall to consumers availing themselves of the Right.

Support for consumers in exercising their new Right

The ACCC would be the primary government entity charged with ensuring consumers are able to transfer their data and exercise their new rights. Specifically, any charges levied by data holders for access, editing, copying and/or transferring of data should be monitored, with the methodology used by a data holder recorded, transparent (such as on the data holder’s web page) and reviewable on request by the ACCC.

While recourse for consumers not satisfied with the way their new Comprehensive Right can be exercised could primarily be through the ACCC, we recognise there are other bodies — industry-specific ombudsmen, State and Territory fair trading offices, and the OAIC — that may have industry-specific skills and knowledge to deal with particular complaints. There should be a ‘no wrong door’ approach to this. This means the key regulators need to implement systems that enable consumer concerns to be handled with efficacy — not leave the consumer straddling a regulator abyss.

While the changes proposed aim to enable consumers to exercise more control over the collection and use of their data, the onus remains on individuals to make responsible choices regarding to whom they provide personal information in the first instance and for what purposes.