[IRP] facebook and privacy - canada

Bodle, Robert Robert_Bodle
Thu Jul 23 00:34:37 EEST 2009

This is interesting. Thanks for posting Lisa.

Amazing to read about privacy regimes with teeth - "If Facebook's changes are unsatisfactory, the [Canadian] Commission can take the issue to Federal Court to enforce the recommendations."

Also, striking about role of third parties, with Facebook having over 950,000 application developers collecting personal info for "secondary, unintended purposes." Putting this report together with a recent article on how facebook quizzes are used to entice disclosures, seems to constitute "serious privacy gaps" indeed. Go Canada!



New Facebook blog: We can hack into your profile

Facebook Platform Privacy Issues
Robert Bodle, PhD
Assistant Professor of Communication Studies
College of Mount St. Joseph
Cincinnati, Ohio 45233
(513) 244-4829 (office)
robert_bodle at mail.msj.edu

From: irp-bounces at lists.internetrightsandprinciples.org [irp-bounces at lists.internetrightsandprinciples.org] On Behalf Of Lisa Horner [lisa at global-partners.co.uk]
Sent: Wednesday, July 22, 2009 4:02 AM
To: irp
Subject: [IRP] facebook and privacy - canada

Thought this might be of interest to people looking at privacy and social networking ? extracted from the EPIC newsletter?


[4] Canadian Commissioner Holds that Facebook Must Strengthen Privacy =======================================================================

The Office of the Privacy Commissioner of Canada released a Report of "Findings into the Complaint Filed by the Canadian Internet Policy and Public Interest Clinic" against Facebook, Inc. The complaint was filed by the CIPPIC under the Personal Information Protection and Electronic Documents Act, and contained twenty-four allegations concerning a range of Facebook business practices.

The PIPEDA covers privacy protections by private data holders, including the actions of third parties to whom the data holders provide information. It requires data holders to obtain individual consent for any use of such data, and requires data holders, upon request, to provide details regarding the nature of information held, and a list of all third parties to whom the information has been provided.

The charges include allegations that Facebook fails to inform users:

how it uses the personal information it collects; the extent of disclosures of such information to the more than 950,000 third-party application developers; of new uses of the personal data collected; of monitoring for anomalous behavior; and, of persistent cookies in mobile Facebook. The complaint further alleges that Facebook fails to allow for deletion (as opposed to deactivation) of user accounts or obtain consent from non-users for upload and storage of personal information.

Privacy Commissioner Jennifer Stoddart stated that while Facebook has clearly made efforts to maintain user privacy, "we found serious privacy gaps in the way the site operates."

Facebook has agreed to many of the Commission's recommendations, and has also proposed what the Commission calls "reasonable alternatives"

to others. The company has not, however, addressed all of the recommendations, noting that under the current "statement of rights and responsibilities" it would have to consult users regarding changes to certain policies. The Commission, however, states in its report that "[w]hile we understand the importance Facebook places on user feedback, the legislative requirements and obligations imposed by the Act are not contingent on user approval."

The Commission will review Facebook's new policies in 30 days to assess that the company is in compliance with the ruling. If Facebook's changes are unsatisfactory, the Commission can take the issue to Federal Court to enforce the recommendations.

In June, the Article 29 Working Party warned about the dissemination and use of information available on Social Networking Sites for other secondary, unintended purposes. Earlier, in February, Facebook had announced that it was opening its site governance to user voting after the new Terms of Service were widely criticized, and were to be the subject of an EPIC complaint to the Federal Trade Commission. Facebook restored the old terms and sought user feedback on the new terms. About

75 percent of the users voted to adopt new terms re-drafted from user feedback. Under the updated terms, users have the right to "own and control their information." Facebook had also taken some steps to improve account deletion, to limit sublicenses, and reduce data exchanges with application developers. EPIC supported the adoption of the new terms.

Office of the Privacy Commissioner of Canada:


Report of Findings into the Complaint Filed by the CIPPIC against Facebook, Inc. under PIPEDA:


Personal Information Protection and Electronic Documents Act (PIPEDA):


Article 29 Working Party Opinion of Social Networking Sites:


Facebook Privacy Policy:


Facebook Statement of Rights and Responsibilities:


EPIC - Facebook Privacy:


EPIC - Social Networking Privacy:


Lisa Horner
Head of Research & Policy  Global Partners and Associates
338 City Road, London, EC1V 2PY, UK
Office: + 44 207 239 8251     Mobile: +44 7867 795859
lisa at global-partners.co.uk<mailto:lisa at global-partners.co.uk>  www.global-partners.co.uk<http://www.global-partners.co.uk/>

More information about the IRP mailing list