Facebook F*#@k-up's

We're not going to go into detail about what's going on with Facebook and Cambridge Analytica; there is plenty of information out there about it (see sources at the bottom).  We obviously have huge problems with their approach and we understand that as users we know our data is valuable and collected but to be used and lied to on such a scale is simply unacceptable.  We are hoping to make people aware of the extent of this through their legal right to make a subject access request...

What can we do?

In the UK at least, every citizen has the right to issue something called a 'Subject Access Request'. This is the legal right, provided by section 7 of the Data Protection Act, to request a copy of all digital and non-digital information a company or organisation holds about you; it entitles you to see how your data has been processed, a description of that data and the reasons for processing it, and whether it will be or has been shared with any other organisation and for what reasons.  You are also entitled to information regarding the process and reasoning behind any automated decisions made about you.

Furthermore, the organisation or company has a legal obligation to provide this within 40 days of your request (an organisation is entitled to verify your identity, and the 40 days do not start until this has been completed, although an organisation MUST reply as promptly as possible).  There are some exceptions and other details, so if you're interested, take a look at https://ico.org.uk/for-organisations/guide-to-data-protection/principle-6-rights/subject-access-request/.


Our Proposal

Ultimately, due to the level of information required, subject access requests tend to be processed manually, with people directly involved in the process.  Regardless of organisation size, enough of these requests will become difficult to satisfy if that organisation has been using data illegally and without permission; it becomes a massive sorting exercise and brings direct attention to the fact that we do care and we're not happy!

We have provided a sample template below that you are more than welcome to use.  We've also provided the email address to use when submitting your request.  We're encouraging as many people as possible to do this - directly profiting from stolen personal information while laughing in the face of your users is not something we will tolerate.


Our Official Stance

Currently, we consider Facebook a direct vulnerability to people's security, directly affecting their personal information.  At this time, we see Facebook as nothing more than online spyware and strongly discourage its use.  We have removed our TSSec Facebook presence and will be removing any site activity shortly; we do not intend to return for the foreseeable future.


Making the request

There are a few points to mention here but generally, use the template below, replacing the marked sections with your details, and you should be set.  Use the official email address below to deliver your request and await your response (please note that email is typically insecure, so do not share sensitive information such as your password in your request or responses).  We also strongly advise you to read the documentation from the ICO at https://ico.org.uk/media/for-organisations/documents/2014223/subject-access-code-of-practice.pdf - this is the same link provided in the template below.  Please note, we refer to this request as a 'SAR' from this point.

  • A SAR does not need to be in any particular format and no company or organisation can insist it must be.
  • A company or organisation does have the right to charge a fee for processing your request - in this instance, it is limited to a maximum amount of £10.
  • An individual is entitled to:
    • Be told whether any personal data is being processed.
    • Be given a description of the personal data, the reasons it is being processed, and whether it will be given to any other organisations or people.
    • Be given a copy of the personal data.
    • Be given details of the source of the data (where this is available).
  • An individual can also request information about the reasoning behind any automated decisions taken about them.
  • In most cases a subject access request must be replied to promptly and in any event within 40 calendar days of receiving it.
  • A company or organisation has the right to verify the identity of the person making the request - this must be done promptly, however.

Template

[YOUR ADDRESS]
[YOUR PHONE NUMBER]
[YOUR EMAIL ADDRESS]
[THE DATE]

Facebook
1 Rathbone Square
London,
United Kingdom

Dear Sir or Madam

Subject access request

My full name is [MY FULL NAME] and I am seeking a copy of all information the Facebook organisation holds about me as entitled by section 7 of the Data Protection Act 1998.

I would like a copy of all information you hold (digital and non-digital) including but not limited to the following:

  • All personal information known about myself including sources where possible.
  • All communications between myself and any other contact and / or website both inside or outside of Facebook, including sources where possible.
  • A list of all organisations, companies and / or third parties that my information has been passed to and why.
  • The details and reasoning of any automated decisions that have been made about me where appropriate.
  • A complete list of any recorded interactions with Facebook including access logs with any collected IP addresses, browser headers or any other data collected, including sources where possible.


I understand a maximum fee of £10 may be charged for facilitating this request; if a fee is applicable, please specify how this is to be paid.  Furthermore, if you require any additional information in order to verify my identity, please let me know what you require and how it is to be provided as quickly as possible.

I look forward to receiving my information within the legally mandated 40 days of this request.  If you need any further information on how to deal with this request, please visit https://ico.org.uk/media/for-organisations/documents/2014223/subject-access-code-of-practice.pdf.  Alternatively, the Information Commissioner's Office can assist you and can be contacted on 0303 123 1113 or at ico.org.uk.

If you do not normally deal with these requests, please pass this to your Data Protection Officer as soon as possible.

Yours faithfully
[YOUR SIGNATURE]

You're more than welcome to tweak and / or host / share a copy of this yourself.

Where to send

The easiest method of submitting your request is sending it in an email to [EMAIL ADDRESS: obscured by spam protection on the original page]. Alternatively, you can send the request in writing to the Facebook London office, 1 Rathbone Square, London, United Kingdom.

We've sent ours so what are you waiting for...?

About TSSec

We are Digger and Odskee, a small information security research team based in the UK.  We love breaking and fixing things and enjoy getting our hands dirty in the field of infoSec.

Odskee tends to focus on the theoretical, software based aspects while Digger finds himself at home with the raw electronics.  We both have a number of years of experience within a number of similar roles and think these work best as a team.

©2018 TSSec