Canadian Group Alleges Privacy Violations by Facebook
Disclosure: I have worked with CIPPIC on privacy issues, including those related to Facebook and other social networking sites.
The Canadian Internet Policy and Public Interest Clinic (“CIPPICâ€) has filed a complaint (pdf) against Facebook alleging 22 violations of Canadian law. The group asked the Privacy Commissioner of Canada to investigate their allegations “regarding the unnecessary and non-consensual collection and use of personal information by Facebook, a social networking website.â€
“Social networking online is growing phenomenon,†said CIPPIC Director Philippa Lawson. “It is proving to be a tremendous tool for community-building and social change, but at the same time, a minefield of privacy invasion.â€
There has been controversy over several Facebook practices, especially that of its “Beacon†feature. There, Facebook gathered data on users’ transactions with third-party sites and broadcast users’ purchases to their friends in “social ads†that appeared on Facebook. The social networking site automatically broadcast these details, placing the burden upon users to opt-out of the Beacon program. Last year, after considerable public pressure, Facebook changed Beacon and required users to affirmatively opt-in before publicizing their purchases.
CIPPIC claims Facebook has violated the Personal Information Protection and Electronic Documents Act (“PIPEDAâ€) by failing to: identify the purposes for which the personal data of users is collected (including the data’s use by third-party advertisers); obtain consent for all collection, use, and disclosure of user and non-user data; inform users that Facebook monitors what it calls “anomalous behaviorâ€; or properly securing the data collected, used, and disclosed.
CIPPIC also accuses Facebook of “misrepresent[ing] the level of control available to Users over personal information.†Though one of Facebook’s core principles is: “You should have control over your personal information,†the group notes, “Users are not even permitted to opt out of certain kinds of information sharing.â€
Harley Finkelstein, one of the law students who worked on the complaint, explains, “[F]or example, even if you select the strongest privacy settings, your information may be shared more widely if your Facebook Friends have lower privacy settings. As well, if you add a third party application offered on Facebook, you have no choice but to let the application developer access all your information even if they don’t need it.â€
In April, the International Working Group On Data Protection in Telecommunications released a “Report and Guidance on Privacy in Social Network Services†(pdf) that highlighted these problems. “While social network services offer a new range of opportunities for communication […], the use of such services can also lead to putting the privacy of its users (and of other citizens not even subscribed to a social network service) at risk.†Risks identified include the misuse of profile data by third parties and “notoriously†insecure infrastructure. To mitigate these risks, the group recommended: improved security protections for the data; more openness about data collection and use by social networking services; and requirements that providers notify users of data breaches.
CIPPIC’s complaint (pdf) goes into great detail about the specific problems with Facebook, which may surprise many users, and I urge you to read it. The Privacy Commissioner has one year to investigate the allegations set out by CIPPIC.