What’s really going on when Facebook asks you for ID

If you want to shake a German to his very core, there are three words that will do it: “Ihre papieren, bitte.”

A bit like this:

As a legal immigrant and naturalised citizen whose existence once hinged on a stamp in a passport, I completely understand how being ordered to present a form of government identification can set off your deepest insecurities and fears. Smashing Magazine is a vital web design resource, so in this post I’m going to thank Smashing for what I’ve learned from it by giving you a plain English explanation of the bizarre geopolitical soap opera surrounding this seemingly simple demand.

I have already written about the issue of governments being asked to mandate formal identification as a prerequisite for using social media. This post is about social networks requiring it outside any government action.

It’s no secret that Facebook has occasionally asked users to verify their identities with a copy of a formal government identity document. While there’s no defined pathway for that, it seems to happen when a question arises over a user’s identity – say, that the account may not be legitimate, or there has been a hacking attempt. (However, a “mistake” once led them to lock out tens of thousands of innocent accounts with a demand for government ID to get back in.) Smashing Magazine is hugely popular so it’s easy to conceive how a hacker, or a bot, would target it.

The question then becomes what Facebook does with those scanned government documents. In their own policies and procedures they say “We encrypt people’s connections to Facebook by default, including IDs you send to us. We delete your ID information after verification is complete.” These are two fairly useless sentences. Encryption is a means of protecting the transmission, which is irrelevant to what is done with the information at its destination. “Deleting after verification” says nothing about who processes the information, what is done with it, how long verification takes, or how proof of verification is stored after confirmation.

While we don’t know the answers to these conveniently obfuscated questions, Vitaly, as a German, an EU citizen, and an EU resident, lives under the protection of European data protection law. This umbrella provides a fairly uniform standard of data protection law across the continent and enshrines privacy as a basic human right like air and water. In other words, what Facebook is able to do with Vitaly’s scanned passport is in theory restricted by European and national law. There is also a framework called Safe Harbor which governs transfers of European data from Europe, where it is protected, to the US, where it is not. That should be a triple lock of protection, right?

Of course not. We now know that the NSA & partners use national security loopholes to hoover up all of that information anyway, and this is where Vitaly is being – pardon the pun – a very smart cookie. There is no chance that Vitaly’s passport data would not be transferred to America, where the Safe Harbor provisions which are supposed to protect it are barely worth the paper they were agreed on, or that his data would not go wandering somewhere it was never meant to be.

Now on to the geopolitics. Individual countries, known as member states, police and enforce data protection through each national data protection office. For us that’s where things get a bit funny. When Facebook asks Vitaly for his papers, what he doesn’t know is that as far as Facebook is concerned, he is Irish.

If you want to pause and get yourself a Guinness now that’s fine by me. In fact, if you want to pause and get me a Guinness that would be good too.

Do you remember how, about ten to fifteen years ago, corporations started headquartering their European operations in Ireland due to the country’s generous tax breaks and business deals? This meant that Ireland had an unusually large and robust tech sector on the ground when social media started up. Additionally, Ireland was also seen – rightly or wrongly – as having the most business-friendly (translation: weak) interpretation of EU data protection law within the rigidly prescribed framework. Good lawyers, tax loopholes, and complicated flowcharts showing business subsidiaries in the Cayman Islands filled in the rest of the details. (Do read that link, it’s rather informative.)

What this means is that Facebook, and Twitter, and Google, and Dropbox, and lots of others, operate across Europe from Ireland, under Irish law. On paper, Facebook is an Irish company operating in Europe. As far as Facebook is concerned, the presentation of Vitaly’s German passport is governed by Irish data protection law.

One of the interesting consequences of this is the job of the Irish Data Protection Commissioner. The Irish DPA was, like any national bureaucracy, only ever meant to deal with domestic issues affecting Ireland’s 4.6 million citizens: say, an Irish doctor accidentally leaving patient medical records on an Irish train. But that combination of tax loopholes and tech law means that the Irish DPA is also responsible for Europe’s 990 million Facebook users, 175 million LinkedIn users, and – oh yeah – everyone in Europe who uses Google, Apple, PayPal, eBay, Dropbox, and Twitter.

The latter link will show you a picture of the Irish DPA headquarters. As part of a government decentralisation programme, it was moved from central Dublin to…well, look for yourself, and imagine you’re Marc Zuckerberg looking at that picture.

The new Irish DPA, Helen Dixon, clearly means business. I have no doubt in her professional abilities or personal commitment. But the best damn DPA in the world is always going to be fighting an uphill battle when balancing the data protection needs of a billion or so people against the ravenous appetites of tech firms which chose Ireland specifically because they smelled blood. Her budget for all of this work, by the way? €3.65 million.

Back to Vitaly’s passport then. If he isn’t happy about being ordered to present seine Papiere, shouldn’t his protection be in Germany, under German law, and with recourse to the German justice system? For that matter, by uploading his passport to Facebook, what protection does he have against a multinational surveillance apparatus which doesn’t give a toss about EU data protection law?

This is the exact argument being made by an Austrian activist called Max Schrems. His class-action suit, co-signed by 25,000 European Facebook users, calls on Facebook Ireland to – as they say on The Last Leg stop being a bunch of dicks. Mr Schrems brought the suit in his native Austria, but rather than dealing with the substance of the claim, Facebook took the stance that the suit is invalid because it can’t be brought in Austria because – of course –  Facebook is Irish. The ruling is scheduled for 24 June.

One day we will sit in a Dublin pub over many pints of Guinness and laugh about all of this. Until then, the simple act of using social media makes us all pawns in a geopolitical game of law and subversion and control. If I were you I’d keep that passport locked away.

About the author
Heather Burns is a digital law specialist in Glasgow, Scotland. She researches, writes, publishes, consults, and speaks extensively on internet laws and policies which affect the crafts of web design and development. She has been designing and developing web sites since 1997 and has been a professional web site designer since 2007. She holds a postgraduate certification in internet law and policy from the University of Strathclyde. Learn about hiring Heather to write, speak, or consult.

5 thoughts on “What’s really going on when Facebook asks you for ID

  1. I’ve been locked out 3 or 4 times this year and had to supply ID each time. I’m starting to get sick of it. Why would they be doing this to me? It really feels like harassment.

  2. they have not only asked for my government ID but my birth cerificate as well, i sent them my photo ID licence, they came back and said it was not good enough! I am 54 years old, i am a grandmother, my children live out of state, that is why i am on face book! it has been days and they still refuse to open my account back up! i have read on google that people who go through this hardly ever get their page back! and those that do most of their personal pictures are gone! this has to be illegal!

  3. My mother is locked out and has sent photo ID and said it was no good. So I sent them her social security card and birth certificate and they have not responded and it’s been days. This is terrible all of her grandchildren photos are on there!

  4. I have been locked out of Facebook with no previous notification. My Father passed away in Dec. 2014 and I’ve now lost all the pictures I had of him. Thinking atleast having them on Facebook, I’d always have them.

    It is insane for a “SOCIAL” media website to be requiring people to use government names and provide social security #’s, government ID, copy of bills etc. This after I watch a video on how FB is cooperating with the CIA and the CIA agent stating,” FB was the BEST thing to ever happen to them”. I won’t be sending this website any government ID’s. We should be able to use ANY name we want. Whether you choose to use a nickname, a Ms. and last name or your government name.

    Lesson learned.

Comments are closed.