Facebook has been put on notice to comply with Canadian privacy laws within 30 days and says it willcontinue to work with the Privacy Commissioner of Canada to boost privacy controls and make users more aware of them.
The Privacy Commissioner’s office released a report today on its investigationinto a complaint lodged against the popular social network by the CanadianInternet Policy and Public Interest Clinic (CIPPIC) May 30, 2008. Facebook must adopt key recommendations from the office byAug. 15 to comply with the Personal Information Protection and Electronic Documents Act (PIPEDA) or face the possibility of being brought before the Canadian federalcourt.
The Santa Clara, Calif.-based Web site has been collaborating with thePrivacy Commissioner and will continue to do so, says Chris Kelly, chiefprivacy officer at Facebook. But he made no clear commitments on what actionswill be taken.
“We’re continuing our productive conversations,” he says. “There are somematters where we feel our controls weren’t recognized.”
Related story: FacebookConnect lets users “take control” of privacy while surfing
Recommendations from the privacy watchdog include better controls forthird-party application developers, deleting information for users who havedeactivated their accounts and a better explanation as to what happens to theaccount of a dead user.
Overall, Facebook must offer better controls for private informationand make users more aware of them. There are about 12 million Canadians usingthe site, and 250 million accounts worldwide.
“We found serious privacy gaps in the way the site operates,” says JenniferStoddart, the Privacy Commissioner of Canada. “Facebook must make somechanges with its site to bring it into compliance with Canadian privacy law.”
Third-party developers have been allowed to build Facebook applicationssince May 2007. They include productivity tools, games and media-sharing tools.The applications can give developers access to all the personal information ona user’s profile, and even to that user’s friends information – even if thefriends don’t have the application installed.
This stands out as the glaring privacy shortfall that Facebook must fix, says ElizabethDenham the Assistant Privacy Commissioner of Canada and lead of theinvestigation.
“We’ve found that Facebook lacks the adequate safeguards to protect users’profile information, along with their online friends,” she says.
Third-party applications and the way they access information is thebig-ticket item here, agrees David Fewer, the acting director of CIPPIC.
“Facebook has to get its head around that they built a business model inignorance or at least willful blindness,” he says. “These are not radicalrecommendations. They should be adopted.”
Facebook should limit application developers to collectingonly information required, and users should give consent on specifically whatinformation is given and for what purpose. Personal information for non-usersshouldn’t be touched at all, the report recommends.
But in an interview, Facebook wouldn’t commit to changing the way itsthird-party applications are handled. There are already controls in place thatwill continue to be improved over time, Kelly says. But Facebook doesn’t wantto interrupt its users more than it has to.
“Right now we have an interruptive notice for users the first time they login to an application,” he says. “To have this done every time would be tooannoying.”
Mozelle Thompson, an advisory board member for Facebook, has previously saidthat CIPPIC’s complaints were based on misunderstandings of the service. Seepast ITBusiness.ca story “Facebooksays ‘misrepresentations’ behind Canadian privacy probe.”
Facebook must also tell its users of its policy to hold on to personal information after an account has been deactivated,and delete the information after a reasonable time period, Denham says. Thesite’s current explanation of how to delete an account is too confusing.
“There have been complaints in the past and they get black eyes in the presson this issue,” Fewer says. “When you’re holding onto this information, you’rejust offside.”
But Kelly says the option for users to delete an account already exists andusers should be able to make their own decisions about whether they want todelete or deactivate an account. Facebook also retains the profiles of deceasedusers.
“It respects the fact that when people pass away, they generally want toallow their friends to remember them,” the chief privacy officer says. “We dorespect the wishes of the next of kin.”
Facebook doesn’t have to take down these memorialized accounts, the reportsays. It just has to explain the intended use of personal information for such purposes. The executor of thewill should have the right to what happens with the account.
“People like Facebook accounts of the deceased,” Fewer says. “It’s a way forthe deceased to go on and live virtually in cyberspace.”
Facebook has worked with the privacy watchdog throughout its investigation and hasalready fixed several of the complaints made by CIPPIC. Facebook has takenmeasures to resolve issues relating to its default privacy settings,participating in social advertising and Facebook Mobile safeguards.
Denham praised the social network for its cooperative stance and itsintentions to protect the privacy of users. But at the same time, shethreatened legal action if the recommendations weren’t met after 30 days.
“The federal court has told us in a previous case that we havejurisdiction,” she says. “Facebook is operating in Canadaand we have jurisdiction only on Facebook’s operations in Canada.”
Kelly wouldn’t say whether Facebook would recognize that jurisdiction.
“We’re listening to users around the world and that’s a bridge we’d cross ifit comes to that,” he says. “We’re confident it would be heard that we’re notin violation of the law.”
In filing its complaint, CIPPIC says it wants to create a set of rules forall social network sites to follow when doing business in Canada, notjust Facebook. The public interest group based at the University of Ottawawill be watching how other social networks react to the report, to see if theyadopt the recommendations.
Denham also says other social networking sites should “look at ourrecommendations and take them to heart.”
For Kelly, any critical attention diverted away from Facebook’s privacyoperations would be a relief.
“We think we outpace the competition, and maybe the attention should befocused there next,” he says.
Facebook is currently rolling out a privacy tool that will be featuredalongside the publisher box on its home page. This will allow users to decidewho they’re sharing information with on a post-by-post basis.