Disclosure: I have worked with CIPPIC on privacy issues, including those related to Facebook and other social networking sites.
The Canadian Internet Policy and Public Interest Clinic (“CIPPIC”) has filed a complaint (pdf) against Facebook alleging 22 violations of Canadian law. The group asked the Privacy Commissioner of Canada to investigate their allegations “regarding the unnecessary and non-consensual collection and use of personal information by Facebook, a social networking website.”
“Social networking online is a growing phenomenon,” said CIPPIC Director Philippa Lawson. “It is proving to be a tremendous tool for community-building and social change, but at the same time, a minefield of privacy invasion.”
There has been controversy over several Facebook practices, especially its “Beacon” feature. With Beacon, Facebook gathered data on users’ transactions with third-party sites and broadcast users’ purchases to their friends in “social ads” that appeared on Facebook. The social networking site broadcast these details automatically, placing the burden on users to opt out of the Beacon program. Last year, after considerable public pressure, Facebook changed Beacon and required users to affirmatively opt in before publicizing their purchases.
CIPPIC claims Facebook has violated the Personal Information Protection and Electronic Documents Act (“PIPEDA”) by failing to: identify the purposes for which the personal data of users is collected (including the data’s use by third-party advertisers); obtain consent for all collection, use, and disclosure of user and non-user data; inform users that Facebook monitors what it calls “anomalous behavior”; or properly secure the data collected, used, and disclosed.
CIPPIC also accuses Facebook of “misrepresent[ing] the level of control available to Users over personal information.” Though one of Facebook’s core principles is: “You should have control over your personal information,” the group notes, “Users are not even permitted to opt out of certain kinds of information sharing.”
Harley Finkelstein, one of the law students who worked on the complaint, explains, “[F]or example, even if you select the strongest privacy settings, your information may be shared more widely if your Facebook Friends have lower privacy settings. As well, if you add a third party application offered on Facebook, you have no choice but to let the application developer access all your information even if they don’t need it.”
In April, the International Working Group On Data Protection in Telecommunications released a “Report and Guidance on Privacy in Social Network Services” (pdf) that highlighted these problems. “While social network services offer a new range of opportunities for communication […], the use of such services can also lead to putting the privacy of its users (and of other citizens not even subscribed to a social network service) at risk.” Risks identified include the misuse of profile data by third parties and “notoriously” insecure infrastructure. To mitigate these risks, the group recommended: improved security protections for the data; more openness about data collection and use by social networking services; and requirements that providers notify users of data breaches.
CIPPIC’s complaint (pdf) goes into great detail about the specific problems with Facebook, which may surprise many users, and I urge you to read it. The Privacy Commissioner has one year to investigate the allegations set out by CIPPIC.