My Quest to Get My Data Back From Facebook, OkCupid and More

potentially big penalties for companies that don't comply. Just how huge four of global annual revenue. For a company with worldwide sales of a hundred billion dollars, that could mean penalties of four billion in certain circumstances. Almost every company collects data about us, and they're all subject to this law. Until now, we've had very little control over how companies use that information. It got me thinking about this new law means for us, the consumers. So I decided to

find out. This new law gives us many powerful new rights. But how useful are those rights? What can I do with them? Hi? M Aquito and I'm Nates Lanson, And this weekend decrypted, Nate sets up to discover what data companies have on him and how much that data is worth.

This new European law, called the General Data Protection Regulation, opens up all kinds of new possibilities for us as consumers to use our data for our own benefit by protecting ourselves from hackers, making our online lives more convenient, and maybe even making some money. This lot could also foster new services to help consumers get the most out of their data. I tried to find out how far away those business opportunities are from becoming reality. Stay with us.

Perhaps the most well publicized part of this law is that any European citizen now has the right to approach any company and ask it to hand over all the data it has on them, and the company has to do this within a month. And Nate, let's quickly recap why you would want to have mountains of your own data like this. Well, there are several reasons. For some people worried about security. We can ask for our data back and then ask the company to delete it and

most companies would have to comply with that. Okay, makes sense. Another reason is convenience. Many companies use our data to customize the ads we see and the promotions we receive from them. And the more data, the better the recommendations. Right, and GDPR allows us to move our data from one firm to another in order to have a better experience with the companies we like or prefer using. The other big principle in this law is about giving power back

to the user. Our data has helped companies like Facebook and Google become enormously profitable. Now some of the games might trickle down to ordinary customers. In theory, the law allows us to take our data from one company and give it or sell it to another. In theory, yeah, I'll get into that a little later. So sell us which companies you reached out to. Well, at the top of my list were the big guys like Apple, Facebook, Google, But of course this law applies to every company, not

just the Silicon Valley giants. Yeah, so I also went to a handful of smaller companies, like a local food delivery company here in the UK called Delivery and Okay, Cupid, the dating site where I actually met my wife. But my first challenge was to figure out how to submit a request. The thing is, I'm glad you thought this is a good idea, because when I first heard the idea, I thought, this is either never gonna work, or it's gonna work and be a massive invasion of my own

personal privacy at my own hands and my fault. I asked an expert called Julian Saunders for some advice. Julian is the CEO of a company called Sports, and he helps businesses make sure they're complying with the new law. We started by going through all the documents I'd need to send off along with these requests. I'm guessing here because no one's put these these principles into place yet, but I'm guessing you're going to have to prove your identity.

So in a way, I'm going to have to give them personal information in order to get my personal information. That's a little bit of a dilemma, yes, but it's true. It's an opportunity for businesses to learn even more about you and ask you if your data. If I'm having to basically say, okay, I want to check that you're trustworthy and you're you're responsible enough to have my information. So here's a scan of my passport and my driver's license. There's a delicious irony to that that that I didn't

fully appreciate. The law is so new that I wasn't sure what to expect when I started submitting my requests. Big profitable companies like Apple and Facebook have mostly created easy one click landing pages where you can go and request your data. For smaller companies, though, there's no one click option, So I wrote a bunch of letters, and for good measure, I went old school and printed out hard copies in case I needed to use that classic

old system that postal service. My guess is that you're going to be quite shocked at how many businesses aren't fully GDPR compliant. Julian did warn me the new GDPR regulations are so onerous and are such a big departure from the way many businesses are used to operating. There may be lots of companies that are still trying to get to grips with the law, even though it officially

took effect over a month ago. The other thing is going to be really interesting is the extent to which they offer your data back to you, Because strictly speaking with the guidelines, they should be giving you, of course the information that you provided to them, but they should then be giving you back all the related information that has been generated around your profile while it's been in their organization, and the degree of extra data that they

provide back is entirely dependent on their desire to be open and transparent with you and to give you everything that they've got, some of what they've got, none of what they've got, And there's really no way to know whether a company has fulfilled this larger requirement that Julian is talking about. So bearing all this in mind, I set out to get my data back. I'm starting with the service that fascinates me the most, the dating site. Okay, Cupid.

You know, Nate, it's worth noting that you're married. Yeah, I am, And I thought I deleted my account years ago, and okay, Cupid definitely doesn't need my data anymore. So I was in for a bit of a surprise when I went to submit my data request and I've just been asked and do I want to restore my account? I've rest yes, And I'm actually now staring at my old dating account, including all the messages that I sent,

my profile, pictures, my profile itself. I genuinely didn't see this before that I'm seeing this for the first time. My account isn't even closed, it was just deactivated. You know, you stand a little shocked here. I was. I genuinely thought I deleted my account. But what I probably did is just deactivated, which is an option okay Cupid office customers, instead of deleting it. And if you had deleted it,

would okay, Cupid be obliged to destroy that data. Well, legally, they're obliged only to keep it as long as it's necessary. It doesn't have to be immediate. But I did suddenly have a bit of a mild panic. What if somehow my wife got notified or somehow found out that I'd reactivated my dating account. Hello, hey, it's me. I put my GDPR letters down and made a quick call to

prevent any risk of divorce. I've just been on They've still got my profile, which I've reactivated, and I just thought, on the off chance that somehow you find out that I've reactivated my profile, I'm not trying to date other people. Okay, that's fine, I'm really gonna have you anyway. Thank you, excellent, And I think I like your wife already. Yeah, She's made it pretty clear that this is the last time she's going to let me cruise through dating profiles after

she's gone to bed. But it was a stark reminder that businesses don't always delete the data they have on you just because you don't use this service anymore. That's one of the new powers consumers now have. Many companies have to destroy your data if you ask them to. Yeah, with a few exceptions, such as if a business has what's called a legitimate interest in the data. So a credit scoring company won't have to wipe your data if

you ask it, for example. But before I could do anything with my okay Cupid data, I had to figure out who to even send my request to. Okay. So I'm staring now at my account page and I'm trying to work out how to find who to send this too. So I've gone into my account settings. There's a button here says privacy. I'm being offered hidden users, blocked users. This turned out to be harder than I expected. There was nowhere obvious on the Okaycupid website to submit a

GDPR request. Okay, maybe gdp R, Nope, fine looking in the footer again, I've got at trans choices about careers. Was a little little submit a success story I suppose I could do that afterwards saying that I got married, or maybe the success stories that I found how to actually send this this information. I even tried buying contact info for okay Cupid, but that didn't get me anywhere. In the end, all I could do was send okay Cupid help request. So I'm going to put in this

request as other help. I'm going to put subject g d p R request tell us your problem. Hello. My problem is that I couldn't figure out the fastest way to send you a request for my personal data, and it turned out this contact form was the best way to submit my request. But it's been four weeks and the company only just replied to ask for further proof

of identity. You know, I'm kind of surprised how difficult of a time you've had because okay Cupid is owned by Match dot Com, which is a publicly traded company. It's not like they're this tiny, under resource start up. Yeah, I wish I knew. I mean, some companies just seemed to make it difficult to get in touch, either pointing users towards a generic inbox requests or asking users to use a feedback form. It's not the first I've seen it.

I don't know. That sounds pretty risky. If this law has some pretty serious penalties for companies that aren't complying, that's the thing. I have no doubt they are complying. It's just that it's expensive for companies, even midsized ones

like okay, Cupid or Match, to fully automated system. There's no formula for how data should be organized internally within a company either, so a lot of companies are still working things out and using more manual measures to make sure that they can at least comply with the law. I reached out to okay Cupid to find out why it took so long to reply to my initial GDPR request, but at the time of recording that email remains unanswered. The next company I approached was Delivery. Now I've used

this food delivery company a load of times. You order meals through its website or app and they'll have someone bring it to you. It's the biggest competitor to Uber Eats, although here in Europe, Delivery is actually a lot bigger than Uber's service. Okay, well, let's just realize that deliver rou is just around the corner, quite literally from Bloomberg's office here in the financial districts of London. So so of thought if I can give this letter to them

in person. As a relatively young but rapidly expanding startup, Delivery is a good example of a company that's quickly ended up accumulating vast amounts of data delivering hundreds of millions of meals to its customers, and so it had to build out its privacy team to ensure it complied with the law. And it's also part of a surging food delivery market with fierce competition across Europe. So all that data has on you could be of great interest

to a competitor or vice versa exactly. And I really like Delivery, so it's in my hands to make sure it's the right company to have the records of all my embarrassing dining habits. Oh yeah, I can just slack Jill. Okay, we can just leake. I was here to meet Jill Pollock, Delivery's data protection officer. I was taken through Delivery's headquarters, an open plan workspace complete with a miniature basketball court.

There was actually being used to screen a soccer game while employees sat working on bean bag chairs how're they go? Good to meet you? Hello, can I give you this? This is a request for all of my data from delivery. Oh yes, let me app and have a look. Okay, thanks, Actually probably don't need to do that now, but at some point in the next few days will be would be contested. I'm taking it now as you're here in past. Okay, thank you. Just checking that it's valid requst this will

be incredibly embarrassing if it isn't. Well, actually, there are very few formalities which show needed for request. Just wanted to check this same email dress that we have on far for you. She allows me to verify that you are truly who say you are. Um, So yes, we can process this request for f you and 'll be

in touch with your data. For companies that process large amounts of user data, GDPR requires them to appoint a data protection officer to make sure that the public knows exactly who they can go to if they have concerns or questions about their personal information, and that's what Jill does for deliver U. But I also wants to whether any customers had tried to give her their data from rival food delivery companies, so Delivery could personalize their service.

We have not had to request like this. It's a very interesting idea. You're referring, of course, here to the right of data portability, which is a new GDPR right. I think there's probably more appetite for customers to do this with companies like social networks or perhaps the music streaming services. I've been wondering whether a lot of people are trying to now move their playlists to title now the new Beyonce album is on that that's an interesting example, Nick.

Do you think you'd ever consider doing something like that? Um, well, if by Beyonce you mean Metallica or Flesh Got Apocalypse, then maybe. Otherwise no, but there's probably an opportunity here for smaller companies to encourage their customers to hand over their data from a competitor like this. Yeah, if I could get free burgers for a week with Delivery by giving the company my burger buying history from Uber Eats, I probably would. And so, with another GDP IR request filed,

I was good to leave Delivery's building. Well, that was very successful. I don't really know what else to do now, except wait, I suppose I'll get lunch. I should really mules in there. After all that, Jill couldn't just hand me my data, so I'm still waiting for Delivery to send it to me. But I did hear back from some of the big tech companies Apple and Facebook, and within the giant archives he sent me, I found some

extremely unexpected items. Okay, so so far in a you've managed to submit your request to a bunch of companies, some big, some small. Would you get back well. Shortly after I was done with delivery, Facebook sent me an automated alert saying my archive was ready for download. Okay, I am now unzipping my Facebook folder. Here. Let's have a look. What have we got? Okay, this is This is quite a large number of folders, twenty six folders here.

There are folders here titled ads, calls and messages comments. This folder gives me eight hundred and eighty sub folders, and by the looks of it, it's organized by um by friends, so I can see the names of various friends of mine. In fact, I can see numerous ex girlfriends in here. Let's have a look at this one. I'm asking one of my exes in two thousand and seven whether she has a Flicker profile. I have no idea why I would be doing that. I haven't seen

her in about twenty years. Nat, I think your wife might have some thoughts about this. No, no, no, it's fine. I actually invited one of my excess to our wedding, so we're all on good terms. Oh, there's a video here. This is a This is a video of my younger brother, aged about six, dancing around with balloons stuffed up his shirt and me in a set of pajamas teasing him about it. That is a golden file to have on record. I love that. That's so cute. You know it sounds

like Facebook Major data available in a pretty readable format too. Yeah, they did. And actually that's what I found interesting. When going through the request process, you can ask it to give you data either in a machine readable format, which would make it easier for another company to use it, or in a human readable format, which makes it easier

for you and I to go through. And g DPR doesn't say that you have to give that kind of option, right, No, that's true, And many companies are actually also making these tools available to everyone, not just those of us in Europe. So you can go and do this yourself now, Aki, Although turn Buck says, I've got the best video of a relative shoving balloons up his shirt with underpands on his head. Blacy. It wasn't long before I had an email from Apple saying my data from them was ready

for download. Apple says it lets you download data about the history of your app Store download activity, Apple music streams, device information, market subscriptions, or email archives, calendars, and even support requests. But I was interested in a category simply titled other data. What exactly is other data? This lists things like Apple TV call history. That's interesting. This is a Comma separated values files. So this is like a

giant Excel spreadsheet field line after line with raw data. Yeah, and inside the file with information I definitely wasn't expecting. Now, this is interesting. This is showing me a list of what looks like all my recent calls, at least at the time I requested the data. This is showing mobile phone numbers. It's showing whether they were connected outgoing calls, missed calls, connected incoming calls. It's showing me the phone numbers as well of whoever it was I was I

was talking to. There's also a line on some of these phone calls. That says answered elsewhere, which I assume probably means I answered the phone, but I answered it on my iPad or my Mac or possibly even my Apple Watch since they all connect to my phone. Um. This is a data set that I definitely wouldn't want to to get out the because it lists phone numbers, it lists the duration in seconds broken down to two decimal places, um, and things like that. So that's, uh,

that's a very interesting file to have. This kind of metadata on calls and messages is the kind of detailed police officers might request from companies to help them solve a crime. Yeah, exactly. And it doesn't contain the content of a call, but by knowing the time it took place, the phone number of the caller, the length of the conversation, even whether the call was answered or missed, it all helps build up a picture of an individual's private life.

This data is obviously of a very sensitive nature, and it's one of the reasons companies like Apple and Facebook have spent billions of dollars securing their products and cloud services. Well, I've just found another folder. Now, this is buried quite deep in this directory. It's one, two, three, four, five levels deep. Here and it's under stores activity and then Apple TV and podcast Information. And here there are two

files that intrigue me. One is called your Podcasts. This is a fairly standard COMMA separated values file that shows the podcasts that I'd subscribed to within Apple's podcast app, the U r L of the RSS feed, the title UM, and a column called last touched on which I'm assuming is the last date that I interacted with each of these particular shows. But more interestingly, there's another file next to it called podcasts play state. And this is a

gigantic file. So now what's a place state file? Whether it contained about twelve thousand entries or more about individual podcast episodes I'd listened to using Apple's app, which is even more amazing considering that I only use that app for a little while, although I do subscribe to a lot of podcasts. Maybe this type of data would be valuable to the developers of another podcast app to help

them personalize their services for you too. It is valuable, but the trigger party is to get it correctly maps to the episodes we have in our system. This is Johann Bilgrin, CTO and co founder of a Cast, which makes podcasting software and just for honest disclosure, A cast hosts my personal tech podcast here in the UK. So it's difficult to get the mapping correct and to actually be able to port your data from one service to an other, you need to get that mapp in correct

to make it valuable. So it's about so standardization is key. It's not just about giving the data. It has to be in a in a standard format that that everybody is using in the same sort of ecosystem exactly the format and the mapping. I would say it's the biggest challenges and currently there are there is no standard. Do you think a company would ever pay or otherwise incentivize you to let them see the data from one of

their competitors. That's a good question. Uh. You know, we see that data is getting more and more valuable, and you know people are talking about the new currency is data. So that might be the possibility in the future, but when it comes to podcasting, I don't believe it's in the near future at all. So even with data being portable from company to a company, it's not clear that

businesses are willing to pay for it, not yet. No. I think a big part of the problem is that companies are giving us our data in commonly used formats, but that doesn't necessarily mean it's immediately possible for another company to start doing something useful with it. I thought maybe there's a market for a third party service that could convert data from one company into a format easily

usable by another. So I went back to Julian Saunders, the CEO of Sport, to show him some of the data I've got back from these companies and asked him whether this could be a huge business opportunity. I'm absolutely sure it is, and I think there will be a

lot of data broker type services that will emerge. But of course the real problem with that is that you at the bottom end of the market, where maybe five pounds a month for your data is is quite a good value proposition for those people who are really high value marketing targets, that just isn't interesting to them. I brought an iPad to show Julian some of the data I got back from companies. I took a gamble and let him look through the folder containing all of my

Facebook message history. Well, first of all, I have a standard by the number of files here. This is really incredible. Let's just pick one out, Emma, let's try and see what we've got. Emma's got photos as well. I didn't see this. Let's check that out and see how good these photos. I know who she is, so it's now let's find out. Oh yes, this is Oh yeah, I'll have to explain this off the podcast, U no name. This sounds pretty risky, yeah, I mean it was ultimately

less scary than I feared. I suppose what was eye opening is just how much information there is in these files. And now I have so much of my own data in my own possession, I've got a new problem making sure I keep it safe. When we take control of this kind of data, we become the data controller, not just the data subject. We then have full responsibility for where that information goes, and it could be used very

positively if we share it with the right people. So you've gone through this whole process for us, I'm wondering, what have you learned? What surprised you? I think what surprised me is just how different the ways that companies are actually approaching this new responsibility they have. You know, you can find a fairly big company that's using a

quite manual method for letting consumers request their data. Um, but then you have got the big guys who perhaps unsurprisingly have gone all out and said, we're going to give you this super fancy click process to to get everything. I sort of expected to be a little more automation. Oh interesting. Are you excited for this future or consumers have more control over the data? I mean this has

been a pretty controversial regulation. Yeah, I mean I think the thing I'm most interested in is the fact that data now is it's kind of becoming a new currency, and it's only going to become more the case. So we're going to see companies, third parties and middleman and things actually saying, look, your data is no different to cash. You know, when it's in a bank, you know you can take it out of a bank, and it's no

different for a company. Data goes into a company and it should be able to come out and be transferred to another one too. And that's it for this week's episode of Decrypted. Thanks for listening. Have you tried to sell order leads your data yet? With to hear about your experience, and you can send us a message at decrypted at Bloomberg dot net. We'll find me on Twitter, I'm at Nate Blankson and I'm at aki Ito seven.

If you enjoy listening to Decrypted, please recommend us to your friends, and if you haven't already, please take a moment to rate and review our show. This helps us find new listeners. This episode was produced by Pierre Goodkari Liz Smith, TOFA Foreheads, and Magnus Hendrickson. Francisca Levi is the head of Bloomberg Podcasts. This is the last episode of our season and we're now taking a few weeks off to work on new episodes. We'll be back again in the fall.