I know a lot of people in the security industry, and I know a lot of people who enjoy Facebook. However, there's not much overlap between these groups. As someone who's part of both groups, I'm a bit of an oddity. Many security experts either always steered clear of the social network or are currently advocating deleting it. I follow security topics and products closely, and I also use Facebook, carefully. I don't see any need to delete my Facebook account. But now that Facebook has made it so easy to download everything the social network has about me, I went ahead with that process. Perusing the resulting archive, I ran into some surprises, both positive and otherwise.
I'm Careful, Really I Am
I've known for years that with Facebook, I'm not the customer, I'm the product. I keep my profile private except to friends. I don't post a lot in my visible profile, and not all of what I display is true. For example, while it's true that I studied Existentialism in college, I'm not actually a Pastafarian; I have not been "touched by his noodly appendage." I never wildly click links that seem shady. And I maintain a security suite that warns if a dangerous link gets past my radar.
I never play Facebook games; you'd be surprised, or appalled, at how much data games can gather. I had to silence one family member because of a Farmville account that kept pinging me to come play. I've been known to try some silly quizzes, but only the ones that ask you questions to figure out, say, which Game of Thrones character will kill you. Those quizzes that offer to scan your Facebook data and give you a result? Those are poison! I don't touch them.
I never use Facebook (or my email account) to log into websites. Doing so makes your Facebook password a single point of failure. One exposure and all your accounts are wide open. Instead, I use a password manager to create strong, unique passwords for every site.
But being careful myself isn't enough. Sloppy security on the part of my friends can potentially make some of my information public. So I tightened up my settings to keep Facebook from sharing my data. I went all-out, choosing the option to totally disable the sharing platform. Facebook offered dire warnings about how doing so would disable my apps, and keep me from logging in using my Facebook credentials. I smiled and went ahead. Now I'm fine, right? Well, maybe.
Download Your Archive
These days, it's easy to download an archive of all the data Facebook has on you. (At least, they say it's everything…) Well, it's fairly easy. You do have to go through several steps, which are in place to prevent someone else from stealing your archive. Here's how I did it, and how you can get your own archive.
- Log into Facebook, click the down-triangle icon at top right, and choose Settings.
- On the General Settings page, click the last item, the link to download a copy of your data.
- Facebook warns that collecting data may take a while. Click Start My Archive.
- On the next page, click Start My Archive again, and wait for a notification that it's done.
- Download your Facebook archive.
Note that you'll have to supply your Facebook password twice during this process, because this is sensitive information. Facebook also warns that you should protect the downloaded data, as it contains sensitive material. Your best bet would be to encrypt the data when you're not actively studying it.
No Surprises, to Start
Once you unzip the downloaded archive, you'll find you have a folder containing a file INDEX.HTM plus folders named html, messages, photos, and videos. Ignore the folders for now; just launch INDEX.HTM and start exploring.
You start at the Profile page, with general information about you and your Facebook account. This includes the exact moment you started with Facebook (Thursday, June 28, 2007 at 8:15 a.m. PDT in my case) as well as your address (if you entered it), birthday, gender, hometown, and so on. It doesn't distinguish between public details and those you've made private.
My archive also lists everyone I've identified as family members, all three dozen of them. Family connections are a big part of what keeps me on Facebook. The lists of Music, Books, Movies, Restaurants, and Websites I've liked are short; I don't tend to give likes in those areas. But the list of Other likes is more interesting. Apparently, I've liked more than 60 pages, ranging from Notorious RBG to Thich Nhat Hanh to 'The Official Petition to Establish "Hella-" as the SI Prefix for 10^27.' At least Facebook doesn't have a hellabyte of data on me...
This page also lists all the Groups I belong to. It's a bigger list than I expected, mostly because at least half of them haven't had any activity for years. I'm not sure there's any benefit in actively disengaging from moribund groups, though.
Friends and Not-Friends
Clicking the Friends link got me a list of all my Facebook friends, sorted from newest to oldest. No surprise there! But scrolling down farther, I found a lot more. It also lists: Sent Friend Requests, Received Friend Requests, Declined Friend Requests, and Removed Friends. That's right. Facebook knows everybody you've unfriended, and every friend request you've denied, or ignored.
I dumped the list into Excel for analysis, because that's what I do. I found that several dozen of the entries appear in more than one category, and that some of these duplicates seem to tell a story. Some years ago, I purged my friends list down to something manageable, but later added some of the purged folks back. And there they are—Removed Friends, but later, Friends. Others were persistent folks, Declined Friend Request followed later by Received Friend Request (which I ignored).
Possibly the most interesting category involves people who showed up in the Received Friend Request list and no other. That means I received the request and just ignored it, without actively declining. I confess to friend-request overload. And after ignoring requests for a while, it gets tough to actively go through and decline the unwanted ones. To the 70 people in that category—sorry!
At the tail end of the list, I found a couple other minor categories. I have exactly one Followee, meaning there's one semi-public figure that I follow without actually being FB friends. You may have more. Facebook's analysis of my friend collection places me in the Friend Peer Group called "Established Adult Life." Why? Perhaps for advertising?
Who Are These Contacts?
The Friends page makes sense, though it includes more information than I thought it would. But the Contact Info page totally mystifies me. It lists hundreds of people, in no apparent order, along with one, two, or three phone numbers. Who are these people, and where did they come from? The list even includes entries for people no longer living, some of them deceased before I ever joined Facebook.
I dumped this list into Excel as well, and checked off any that I might have actually called on the phone. That accounts for just 10 percent of the list. About 6 percent of the contacts appear twice, most with the same phone number. Almost all of the names seem at least vaguely familiar, but not through Facebook.
For a sanity check, I used an Excel formula to flag every name from my Friends list that also appears in the Contacts list. That accounts for 11 percent of my friends. Looking the other direction, because there are more Contacts than Friends, just 6.5 percent of my Contacts match the Friends list.
I don't know for sure how Facebook got this list of contacts and their phone numbers. I must have given it permission to see my contacts on some platform, but even then, I mostly keep email addresses (notably absent from this list), not phone numbers. It's a puzzlement!
My Whole Timeline at a Glance
At first, I was unimpressed with the page reached by clicking Timeline. Like many, I frequently post an image with a snarky comment. The Timeline view skips the images, and the snarky comments alone don't make sense. Then I hit Ctrl+End, to go to the end of the page. Wow!
Every post I ever made on Facebook is here in the timeline. I don't know if it's even possible to go this far back within the Facebook user interface. If it were possible, it would take hours, maybe days, of scrolling down, down, down. I found the nearly ten-year-old posts fascinating. The post "feeling chilled after biking 10 miles in the rain Sunday to watch the Amgen riders start the first 100-mile ride" reminded me of the thrill of watching the opening of the first Amgen Tour of California bicycle race. And I was proud to remember my grown daughter's high-school success, Grand Prize in a regional animation contest.
Even in this convenient one-long-page form, paging through the entire Timeline would be too much to handle. But if you want to check just when a certain event happened, an event you posted on Facebook, you can easily search the page for details. In effect, it's an index for your entire Facebook history. What an unexpected treasure this is.
Every Photo, Awkwardly
Clicking Photos gets you a similar list, a timeline of every photo or album you ever posted. It includes the date for albums, and any comments, but not the text you shared along with the album. When you click through to the individual photos, you don't see the dates, unless the photo itself has comments. Facebook reports a raft of (to me) pointless information. Camera make and model. Orientation, width, and height. F-stop, ISO, and focal length. In my oldest photos, these are all the more useless because they're often either blank or zero. I couldn't figure out why some iPhone photos include a modicum of information, while others get nothing.
Some photos appear automatically in predefined folders such as Mobile Photos, Timeline Photos, and Profile Pictures. As with photos in your handcrafted folders, these display the non-useful camera data, followed by any comments. Any post that went along with the photo doesn't appear, nor is there any indication of a date, unless in the comments.
For a few photos, Facebook provides a link titled Facial Recognition Data. Clicking the link brings up a set of incomprehensible numbers and raw data. The fact that all of these were photos of Halloween pumpkins doesn't inspire confidence.
In my view, Facebook could handle this a lot better. Suppress the camera data except when requested. Include the date for any photo. And when I snap a photo and post it, include the text of the post with the photo.
Clicking Videos, as expected, gets a list of all the videos you've posted, from newest to oldest, with a 284 by 160 pixel thumbnail. You also get the video's date and time, and any comments. When I clicked on a video, though, I got a surprise.
The Facebook archive stores videos as 400 by 224 MP4 files; it doesn't link to the full-size video that you posted. When I launched one of those, I found that the sound worked fine, but the video itself just showed shifting bands of color. I tried a half-dozen videos, and the same thing happened with all of them.
That was under Firefox. When I opened the same page in Chrome or Edge, the video played back just fine. Internet Explorer didn't try internal playback, but instead suggested opening the video in the Movies & TV app. Movies & TV blew the video up to full screen, making it blurry, but it worked. I'm not sure what the problem is with Firefox, but there are plenty of other browsers for viewing your archive.
What if your real urge is to find the full-scale original video that you uploaded? You can't get there directly from the archive, but it can be a help. Check the date under the desired video, then open the list of videos right in your Facebook account online. Make a guess as to how far you should scroll down. Click a video and check the date in the post that appears. Scroll up or down as necessary to bracket the desired date. It's not ideal, but also not too difficult.
Ads and More Ads
Facebook exists to tempt you and other users with ads. Every time you click an ad, that's another data point for your profile. The first thing you see when you click the Ads link is a list of all the topics Facebook thinks interest you. In my case, the list runs to more than five dozen items. Some make sense: coffee, California, computer security, network security, journalism, Alejandro Jodorowsky. Others have me head-scratching, things like water, landform, watermelon, and Order of Interbeing (what?). But those are the topics that inform just what ads Facebook inflicts on my feed.
More interesting is the following section, Ads History. This is simply a list of ads and sponsored posts you've clicked on recently. I'm not sure of the time period; the oldest one in my feed is from about seven weeks ago. It could also be a fixed number of the most recent ad-clicks. In my archive the total number listed comes out at the suspiciously round number 100. Yes, I confess, I clicked 100 ads. To be fair, I avoid clicking unsupported "Sponsored posts," but I do sometimes click ads shared by friends.
At the very end, the archive lists "Advertisers with your contact info," eight of them, in my case. I recognize most of them, though I'm not sure how they got my contact info, or what it means that they did. But a couple are completely unfamiliar. I'm very deliberately not Googling these, figuring that doing so might just give The Watchers more information.
A Mess of Messages
Not surprisingly, Facebook keeps a record of every conversation you hold using Facebook Messenger. All those conversations show up when you click Messages. And the resulting page is almost completely useless.
In my archive, there is a list of almost 200 names and name-groups, in no discernible order. To see a conversation, you click the name. Quite a few have no conversations associated with them at all. Others are attempts at Messenger chat from people I don't know. There's no way to tell if a given name or group leads to an actual conversation.
Checking on names where I know I have a Messenger history, I found that indeed it lists every exchange, back to the very first. The messages show up in reverse chronological order, so to read a single conversation, you must scan the date/time stamps to find the initiating message and then read from bottom to top. What a mess! And if you remember that you had a conversation on a certain topic, but forget who you were chatting with, forget about it. There's no way to search except by opening every name and searching.
Facebook, this could be so much better! Give us a list of names, yes, but show the number of messages associated with each. Let us sort by name or by number of messages. When we open the list of messages for a given person, show them in oldest-to-newest order, and use some visual cue to show the start of each new conversation. Finally, let us search across all messages. Now that would be a useful list of messages!
Events and Pokes
I'm sure you've received invitations to plenty of events via Facebook. If I get an invitation to a truly personal happening, I make a point of actively choosing accept or decline. But if I'm just not interested, perhaps because the event is impossibly distant, or sounds boring, I don't usually do anything. Surprise! The Events page lists every event invitation you ever received, even those that you totally ignored. I don't see a lot of value in this list, but it seems harmless.
Likewise both useless and harmless is the list of pokes. Who pokes anybody these days?
I figured that clicking Security would show my Facebook Security settings, perhaps with a history of changes. Boy, was I wrong!
This page starts with a confusing list of Active Sessions. It listed 17 active sessions, one (correctly) identified as Facebook for iPad and 16 marked Unknown. Who knows what to make of that?
The following list of Account Activity proved even more obtuse. A seemingly endless list of entries reports, in painful detail, on events like Session updated (these are the vast majority, for me), Web Session Terminated, and Login. The one slightly interesting entry accurately reported the date and time of the last password change. These entries only go back about two years.
Next up is a list of Recognized Machines, including entries for two iPads and two iPhones. Which ones? I've had several. The date/time stamps were no help; all four say they were created December 31, 1969 at 4:00 p.m. PST. That date seems unlikely. None of the last-modified dates are newer than 2014, and the entries include no identifying device information, beyond the IP address.
I found little use for a list of logins and logouts during the previous year. A list of Login Protection Data reveals cookies and IP addresses used or updated in the last year. The list ends with estimated locations based on IP addresses, just simple decimal latitude and longitude, with no link to a map view.
At the very, very end is a short section that might be useful to some. The Administrative Records section lists things like changes to your password, changes to your security answers, and something called "Checkpoint completed."
So, OK, it's true that Facebook keeps painfully detailed information about your logins and devices. You can look at it until your eyes cross. A security expert might dump this data to detect possible hacking, but the average consumer will find little of interest.
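One way to do the kind of review mentioned above, as an added example that is not part of the original article: the Python below assumes the Security page entries were transcribed by hand into a CSV with hypothetical columns event, timestamp_utc and ip, and every sample row is constructed. It flags logins and password changes from an IP address seen on fewer than two distinct days, and separates out entries stamped with Unix time 0, which Pacific Standard Time renders as December 31, 1969 at 4:00 p.m. and which normally means no date was recorded.

```python
import csv
import io
from datetime import datetime, timedelta, timezone

# Constructed sample: rows copied by hand from the archive's Security page into CSV.
# Column names and every value are assumptions; IPs are documentation ranges.
SAMPLE = """event,timestamp_utc,ip
Session updated,2018-03-01T15:02:11,192.0.2.10
Session updated,2018-03-02T07:45:40,192.0.2.10
Login,2018-03-03T16:20:05,192.0.2.10
Login,2018-03-09T03:12:54,203.0.113.77
Password change,2018-03-09T03:14:02,203.0.113.77
Web Session Terminated,2018-03-10T18:00:00,192.0.2.10
Recognized machine created,1970-01-01T00:00:00,198.51.100.4
"""

EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)
PST = timezone(timedelta(hours=-8))
SENSITIVE = {"Login", "Password change"}  # events worth a second look


def load(text):
    """Parse the CSV into dicts with timezone-aware UTC timestamps."""
    rows = []
    for r in csv.DictReader(io.StringIO(text)):
        ts = datetime.fromisoformat(r["timestamp_utc"]).replace(tzinfo=timezone.utc)
        rows.append({"event": r["event"], "ts": ts, "ip": r["ip"]})
    return rows


def review(rows, min_days=2):
    """Split rows into (flagged, placeholders).

    placeholders: timestamp is Unix time 0, i.e. the date was never recorded.
    flagged: sensitive events from an IP seen on fewer than min_days distinct days.
    """
    placeholders = [r for r in rows if r["ts"] == EPOCH]
    dated = [r for r in rows if r["ts"] != EPOCH]
    days_by_ip = {}
    for r in dated:
        days_by_ip.setdefault(r["ip"], set()).add(r["ts"].date())
    flagged = [r for r in sorted(dated, key=lambda r: r["ts"])
               if r["event"] in SENSITIVE and len(days_by_ip[r["ip"]]) < min_days]
    return flagged, placeholders


if __name__ == "__main__":
    flagged, placeholders = review(load(SAMPLE))
    for r in flagged:
        print("REVIEW ", r["ts"].isoformat(), r["event"], r["ip"])
    for r in placeholders:
        # Unix time 0 rendered in Pacific Standard Time is Dec 31, 1969, 4:00 p.m.
        print("NO DATE", r["ts"].astimezone(PST).strftime("%B %d, %Y %I:%M %p"), r["event"])
```

A flagged row is only a prompt to check whether that login was yours; travel, a new phone or a mobile network will also produce one-off addresses.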
Things I Didn't Know Facebook Knew
Before my recent experimentation, I hadn't really thought about what-all data Facebook keeps about me. Clearly, it has to retain my posts and pics, and I know it uses some techniques to decide which ads it'll show. Downloading and paging through my Facebook archive was a real eye-opener. I ran into real surprises, some positive, some negative, some just…surprising.
- The Timeline archive can be a fantastic index for your entire Facebook history. It's well-nigh impossible to scroll back a few years in your live Facebook feed, but in the archive, you can easily search the entire timeline.
- Facebook doesn't just know my friends. It knows everyone who's asked to be a friend, even if I ignored the request. It knows everyone I've unfriended, and every friend request I've rejected. Maybe that's not so bad, but I was surprised.
- The archive's list of videos displays nicely from newest to oldest, with a date/time stamp for each video. But you don't get to see the actual post, the video displays in a tiny rectangle, and it seems not to work in Firefox.
- Some items in Facebook's list of "my" ad topics make sense; others seem off the wall. The revelation that I've clicked 100 ads in less than two months is an eye-opener.
- Something I did, at some past time, gave Facebook permission to grab all kinds of unrelated contact info. Weirdly, it only shows phone numbers, even though I've never called 90 percent of those people, and a fair number of them are dead. Unsettling.
- Your archive lists everyone with whom you've ever chatted using Messenger, which sounds like it would be handy. But the information is disorganized and hard to follow, and there's no way to search your messages.
If you haven't yet done it, scroll back to the top of this article and follow the instructions to download your own archive. Page through it, think about it, do your best to get past the poorly designed parts. The archive isn't just evidence for you of what Facebook has on you. You can also make it a useful resource, assuming it doesn't inspire you to simply delete Facebook.
Presuming you're keeping Facebook, I strongly advise that you bite the bullet and disable the platform that lets Facebook share your data. Yes, that means you give up your games and apps, those nasty little spies. And you must log in to websites using unique passwords. But these are good things! With these precautions, you can keep using Facebook and still keep (most of) your privacy.