Update on April 18, 2018 at 6:58 AM EST: Facebook has also issued a statement outlining some of the steps it is taking toward GDPR compliance.

In the midst and aftermath of last week's Congressional hearings with Mark Zuckerberg, people have been questioning the preparedness of those involved.

Was Mark Zuckerberg well-equipped to answer lawmaker questions? And were Senators and Representatives alike prepared to ask the right ones? 

One thing is for sure: There were several questions that Zuckerberg couldn't answer in the hearing room, which he promised lawmakers either he or his team would respond to at a later time. According to Wired, there were 43 of these items in total, which reporter Brian Barrett compiled here.

In the days since the hearings, Zuckerberg and his fellow executives at Facebook have been fairly mum, with the exception of a "Hard Questions" post written by Product Management Director David Baser on the ways and degree to which Facebook collects data on user behavior off the network.

Some questions around that topic did arise last week from Senator Roger Wicker and Representative Jerry McNerney, among others.

On Tuesday's Senate joint committee hearing, Senator Wicker was one of the first to broach the topic of if and how Facebook tracks a user's browsing activity -- even for those who are logged out of the network or without an account, which was one of the many outstanding items Zuckerberg said he'd have to check and have his team answer at a later time.

Screen Shot 2018-04-17 at 12.55.51 PM

Source: Wired

At Wednesday's House Energy and Commerce Committee hearing, Representative Jerry McNerney asked whether -- and why -- browsing data is or is not included in a Facebook user's downloaded data file.

The answer, we eventually learned, was no: browsing data is not included in a downloaded personal data file, which Zuckerberg later confirmed in the form of a correction after a break.

The "web logs," in this case, are the logs of browsing activity that Representative McNerney previously asked about. And since then, a great deal of information has emerged on how, exactly, this data is captured and maintained by Facebook.

And while Zuckerberg made promises to answer a range of questions, yesterday's post from Baser answers a small subset of those marked as outstanding by Wired -- many of which could already be answered by existing information found throughout Facebook's various product pages. During Wednesday's hearing, Alex Kantrowitz of Buzzfeed went into detail about it. 

Here's a closer look at the additional detail Baser provided in Monday's post.

What Facebook Has Told the Public Since Last Week's Hearings

The Nature of the Post

It's important to reiterate the fact that much of the information provided in Baser's post already existed on various Facebook product pages. The decision to categorize it within Facebook's "Hard Questions" series, which the company describes as one "that addresses the impact of our products on society," was at minimum interesting. 

As Casey Newton of the Verge noted on Twitter (and later in a post of his own), this question shouldn't have been one of the more difficult ones to answer. And even if it was, why did answering it require such a long, text-heavy explanation -- especially after Zuckerberg's numerous and repeated hearing remarks stressing the importance of making Facebook's policies easier to understand?

In the course of covering last week's event, I touched a bit on what exactly Representative McNerney was asking about and some of the ways in which that tracking manifests itself across the web. Baser didn't provide a ton of new information in his post, but did shed more light on the details of it. 

But one term that Baser seemingly refused to use in his explanation was: "shadow profiles." And once we get through the major points of his post, I'll explain why that's important.

A Summary of Facebook's Web Behavior Tracking

To see the full detail of this tracking, I'd recommend reading Baser's full post here. In the meantime, I've outlined a summary of what Facebook collects, and how.

To start, there are four major tools that Facebook uses for this type of tracking:

1. Social Plugins

These are the "Like" and "Share" buttons you might see on a site that allows you to Like or comment on something like a news story -- which uses a plugin that uses Facebook's tools, rather than the site having to build its own comment or reaction section.

As Baser explains, when a user interacts with these tools on another website, Facebook uses "your IP address, browser/operating system information, and the address of the website or app you’re using to make these features work," since that's required to display the tools in the right language according to the geographical location it detects, as one example.

2. Facebook Login

You might have come across certain websites or apps that, instead of requiring you fill out an entire form with several fields to log in or join, allow you to join in one or two clicks by doing so with your Facebook profile. You might also recall seeing a secondary message pop up alerting you what information doing so would allow the website to see, which is related to what initially set off the sequence of events that led to the misuse of personal Facebook data by analytics firm Cambridge Analytica.

3. Facebook Analytics

This product works similarly to several other tools designed to help webmasters and marketers track the behavior of people who visit their websites -- like what drove them there, where they're located, and how long they stayed on the page. As Baser was sure to point out in his post, Google Analytics works in a similar capacity.

But in order for Facebook Analytics to work, Baser explains, it requires Facebook to gather certain tracking tools like "cookies and other identifiers" to help determine which website visitors are also Facebook users -- which helps developers and webmasters gain supplemental demographic data from their profiles, like age and gender. And while this wasn't spelled out in his post, Baser makes it sound as though this information isn't personally identifiable when provided in this way, saying it's "aggregated."

4. Facebook Ads and Measurement Tools

These tools, Baser explains, help webmasters and developers display ads on Facebook and beyond, by showing them what people interested in their content might be doing online beyond Facebook, and to measure conversion from Facebook ads to actions like websites visits. 

This is one place where the Facebook Pixel comes in, which was almost a point of contention during Wednesday's House hearing. Essentially, the Pixel is a piece of code advertisers can ad to sites that measures how many users are engaging with their ads across any number of devices that person might use. It works, Baser says, "without us sharing anyone’s personal information."

But the Pixel has to work with the aforementioned cookies, as well as what Baser calls "device identifiers" to see if the person engaging with a Facebook ad displayed outside of the network even has a profile.

"If they don’t, we can show an ad encouraging them to sign up for Facebook," he wrote. "If they do, we’ll show them ads from the same advertisers that are targeting them on Facebook. We can also use the fact that they visited a site or app to show them an ad from that business -- or a similar one -- back on Facebook."

This might be one of the most important things Baser noted in his post.

What's Still Unanswered

Shadow Profiles

To reiterate: When a Facebook user engages with these tools outside the network, it can help personalize ads and other content displayed in his or her News Feed.

But here's the clincher: Even if that person is logged out of Facebook at the time of engaging with elsewhere-displayed content, the tools track the behaviors, so it can later determine what he or she sees after logging back in. That's one of the key items Newton pointed out in his post, and a tool Baser says helps Facebook in "improving our products and services."

This logged-out browsing activity tracking is a core building block behind the concept of a shadow profile, which, to reiterate, is not a term Baser used in his explainer. A shadow profile is essentially the Facebook presence the company builds for you prior to joining based on the online behavior data it has tracked through these tools, so that when you do create a profile, it can easily recommend Pages to Like or friends to add.

Antonio García Martínez of Wired -- who once worked for Facebook -- confirmed this during Wednesday's hearing on Twitter, noting that beyond the security and personalization purposes Baser identified in his post, Facebook tracks this information for "growth."

Opting Out

Baser concluded his post by going into the many controls Facebook users have over their data -- like turning off ad customization and being able to choose what's displayed in the News Feed. In fact, he wrote that users can completely opt out of personalized ads that have been created and displayed based on information Facebook receives from other websites and apps.

But if you read the statement carefully, you'll see Baser said nothing about the ability to opt out of having their browsing behavior tracked, or their weblogs being collected.

And again, as Zuckerberg noted during the hearings, these weblogs don't appear in a user's downloaded data file -- nor did Baser indicate they would be included in the future. Instead, what's displayed in this file are the "ad topics" Facebook deems to be of interest to a given user based on the browsing behavior it tracks.

So, why is that? And does Facebook have any plans to change it?

To me, those are some of the "hard questions" Facebook might consider answering. 

Whether or not the company will respond to these outstanding queries in a public capacity remains to be seen. I do not believe last week's hearings will serve as the last instance in which Facebook executives are called upon by lawmakers, nor do I think any sustainable regulation or legislative action will result from those sessions alone.

But, as the demand for further transparency continues -- and the days until the General Data Protection Regulation (GDPR) comes into force next month dwindle -- I'm curious to see to what degree Facebook responds to it. And if it does, I'll let you know.

Featured image credit: Facebook

As part of being a fully transparent organization, we wanted to tell you a few things about this blog. Read more here.