After a 13-month investigation, Canada’s Privacy Commissioner announced on Thursday that Facebook’s policies and practices violate the country’s privacy laws.
There are “serious privacy gaps” in the way Facebook operates, according to Commissioner Jennifer Stoddart.
The investigation was triggered by a complaint from the Canadian Internet Policy and Public Interest Clinic (CIPPIC).
The ruling may impact other social networking sites, which may be targeted by CIPPIC soon.
The Privacy Commission’s Report
The Commission launched an investigation against Facebook after receiving a complaint from CIPPIC in May 2008.
That complaint consisted of 24 allegations relating to 12 distinct subjects, according to the Commission’s report, which was signed by Assistant Privacy Commissioner Elizabeth Denham.
These included default privacy settings, the collection and use of users’ personal information for advertising purposes, disclosure of users’ personal information to third-party application developers, and the collection and use of non-users’ personal information.
“The central issue in CIPPIC’s allegations was knowledge and consent,” Denham said. Other issues related to the retention of personal information and security safeguards.
During the course of its investigation, the Commission met with Facebook executives repeatedly.
“Facebook has taken this issue very seriously and has worked with us well throughout the process,” Kasia Krzymien, the Commission’s lead investigator in the case, told TechNewsWorld.
4 Dismissed, 4 Resolved, 4 Remain
The findings against Facebook are filed as Case #2009-008 under Canada’s Personal Information Protection and Electronic Documents Act (PIPEDA).
Four of the 12 subjects raised by CIPPIC –including deception and misrepresentation, along with security concerns around Facebook Mobile — were not well-founded, Denham ruled.
Facebook Mobile consists of Facebook services and features for mobile phones.
Allegations on subjects like default privacy settings and advertising were well-founded, in her estimation, and those issues were ruled resolved after Facebook proposed corrective measures.
CIPPIC’s allegations on the four remaining subjects — third-party applications; account deactivation and deletion; accounts of deceased users; and non-users’ personal information — were also well-founded, in Denham’s opinion. However, these four pain points remain unresolved; Facebook has not at this time committed to adopting Denham’s recommendations.
Suggestions for Change
The report recommends Facebook make several changes. One is ensuring that developers can access only the user information they actually require to run a specific application.
The report also recommends that Facebook prevent the disclosure of personal information of any of the user’s friends who are not themselves signing up for an application.
After 30 days, the Commission will check to see whether changes have been made in instances where issues have been deemed resolved, and whether Facebook has tackled unresolved issues by either implementing the Commission’s recommendations or setting up acceptable alternatives.
Facebook’s Response
“Facebook is pleased that the Canadian Federal Privacy Commissioner has dismissed … most of the inaccurate claims brought by CIPPIC, and that we were able to collaboratively resolve other issues raised in the complaint,” spokesperson Barry Schnitt told TechNewsWorld.
“The Commissioner also recognized, as we do, that privacy and user control on the social Web is a new area, which requires Web sites, users and data protection authorities to work together. Without question, Facebook and the Canadian Privacy Commissioner’s Office share the common goal of making the Internet more privacy-friendly for Canadians and users across the world.”
The Commission recognizes that Facebook provides greater privacy protection than other Web sites, Schnitt pointed out, noting that the social networking giant will soon introduce new privacy features.
It will also continue working with the Commission, he said.
CIPPIC’s Comeback
Facebook’s criticism of CIPPIC’s complaints is a dramatic misrepresentation, according to Tamir Israel, a lawyer on staff with CIPPIC.
“A lot of things changed along the way while the investigation proceeded, and some of the points that were accurate in the complaint had changed by the time the Commissioner got to them,” he said.
The Commission’s Krzymien agreed. “The Commissioner makes findings on what Facebook looked like at the time the complaint was filed, and any changes in the Web site subsequent to that are taken into account in subsequent discussions,” she said.
CIPPIC, established at the University of Ottawa’s Faculty of Law in 2003, seeks to ensure balance in policy and lawmaking processes as new technologies change our landscape.
External advisors include Stanford University Professor of Law Lawrence Lessig; Electronic Privacy Information Center Director Marc Rotenberg; and Electronic Frontier Foundation Legal Director Cindy Cohn.
Lining Up Other Targets
The ruling on Facebook could impact other social networking sites that operate in Canada.
“This provides a very clear framework on how social networking should be done with respect to privacy laws in Canada,” CIPPIC’s Israel said.
“We, as well as the Privacy Commissioner, will be looking at other social networks. But we hope they take the initiative on their own to improve things,” he said.