Skip to content

Facebook and Privacy

August 6, 2009

In the Summer of 2008 University of Ottawa law students at the Canadian Internet Policy and Public Interest Clinic (CIPPIC) filed a complaint to the federal Office of the Privacy Commissioner, alleging 22 separate violations of Canadian privacy laws by Facebook under the Personal Information Protection and Electronic Documents Act (PIPEDA). PIPEDA applies to the federally-regulated private sector with respect to the collection, use and disclosure of personal information, but only for the transaction of commercial activities. PIPEDA deals with fair information practices and affirms that personal information should be collected, used, and disclosed only with an individual’s consent.

In their complaint, CIPPIC argued three main points: 1) Facebook should be open with its users about its use of their personal information; 2) Facebook should obtain express permission to share its users’ personal information; and 3) Facebook should limit the personal information that it shares to what is necessary. Specifically the complaint alleged PIPEDA infractions with regard to the following PIPEDA Principles: 4.2 (Identifying Purposes), 4.3 (Consent), 4.4 (Limiting Collection), 4.5 (Limiting Use, Disclosure and Retention), 4.7 (Safeguards), and 4.8 (Openness).

In July 2009 the OPC released their report on the CIPPIC complaint. Stating that the central issues revolved around knowledge and consent, the OPC thus concentrated their investigation “on whether Facebook was providing a sufficient knowledge basis for meaningful consent by documenting purposes for collecting, using, or disclosing personal information and bringing such purposes to individuals’ attention in a reasonably direct and transparent way” (Denham, 2009, n.p.). The OPC ruled that of CIPPIC’s twelve major complaints, four of the complaints were un-founded, and four were well-founded but correctly addressed by the company during their year-long investigation. These included requests for user’s date of birth, more precision on the nature of default privacy settings, advertising, and monitoring for anomalous activity (this can include sending out too many friend requests that can be construed as harassment, or abuse by spammers or scammers).

The OPC deemed four other allegations well-founded with remedies not yet sufficiently addressed by Facebook. These included third-party applications wherein information is disclosed to developers who make software for the site, account deactivation and deletion, accounts of deceased users, and the collection of personal information of non-users. The specific recommendations the OPC asked Facebook to remedy included:

Third-Party Applications
Facebook is asked to implement measures that limit application developers’ access to user information not required to run a specific application; to inform users of specific information that an application requires and for what purpose; to obtain express consent by users’ to the developer’s request for specific information; and, to prohibit all disclosures of personal information of users who are not themselves adding an application.

Account Deactivation and Deletion
Facebook is asked to develop, institute, and inform users of a retention policy that deletes from the Facebook servers, after a reasonable length of time, the personal information from deactivated accounts. The Privacy Policy should be more explicit to indicate that users can choose to delete their accounts rather than merely deactivating them.

Accounts of Deceased Users
Facebook is asked to include in its Privacy Policy’s explanation of intended uses of personal information an explanation of how personal information for the purpose of memorializing the accounts of deceased users will be used.

Personal Information of Non-Users
Facebook is asked to implement measures that protect the personal information of non-users. It currently allows users to post personal information about non-users without their consent (e.g. tagging photos and videos of users with their names). Facebook is asked to improve its invitation feature so that non-users will be informed about Facebook’s collection, use, and retention of their email addresses and ensure that the email addresses for such invitations will be retained for a reasonable period of time.

The OPC has asked Facebook to respond to their recommendations within 30 days. Facebook acknowledged that changes made in response to the OPC recommendations will apply to Facebook users worldwide, and that they are in dialogue with other international privacy regulators (Delacourt, 2009).

See also:

Canadian Internet Policy and Public Interest Clinic (CIPPIC). (2008, May 30). PIPEDA complaint to the Office of the Privacy Commissioner.
http://www.cippic.ca/uploads/CIPPICFacebookComplaint_29May08.pdf

Delacourt, S. (2009. July 17). Facebook gets poked by Canada over privacy, The Toronto Star.
http://www.thestar.com/news/canada/article/667700

Denham, Elizabeth. (2009, July). PIPEDA case summary #2009-008. Report of findings into the complaint filed by the Canadian Internet Policy and Public Interest Clinic (CIPPIC) against Facebook Inc., under the Personal Information Protection and Electronic Documents Act. Ottawa: Office of the Privacy Commissioner of Canada.
http://www.priv.gc.ca/cf-dc/2009/2009_008_0716_e.cfm

Feinberg, L. (2008, Summer). Facebook: Beyond friends. Our Schools/Our Selves, 75-80.
http://www.policyalternatives.ca/osos/2008/07/ourschoolsourselves1946/?pa=a5671525
PIPEDA (Personal Information Protection and Electronic Documents Act), S.C. 2000, c.5, updated 2006. http://www.privcom.gc.ca/legislation/02_06_01_e.aspCanadian Internet Policy and Public Interest Clinic (CIPPIC) Complaint to the Office of the Privacy Commissioner, 2008.
http://www.cippic.ca/uploads/CIPPICFacebookComplaint_29May08.pdf
PRINCIPLE 4.2 (IDENTIFYING PURPOSES)
Requires an organization to identify the purpose for which personal information is collected at or before the time of collection and only to collect information necessary for the identified purposes.
CIPPIC Complaint: Facebook allows third party application developers to access User information that is beyond what is necessary to operate their applications.

Principle 4.2.3
Requires identified purposes to be specified at or before the time of collection to the user from whom the personal information is collected.
CIPPIC Complaint: Facebook does not precisely identify why Users’ information is collected from other sources.

Principle 4.2.4
Requires that if personal information that has been collected is to be used for purposes not previously identified, the new purpose needs to be identified prior to use. The individual’s consent is needed unless the new purpose is required by law.
CIPPIC Complaint: Facebook reserves the right to modify or add to its Terms of Use without notice and Facebook retains deceased Users’ profile for memorial reasons, a new purpose.

Principle 4.2.5
Recommends that the purpose of information collected should be explained to the individuals for whom the information is being collected.
CIPPIC Complaint: Facebook does not explain to Users why third party application developers need access to all their User information.

PRINCIPLE 4.3 – CONSENT
Principle 4.3.1
Requires consent for the collection of personal information and the subsequent use or disclosure of this information.
CIPPIC Complaint: Facebook does not obtain the consent of non-Users to collect their information from Users, to share their information with other Users, and to retain their information.

Principle 4.3.2
Requires organizations to make reasonable efforts to ensure that individuals are advised of the purposes for which the information will be used. Such meaningful consent must be stated in ways that individuals can reasonably understand how information will be used or disclosed.
CIPPIC Complaint: Facebook does not make a reasonable effort to ensure that Users are advised of: The purposes for which their dates of birth will be used; The purpose of using User information for Social Ads; All the types of information that are shared with third party application developers, including Friends’ information; and The purpose behind retaining information of Users who have deactivated their accounts.

Principle 4.3.3.
Requires that organizations shall not, as a condition of the supply of a product or service, require individuals to consent to the collection, use, or disclosure of information beyond that required to fulfill the explicitly specified and legitimate purposes.
CIPPIC Complaint: Facebook requires Users, as a condition of use of its service, to: Provide their dates of birth despite that its purpose for doing so is not explicitly specified; and Participate in one variation of Social Ads despite that this activity is beyond that required to fulfill Facebook’s explicitly specified and legitimate purpose of social networking. Facebook requires Users, as a condition to use of third party platforms, to: Share personal information with third party application developers that is beyond what is required to fulfill the purposes of the applications. Facebook retains non-Users’ email addresses for purposes beyond sending them an email to invite them to Facebook.

Principle 4.3.6
Requires that organizations seek express consent when the information is likely to be considered sensitive.
CIPPIC Complaint: Facebook does not obtain express consent to share sensitive information in the following ways: Users’ information with other Users in joined Networks; Users’ photo albums and associated comments with everyone; Users’ name and picture searchable to everyone; Users’ information with third party application developers and with third party advertisers; Non-User’s information, including photographs, with Users; and To retain Users’ information after they deactivate their accounts.

Principle 4.3.8
Allows individuals to withdraw consent at any time, subject to legal or contractual restrictions and reasonable notice.
CIPPIC Complaint: Facebook does not permit active Users to withdraw consent from the Social Ads that are displayed in the left hand “Ad Space” of their Profiles. Facebook does not inform Users who withdraw consent to share their personal information with third party application developers that all their applications will be lost. Facebook does not permit Users who effectively withdraw consent to share their information by deactivating their accounts to do so.

PRINCIPLE 4.4 – LIMITING COLLECTION
Principle 4.4.1
Sets out limitations on the amount and type of information collected for the stated purposes of collection.
CIPPIC Complaint: Facebook allows third party application developers to collect information beyond what is necessary to run the applications.

Principle 4.4.2
States that consent for collection purposes must not be made with deceptive practices.
CIPPIC Complaint: Facebook deceives Users about its purposes for collecting personal information and about the level of User control over their personal information.

PRINCIPLE 4.5 – LIMITING USE, DISCLOSURE AND RETENTION
Principle 4.5.2
Organizations need to develop policies for the retention of personal information.
CIPPIC Complaint: Facebook does not indicate the retention period for Profiles of Users who have deactivated their accounts anywhere on its Privacy Policy or website.

Principle 4.5.3
States that any personal information no longer required to fulfill the identified purposes should be destroyed, erased, or made anonymous.
CIPPIC Complaint: Facebook does not guarantee that personal information that has been disclosed to third party application developers will be destroyed once a User removes an application from Facebook. Facebook retains Users’ personal information after they have terminated their accounts, when their information is no longer necessary to serve Facebook’s identified purpose of social networking.

PRINCIPLE 4.7 – SAFEGUARDS
Principle 4.7.
Requires organizations to have security safeguards to protect against unauthorized access, use, copying or disclosure.
CIPPIC Complaint: Facebook enables a cookie of indefinite length on a User’s mobile device, which could potentially allow others to access the User’s Facebook account.

PRINCIPLE 4.8 – OPENNESS
Requires organizations to allow access to their policies and practices with reasonable effort.
CIPPIC Complaint: Facebook does not make its policies on the range of personal information that is disclosed to third party application developers available on their general website. Facebook does not disclose that it uses technology to actively search for anomalous behaviour. (CIPPIC, 2008, p. 33-36).

Advertisements
No comments yet

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

%d bloggers like this: