Huh. I would have expected the company to go with "we didn't say gay and we didn't use external information. We just noticed that users who like X page buy a lot of copies of Playgirl so we hooked you up".
Sounds like he managed to prove more in his case than is apparent from the article.
Privacy legislation has always been a bit iffy about the distinction between data and information. Depending on how this ruling treats that issue it could have knock-on effects.
Basically the issue here is that meta was almost certainly in possession of information on Max's sexual orientation and was using this information for advertising, but it's unclear if they had any data.
Privacy wise it is great that even partial information counts, but practically almost any data about a person is tainted with fractions of bits of information about their sexual orientation (or political views, or almost any of the protected classes of information). Without resorting to information theory I don't really see any way forward that doesn't end up in endless court cases over how much information is too much.
Then again we could just ban targeted advertising and avoid the whole issue in the first place. When differential privacy gets to a usable state we can worry about those instances where it would be nice to use some information for the public good without infringing privacy.
Rather it's that, in the course of evaluating this case, the court has been forced to make statements clarifying how certain rules and principles in GDPR are to be interpreted. And this has, in effect, narrowed the way Meta etc can use data.
Which for Schrems is really his ultimate goal anyway - his case is just a way to force the courts to rule / establish legal precedent on broader issues.
> Schrems had complained that Facebook had processed personal data including information about his sexual orientation to target him with online advertising, even though he had never disclosed on his account that he was gay. The only time he had publicly revealed this fact was during a panel discussion.
But processed what personal data? Where would Facebook even get reliable data on users' sexual orientation in bulk? It's not like you can buy that the way you can get credit scores or geographic locations. (Or can you? I've never heard of it.)
I'm very curious for the actual details here. And just because you get ads for products that seem to be marketed to the gay population, what leads the court to determine FB "identified" him as gay? My YouTube regularly has random ads in Spanish probably just because of some bug. Most ads seem to mistarget me, in fact.
I'd guess that it's inferred from the content you interact with. If you spend a lot of time liking fireman calendar photoshoots and give no likes to women in swimsuits, there's a reasonable inference to be made.
I'd also guess that Facebook can do this pretty reliably for gender and age, martial status, parental status, and lots of other things.
What if the underlying algorithm simply matches "users who like X also like Y" without having concepts like sexual orientation baked in. And it just happened that it accidentally suggested certain things gay people generally like, because Max Schrems liked that "X" once.
> If you spend a lot of time liking fireman calendar photoshoots ...
That could be incorrect if (say) someone was researching fireman calenders for some non-sexual reason. ie boss assigned them the task of writing an article about fireman calenders through history
I'd have to wonder what other weird things such a person would be labelled with, given that they'd probably be researching a bunch of topics every week or so. ;)
To add one row of anecdata: I recently got an ad on Instagram (= Meta) for an "only for gay men" holiday resort. I'm straight. Took a screenshot of it because I thought it was funny and I'd never seen it (nor such a place) before.
Facebook (and others) don't just track you on their website. They do so on every website that includes their "like button", "analytics", "ads" and such
Reading your reply I just became aware that I haven't seen a single thumbs up button outside Facebook for maybe ten years. In 2011 they were everywhere and I remember that I implemented them on my personal website. I'm a hobby dev, so that was a big deal for me. How curious!
So, you claim that you're not interested in software development, but somehow according to this data we have here, you spend an hour a day reading Linux kernel mailing lists.
Why do you think you can't buy that? These companies have been building up profiles on millions (billions?) of people for many years now. It is not unreasonable to think they could infer stuff that they don't directly measure. Nor that these profiles would be shared/sold.
The GDPR does not care about the specifics of tech.
The GDPR does not care if FB has a database column for “sexuality” or if FB never gathers that information directly. All it cares about is the fact that Facebook process personal data, and, using some of the data Facebook processes, sexuality can be inferred.
I think we in tech get hung up on technicalities, while the GDPR was specifically written to be as citizen-focussed and tech-agnostic as possible.
Regardless, this specific ruling seems a bit odd-it implies that FB took a fact he mentioned in a panel discussion (not on the platform), and used that information to serve him targeted ads based on his sexuality.
I have no idea of the mechanisms he supposes led to this.
Sure, Schrems' claims seem to hinge on the fact that the only evidence of direct self-identification by Schrems is that one instance of a verbal claim on a panel discussion. (That is not how sexual orientation works, by the way: it necessarily involves conduct, activity or interests...)
But if advertising works on a recommendation engine basis, or groups similar tastes together, then if someone uses the Meta platform enough, there will be circumstancial evidence that this person's interests and activities coincide with other gay people.
Perhaps the merit of the case rested with Schrems barely using Meta/FB, not providing any direct data or engagement, and only to discover that advertising was targeted. Of course, Meta is a vast platform, including comments sections and widgets and third-party cookies across many websites.
But Meta takes Meta's privacy very seriously, so perhaps nobody but the court will ever see what Meta and their partners learned about Schrems, or how they learned it.
If only the AP had gone web-first instead of staying legacy, we'd all probably be able to just follow a link to the actual case information instead of having to guess.
> it necessarily involves conduct, activity or interests.
nit: did you mean conduct (which connotes moral principles) or did you mean plain behaviour (which doesn't lump what you do together with if it's "right" or "wrong", according to some but maybe not some other rulebook)
> That is not how sexual orientation works, by the way
The way it works according to this judgement seems to be that if you don't explicitly tell FB something, they can't use the data anyway for targetting ads.
This sounds like it'll kill the vast majority of their inferred data points, as well as any ingested from 3rd parties.
Sounds fair enough to me. Glad I sold my FB shares last month.
> Wait so someone at Meta entered somewhere that this person is gay? Or was this based on, say, cookies and general browsing habits?
General browsing habits - he interacted with ‘gay content’ - websites, facebook groups etc. so could be targeted by advertisers that wanted their ads shown to people who interacted with that content.
I don’t think FB have a gay checkbox for targeting now but advertisers can choose websites and FB groups. Im not sure if this ruling effectively kills FB targeted advertising using data from outside FB or just if you're gay or not
The court decision pertains only to targeting advertising to the same user.
They didn't say that the data can't be collected. They didn't say the data can't be processed at all. They didn't say that the data can't be "aggregated and analysed" for some purpose other than "to offer him personalised advertising".
Meta does indeed offer controls to disable personalised and targeted advertising. If Schrems had disabled these settings appropriately, would Schrems have learned what Meta knew? It would seem that the targeting and personalisation is often the only way a user will find out what social media knows about us.
So IMHO, this is a sad, sad day for your privacy and Schrem's privacy, because if Meta can't reveal what they know about us through advertising and targeting, then Meta does indeed take Meta's privacy very seriously.
Processing of personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person's sex life or sexual orientation shall be
prohibited.
There is a list of exceptions, but I'm not sure any of them apply. I don't really see how what the court says matters all that much. They can't overturn the law.
How did Facebook determine that Schrems was gay? Do they even know he's gay? Just because they showed him an ad for something that gay people would find relevant doesn't mean they targeted him for being gay. Its possible he likes a lot of stuff gay people like. I get targeted by advertisements for institutions offering degrees in Christian studies or some such thing, even though I'm an atheist. But say I was a Christian, should I then deduce that Facebook knew I was Christian and used that information?
They are just spraying and praying with their ads on best guesses as to what is relevant to you.
You get targeted by advertisements for institutions offering degrees in Christian studies or some such thing, because you're an atheist.
I fixed that quote for you, because advertising is often targeted to the opposite demographic for various reasons.
Just try enjoying your favorite show on radio or regular TV, and you'll perceive ads for stuff you would never touch, but they are paying good $$$ to support that show you like, and to get in front of everyone possible, and perhaps wear you down with brand recognition and exciting jingles to influence your buying decisions in a moment of weakness.
However, targeted advertising may know exactly what you like, and be an effective means of call-to-action and conversion to sales.
On the back end, Meta advertisers fill out a list of audience interests and demographics. So yes, if the advertisements and their buyers were documented, Meta should also have sales info on the intended audiences.
It's a lawsuit because Schrems only needs enough of a basis to force the courts to consider certain issues, and to make statements about how GDPR should apply in principle in certain situations, in order to effectively restrict big tech's use of data.
It's a case brought strategically in order to trigger certain questions of interpretation of GDPR rules to be litigated.
Schrems' specific claim only needs to hold enough water to give him standing to get the case through enough filters in the court system to facilitate this.
Facebook didn’t determine he was gay, it’s just spray-and-pray by the algorithm exactly like you said. He’s just bringing the court case in bad faith to raise the issue and create another foothold for the EU to extract further billions in fines. The outcome will be more laws so nobody creates anything new in the consumer space or takes any risks that aren’t sanctioned by EU central planners ever again.
Knocking over US big tech companies for fines is literally the fastest growing EU industry by total profits.
I logged into Twitter after years and it was clear the ad algo was trying to determine my sexual preference - it would start by throwing in a hot girl, if I ignored then the image became a hot girl in bikini, then a hot girl's butt etc etc. Eventually it just showed me a fully nude girl with her legs open. In the middle, it threw in tweets about homo topics with images of dudes kissing.
These were always 1 tweet, below the fold, and once a day.
Eventually I just clicked one of the hot girls and I've never got anything since.
As far as I understand CJEU does not, at least not on this type of case where their opinion regarding EU law is asked by national court. Damages & fines are left to national courts, in this case Austria's Supreme Court (who might send it back to lower courts, I do not have any specific knowledge of Austria's court system).
Readit News
Sounds like he managed to prove more in his case than is apparent from the article.
Basically the issue here is that meta was almost certainly in possession of information on Max's sexual orientation and was using this information for advertising, but it's unclear if they had any data.
Privacy wise it is great that even partial information counts, but practically almost any data about a person is tainted with fractions of bits of information about their sexual orientation (or political views, or almost any of the protected classes of information). Without resorting to information theory I don't really see any way forward that doesn't end up in endless court cases over how much information is too much.
Then again we could just ban targeted advertising and avoid the whole issue in the first place. When differential privacy gets to a usable state we can worry about those instances where it would be nice to use some information for the public good without infringing privacy.
Rather it's that, in the course of evaluating this case, the court has been forced to make statements clarifying how certain rules and principles in GDPR are to be interpreted. And this has, in effect, narrowed the way Meta etc can use data.
Which for Schrems is really his ultimate goal anyway - his case is just a way to force the courts to rule / establish legal precedent on broader issues.
But processed what personal data? Where would Facebook even get reliable data on users' sexual orientation in bulk? It's not like you can buy that the way you can get credit scores or geographic locations. (Or can you? I've never heard of it.)
I'm very curious for the actual details here. And just because you get ads for products that seem to be marketed to the gay population, what leads the court to determine FB "identified" him as gay? My YouTube regularly has random ads in Spanish probably just because of some bug. Most ads seem to mistarget me, in fact.
I'd also guess that Facebook can do this pretty reliably for gender and age, martial status, parental status, and lots of other things.
That could be incorrect if (say) someone was researching fireman calenders for some non-sexual reason. ie boss assigned them the task of writing an article about fireman calenders through history
I'd have to wonder what other weird things such a person would be labelled with, given that they'd probably be researching a bunch of topics every week or so. ;)
Curious.
Stuff like that often ends up trawling through LKML posts trying to figure out wtf kernel might have a fix, potential things to try, and so on.
Probably also by people with zero interest in software development themselves.
The GDPR does not care if FB has a database column for “sexuality” or if FB never gathers that information directly. All it cares about is the fact that Facebook process personal data, and, using some of the data Facebook processes, sexuality can be inferred.
I think we in tech get hung up on technicalities, while the GDPR was specifically written to be as citizen-focussed and tech-agnostic as possible.
Regardless, this specific ruling seems a bit odd-it implies that FB took a fact he mentioned in a panel discussion (not on the platform), and used that information to serve him targeted ads based on his sexuality.
I have no idea of the mechanisms he supposes led to this.
I think of the story where Target was pushing diaper ads on someone before her dad (maybe even her?) knew she was pregnant
But if advertising works on a recommendation engine basis, or groups similar tastes together, then if someone uses the Meta platform enough, there will be circumstancial evidence that this person's interests and activities coincide with other gay people.
Perhaps the merit of the case rested with Schrems barely using Meta/FB, not providing any direct data or engagement, and only to discover that advertising was targeted. Of course, Meta is a vast platform, including comments sections and widgets and third-party cookies across many websites.
But Meta takes Meta's privacy very seriously, so perhaps nobody but the court will ever see what Meta and their partners learned about Schrems, or how they learned it.
If only the AP had gone web-first instead of staying legacy, we'd all probably be able to just follow a link to the actual case information instead of having to guess.
nit: did you mean conduct (which connotes moral principles) or did you mean plain behaviour (which doesn't lump what you do together with if it's "right" or "wrong", according to some but maybe not some other rulebook)
The way it works according to this judgement seems to be that if you don't explicitly tell FB something, they can't use the data anyway for targetting ads.
This sounds like it'll kill the vast majority of their inferred data points, as well as any ingested from 3rd parties.
Sounds fair enough to me. Glad I sold my FB shares last month.
General browsing habits - he interacted with ‘gay content’ - websites, facebook groups etc. so could be targeted by advertisers that wanted their ads shown to people who interacted with that content.
I don’t think FB have a gay checkbox for targeting now but advertisers can choose websites and FB groups. Im not sure if this ruling effectively kills FB targeted advertising using data from outside FB or just if you're gay or not
They didn't say that the data can't be collected. They didn't say the data can't be processed at all. They didn't say that the data can't be "aggregated and analysed" for some purpose other than "to offer him personalised advertising".
Meta does indeed offer controls to disable personalised and targeted advertising. If Schrems had disabled these settings appropriately, would Schrems have learned what Meta knew? It would seem that the targeting and personalisation is often the only way a user will find out what social media knows about us.
So IMHO, this is a sad, sad day for your privacy and Schrem's privacy, because if Meta can't reveal what they know about us through advertising and targeting, then Meta does indeed take Meta's privacy very seriously.
Processing of personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person's sex life or sexual orientation shall be prohibited.
There is a list of exceptions, but I'm not sure any of them apply. I don't really see how what the court says matters all that much. They can't overturn the law.
Deleted Comment
They are just spraying and praying with their ads on best guesses as to what is relevant to you.
How is this a lawsuit?
I fixed that quote for you, because advertising is often targeted to the opposite demographic for various reasons.
Just try enjoying your favorite show on radio or regular TV, and you'll perceive ads for stuff you would never touch, but they are paying good $$$ to support that show you like, and to get in front of everyone possible, and perhaps wear you down with brand recognition and exciting jingles to influence your buying decisions in a moment of weakness.
However, targeted advertising may know exactly what you like, and be an effective means of call-to-action and conversion to sales.
On the back end, Meta advertisers fill out a list of audience interests and demographics. So yes, if the advertisements and their buyers were documented, Meta should also have sales info on the intended audiences.
It's a case brought strategically in order to trigger certain questions of interpretation of GDPR rules to be litigated.
Schrems' specific claim only needs to hold enough water to give him standing to get the case through enough filters in the court system to facilitate this.
Knocking over US big tech companies for fines is literally the fastest growing EU industry by total profits.
These were always 1 tweet, below the fold, and once a day.
Eventually I just clicked one of the hot girls and I've never got anything since.