One easy-to-access file could hand hackers or abusive partners vast amounts of sensitive detail about your Facebook activity.
The file, which can take less than ten minutes to create and download, contains all of your Facebook history, including photos, private messages and other highly intrusive information, such as:
- The names of the Facebook profiles you’ve visited and when
- Your entire Facebook search history
- Details of the Facebook polls you’ve taken part in and how you voted
The data is readily accessible to anyone who knows or steals your Facebook password, or who jumps onto a computer where your Facebook account is already logged in. The information can also be downloaded as plain, unencrypted HTML files, making it easy to distribute or share publicly.
Here I reveal exactly what’s in your Facebook data file, how that information could be abused, and how to download the file for yourself, so you can see what’s lurking in your own Facebook history.
1. Whose profiles you’ve been viewing – and when
Been checking out the profile of an ex-boyfriend or girlfriend to check who they’re dating now? Looked at the profile of a colleague from work? Facebook knows whose profiles you’ve been snooping on and all that information is trapped in your downloadable Facebook file in the about_you folder’s visited.html page.
Here, you’ll find a listing of all the people whose profiles you’ve visited in the past year, with the exact time and date of the last visit.
It could have potentially disastrous consequences if that information fell into the wrong hands. Would your current spouse be happy that you visited the profile of an ex last week? Would a jealous, abusive partner lash out if they found you’d been looking at the profiles of other men or women?
There’s also the potential for law enforcement to request such information, meaning you could become a suspect for a crime if you were found to be regularly checking a profile of a stalking victim, for example. A Facebook spokesperson said: “we only disclose information about our users if it’s required by court orders or other requests (including criminal and civil matters) and if we have a good faith belief that the response is required by law”.
It raises the question: does Facebook really need to keep such potentially inflammatory data? Anyone who watched Netflix’s The Social Dilemma will remember a dramatized scene in which a member of the family was trying to go cold turkey on their social media, and the site gradually ramped up notifications from people it knew he’d be interested in to drag him back to the site.
If Facebook logs whose profiles you’ve visited and when you do it, it knows how to get you back to the site when it looks like your social media addiction might be waning.
Indeed, when asked why it collects such data, a Facebook spokesperson responded: “As we set out in our Data Policy, we use this data to deliver our service and personalize features and content for people. For example: understanding profile views helps us determine who you are likely to want to see more content from – e.g. if you regularly look at posts from your best friend or a family member, then Facebook will show you more of their posts higher up in News Feed.”
2. Your entire search history
Anything you’ve searched for on Facebook – people’s names, places or the names of groups, for example – is held in your Facebook data. My Facebook search history goes all the way back to 2013, so at least seven years’ worth. You’ll find it in the search_history folder.
Again, the consequences could be severe if this data were to leak to abusive partners or others. It could hold enormously sensitive information – searches for support groups for drug addiction, alcoholism or health conditions, for instance.
Unlike the profile views data mentioned above, which only logs the last time you visited each person’s profile, the search history lists repeat terms. So, if you’ve been repeatedly searching for a person – perhaps because they’re not in your friends list – it will all be contained here.
Privacy advocates say Facebook shouldn’t be harvesting such data. “There is no clear or obvious reason to retain information about whose profile you visit, nor your search history,” said Jim Killock, executive director of the Open Rights Group in the U.K.
“Data like this ought to be destroyed, unless there is a reason for it to be retained. There is plenty that could be incorrectly inferred or abused.”
3. Rejected friend requests/Removed friends
Facebook doesn’t only keep tabs on who you’re friends with, but who you definitely don’t want to be friends with.
The friends folder includes files showing both people you’ve removed as Facebook friends and people from whom you’ve rejected friend invitations. In my case, these files go right back to when I first joined Facebook in 2007.
Although it’s not the most sensitive data collected by Facebook, it could certainly cause embarrassment to someone if this file were to leak. Facebook doesn’t inform people when they are removed as a friend, for example.
It’s hard to understand why this information is retained for so long, if at all.
4. Polls you’ve voted on – and how you voted
In the murkily titled “other activity” folder you’ll find what could be a potentially explosive file: polls_you_voted_on. This not only lists all the polls you’ve participated in, but, crucially, the way you voted – which isn’t displayed publicly on Facebook polls. Although the exact poll question isn’t listed in the data file, there’s a link to the poll, allowing you to see the exact question.
In an election year, it’s easy to see how that information could be extremely valuable to Facebook and its advertisers.
When asked whether Facebook shares poll results with advertisers, a company spokesperson said: “As we set out in our data policy, Facebook only shares your information with advertisers if you give us permission. Advertisers can also receive your data when you choose to visit or use their services, or through third parties that they work with. We set out all the ways in which we use data in our data policy.”
Facebook’s data policy makes no specific reference to information collected in polls. The policy does state that “our systems automatically process content and communications that you and others provide to analyze context and what’s in them”.
5. Private chat history
Every single private message I’ve sent through Facebook Messenger since 2007 is contained in my Facebook data file. The stuff you didn’t want to make public is all there and all downloadable in one very convenient, unencrypted HTML file, should your account be hacked.
Needless to say, this will be the stuff that nobody would want to fall into the wrong hands, which makes it all the more extraordinary that it’s so easy to access…
How you can download your Facebook data – and how easy it is for someone else to
It’s incredibly easy – arguably too easy – to download all of your Facebook information.
To get your information, go to your Facebook Information page.
Here you’ll find links to most of the information mentioned above and lots more. You don’t have to re-enter a password to get to that page, so if someone were to access your account on a shared computer, say, they would be able to access it all.
That page also contains a link to download the information. This creates a huge HTML file (365MB in my case) that can be downloaded and read in any web browser. The data isn’t encrypted and you don’t need to enter your password to access the file, once it’s downloaded.
To be fair to Facebook, there are a couple of security measures in place here. As soon as a request is made to download the file, an email is sent to the account holder, which might tip them off before a hacker had a chance to access the file. It takes Facebook a while to pull all the info together and make it ready for download. However, in my case, 13 years’ worth of data – including high-res photos – were collated and made ready for download in only eight minutes. It’s perfectly possible that someone could have downloaded the file before you’ve even read the email alert.
When you actually come to download the file, you must also re-enter the account holder’s password. That will thwart people who’ve nipped onto your computer while you’re away from your desk, or who are using a shared family computer. But if someone knows your password, if it has been stored in a web browser on a family computer, or if it has been captured by hackers, all that sensitive data is theirs to keep.
When asked what measures Facebook puts in place to prevent this data being downloaded by unauthorized persons, a Facebook spokesperson said: “We provide guidance and tools on how to keep your account safe and to protect yourself against malicious software that can potentially compromise your account. Where we detect suspicious activity that indicates an account may have been compromised, we will lock the account and ask the owner to verify their identity.”