Saturday, May 31, 2008

Canadian Internet Policy and Public Interest Clinic files complaint with the Privacy Commissioner about Facebook

The Canadian Internet Policy and Public Interest Clinic (CIPPIC) - Canadian Internet Policy and Public Interest Clinic (CIPPIC) has filed a 35 page complaint with the Privacy Commissioner of Canada, alleging that Facebook violates the Personal Information Protection and Electronic Documents Act in at least eleven ways.

I just gave a presentation in Toronto on privacy and social networking sites. Social networking is very interesting and problematic from a privacy point of view. Unlike other online services, social networking sites are all about the collection, use and ultimate disclosure of personal information. Also, unlike other online services, it is the users (who sign up) who want their information to be disclosed. They want to know what their friends are up to and they want to reciprocate by providing this information to their friends and others. It can be fun and very useful for things like organizing parties, keeeping in touch and (as I've found out by reconnecting with most of my friends from grade 8) reconnecting with people with whom you've lost touch. The key, from a privacy point of view, is making sure that the users are aware of what happens with their information and are given maximum control over how that information is used.

Being on the leading edge of this social networking revolution, Facebook has had its share of privacy blunders. Legions of its users freaked out when the company rolled out the "mini feed" without adequate notice, but now most users find this to be one of the greatest features. Similarly, the Beacon advertising service caused a huge uproar when introduced. Again, this was done without giving people adequate notice and in both cases they were introduced on an opt-out basis without the default being privacy protective.

The main issue, in my view, for social networking sites is to be clear to users about how their information is used and disclosed and to give users maximum control over that use and disclosure. As a Facebook user myself, I think that they've done a good job of providing users with tools to control use and disclosure, but have fallen down on the job of educating their users and by taking an opt-out position on most of the privacy settings.

I will be very interested to see how the Privacy Commissioner deals with the complaint. The Commissioner has already published information about social networking and privacy, so has certainly had an opportunity to consider many of these issues. Stay tuned to hear how it turns out.

Here's the detailed summary of the complaint:

Summary of PIPEDA Complaint

To summarize, we submit that Facebook is in violation of the following PIPEDA provisions in the following regards:

Principle 4.2 – Identifying Purposes:

Principle 4.2.2

Principle 4.2.2 requires that an “organization identify the purpose for which personal information is collected at or before the time of collection” and that an “organization collect only the information necessary for the purposes that have been identified.”

  • Facebook allows third party application developers to access User information that is beyond what is necessary to operate their applications.

Principle 4.2.3

Principle 4.2.3 sets out that “the identified purposes should be specified at or before the time of collection to the individual from whom the personal information is collected.”

  • Facebook does not precisely identify why Users’ information is collected from other sources.

Principle 4.2.4

Principle 4.2.4 sets out that “when personal information that has been collected is to be used for a purpose not previously identified, the new purpose shall be identified prior to use. Unless the new purpose is required by law, the consent of the individual is required before information can be used for that purpose.”

  • Facebook reserves the right to modify or add to its Terms of Use without notice.
  • Facebook retains deceased Users’ profile for memorial reasons, a new purpose.

Principle 4.2.5

Principle 4.2.5 recommends that information collectors “should be able to explain to individuals the purpose for which the information is being collected.”

  • Facebook does not explain to Users why third party application developers need access to all their User information.

Principle 4.3 – Consent:

Principle 4.3.1

Principle 4.3.1 sets out that “consent is required for the collection of personal information and the subsequent use or disclosure of this information.”

  • Facebook does not obtain the consent of non-Users to collect their information from Users, to share their information with other Users, and to retain their information.

Principle 4.3.2

Principle 4.3.2 sets out that “organizations shall make a reasonable effort to ensure that the individual is advised of the purposes for which the information will be used” and that meaningful consent requires that “the purposes must be stated in such a way that the individual can reasonably understand how the information will be used or disclosed”.

  • Facebook does not make a reasonable effort to ensure that Users are advised of:
    • The purposes for which their dates of birth will be used;
    • The purpose of using User information for Social Ads;
    • All the types of information that are shared with third party application developers, including Friends’ information; and
    • The purpose behind retaining information of Users who have deactivated their accounts.

Principle 4.3.3

Principle 4.3.3 sets out that “an organization shall not, as a condition of the supply of a product or service, require an individual to consent to the collection, use, or disclosure of information beyond that required to fulfill the explicitly specified and legitimate purposes.”

  • Facebook requires Users, as a condition of use of its service, to:
    • Provide their dates of birth despite that its purpose for doing so is not explicitly specified; and
    • Participate in one variation of Social Ads despite that this activity is beyond that required to fulfill Facebook’s explicitly specified and legitimate purpose of social networking.
  • Facebook requires Users, as a condition to use of third party platforms, to:
    • Share personal information with third party application developers that is beyond what is required to fulfill the purposes of the applications.
    • Facebook retains non-Users’ email addresses for purposes beyond sending them an email to invite them to Facebook.

Principle 4.3.6

Principle 4.3.6 sets out that “an organization should generally seek express consent when the information is likely to be considered sensitive.”

  • Facebook does not obtain express consent to share sensitive information in the following ways:
    • Users’ information with other Users in joined Networks;
    • Users’ photo albums and associated comments with everyone;
    • Users’ name and picture searchable to everyone;
    • Users’ information with third party application developers and with third party advertisers;
    • Non-User’s information, including photographs, with Users; and
    • To retain Users’ information after they deactivate their accounts.

Principle 4.3.8

Principle 4.3.8 sets out that “An individual may withdraw consent at any time, subject to legal or contractual restrictions and reasonable notice.”

  • Facebook does not permit active Users to withdraw consent from the Social Ads that are displayed in the left hand “Ad Space” of their Profiles.
  • Facebook does not inform Users who withdraw consent to share their personal information with third party application developers that all their applications will be lost.
And CIPPIC's media release:
CIPPIC files privacy complaint against Facebook

The Canadian Internet Policy and Public Interest Clinic (CIPPIC), based at the University of Ottawa, Faculty of Law, has asked the Privacy Commissioner of Canada to investigate alleged violations of Canadian privacy law by the popular social networking site, Facebook. CIPPIC’s 35-page complaint alleges 22 separate violations by Facebook, including its failure to inform Facebook members of how their personal information is disclosed to third parties for advertising and other profit-making activities and its failure to obtain permission from Facebook members to such uses and disclosures of their personal information.

A team of law students, some of whom are dedicated Facebook users, analysed the company’s policies and practices as part of a clinic course this past winter and identified specific practices that appear to violate the Canadian Personal Information Protection and Electronic Documents Act (“PIPEDA”).

“Social networking online is growing phenomenon,” said Clinic Director Philippa Lawson. “It is proving to be a tremendous tool for community-building and social change, but at the same time, a minefield of privacy invasion. We chose to focus on Facebook because it is the most popular social networking site in Canada and because it appeals to young teens who may not appreciate the risks involved in exposing their personal details online.”

Facebook has more than seven million Canadian members, with more joining every day. This makes Canada the third largest user base, after the U.S.A. and the U.K.

“Facebook purports to provide users with a high level of control over their data,” said Harley Finkelstein, one of the law students who lodged the complaint. “But our investigation found that this is not entirely true – for example, even if you select the strongest privacy settings, your information may be shared more widely if your Facebook Friends have lower privacy settings.

As well, if you add a third party application offered on Facebook, you have no choice but to let the application developer access all your information even if they don’t need it”.

Jordan Plener, another law student who worked on the complaint, noted that “although Facebook has taken steps to allow for more control over sharing one’s information on the site, its default settings are for sharing in most cases. Changing those settings requires a high level of aptitude and experience with the site. We believe that many Facebook Users, especially young people, don’t appreciate the extent to which their often sensitive personal information is being shared beyond their social circle.”

“We're concerned that Facebook is deceiving its users,” said Lisa Feinberg, another law student behind the Complaint. “Facebook promotes itself as a social utility, but it's also involved in commercial activities like targeted advertising. Facebook users need to know that when they're signing up to Facebook, they're signing up to share their information with advertisers.” Under PIPEDA, the Privacy Commissioner has up to a year to investigate and render her findings on the complaint.

No comments: