Facebook privacy targeted by Austrian law student
By Craig Timberg,
VIENNA — To carry on his war against Facebook, Max Schrems figures he needs at least 200,000 euros — about $250,000 — no small sum for a law student scraping by on a government stipend.
But like those he is targeting, Schrems, 25, is a creature of the Internet age. He envisions a fundraising campaign that could go viral: If 10,000 people give 20 euros each, Schrems figures, he will have enough to take the world’s most effective user revolt against Facebook to the next level — in a court of law.
Schrems contends that Facebook collects too much information on its users, keeps it too long and uses it for purposes that violate European privacy laws. As evidence, he points to the 1,222 pages of data the social media company catalogued on him before he formally requested his file from Facebook last year.
The account it offered of his life — every friendship declared, every photo uploaded, every “poke” or comment or invitation sent or received over three years of casual use — sparked an online sensation when he posted it on a Web site he christened “europe-v-facebook.org.” Within a few months, 40,000 users had requested their own data, overwhelming Facebook’s system for handling requests under what until then had been a little-known provision of European law.
A year later, regulators are engaged, and the social media site has made a series of changes to its privacy controls.
Yet Schrems and his small band of supporters are still bridling for a definitive legal showdown that could lead to sharp new limits on how Facebook and other Internet companies collect and use the personal information of their users, in Europe and beyond. At the core of the fight is one of the overarching questions of our time: Who has rights to the trillions of bits of data users create online every day?
“We’re right now defining what our world is going to look like in 20 years,” said Schrems, who has sandy brown hair and a faint resemblance to Facebook founder Mark Zuckerberg.
The issues raised by Schrems speak to the dilemma facing the company as it seeks to meet Wall Street’s demands for greater profitability in the aftermath of a troubled initial stock offering in May. Advertisers want access to more data for better targeting of their messages, but users have rebelled when they think Facebook has gone too far in sharing their information.
The company has disputed the most sweeping of the allegations by Schrems and says it collects only the data it needs to keep the social media site working smoothly. It also has added controls and changed some features, announcing last month that it was blocking a tool in Europe that sought to identify the faces of users whose photos are uploaded to the site.
Facebook officials have met with Schrems personally and had extensive contact with European officials. Richard Allan, the company’s top policy executive in Europe, said the reaction provoked by Schrems shows the responsiveness of the regulatory system.
Facebook has taken steps toward addressing concerns from regulators in Ireland, where Facebook headquarters its European operations, said Gary Davis, the deputy data protection commissioner in Ireland. “They’re highly engaged, there’s no question,” he said. “Facebook wants to be in a position that is in compliance with European law.”
Schrems, however, has not been impressed with Facebook’s concessions or the toughness of the Irish regulators. (Washington Post Co. chairman and chief executive Donald E. Graham is a member of Facebook’s board of directors.)
Not long ago, an aggrieved law student in Vienna would have had few tools for battling regulators in another country, or a big, rich company on another continent. But there are few borders in Schrems’s world.
He can file lawsuits under the umbrella of European law, using money raised online from supporters anywhere in the world. Anyone looking to follow the action need only keep an eye on the group’s Web site or, yes, on its Facebook page — an irony not lost on the company.
“We’ve created the perfect tools for any campaign to use, including against us,” Allan said.
U.S. technology companies often struggle to adapt to the more expansive privacy expectations in Europe. Schrems said he first noticed the cultural differences during a year as a high school exchange student in Florida, where he was amazed to see that most Americans don’t have the thick hedges favored by Austrians to limit views into their homes.
But it was his second stint in the United States, as an exchange student at Santa Clara University School of Law in Silicon Valley, that focused him on technology issues. When a Facebook official made a guest appearance at a class, he botched a description of European privacy law, Schrems said. That emboldened him to challenge the company — a move he called somewhat un-Austrian.
“Most people would never do that. They’d write a paper about it,” Schrems said. “I totally picked that up in the U.S.”
The first step was requesting data from Facebook, something he knew the company was legally obligated to produce.
He and two friends sent their requests to the corporate offices in Dublin. Schrems then pestered the company with a series of e-mails — 22 in all, he said — before finally receiving a CD in the mail with a document file. Two of his friends also got files (one was 882 pages, the other 1,142).
Schrems knew Facebook kept large amounts of information on its users, but the sheer volume of his file still amazed him, he said. Pictures uploaded from smartphones included precise global positioning system coordinates, the identities of anyone tagged in the photos and the moment — down to the second — when the shutter clicked. Information that users thought they had deleted survived in Facebook files.
Based on the documents, the German newspaper Taz made a diagram of Schrems’s social life, with distinct clusters around different phases — his time as an exchange student in the United States, his stint as a volunteer with an ambulance corps, his current life as a law student living in an apartment in Vienna.
“That’s basic FBI stuff,” Schrems said. “Thirty years ago, you [would] put up a pin and look for the connections. Now you know in a click.”
As attention grew, Schrems drafted complaints alleging 22 privacy violations by Facebook: keeping messages after senders deleted them, sharing personal data with outside app developers, allowing users to be “tagged” in photos without their permission, and more. Then he sent them to the Irish data protection commissioner. The Irish regulators opened a formal investigation resulting in a 149-page audit. Schrems, meanwhile, became a minor celebrity in Europe. Using little more than his laptop computer, he e-mailed news releases to hundreds of journalists and also updated his group’s Web site and Facebook page.
“It’s the only way to be successful in these times,” said Andreas Kezer, 26, who graduated from law school and is part of Schrems’s group. “It wouldn’t make sense to communicate with pigeons.”
One consequence of Schrems’s activism is the ease with which Facebook users can now download data the company has collected about them. It could not easily send CDs to each of the 40,000 people who requested their information as part of his campaign, so it created online tools available to users worldwide.
Allan, the Facebook policy official in Europe, said the volume of data — although startling to some users — simply shows how the service works. Without a record, for example, that a user has “un-friended” another user, there’s no way to keep the service from suggesting the same person as a friend in the future.
The company doesn’t relish the possibility of an ongoing fight with Schrems but says it has worked hard with Irish regulators to address concerns he and others have raised. “There are some critics who we have who will never be happy, no matter what we do,” Allan said.
Schrems doesn’t see himself as a malcontent. European law, he says, requires that information be collected only for particular, explicit purposes approved by users, then deleted as soon as it’s no longer needed. Keeping massive catalogues of personal data for years, he says, is a clear violation.
European law, however, gives Schrems no way to sue Facebook directly. To keep the campaign going, Schrems can appeal the ruling of regulators to a circuit court in Ireland. The case — against the regulators, not Facebook — eventually could reach the European Court of Justice in Luxembourg.
“Europe v. Facebook” as an organization can’t file a suit against regulators; only an aggrieved citizen such as Schrems can. That means that, should Irish regulators prevail, he could be personally liable under European court procedures for all of the legal costs of both sides.
Hence the estimate of 200,000 euros, although Schrems increasingly wonders whether it could be more along the lines of 300,000 euros. It’s a big bet for an aspiring lawyer with few financial resources of his own and, so far, no job at a firm. Last month, he added a yellow “Donate” button to the Web page.
“The problem now is they are enforcing only 20 percent of the law,” he said. “That’s something where you can’t just let it sit there without a decision.”