Wednesday, September 22, 2010

Canadian Privacy Commissioner satisfied with Facebook resolution

This just posted on the OPC website:

News Release: Privacy Commissioner completes Facebook review - September 22, 2010

Privacy Commissioner completes Facebook review

OTTAWA, September 22, 2010 – The Privacy Commissioner of Canada has finished reviewing the changes that Facebook implemented as a result of her investigation of the social networking site and has concluded that the issues raised in the complaint have been resolved to her satisfaction.

Privacy Commissioner Jennifer Stoddart today issued the following statement:

The changes Facebook has put in place in response to concerns we raised as part of our investigation last year are reasonable and meet the expectations set out under Canadian privacy law.

The investigation has resulted in many significant changes. Facebook has put in place measures to limit the sharing of personal information with third-party application developers and is now providing users with clear information about its privacy practices.

A major concern during our investigation was that third-party developers of games and other applications on the site had virtually unrestricted access to Facebook users’ personal information. Facebook has since rolled out a permissions model that is a vast improvement. Applications must now inform users of the categories of data they require to run and seek consent to access and use this data. Technical controls ensure that applications can only access user information that they specifically request.

We’re also pleased that Facebook has developed simplified privacy settings and has implemented a tool that allows users to apply a privacy setting to each photo or comment they post.

It has been a long road in arriving at this point. These changes are the result of extensive and often intense discussions with Facebook. Our follow-up work was complicated by the fact that we were dealing with a site that was continually changing.

Overall, Facebook has implemented the changes it promised following our investigation.

The issues related to the investigation – and, to be clear, I am only speaking about those issues rather than the site as a whole – have been resolved to my satisfaction.

However, our work with Facebook is not over.

While we are satisfied that the changes address the concerns raised during our investigation, there is still room for improvement in some areas. We’ve asked Facebook to continue to improve its oversight of application developers and to better educate them about their privacy responsibilities. We have also cautioned Facebook against expanding the categories of user information made available to everyone on the Internet – and which users cannot control through privacy settings. As well, we had recommended that Facebook make its default settings for photo albums more restrictive than “everyone on the Internet” – though this concern has been mitigated to a large extent by Facebook’s per-object privacy tool.

Facebook is constantly evolving and we are actively following the changes there – as well as on other social networking sites. We will take action if we feel there are potential new violations of Canadian privacy law.

As well, we have received several further complaints about issues that were not part of our first investigation and we are now examining those. The new complaints deal with Facebook’s invitation feature and Facebook “Like” buttons on other websites.

Our ongoing work does not take away from the improvements Facebook has already made. Indeed, I would like to express my sincere appreciation to Facebook for the cooperation it has provided throughout our discussions. We recognize that some of the changes needed in order for Facebook to meet its legal obligations in Canada were complex and time-consuming to implement. Ultimately, Facebook has made several privacy improvements that will benefit its users around the globe. I believe we have also demonstrated that privacy protection does not stand in the way of innovation.

I would also like to offer my gratitude to the Canadian Internet Policy and Public Interest Clinic for bringing these important issues forward. CIPPIC recognizes how much Canadians value their privacy and has become an important voice for privacy rights in Canada.

A large focus of our work with Facebook related to third-party applications. It is our expectation that application developers will take note of our investigation. Like Facebook, many of them have an obligation to respect Canadian privacy law.

Finally, Facebook users also have a responsibility here. They need to inform themselves about how their personal information is going to be used and shared. The investigation has led to more privacy information and improved privacy tools – Facebook users should take advantage of those changes.

A backgrounder with detailed information about the investigation is available on the Office of the Privacy Commissioner of Canada’s website,

The Privacy Commissioner of Canada is mandated by Parliament to act as an ombudsman, advocate and guardian of privacy and the protection of personal information rights of Canadians.

The Commissioner's "backgrounder" is here: .

1 comment:

Alex Lougheed said...

Frankly, there's still a lot of glaring holes that the privacy commissioner seems to have missed.

For instance, if you host a page (say, for your employer), and you wish to add a third-party app to that page, you must do so by adding the app on your personal/administrator account as well. That means if I want "Alex Co."'s page to have a YouTube tab, I need to inform the maker of the YouTube app about my gender, friends, and other PII. Only once the app is set up can you decouple from your account, but at that point, the damage is done.

Also, there's still a slew of problems with defaults. Every time there's a change to your settings, be they intentional or not, FB assumes you want privacy-invasion.