MN, FB, marketing companies and our data

[OhYouBadBadKitten]

Hi MN,

Several people expressed concerns about privacy when you introduced the logging in via fb ability. I've a few questions to ask at this point and as there will be other people here who are far more expert in online data on here, these are questions best asked in public. You will know me as a long termer here, who clearly enjoys using this site.

Firstly, with regards to GDPR, how will you be complying with the requirements of new legislation?

How much data do you hold on us? Who do you share it with and how is our information held?

When we fill out daft and not so daft marketing surveys on here, what are the data protection requirements incumbent on both yourselves and the marketing companies?

Have Cambridge Analytica ever been one of the companies that have gathered data through you, either overtly, or covertly under other trading names?

Have any other analytical companies gather political or other information on users, other than for marketing products purposes?

Please can you reiterate and summarise what permissions are given to facebook when logging into this site. Are these permissions limited to data held only by the user, or to their friends list as well?

How absolutely sure can you be that facebook have not also gathered information from mn beyond the permissions explicitly given? Are these reassurances purely given by facebook, or have you looked specifically about the data protection side with your own experts?

How does mn benefit from logging in through fb? Did they approach you for this, or did you approach them? Do you hold any data about users from their fb profiles?

I realise this is a long list of detailed questions that may take time to answer them. But I do feel they are important questions. Thank you.

Ha! hilarious x post.

Thank you Kate :) I appreciate that some of these questions may take time to be answered if they are to be answered in full.

Good grief, 15 hours to say "I'll have to ask someone".

You should have posted in aibu

FB itself sees and uses everything you post. Regardless of your privacy settings
...and keeps it even if you delete it

Hi thanks for the questions. I'll go through them systematically and anything I can't immediately answer we'll get back to you on tomorrow. First re GDPR, here's what we're going to be doing: When people register we''ll be explicitly asking users for consent for any personal data they give us eg Age, Pregnancy, Kids.

We'll also be mailing all existing users alerting them to our privacy policy changes with a link to their accounts to update/remove any data they wish.

We're also updating our T&Cs with our technology vendors to help make sure they're compliant (and we only work with those we believe are trustworthy.)

You can see what data we hold and how we use it in our privacy policy which is linked to at the bottom of every page. We're going to be looking at this page to make sure it's crystal clear - please do shout if you think there's anything that requires better explanation.

We follow data protection requirements with regards to any other data we collect such as for surveys which generally involves making sure we only hold the data for the time needed to process the info. With survey data this will usually be a maximum of 3 months and there are specifically appointed Data champions within every Mumsnet team to check these processes are routinely followed

We have never worked with any political marketing company or analytics company including Cambridge Analytica and would never and have never sold personalised data or emails. That said Mumsnet is a open site and clearly (as seen regularly in the Daily Mail) conversations are public and may be harvested by other publications, sometimes with the aim of scoring a political point.

We introduced Facebook login with only one purpose in mind and that was to make the login process easier - there is no benefit to Mumsnet beyond a better experience for our users and we have no direct arrangement with Facebook - it's something you can embed automatically. I'll need to get back to you on what Facebook's terms and conditions if you login via the Facebook link as I'm not sure off the top of my head. We'll also look into how widely it's being used as a login route - I suspect it's quite popular.

Broadly speaking we understand that anonymity is an important part of what Mumsnet offers and we take the responsibility to protect your data seriously. We have always set a high bar for how we handle user data - for example we don’t sell email addresses and always asked for clear permission before passing on an email address (eg when entering a competition). The only reason we collect data is because we'd like to make a better more relevant user experience in terms of the tools, content and ads shown but to be honest we haven't really got there yet (I still get shown a link to an ovulation calendar on the home page and I'm a bit beyond that stage).

GDPR seems to me a sensible way of formalising how publishers/businesses behave with regards to data to me. We already do many of the things suggested as best practise but there are certainly things we'll be tweaking and improving - do let us know if you think there are things we could make clearer.

Many thanks

@OhYouBadBadKitten

Hi MN,

Several people expressed concerns about privacy when you introduced the logging in via fb ability. I've a few questions to ask at this point and as there will be other people here who are far more expert in online data on here, these are questions best asked in public. You will know me as a long termer here, who clearly enjoys using this site.

Firstly, with regards to GDPR, how will you be complying with the requirements of new legislation?

How much data do you hold on us? Who do you share it with and how is our information held?

When we fill out daft and not so daft marketing surveys on here, what are the data protection requirements incumbent on both yourselves and the marketing companies?

Have Cambridge Analytica ever been one of the companies that have gathered data through you, either overtly, or covertly under other trading names?

Have any other analytical companies gather political or other information on users, other than for marketing products purposes?

Please can you reiterate and summarise what permissions are given to facebook when logging into this site. Are these permissions limited to data held only by the user, or to their friends list as well?

How absolutely sure can you be that facebook have not also gathered information from mn beyond the permissions explicitly given? Are these reassurances purely given by facebook, or have you looked specifically about the data protection side with your own experts?

How does mn benefit from logging in through fb? Did they approach you for this, or did you approach them? Do you hold any data about users from their fb profiles?

I realise this is a long list of detailed questions that may take time to answer them. But I do feel they are important questions. Thank you.

Thank you Justine, you didn't need to start answering them at such an ungodly hour! I'll have a good read in a short while.

My concern is this: I log in only via FB and I’m an active user of the politics threads. Anonymity is important to me - that’s the only reason I participate this way - so should I be concerned?

I’d stop logging in via Facebook whatever the answer is theclaws. Facebook haven’t shown themselves to be responsible guardians of your data - quite the opposite - so would take that precaution anyway.

Thank you once again Justine :)

I've read your response carefully and the privacy policy. The privacy policy was written clearly. I've a few further questions to raise. I may raise more later after I've had a ponder and time to digest your response. (I'm late for work, eep)

We're also updating our T&Cs with our technology vendors to help make sure they're compliant (and we only work with those we believe are trustworthy.)

Will you be conducting audits to ensure that technology vendors are compliant? How do you assess whether a company is trustworthy?

We'll also be mailing all existing users alerting them to our privacy policy changes with a link to their accounts to update/remove any data they wish.

Will this include data collected in the annual mumsnet polls? What about data passed on to third party organisations through the use of surveys such as the ‘what kind of laundry person are you’?

We have never worked with any political marketing company or analytics company including Cambridge Analytica and would never and have never sold personalised data or emails.

It is good to hear that you have never worked with any political marketing company. I do seem to recall before the general election questions about which way we will vote. For instance: www.mumsnet.com/Talk/politics/1812250-MNHQ-Group-3
I appreciate that in the forum these were anonymised responses, who was collecting this data?

I do notice that marketing analytics companies are used, as one would expect when targeting adverts.
Does mumsnet keep a list of companies you work with? Who decides which analytics companies are used? You or the advertising companies you work with?

I look forward to hearing more about facebook logins. For instance an alarming number of companies ask for access to photos and timeline posts.

In particular I am looking forward to the answer to: How absolutely sure can you be that facebook have not also gathered information from mn beyond the permissions explicitly given? Are these reassurances purely given by facebook, or have you looked specifically about the data protection side with your own experts? with regards to both facebook and google.

I'd like to see this question also further clarified please:

When we fill out daft and not so daft marketing surveys on here, what are the data protection requirements incumbent on both yourselves and the marketing companies?

While I trust MN to be reasonable and law abiding custodians of my data, FB have shown repeatedly that they are untrustworthy. So I wouldnt ever log in via FB, or google. Once you involve a third party your control of the data becomes limited.

I've been looking through the FB developers policy developers.facebook.com/policy/#data
There are a few things that really stand out, but one in particular

We can analyze your app, website, content, and data for any purpose, including commercial.

So it looks as though that means that by allowing a log in through facebook then all of its content can be used for commercial purposes by facebook.

Is this an accurate understanding?

Great thread, OYBBK.

So it looks as though that means that by allowing a log in through facebook then all of its content can be used for commercial purposes by facebook.

One other question: how far does that go? Let’s say I log in via email and OYBK via FB. OYBK and I then get into a heated debate about the price of gerbil grooming equipment that strays into name calling territory, political slurs and fisticuffs. What gets analysed? Only her posts? Mine too? My data in relation to hers?

I guess what I’m asking is even if log in via email, is my data given to FB because of the point raised by OYBK above? Because it says ‘your website’ not individual posts.

Another quick question for MN - what is your retention schedule for inactive accounts?

Survey data is kept for three months post completion as mentioned but is any other non-live data kept?

@ohfortuna

If you log into Mumsnet with Facebook that means that Mumsnet has access to your Facebook activity and profile and vice versa, both companies can then build a much more sophisticated and detailed profile of you this information can also be sold on to third parties. Don't give you this option to make life easy for you they give you this option because it's very profitable for them

This isn't actually right. We deliberately don’t ask for any profile info from Facebook - all we get is verification that the user is logged in and authenticated with Facebook and the user’s email address.

We could have asked to get access to the user’s profile information, but when we implemented social login we chose to get the bare minimum from Facebook, which is the email address. This was because we didn't want anyone to think their anonymity might be compromised on Mumsnet (with personal data from Facebook). And we don't sell anything on to third parties. No profits from data selling here!

Good questions moonlight. If a member has deactivated their account, how can they give consent or not for retention of their data?

Kochab. Yikes! So from now on, do we need to ascertain who has logged in how before we get into discussions? Perhaps we need to add tags to our user names so we know people are safe to talk to?

ohyoubadbadkittenemaillogin

I'd definitely like an understanding as to whether that clause applies to facebook log ins.

Yeah - thinking that the mere existence of the FB login allows FB carte blanche to look at the website as a whole, regardless of who logged in with what.

I trust MNHQ. I do not trust FB.

Justine, we are getting a clear picture that you don't sell our data (other than by when we answer third party surveys, to whom you must be granting permissions) but I think our big concerns are

a) are third party organisations such as facebook helping themselves to analytics data by dint of agreements such as the clause I highlighted above (and any other such clauses with others that we may not know about with other third parties)?

b) this one fell out of my brain. It will come back to me

Some more answers OYBBK
Re tech vendors we are requesting a right to audit within our agreements with our technology vendors and if we had any concerns we would request an audit. When choosing 3rd-party vendors we will take into account their business model, willingness to contract on data management details, quality of their people, how established they are in the market, their technology platform and references from other clients.

Our privacy policy will cover those other uses of data you mention. If you have consented to providing poll answers or passing data to a third party organisation in the past, we may no longer be storing the information you provided as we store this information only for as long as needed. The third party organisation will not be covered by our privacy policy so you're right to identify this as a risk but, again, we do choose who we work with with care but we can't guarantee they'll behave as well as we would with your data.

Re internal MN polls re voting intentions like the one you mentioned this was to inform our own policy work with regards to things like policy asks for manifestos and also to track MN voting intention over the course of a campaign. We only ever looked at and used this data in aggregate it was always anonymised. This is true of all our internal polls save for the fact that we may sort into broad groups to analyse trends - eg to show that young mums might have a different response to older mums on MN but again we only used this in anonymised form to inform our policy and media responses. Data protection requires that we only keep this info for the time needed to process it so that's our policy and we delete individual responses regularly and at least every 3 months.

Yes, we do use marketing analytics companies and we keep a list of the providers and analytics tools that we use and we'll publish this list in our forthcoming updated privacy policy. We decide the companies we use - not the advertisers. Who we use is chosen by the Commercial and adops teams based on their knowledge and experience.

Re Facebook we are not required to give Facebook any data in order to use their login service and we don't but you raise a valid point about what Facebook can track if you enter Mumsnet via Facebook and we'll nail this down and add it into our privacy policy too.

Your questions are very useful and apposite ones I think for all users so we'll look to include them in a data/GDPR FAQs page so they can be regularly referred to and kept up to date. Many thanks and do please continue to ask.

@OhYouBadBadKitten

Thank you once again Justine :)

I've read your response carefully and the privacy policy. The privacy policy was written clearly. I've a few further questions to raise. I may raise more later after I've had a ponder and time to digest your response. (I'm late for work, eep)

We're also updating our T&Cs with our technology vendors to help make sure they're compliant (and we only work with those we believe are trustworthy.)

Will you be conducting audits to ensure that technology vendors are compliant? How do you assess whether a company is trustworthy?

We'll also be mailing all existing users alerting them to our privacy policy changes with a link to their accounts to update/remove any data they wish.

Will this include data collected in the annual mumsnet polls? What about data passed on to third party organisations through the use of surveys such as the ‘what kind of laundry person are you’?

We have never worked with any political marketing company or analytics company including Cambridge Analytica and would never and have never sold personalised data or emails.

It is good to hear that you have never worked with any political marketing company. I do seem to recall before the general election questions about which way we will vote. For instance: www.mumsnet.com/Talk/politics/1812250-MNHQ-Group-3
I appreciate that in the forum these were anonymised responses, who was collecting this data?

I do notice that marketing analytics companies are used, as one would expect when targeting adverts.
Does mumsnet keep a list of companies you work with? Who decides which analytics companies are used? You or the advertising companies you work with?

I look forward to hearing more about facebook logins. For instance an alarming number of companies ask for access to photos and timeline posts.

In particular I am looking forward to the answer to: How absolutely sure can you be that facebook have not also gathered information from mn beyond the permissions explicitly given? Are these reassurances purely given by facebook, or have you looked specifically about the data protection side with your own experts? with regards to both facebook and google.

I'd like to see this question also further clarified please:

When we fill out daft and not so daft marketing surveys on here, what are the data protection requirements incumbent on both yourselves and the marketing companies?

That's really helpful Justine, I do appreciate you taking your time to answer my questions in detail. I especially appreciate your transparency in being willing to list the analytics providers and tools on an FAQ. I think that's a really good idea.

I think therefore, that the big remaining concern is the one that you are going to look into is to how much facebook (and google) are learning about mumsnetters as individuals and as a whole by people logging in through those platforms. Are they obtaining information about people that can be tied to their facebook profile, or in general?

This is obviously a very large concern that I suspect many people will have, not just about here, but any other websites that people log in to through these platforms. For instance at least one online petition platform allows log in through facebook. Can you imagine how that could be manipulated?!

We would really appreciate an update when you have one. What sort of timescale do you think this will be in?

Thank you Justine. Appreciate the answers and again, MN itself isn’t my worry.

My main worry would still be Facebook /google logins. As far as I know, their algorithms are almost all proprietary and secret so I’m not sure how far you will get with grilling them on what they collect. I have a sneaky suspicion that once that login option is there, they can analyse as they want. I could be wrong.

This has all been in my mind quite a bit recently with a few recent incidents (LMs twitter list of transphobes for example just from today.) it does make me pause when I think about what collected crosslinked data can do and who has access to it.

@KochabRising

Thank you Justine. Appreciate the answers and again, MN itself isn’t my worry.

My main worry would still be Facebook /google logins. As far as I know, their algorithms are almost all proprietary and secret so I’m not sure how far you will get with grilling them on what they collect. I have a sneaky suspicion that once that login option is there, they can analyse as they want. I could be wrong.

This has all been in my mind quite a bit recently with a few recent incidents (LMs twitter list of transphobes for example just from today.) it does make me pause when I think about what collected crosslinked data can do and who has access to it.

Understood. I'm out at a conference all day tomorrow but we'll certainly get back to you by Friday latest with everything we know about Facebook and Googles' interaction with Mumsnet. Thanks.

I think therefore, that the big remaining concern is the one that you are going to look into is to how much facebook (and google) are learning about mumsnetters as individuals and as a whole by people logging in through those platforms. Are they obtaining information about people that can be tied to their facebook profile, or in general?

Isn't this self-evident to some extent? The fact that a particular FB user is a MN user adds to FB's picture of that person. FB doesn't offer any service unless it is of benefit to FB in some way.

What I'd want a positive reassurance of is that there is absolutely no way of FB finding out the MN user name of that person when they log in via FB, because that would give FB access to everything they say on MN.

I've never understood how FB log in (to any site, not just MN) is a secure process. If nothing else, it links a RL identity to an anonymous one, thus rendering anonymity a bit useless

This might be of interest, from last year:

Facebook can track your browsing even after you've logged out, judge says

Judge dismisses lawsuit accusing Facebook of tracking users’ activity, saying responsibility was on plaintiffs to keep browsing history private

www.theguardian.com/technology/2017/jul/03/facebook-track-browsing-history-california-lawsuit