Facebook Download Your Information Basics for Lawyers

Original publication, PDF Version at JD Supra

In October 2010, Facebook released a new utility that allows a Facebook user to download the contents of his or her Facebook Member Profile.[FN1] Because Facebook features prominently in many areas of law, lawyers will probably encounter Facebook materials in a matter at some point, and lawyers may need basic familiarity with the current capabilities of the utility (as of March 2011).

In an effort to better understand the Download Your Information utility, I performed a single test of my own Facebook Account in March 2011. I used the utility to download my own profile information and then performed a basic, technical review of the results.

The results of the test indicate some areas of potential concern for lawyers relying on the data including:

  • some missing data,
  • potential for alteration of content,
  • apparent lack of ability to readily and objectively authenticate the contents of the download,
  • potential time stamp discrepancies, and
  • limited metadata.

Facebook, by revising the utility, might be able to mitigate many of these issues. Until revised, a lawyer should be aware of the potential limitations and issues.

Update: Another Report That All Facebook Profile Data Might Not Be Disclosed

In a recent news story involving a requests under an Irish Data Protection Law, the persons making requests similarly claim that data is missing, altered, or retained despite action by the user (such as deletion). See Emil Protalinski, Blog, Facebook: Releasing your personal data reveals our trade secrets, ZDNet (Oct. 12, 2011) http://www.zdnet.com/blog/facebook/facebook-releasing-your-personal-data-reveals-our-trade-secrets/4552.

Getting Started: Performing a Facebook Download Your Information

The Download Your Information task consists of three steps:

  1. initiate the Download Your Information request,
  2. wait to receive an email notification that the materials are available, and
  3. download the compressed, file “package” (zip file).

Generally, the Facebook account-holder must log-in 1) to initiate the Download Your Information request and 2) to retrieve the data download after Facebook completes the request.

Initiating the Request[FN2]

After log-in to the Facebook Account, proceed to:

  • Home …
  • Account Settings …
  • Download your information…
  • Start the download. Requires re-authentication of password.

Email Notice When Request is Complete

  • The request may take quite some time to process. In my case, the request took approximately one hour. (My account information, however, dates back to 2006.)
  • Facebook sends a notification email to the account-related email address acknowledging that materials are collected and ready for download.

Retrieving the Requested Materials

  • Use the specific download link provided in the notification email to download the requested materials.
  • To download, the account-holder must log-in.
  • The utility requires the account-holder to again supply a password to authenticate prior to download.
  • Download the compressed zip file package containing the aggregated materials.

Contents of the Download Your Information Zip File

The Download Your Information zip file package contains the aggregated account information in an HTML-based format that is navigable by a common web browser.

The zip file contains:

  • a README.txt file indicating when the zip file was prepared for download,
  • an index.html file serving a table of contents, and
  • the individual files of aggregated information organized by content type.

Note that Facebook organizes the materials in the resulting zip file by numerical Facebook user ID and not by Facebook member name.

“Table of Contents” (index.html)

An index.html file supplies links to content organized in the /html sub-directory. The index.html, in my simple test example, included information about:

  • [Member] Profile,
  • Wall [Posts],
  • Photos,
  • Friends,
  • Events, and
  • Messages.

Profile

Includes general information provided by the member such as numerical member ID, marital status reported, group memberships, and birth date.

Wall

Displays the contents of wall posts. The post may include a LOCK icon indicating, apparently, privacy settings were in effect. The wall post includes the Member Name, text of the post, and date stamp. (Whether deleted messages are included was not tested.)

Photos

None in my case.

Friends

A simple list of friends of the member and alphabetized by name—generally in “first name, last name” format. The utility provides no additional information such as Facebook Member ID or Numerical ID for the friend. (Verified by reviewing the HTML code.)

Events

The events appear to be a summary of each Facebook Event Posting that the member subscribed to. The event information is detailed. Event HTML links are active and connect to the event materials online as stored, apparently, by Facebook.

Messages

Displays, evidently, every message from or to the member regardless whether deleted. Each message includes

  • a origination header with basic TO or FROM information by Member Name,
  • date and time stamp,
  • message title,
  • “threaded,” hierarchical message exchanges (somewhat difficult to navigate because related materials are displayed inline rather than indented), and
  • any embedded links in the message (active).

Testing Notes

Even with minimal materials in my account, the preparation time for the download was approximately one hour (9:25 PM to 10:35 PM with email notification sent at 10:44PM).

In my preliminary test, some deleted items apparently were not included in the download (for example, deleted photos were not included).

The time and date in the README.txt manifest file reflect when the download was apparently prepared and not when the materials were actually downloaded.

The links in individual messages apparently permit viewing of the content even if not a logged-in member of Facebook. The URL itself appears to redirect from Facebook to the external content. [Update May 4, 2011: A interstitial page appears and requires confirmation before redirecting to the link.]

In messages, the display name for the member appears to be the current member name and not the member name at the time the message was sent or received.

General Analysis

The Facebook Download Your Information utility provides aggregated, member account information. In addition to the Testing Notes (above), issues with authenticating the materials may be a challenge in some circumstances.

Some Missing Content

Some deleted materials, such as photos, are apparently not available with this utility. Messages and Wall materials, however, appear to be available. Thus, if a member deletes a photo prior to running the Download Your Information utility, the utu

Potential Altered Content

The Member Names in the Message content might be altered to reflect current names rather than names at the time of sending or receipt.

Download Authentication

The download requires Member participation. In other words, there appears no ready means to allow a third party, without access to the member’s account, to independently download the materials using the utility. Currently, the utility requires several Member log-ins to complete the Download Your Information process.

Because no hash value or check-sum authenticates the integrity of the content and because the download (in general) is in the hands of the Member, the contents cannot be easily and objectively validated. That is, a MD5 or SHA hash would at least validate the package’s overall integrity and obviate claims of alteration or tampering—important because the zip file package contains only simple, easily altered, HTML. At present, there appears no impediment to downloading, altering, and then re-packaging the content. Even better would be a Facebook signed package that would validate both 1) the origin from Facebook and 2) that integrity of the contents.

Date/time Stamps

Technically, the date/time stamps of individual files in the zip package do not agree with the date/time stamp reported in the README.txt manifest. The date/time associated with each file seems to be the date/time on the server when created using the server’s time zone. The README.txt manifest date/time, however, seems to use the Member’s time zone.[FN3]

Furthermore, in my test, “unzipping” the package on Windows displays the date/time of unzipping and not the original date/time in the downloaded zip file package.

Limited Metadata

The Download Your Information utility provides a digest of the Member’s information on Facebook. As noted, the utility aggregates the information in a report format rather than providing access to raw data. The Download Your Information utility, therefore, provides only minimal metadata.

Closing Summary

This overview helps introduce a lawyer to the Download Your Information utility. The utility permits a Facebook Member to download a “package” of aggregated, Facebook content. As indicated, some latent issues may include the potential alteration of content in the package, potential inability to objectively authenticate the data, limited access to metadata, and apparent unavailability of some deleted (or altered), account data.

Footnotes

FN1—See, e.g., Blog Post, Facebook Implements ‘Download Your Profile’ Option, SlashDot.org, http://tech.slashdot.org/story/10/10/07/1250242/Facebook-Implements-Download-Your-Profile-Option?from=rss.

FN2—See the latest Facebook instructions and tips at Facebook Help Center, Download Your Information, https://www.facebook.com/help/?page=18830.

FN3—Thus, assume the server is located in California (Pacific Time Zone) and the member is located in Virginia (Eastern Time Zone). Assume the request was processed at 4:00 PM Eastern Time (member time zone). The The README.txt manifest date/time would be 4:00 PM (Eastern Time Zone), but the time stamps on the files in the zip file package would be 1:00 PM (Pacific Time Zone).

Publication Information

Original research in March 2011. Text revised on 05 May 2011. Original Publication JD Supra 05 March 2011.

PDF Version at JD Supra

Minor Update: 13 October 2011