Facebook

$10 billion in fines. Myanmar genocide. 87 million profiles harvested. Manipulated 700,000 people's emotions as an experiment. The FTC has fined them three times and they're still violating.
Fail
Meta Platforms · 🇺🇸 United States
Policy · App Permissions · Network Traffic · Firmware · Regulatory
Technical details
App: com.facebook.katana
Manufacturer: Meta Platforms

⚠️ The bottom line

Facebook makes $135 billion a year letting advertisers target you based on 52,000 things they know about you. They say they don't 'sell' your data — technically, they sell access to you. Under California law, that IS selling. When someone pays to show you an ad because you're a depressed 19-year-old interested in weight loss, your data was the product whether or not a CSV file changed hands. If you've never signed up for Facebook, they still have a file on you. Your friends uploaded their contacts — Facebook has your phone number and email. You visited a website with a Facebook tracking pixel (30% of all major websites have one) — Facebook knows. You used an app with Facebook's code inside it (a third of top Android apps) — Facebook knows. A Belgian court ordered them to stop. They told the US Senate they don't do this. Both things can't be true.

Legal jurisdiction
🇺🇸 United States (headquarters)
CLOUD Act: US govt can demand your data from this company even if stored overseas
FISA §702 / PRISM: NSA collects stored emails, photos, messages without individual warrants
Geofence warrants: Police can demand location data for everyone near a crime scene
Spying: 4/4 EXTREME (Is someone spying on me?) · Kids at risk
Data Sharing: 4/4 EXTREME (Who gets my data?) · Kids at risk
Security: 4/4 EXTREME (Is it actually secure?) · Kids at risk
Honesty: 4/4 EXTREME (Can I trust what they say?) · Kids at risk
REPLACE: Extreme risk. Look for alternatives or lock down hard.
17 Contradictions (11 Critical · 6 High · 0 Medium) · 17 Sources
Findings by concern
Spying 4/4 EXTREME 11 findings
⚠️ Critical: policy claims vs firmware analysis

What they claim: 'We don't sell your data.' Facebook's standard response to privacy concerns.

What we found: Facebook doesn't sell raw databases. Instead, it sells access to audiences defined by that data — ~97% of Meta's ~$135B annual revenue comes from advertising built entirely on user surveillance. Advertisers pay to reach people with specific traits from a catalogue of ~52,000 characteristics Facebook infers about each user. Under California's CCPA, sharing data for targeted advertising legally qualifies as a 'sale.' The distinction between selling your data and selling access to you based on your data is a semantic trick.

⚠️ Critical: policy claims vs firmware analysis

What they claim: 'Facebook does not create profiles for people who don't have accounts.' Told to the US Senate Judiciary Committee.

What we found: Facebook builds 'shadow profiles' on non-users through: (1) Contact list uploads — when any Facebook user syncs contacts, non-users' names, numbers, and emails are harvested. (2) Facebook Pixel embedded on 30%+ of the top websites globally, tracking every visitor via cookies and browser fingerprinting. (3) Facebook SDK integrated into 32% of the top 500 Android apps, reporting app installs, usage, and device data. (4) Like/Share buttons across the web creating tracking beacons. (5) Data purchased from brokers. A Belgian court ordered Facebook to stop tracking non-users, threatening EUR 250,000 per day in fines. Facebook's own 'Off-Facebook Activity' tool revealed the scope but only disconnects data — doesn't delete it.

⚠️ Critical: firmware analysis vs policy claims
You turned off location tracking. Facebook tracked you anyway. They use your Wi-Fi connections, Bluetooth signals, IP address, and browsing patterns to figure out where you are. A university researcher proved it — she turned everything off and still got location-targeted ads. When a Senator called this misleading, Facebook said tracking your location is 'required' for their advertising business. The off switch is decoration.

What they claim: 'You can turn off location tracking in your settings.' Facebook's location privacy guidance.

What we found: An AP investigation (2018) revealed Facebook tracks location even when Location Services is set to 'off.' Facebook's Chief Privacy Officer Rob Sherman confirmed the company uses IP addresses, Wi-Fi network names, Bluetooth signals, and browsing habits to determine location. USC Professor Aleksandra Korolova demonstrated that with Location Services set to 'Never' and Location History cleared, Facebook still showed her location-matched ads. Senator Chris Coons called the practices 'insufficient and even misleading.' Facebook's defence: location data is 'required' to support their ads business.

⚠️ Critical: policy claims vs regulatory findings
A quiz app collected data on 87 million people through their friends without asking. Facebook knew about it for over two years and did nothing. That data was used to manipulate voters in the 2016 US election and Brexit. When journalists were about to break the story, Facebook threatened to sue the newspaper. Mark Zuckerberg testified before Congress, said 'I'm sorry' 98 times, and Facebook's stock went UP 4% during his testimony. The total bill: $5.9 billion in fines. Nobody went to prison.

What they claim: 'We protect user data and take swift action when we learn of misuse.'

What we found: In 2014, ~300,000 people installed a personality quiz app. Facebook's API let the app harvest data from ALL their friends — 87 million profiles collected without consent. Facebook changed its API rules in 2014 but didn't enforce retroactively. In December 2015, The Guardian reported Cambridge Analytica was using the data for political targeting. Facebook asked CA to delete it. CA said they did. Facebook took their word. For over two years, Facebook knew about the data harvesting and did nothing beyond asking nicely. The data was used to micro-target voters in the Trump 2016 campaign and Brexit. When The Guardian and NYT prepared their March 2018 exposé, Facebook threatened to sue the day before publication. Total cost to Meta: $5B FTC fine + $725M class action + $100M SEC settlement = ~$5.9 billion.

⚠️ Critical: firmware analysis vs policy claims
Facebook secretly changed what 689,003 people saw in their feeds to test whether it would change their emotions. It worked — people shown sad content became sadder. Nobody was asked. Nobody was told. Facebook said the permission was buried in a 9,000-word legal document nobody reads. The university didn't review the ethics because Facebook ran it. An academic journal expressed concern but didn't retract the study. Nearly 700,000 people were experimented on without consent, and nobody faced consequences.

What they claim: 'We conduct research to improve our services and create better experiences for people.'

What we found: In January 2012, Facebook and Cornell University researchers manipulated the News Feeds of 689,003 users for one week without their knowledge or consent. Half saw fewer negative posts; half saw fewer positive posts. The study proved 'emotional contagion' — users exposed to negative content posted more negatively themselves. No informed consent was obtained. Facebook claimed its 9,045-word Data Use Policy covered it via a buried clause about 'research.' Cornell's IRB did not review the study because Facebook collected the data. EPIC filed an FTC complaint for 'deceptive trade practices.' The journal PNAS published an 'Editorial Expression of Concern' but did not retract the paper. The sample size (689,003) was grossly excessive — similar findings could have been achieved with a few thousand participants.

⚠️ Critical: firmware analysis vs policy claims
Facebook's own researchers proved Instagram harms teen girls — one in three felt worse about their bodies, and it worsened suicidal thoughts for 13.5% of UK teen girls. While sitting on this research, Facebook was building Instagram for kids under 13. They also deliberately juiced their algorithm to amplify outrage — weighting angry reactions 5x more than likes. Their own engineers proved that removing this weight reduced misinformation. They kept it anyway because anger drives engagement. Meanwhile, 5.8 million VIP users were exempt from the rules. Their rule-breaking content was seen 16 billion times. A whistleblower told Congress. Internal documents said: 'We are not actually doing what we say we do publicly.'

What they claim: 'We care deeply about the safety and wellbeing of young people on our platforms.'

What we found: Frances Haugen, former Facebook product manager, leaked thousands of internal documents (2021) revealing: Facebook's OWN research showed '32% of teen girls said that when they felt bad about their bodies, Instagram made them feel worse.' 13.5% of UK teen girls said Instagram worsened suicidal thoughts. 17% said their eating disorders got worse. Internal researchers called Instagram 'distinctly worse than other forms of social media.' Facebook was simultaneously developing 'Instagram Kids' for children under 13 (paused only after exposure). In 2018, Facebook changed its algorithm to weight emoji reactions 5x more than likes — internal staff warned this would amplify misinformation, outrage, and clickbait. When engineers set the 'angry' reaction weight to zero, misinformation and graphic violence decreased — proving the trade-off was deliberate. The XCheck system exempted 5.8 million VIP users from content moderation rules. Rule-breaking VIP content was viewed 16 billion times before removal. Internal review admitted: 'We are not actually doing what we say we do publicly.'

⚠️ Critical: policy claims vs firmware analysis
Researchers counted: protecting your privacy on Facebook takes 13 clicks. Giving it away takes 4. Facebook puts fake notification dots behind privacy screens to make you rush through. All defaults are set to maximum data sharing. The privacy 'checkup' is designed to make sharing feel safe. This is so well-documented it has a name — 'Privacy Zuckering' — literally named after the CEO. In Europe, Facebook said: pay us EUR 13 per month, or let us track everything. The EU fined them EUR 200 million. 'You're in control' is the most expensive lie in Silicon Valley.

What they claim: 'You're in control of your privacy on Facebook.'

What we found: The Norwegian Consumer Council's 2018 'Deceived by Design' report documented systematic dark patterns: (1) Enabling privacy requires 13 clicks/taps vs 4 for the data-sharing option. (2) Settings hidden behind 'see more' links despite ample screen space. (3) Privacy-intrusive defaults — all settings maximize data sharing on new accounts. (4) Manipulative framing — emphasizes lost features if you choose privacy, never mentions privacy benefits. (5) Fake notification dots appeared behind privacy popups suggesting unread messages — even when there were none. (6) 'Privacy checkup' tools guide users through settings in a way that encourages sharing. The term 'Privacy Zuckering' — named after Mark Zuckerberg — is now a recognised dark pattern category in UX research. In Europe (2023-2025), Meta offered a 'pay or consent' model: EUR 12.99/month for ad-free, or accept full tracking. Fined EUR 200M by the EU Commission for violating the Digital Markets Act.

⚡ High: firmware analysis vs policy claims
Facebook scanned every photo you uploaded, identified every face, and built a database of over a billion people's faces — without asking. In Illinois, that's illegal. 1.6 million people sued and won $650 million. Facebook says they deleted the face data in 2021, but nobody knows if the AI models trained on a billion faces were also deleted. Once an AI learns your face, deleting the photos it learned from doesn't make it forget you.

What they claim: 'We obtained appropriate consent for our facial recognition features.'

What we found: Facebook built one of the largest facial recognition databases in history through 'Tag Suggestions' — using DeepFace technology to automatically identify people in uploaded photos. In Illinois, the Biometric Information Privacy Act (BIPA) requires informed written consent before collecting biometric data. Facebook never obtained it. 1.6 million Illinois residents sued. Settlement: $650 million (average $397 per claimant). Potential verdict was billions ($1,000-$5,000 per violation under BIPA). Facebook shut down facial recognition in November 2021 and said it would delete over 1 billion face templates — but questions remain about whether machine learning models trained on that data were also deleted.

⚡ High: policy claims vs regulatory findings
Facebook has been part of the NSA's PRISM surveillance program since 2009. The government collects your stored messages, photos, and data directly from Facebook's servers — and Facebook is legally forbidden from telling you it happened. In 2022, governments made 450,000 requests for user data. Facebook said yes to 88% of US requests. Nearly half a million times a year, a government asks Facebook for someone's data, and Facebook almost always says yes.

What they claim: 'We carefully scrutinize any government request for compliance with all applicable laws.'

What we found: Facebook has been a participant in the NSA's PRISM program since June 2009 (Edward Snowden leaked slides). Under PRISM, the NSA collects stored communications directly from participating companies under Section 702 of FISA. In 2022, Meta received over 450,000 government requests for user data globally. US requests covered 236,000 users, with Meta complying in 88% of cases. Global compliance rate: ~73-75%. FISA/national security requests are reported only in ranges of 500 with a 6-month delay. Facebook is legally prohibited from telling affected users about PRISM data collection.

⚡ High: regulatory findings vs policy claims
Facebook has been fined over $10 billion — and it doesn't matter. They make $135 billion a year from advertising. The total fines across a decade are less than one month's revenue. The FTC fined them $5 billion and they didn't change. The EU fined them EUR 2.5 billion and they didn't change. At this scale, fines aren't punishment — they're a subscription fee for the right to violate privacy. The regulators are outgunned and everyone knows it.

What they claim: 'We have invested billions in safety and privacy.'

What we found: Total documented fines and settlements exceed $10 billion: FTC $5B (2019). Cambridge Analytica class action $725M (2022). BIPA facial recognition $650M (2020). SEC $100M (2019). EU fines: EUR 1.2B data transfers, EUR 390M forced consent, EUR 265M data leak, EUR 251M breach, EUR 200M DMA, EUR 110M WhatsApp merger, EUR 91M plaintext passwords, EUR 60M cookies. Meta's annual advertising revenue is ~$135 billion. $10 billion in cumulative fines over a decade represents roughly 7% of a single year's revenue. The fines are a cost of doing business, not a deterrent.

⚡ High: firmware analysis vs policy claims
Meta gave Europeans a deadline to opt out of AI training — miss it and your posts are in the AI forever. Data already used can't be removed. They're also planning to use your uploaded photos and videos for AI training by default. Their new app Threads collects your health data, financial data, sexual orientation, and biometric data. Want to delete Threads? You have to delete Instagram too. 'Meaningful control' means a deadline you probably missed for a system that can't be undone.

What they claim: 'We give users meaningful control over how their data is used for AI.'

What we found: In April 2025, Meta announced it would begin training AI models on public content from adult EU users starting May 27, 2025. Users who didn't object by May 26 had their data incorporated — and subsequent objections don't operate retroactively. Data already used for training cannot be removed from the models. In 2025, Meta also began preparing to use uploaded files, photos, and videos for AI training with a default-on approach. Threads (launched July 2023) collects 45% more individual data points than Twitter/X, including health data, financial data, precise location, browsing history, contacts, ethnicity, sexual orientation, political opinions, and biometric data. EU launch was delayed due to GDPR concerns. Deleting Threads requires deleting Instagram.

Data Sharing 4/4 EXTREME 5 findings
⚠️ Critical: firmware analysis vs regulatory findings
The United Nations said Facebook helped cause a genocide. In Myanmar, Facebook WAS the internet. The military used fake Facebook pages to spread hatred against the Rohingya people. Human rights groups warned Facebook for four years. Facebook didn't act. Thousands of people were killed. Facebook's hate speech detection in the local language was described as 'abysmally poor.' A genocide survivor is now asking the SEC to investigate Meta for lying about what happened. This is not a privacy violation. This is a company that was warned its platform was being used to organize mass murder and chose not to invest in stopping it.

What they claim: 'We take safety seriously and are working to prevent abuse on our platform.'

What we found: The United Nations Independent International Fact-Finding Mission on Myanmar explicitly named Facebook as having 'substantively contributed' to the genocide against the Rohingya minority. In Myanmar, Facebook was the internet — the company had a de facto monopoly on online communication. Civil society organizations warned Facebook employees from 2013 to 2017 — four years of warnings. The military operated sock puppet accounts disguised as entertainment pages; two-thirds of anti-Rohingya hate speech found on Facebook originated from military accounts. Activity spiked in 2017 during the run-up to mass killings. Facebook's ability to detect Burmese-language hate speech was 'abysmally poor' (Global Witness). A $150 billion lawsuit was filed in 2021. In January 2025, a Rohingya genocide survivor filed an SEC whistleblower complaint against Meta for misrepresenting its role in what the US government classified as genocide.

⚠️ Critical: policy claims vs regulatory findings
The FTC told Facebook to stop violating privacy in 2012. Facebook violated it. The FTC fined them $5 billion in 2019 — the largest privacy fine ever — and Zuckerberg got personal immunity from the deal. Facebook violated THAT order too. In 2023, the FTC found them still breaking the rules and proposed banning them from making money off children's data. Meta's response was to sue the FTC. Three strikes, still swinging, and the punishment has never changed the behaviour.

What they claim: 'We comply with all regulatory requirements and have implemented a comprehensive privacy program.'

What we found: The FTC has taken action against Facebook THREE times in an unbroken cycle: (1) 2012: eight-count complaint for deceiving consumers. Consent decree, no fine. (2) 2019: violated the 2012 decree. $5 billion fine — largest privacy penalty in history. Settlement included executive immunity protecting Zuckerberg and Sandberg from personal liability. FTC's own dissenting commissioners wanted Zuckerberg held personally accountable. (3) 2023: FTC found Meta 'repeatedly violated' the 2019 order. Independent assessor found 'several gaps and weaknesses' posing 'substantial risks.' Proposed a blanket ban on monetizing data from anyone under 18 — first such proposal in FTC history. Meta's response: sued the FTC, calling it 'a political stunt.' Total pattern: consent decree -> violation -> fine -> violation -> fine -> violation -> Meta sues the regulator.

⚠️ Critical: marketing vs regulatory
€200 million fine. Meta told EU users: let us track everything, or pay €10/month for less tracking. The EU said that's not a choice — it's a ransom note. Pay for privacy or surrender it. Meta treated privacy as a premium feature. The EU treated it as a right.

What they claim: Meta offers users control over their data and advertising preferences.

What we found: The EU fined Meta €200 million in April 2025 — the first DMA enforcement against Meta — for failing to give users a genuine choice of a service that uses less personal data. The "pay or consent" model Meta offered was ruled insufficient. Users were forced to either accept full data harvesting or pay a subscription to use a service with less tracking. The EU said that is not a real choice.

⚡ High: policy claims vs firmware analysis
A journalist bought a housing ad on Facebook that excluded Black, Asian, and Hispanic people from seeing it. Facebook approved it in 15 minutes. That's illegal under the Fair Housing Act. Facebook said they fixed it. A year later, the same journalist tested it — still worked. Facebook removed the racial categories. Researchers found the replacement system was even better at racial targeting than the original. Facebook was sued by the ACLU and the US Department of Housing. Three attempts to fix racial discrimination in ads, each one making it worse.

What they claim: 'Our advertising platform does not enable discrimination.'

What we found: In 2016, ProPublica purchased a housing ad on Facebook that excluded anyone with 'affinity' for African-American, Asian-American, or Hispanic people. Facebook approved the ad in 15 minutes. Civil rights lawyer John Relman called it 'massively illegal' under the Fair Housing Act. Facebook promised fixes. In 2017, ProPublica tested again — the same discriminatory targeting still worked. Facebook retired 'Multicultural affinity' categories in August 2020. But in 2021, The Markup found that proxy categories available after the 'fix' were even MORE accurate at targeting minorities than the old system. Facebook was sued by the ACLU, HUD, and the National Fair Housing Alliance.

⚡ High: firmware analysis vs regulatory findings
Facebook bought WhatsApp for $19 billion and promised European regulators they would never combine the data. Internal documents showed they could already do it when they made that promise. Two years later, they started combining it. The EU fined them EUR 110 million for lying. Then Facebook made data sharing mandatory — accept it or lose WhatsApp. The backlash was so severe that 17 million people downloaded Signal in a single week. The promise, the lie, the fine, and then doing it anyway — that's the pattern.

What they claim: 'WhatsApp will continue to operate independently. We will not link Facebook and WhatsApp data.' (2014 merger promise to EU Commission)

What we found: Facebook acquired WhatsApp for $19 billion in 2014, explicitly promising the EU Commission it would NOT be able to match Facebook and WhatsApp user accounts. Internal documents later showed the technical capability to match users existed at the time of the merger application — Facebook concealed this. In August 2016, WhatsApp changed its privacy policy to begin sharing user data with Facebook — auto-opt-in with only a 30-day opt-out window. The EU fined Facebook EUR 110 million for providing 'misleading information' during the merger review. In January 2021, WhatsApp forced a new policy requiring users to accept Meta data sharing or lose their accounts. EU/UK users received a different, less invasive policy. The backlash drove 17 million Signal downloads in one week.

Security 4/4 EXTREME 1 finding
⚠️ Critical: policy vs regulatory
The EU found Meta in breach of digital safety rules for children under 13 in April 2026. The potential fine: up to $12 billion, with billions more stacking up every day Meta doesn't fix it. That's not a slap on the wrist — that's the EU telling the world's largest social network it can't be trusted with kids.

What they claim: Meta claims compliance with EU digital regulations and child safety requirements across Facebook and Instagram.

What we found: On April 29, 2026, the EU issued a preliminary finding that Meta breached the Digital Services Act regarding children under 13 on Facebook and Instagram, with a potential fine of up to $12 billion (6% of global turnover) plus billions more until Meta reaches compliance.

Latest Risks & Threats
New developments that compound existing privacy concerns. 1 active threat · 1 emerging risk.
RISK: Meta AI-first transformation — AI embedded across all Facebook surfaces ⚠️ AI expansion · Announced 2026-05-26
Meta CTO Andrew Bosworth leading company-wide AI integration. Facebook feed, Marketplace, and messaging all being rebuilt around AI models. Every interaction becomes AI-mediated — recommendations, content generation, ad targeting, and customer interactions all processed through Meta's AI stack. Expands data processing from passive content delivery to active AI inference on every user action.
THREAT: Threads Collects Everything — Including Health and Financial Data ⚠️ Privacy · Launched 2023-07-05
Meta launched Threads as a Twitter/X competitor and signed up 100 million users in 5 days. The App Store privacy label revealed Threads collects: health and fitness data, financial information, browsing history, search history, location, contacts, and "sensitive info." For a text posting app. The EU delayed launch specifically because of data collection concerns under the Digital Markets Act. Meta launched it everywhere else and collected the data first, asked questions never.
What happened to real people
Documented incidents involving Meta Platforms products and user data.
Cambridge Analytica harvested 87M Facebook users' data without consent for political ad targeting in the 2016 US election and Brexit referendum. $5B FTC fine.
FISA content requests to Meta increased 2,171% since 2014. Meta complied with 88% of 60,000+ government data requests. PRISM participant since 2009.
What your data is worth to governments
Meta complied with 60,000 government data requests in H2 2023. That's +675% over 10 years. Meta has been a confirmed PRISM participant since 2009. Under this programme, the NSA collects stored communications. The company is legally prohibited from telling you. Jurisdiction: US (CLOUD Act, FISA Section 702).