Facebook is obliged to undertake operational changes in the face of what the company describes internally as a ‘tsunami of privacy regulations’: More and more countries are restricting how companies can use and store data about their nationals. And furthermore, they do so using different criteria in each case.

However, to achieve this, the company founded by Mark Zuckerberg must solve another more pressing problem: know where all the data it extracts from users will end up. Which it does not do, according to an internal Facebook document – prepared in 2021 by its engineers – now leaked to Motherboard:

“We don’t have an adequate level of control and explainability over how our systems use data. […] We cannot make commitments such as ‘we will not use X data for Y purposes’. And yet this is exactly what regulators expect us to do.”

The document established January of this year as the launch date for ‘Basic Ads’ (the option to receive non-personalized advertising on Facebook), however, four months later nothing is known about said service.

data traceability

Thus, as established, for example, by the EU General Data Protection Regulation, personal data must be collected for “specific, explicit and legitimate purposes, and must not be processed in ways that are incompatible with said purposes”. But, How is it possible that Facebook is not able to guarantee this?

“Imagine holding a bottle of ink in your hand, which is a mixture of all kinds of user data (third-party data, sensitive category data, data from the EU…). Then you pour that ink into a lake of water (our open data systems)… and it flows… everywhere. How do you get that ink back in the bottle? How do you organize it again, so that it only flows to certain permitted places in the lake?”

Facebook engineers call this the ‘data lineage problem’, which is also we could translate as ‘data traceability’, and the inability of Facebook to guarantee it only portends problems in complying with legal requirements. However, a Facebook spokesperson quoted by Motherboard said that the ink-and-lake analogy “lacks context.” […] it is inaccurate to conclude that it demonstrates any non-compliance”.

Of course, “open data systems” is the understatement of the year: Facebook has a history of unethical and/or careful use of personal data. Like the time they were caught using phone numbers that users had provided for a very specific purpose (set two-factor authentication in their accounts) for a very different purpose (power the ‘People You May Know’ functionality).

Image | Based on original from Freepik