Facebook falls short of privacy obligations to Canada, says law group

Facebook has failed to meet the Privacy Commissioner of Canada’s requirements to improve user privacy controls before the Sept. 1 deadline, according to a University of Ottawa-based law group.

The Canadian Internet Policy and Public Interest Clinic (CIPPIC) lodged the original complaint with the Privacy Commissioner’s office that led to the original investigation. At its conclusion, Facebook agreed to a long list of changes requested by the commissioner. That included revamping its privacy policies, making it easier to delete an account, and how it treats the accounts of deceased users.

Related Story: Interview with Facebook’s new head of Canadian operations

But by far the most complex changes it committed to was reworking its third-party application programming interface. Facebook agreed to give users more granular controls over what sort of information outside application developers could access, and limit it to only what was required for the purposes of the application.

Now letters that were exchanged between the Privacy Commissioner’s office and Facebook suggest a disagreement on exactly what user information should be up for grabs. The correspondence was acquired by CIPPIC through an Access to Information request and shared with ITBusiness.ca.

Facebook did roll out a new application authorization process for users in June, but it missed the point, says Tamir Israel, a staff lawyer with CIPPIC.

“They promised not just transparency, but more granular control over the items being disclosed. But you don’t really have granular control,” he says. “You’re getting this all or nothing approach and there’s not even transparency on the purpose.”

At the heart of the problem is that Facebook needs to make money. It does this by letting its third-party developers tap user information for marketing purposes. Those marketing purposes are beyond the actual information required for most applications to function, Israel says. Allowing developers to use personal information for advertising purposes without getting direct consent is in contravention of the Personal Information Protection and Electronic Documents Act (PIPEDA), Canada’ privacy law that regulates the private sector.

Facebook says it has made a number of changes to address the commissioner’s concerns. That includes updating user notifications, a rewritten privacy policy, as well as the new authorization process for applications.

“We believe the changes that we have made are in full compliance with PIPEDA,” Facebook’s spokesperson says. “Advertisers do not have access to users’ personally identifiable information th

In November and December, Facebook rolled out changes to all users’ privacy settings as it disposed of regional networks. At the same time, it changed the default privacy setting for many information categories to “Everyone”, meaning it was public to the entire Internet. That meant that application developers would automatically have access to this information, with no authorization being presented to users.

Related Story: Facebook class-action lawsuit involves nearly half of all Canadians

Assistant Privacy Commissioner Elizabeth Denham (now the Information and Privacy Commissioner of B.C.) expressed concerns over the changes in a letter sent to Facebook dated Dec. 7, 2009.

“With respect to current users, as I understand it, Facebook reasons that since users may have been comfortable with sharing their information with what was previously, in many cases, fairly large networks, they would now be comfortable with sharing that information with everyone on the internet. It is unclear what you are basing that reasoning on especially since many of those categories of information can be considered sensitive,” she writes.

The letter continues to say that granularity of control over privacy settings were the basis of the resolution reached in August 2009. There was no suggestion at that time that public information could not be controlled by the user, Denham writes. Facebook had been changed in a material way.

“It is a different site than the site we investigated earlier this year,” she writes.

Facebook responded the next day. A one-page letter dated Dec. 8, 2009 says that it considers public information fair game for developers to use.

“We never even contemplated a permissions model that requires developers to ask permission for information that is freely available to everyone else,” writes Michael Richter, deputy general counsel.

That’s the crux of Facebook’s “fundamental and blatant misunderstanding of PIPEDA,” CIPPIC’s Israel says. Canada’s laws protecting personal information are contextual – meaning that even publicly available information can’t be scraped up and used for advertising purposes.

Facebook did announce an update to its application authorization process in a June 30 blog post. It explained that applications would be able to access public parts of a user’s profile by default and permission to access private parts would have be explicitly sought.

A permissions box pops up when users install a new applications, wrote Bret Taylor, chief technical officer at Facebook. That’s the users’ opportunity to either give access or to shut the door entirely.

“You can control which information your friends can share with the applications they use,” he adds. “If at any point you ask a developer to remove the data you’ve granted them access to, we require that they delete that information.”

“We have also completely redesigned the privacy settings page to be much more simple, significantly reduced the amount of information that is always visible to everyone and given users more control over how applications and websites access your information, including the ability to completely turn off Facebook Platform applications and websites,” a spokesperson writes in an e-mail exchange with ITBusiness.ca.

Facebook says it shares the same goals as the Privacy Commissioner’s office. It points to the June update as an example of creating more simple privacy controls.

“Such improvements reflect two core Facebook beliefs,” the spokesperson writes. “First, your data belongs to you; second, it should be easy to control what you share.”

The Privacy Commissioner launched anew investigationinto Facebook Jan. 27. The office has said little about the ongoing investigation, only that it will address some of the privacy changes made by the service.

As for the original complainant, CIPPIC isn’t happy with the end result of Facebook’s changes.

“Federal court is still sort of an option,” Israel says. “They didn’t do it a year ago, and they didn’t because Facebook made these obligations, and if they haven’t lived up to them, then we’re back to where we were a year ago.”

ITBusiness.ca requested interviews with Facebook and the Privacy Commissioner of Canada’s office, but didn’t receive a response before publication.

The Privacy Commissioner is expected to address the Sept. 1 deadline sometime soon.

Brian Jackson is a Senior Writer at ITBusiness.ca. Follow him on Twitter, read his blog, and check out the IT Business Facebook Page.

Share on LinkedIn Comment on this article Share with Google+

Leave a Reply

Your email address will not be published. Required fields are marked *

You may use these HTML tags and attributes: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <strike> <strong>