Facebook commits to year-long global privacy overhaul

Facebook has agreed to Canada’s Privacy Commissioner’s recommendations, but it will take a year to do so.

The Palo Alto, Calif.-based social networking Web site will make changes to its privacy policy, and will overhaul the Application Programming Interface (API) for third-party developers. The end result will be a greater degree of control for users over who sees their personal information, and a greater awareness of Facebook’s use of that information.

Following a year-long investigation of Facebook, the Privacy Commissioner listed four remaining points of contention in a report last month. It gave a deadlineof 30 days for Facebook to respond, or be taken to federal court — now that won’t be necessary.

Facebook is on the way to meeting the requirements of Canada’s privacy law, Jennifer Stoddart said at a pressconference.

The Privacy Commissioner’s investigation was prompted by a complaint filed against Facebook by the Canadian Internet Policy and Public Interest Clinic (CIPPIC); the work of student interns and lawyers based at the University of Ottawa. The group is cautiously optimistic about the proposed changes.

“Generally, we’re happy,” says Jordan Plener, a former CIPPIC intern. “We’ve effected a lot of change and the changes we wanted to see have been mostly addressed.”

Facebook will update its privacypolicy to make the distinction between “deactivating” and “deleting”an account more clear to users. One saves the user’s information indefinitely, while the other removes it from Facebook’s servers.

The Privacy Commissioner had asked for deletion of user information after a reasonable period of inactivity. But now it seems thatoffering users a more clear choice between the two options is good enough.

“Facebook has agreed to provide users with better information about the two options,” says Elizabeth Denham, the Assistant Privacy Commissioner. “Facebook hasagreed to provide a notice about the delete option in the deactivationprocess.”

You can read about how to completely delete your Facebook account now, see our previous article: Howto delete – not just ‘deactivate’ – your Facebook account.

Facebook will also explain usage of user information for the purposes of a memorial account in the event of a user’s death. All changes to the policy will likely be live much sooner than a year from now.

“Not everything is subject to a one-year time line,” Plener says. “The privacy policy will be changed in 10weeks, I believe.”

Changing the infrastructure of its third-party developereco-system and enforcing stricter permissions to the use of personalinformation is the big challenge. Facebook hascommitted to do this by Sept. 1, 2010. It will need that much time tocoordinate about a million developers, worldwide.

“We certainly sympathize with developers,” says Dave Morin,senior platform manager with Facebook. “We’ve workedclosely with our developers every time we’ve made a change in the past.”

The new permissions-based system will allow users more control over how third-party applications use their information. Users will beable to determine how they share different types of content — photos and videos, for example — and will be able to opt out of having their information accessed by third-parties entirely.

“This approach is reasonable and it’s in compliance withCanadian privacy law,” Denham says. “We’re going to be looking under the hood”when the new system is complete.

One London, England-based developer is pleased to see theincreased privacy controls. Sebastien de Halleux is chief operating officer at Playfish,a company that has several popular games on Facebook.

“We have always had the utmost respect for user’s privacy,”he says. “Among the hundreds of thousands of developers on Facebook, I don’t think all of them have such high ethical standards … we’re glad to see Facebook taking this action.”

Developers will need to adjust their “integration point” tocomply with the new permissions-based system, Halleuxadds. Users will have to either opt-out or sharing information or click check boxes to give consent to share information.

Playfish uses only publicallyavailable information such as a user’s profile picture and friends’ list, hesays. If users don’t share this, they can’t play the games.

The results of the privacy investigation won’t just affect Canada, but Facebook users and developers around the world.

“Canada is the first country in the world to complete a comprehensive review into Facebook’s privacy practices,” Stoddartsays. “This has clearly struck a chord. People using social networking sites docare about privacy.”

For Facebook, meeting with therequirements of Canada’sPersonal Information Protection and Electronic Documents Act (PIPEDA) couldhelp avoid similar investigations in other parts of the world.

“We’re confident that by meeting the requirements of thePrivacy Commissioner of Canada,it will help us in other discussions we’re already engaged in around the world,” says Richard Allen, director of European Policy and Privacy at Facebook.

Other social networking sites should also take note, says CIPPIC’s Plener. Facebook might be the most popular site in Canada with 12million users, but it’s not the only one that must play by the rules.

“Before this, it would be hard to say anyone would take asmall group like CIPPIC seriously,” he says. “But now it’s clear that thingshave been resolved as a result of our complaint.”

Other social networking sites should be proactive aboutprivacy controls, Plener adds. It will save them timeand money in the long run, when they avoid legal intervention.

All parties agree that users have the largest roleto play in defining their own privacy. All the controls and permissions createdmust be considered by users, or they are useless.

Facebook will also be implementinga “privacy tour” for new users to the site.

Share on LinkedIn Share with Google+