Disclosure: I have worked with CIPPIC on privacy issues, including those related to Facebook and other social networking sites.
The Canadian Internet Policy and Public Interest Clinic (“CIPPIC”) has filed a complaint (pdf) against Facebook alleging 22 violations of Canadian law. The group asked the Privacy Commissioner of Canada to investigate their allegations “regarding the unnecessary and non-consensual collection and use of personal information by Facebook, a social networking website.”
“Social networking online is a growing phenomenon,” said CIPPIC Director Philippa Lawson. “It is proving to be a tremendous tool for community-building and social change, but at the same time, a minefield of privacy invasion.”
There has been controversy over several Facebook practices, especially its “Beacon” feature. Through Beacon, Facebook gathered data on users’ transactions with third-party sites and broadcast users’ purchases to their friends in “social ads” that appeared on Facebook. The social networking site broadcast these details automatically, placing the burden on users to opt out of the Beacon program. Last year, after considerable public pressure, Facebook changed Beacon to require users to affirmatively opt in before their purchases are publicized.
CIPPIC claims Facebook has violated the Personal Information Protection and Electronic Documents Act (“PIPEDA”) by failing to: identify the purposes for which the personal data of users is collected (including the data’s use by third-party advertisers); obtain consent for all collection, use, and disclosure of user and non-user data; inform users that Facebook monitors what it calls “anomalous behavior”; or properly secure the data collected, used, and disclosed.
CIPPIC also accuses Facebook of “misrepresent[ing] the level of control available to Users over personal information.” Though one of Facebook’s core principles is: “You should have control over your personal information,” the group notes, “Users are not even permitted to opt out of certain kinds of information sharing.”
Harley Finkelstein, one of the law students who worked on the complaint, explains, “[F]or example, even if you select the strongest privacy settings, your information may be shared more widely if your Facebook Friends have lower privacy settings. As well, if you add a third party application offered on Facebook, you have no choice but to let the application developer access all your information even if they don’t need it.”
In April, the International Working Group On Data Protection in Telecommunications released a “Report and Guidance on Privacy in Social Network Services” (pdf) that highlighted these problems. “While social network services offer a new range of opportunities for communication […], the use of such services can also lead to putting the privacy of its users (and of other citizens not even subscribed to a social network service) at risk.” Risks identified include the misuse of profile data by third parties and “notoriously” insecure infrastructure. To mitigate these risks, the group recommended: improved security protections for the data; more openness about data collection and use by social networking services; and requirements that providers notify users of data breaches.
CIPPIC’s complaint (pdf) goes into great detail about the specific problems with Facebook, which may surprise many users, and I urge you to read it. The Privacy Commissioner has one year to investigate the allegations set out by CIPPIC.