16 Jul 2009

Report of Findings with respect to Facebook

(from our backgrounder)

The Office of the Privacy Commissioner of Canada has completed an in-depth investigation into a wide-ranging complaint about the privacy practices and policies of Facebook, a social networking website. The complaint was filed by the Canadian Internet Policy and Public Interest Clinic (CIPPIC).

The investigation was conducted under PIPEDA, the Personal Information Protection and Electronic Documents Act, which is the federal private-sector privacy law.

Our investigation concluded that four aspects of the complaint were well founded. Another four were well founded but considered to be resolved after Facebook agreed to make specific changes to its policies or practices. The final four issues raised by the complaint were dismissed as not well founded.

Here are examples from each of the three categories of our findings.

Well-founded allegation of the complaint: Third-party applications

One key allegation of the complaint that we upheld as well founded related to Facebook’s disclosure of personal information to third-party developers who create applications, such as games, quizzes and classified ads, that run on the Facebook platform. There are more than 950,000 application developers in some 180 countries.

When users add an application, they consent to giving the application’s developer access to some of their personal information, as well as that of their “friends.”  Moreover, the only way that users can refuse to share personal information when their friends add applications is by opting completely out of all applications, or blocking specific applications.

Based on our investigation, we recommended that Facebook implement technological measures to restrict application developers’ access only to the user information essential to run a specific application. We also called on Facebook to ensure that users are informed of the specific information that an application requires, and what the purpose is.

We further recommended that users signing up for an application be asked for express consent to provide their personal information to third-party developers. Measures are needed to prohibit all disclosure of the personal information of users who are not themselves adding an application.

Facebook has not agreed to the recommendations.
Well-founded and Resolved allegation of the complaint: Facebook advertising

The complainant alleged that Facebook was not making a reasonable effort to notify users clearly that their personal information is used for advertising purposes.

Our Office examined the two types of ads on Facebook that use personal information – “Facebook ads,” which are targeted to demographic profiles or key words in a user’s profile, and “social ads,” which are triggered by actions such as becoming a fan of a page or joining a particular group.

Social ads are inherently intrusive because they use peoples’ actions, thumbnail photos and names to promote products and services. The ads give the appearance that a user is endorsing a particular product. Users can, however, opt out of this type of ads.

On the other hand, users cannot opt out of Facebook ads. But, because only users can see the ads being targeted at them, we considered them to be less invasive.

We accepted that, as a free service to users, Facebook needs to generate revenue, and that most Facebook users reasonably expect to receive advertisements. However, in light of the prominent role of advertising on the site, we recommended that Facebook explain the role of advertising more fully in its Privacy Policy, and inform users that their profile information is used for targeted advertising purposes.

Facebook agreed in principle to describe advertising more clearly and to configure its systems to allow users to more easily find information about advertising.
Not Well-founded allegation of the complaint: Deception and misrepresentation

The complainant alleged that Facebook was misrepresenting itself by claiming to be purely a social networking site when, in fact, it was engaged in other activities, such as advertising and third-party applications, and did not clearly explain this involvement. The complainant also alleged that Facebook was misrepresenting users’ level of control over their personal information.

We found no evidence that Facebook was willfully misleading or deceiving users about the purposes for which it collects information, or that it is obtaining consent through deception.
The Road Ahead

The Privacy Commissioner has given Facebook 30 days to comply with any unresolved recommendations. During that time, our Office will continue to work with the company to address any outstanding concerns.

Under PIPEDA, the Privacy Commissioner can apply to the Federal Court of Canada to have her recommendations enforced.

11 Responses

Canadian Privacy Commissioner warns Facebook privacy gaps | Business 2.0 Press Says:

[…] the RSS feed for the best in daily Business, Tech & Web contentCanada’s Privacy Commissioner has concluded (see the complete findings report) they’ve found significant privacy “gaps” on what is now […]

Miguel Reimer Says:

I’m a bit confused. While the investigation was very thorough and informative, how can Canadian law be even remotely applicable to a company that is run out of the US? Facebook, as far as I know, has no presence(not even servers) in Canada. As a Canadian Facebook member, I do understand and appreciate why Facebook would want to cooperate with our Privacy Commission and agree with most or all of the findings, but I don’t understand how there can be any legal requirement for them to do so.

Colin McKay Says:

Hi Miguel.

Facebook collects the personal information of Canadians in the course of conducting business. They also sell advertising to Canadians, and for delivery to Canadian audiences. We found they’re subject to PIPEDA.

Steve Says:

Agree, however it appears that the goal of the Priv Comm is to focus on information that could be used for identity theft in this case. The reality is that DOB, maiden names (especially in Quebec) and many other personal items are really easily available, Facebook is simply one more place to get it. The focus should really be on getting a better means to confirm an identity other than relying on these DOB type info. Banking/Government community must do more in this area and the Priv Comm should be leading the charge. Start thinking outside the box !

Annie Says:

Thank you for the informative post.

Theoreti.ca » Blog Archive » Office of the Privacy Commissioner » Blog Archive » Report of Findings with respect to Facebook Says:

[…] Office of the Privacy Commissioner of Canada has issued a Report of Findings with respect to Facebook. The OPC investigated Facebook after a complaint by Canadian Internet Policy and Public Interest […]

Light Blue Touchpaper » Blog Archive » Facebook Tosses Graph Privacy into the Bin Says:

[…] to help users update their settings.  Ostensibly, Facebook’s changes are the result of pressure from the Canadian privacy commissioner, and in Facebook’s own words the changes are meant to be “new tools to control your […]

Facebook vs. Privacy « Blog of Schihei Says:

[…] to help users to update their profiles. The ugly true is that Facebook only made this change on pressure from the Canadian privacy commissioner. Or in the words of Facebook: “New tools to control your experience.” Nevertheless, the […]

Jules Says:

I was very happy to hear of the action by the commissioner… but now very glum to see that facebook is still merrily violating privacy willy nilly.

My latest concern is that while on my facebook ‘home’ page, I saw a suggestion in the right-hand sidebar that I add as a friend someone I knew.

The only problem? The only contact info I had for the person was in my gmail account, and there was NO other way that facebook could have known about this person… they do not and never have shared a school or workplace with me, they don’t know anyone else I know – at all – and they live far away.

Also, I have been very careful not to give facebook my personal e-mail password, despite their standing attempt to phish this out of everyone. (that’s my next issue).

I wonder if this happened because I once linked some youtube videos with my facebook account. Google (gmail) owns YouTube. HOWEVER – I don’t see where I gave facebook permission to poke around my gmail account. If they have my password there, then they can read my private mail as freely as I can!

OK, has anyone seen the page where if you go to your ‘friends’ page, front and centre it brightly and confidently suggests that you provide your private and personal mail account password? Is anybody else outraged by this blatant attempt at phishing/duping the unsuspecting into divulging this info that should NEVER be divulged – to ANYONE?

I just checked the aforementioned page, and I now see that it seems to no longer require my password for facebook to retrieve contacts from my gmail account – meaning it already has that information through other means. I can only assume it was because of that one time I accidentally linked youtube and facebook using my gmail login (due to a personal data-hungry prompt from youtube, and my being tired) info instead of my exclusively youtube info. I quickly cancelled the link – wanting to keep all my accounts separate for security and privacy reasons, but I guess it didn’t respect my decision and kept the login info anyhow.

Facebook even lays the groundwork to make it seem normal to give out private password info by having your email address as a way of logging into facebook. I wonder how many people, when logging into facebook, have accidentally entered their email address, then in the ‘password’ field below, inadvertently entered their actual e-mail account password, while facebook silently stores this information?

This is pretty outrageous and blatant stuff. What kind of action will the commissioner take on these fronts?

Jules Says:

addendum: if this could happen to me, a cyber-security conscious ‘net vet who has been deliberately attempting to avoid the trap of handing over a private e-mail password, then what chance do the majority of facebook users have? This is clearly a subtle and integrated phishing mentality that has become common among many major web 2.0 giants. Information IS power!

Leave a Reply

If you wish to leave a reply, you will be asked to provide your name and e-mail address. Your e-mail address is required for the purposes of limiting spam and contacting you should we have questions about your comment.

To learn more about why this information is collected and how it will be used, please read our Blog Comment Policy.