Facebook Addresses Canada's Privacy Commissioner Concerns

Several weeks ago the Office of the Privacy Commissioner of Canada, issued a comprehensive report about Facebook’s privacy policies and asked the company to address several privacy concerns they laid out or face imminent legal action. In response, Facebook announced today a series of changes that intended to address the concerns offered by the Commissioner.

Among the changes Facebook will be making:

• Updating its Privacy Policy to better describe a number of practices, including the reasons for the collection of date of birth, account memorialization for deceased users, the distinction between account deactivation and deletion, and how its advertising programs work.

• Encouraging users to review their privacy settings to make sure the defaults and selections reflect the user’s preferences.

• Increasing the understanding and control a user has over the information accessed by third-party applications. Specifically, Facebook will introduce a new permissions model that will require applications to specify the categories of information they wish to access and obtain express consent from the user before any data is shared. In addition, the user will also have to specifically approve any access to their friends’ information, which would still be subject to the friend’s privacy and application settings.

In my opinion, the most important change is related to applications. As I have previously discussed, the challenge of policing the activities of tens of thousands of independent developers around the world is a daunting but necessary task. The current process on Facebook allows users to opt-in to giving applications permission, but allows apps to require users to provide access to all of their own data and all their friends data. Many users have no clue that by doing quizzes, they are providing a developer with access to all the information in their profile and access to their friends profiles and their information.

The new process will require applications to spell out the data they want from users with more detail and to more specifically approve access to categories of an individual’s data or their friends’ data.

For the first time, when users authorize an application, they will have the opportunity to opt out of giving certain pieces of information. Fields that are necessary for the application to function will still be mandatory. Facebook also said that it anticipated that users will need to opt-in to giving applications access to their friends’ data.

These changes are absolutely a very positive step,and do lead the way for other platforms that support applications to step up to provide more transparency and control.

Unfortunately, I don’t see how Facebook can take on the job of policing hundreds of thousands of applications, without creating huge bottlenecks or hiring hundreds of reviewers. Who will decide what data is necessary for an application to function? Will users pay attention and exclude the sharing of data which isn’t required or will they just click through? Clearly, there is a desperate need for third parties such as seal companies or application rating sites to fill the void here so that users can look to trusted experts for help before deciding to share the details of their lives with unknown and unverified developers. Of course, this issue isn’t unique to Facebook as the focus tomorrow will be on the other social network platforms. And, it’s only a matter of time before open mobile platforms feel the heat as well.

The other important note here is that, once again, the international privacy regulators are driving the global privacy agenda and setting standards for US companies. In response to recent pressure from European authorities, search engines have all reduced the time they keep search queries. Although international regulators have for many years published opinions or made public declarations about their views that companies weren’t meeting local standards, they have begun to play a significantly more aggressive role in demanding actual changes from companies active in their jurisdictions. A review of the agenda of the November international conference of data commissioners makes it clear that social networking, kids privacy, behavioral advertising will continue to be lead topics of discussion. Although the FTC cooperates with many of the international regulators and has observer status at some of the conferences, I re-iterate the call for the Obama administration to appoint a Chief Privacy Officer who can ensure that the US is more visible and relevant on this increasingly global playing field.

Dan Solove

Above the Law has an entertaining interview with FPF advisory board member Prof Dan Solove on the “skanks” case, as well as some background on his career.  Check it out here.

New York Times on Government Use of Cookies:

Kudos to the New York Times for addressing the government’s use of cookies in an editorial in this morning’s paper . As the piece indicates, currently there is no ban in place which prevents a federal agency from using tracking devices, such as cookies. Unfortunately, it is an all or nothing policy, which allows agencies in the government to use cookies with the approval of their agency head or a specific designee. If approval is granted by an agency head, the current use of cookies is allowed without any substantial privacy protections or use limitations. A new policy is needed that would both enable government web managers to ensure federal web sites are optimized for the public and to make the government policy more privacy protective. By addressing issues that the Future of Privacy Forum and other advocates have proposed, such as limiting the retention of Internet Protocol addresses and setting policies that would increase transparency and user control, we can have our cake (or our cookies in this case) and eat it too.

Massachusetts Tweaks Its Data Security Regs

The Commonwealth of Massachusetts, home of the infamous 2007 TJX data security breach, is the first state to require detailed regulation over how personal data is secured. As an incubator of a new kind of law, it has found that getting the regs right is no easy task. The regs have been revised once already, and the deadline for compliance has been extended once before.

Our friend from her FTC days, Barbara Anthony, now Massachusetts Undersecretary of the Office of Consumer Affairs and Business Regulation, took up her post this year, and heard various concerns expressed by many small businesses and others about the effect of even the revised regs. So, yesterday she announced that a second revision to the Massachusetts data security regulations will occur, and that the original compliance deadline of January 1, 2010 will be extended again, this time to March 1, 2010. The regulations now will have a “risk-based approach”, which is intended to make it easier for small businesses that may not handle a lot of personal information about customers. Several specific provisions required to be included in a business’s Written Information Security Program have been removed from the regulation and are intended as guidance only. The scope of the regulations was revised to cover “persons who own or license personal information,” removing previous regulatory language related to those that “store or maintain personal information”. (Thus, if a business simply uses swipe technology for credit cards only, and does not have actual custody or control over the personal information, then a business does not own or license personal information with respect to that data. Still, Payment Card Industry (PCI) standards would have to be observed.) The encryption definition was amended to be technology neutral and, in addition, technical feasibility will apply to all computer security requirements.

As to portable devices, only those that contain personal information of customers or employees need to be protected and only where “technically feasible”. And as to back-up tapes, there is a requirement to encrypt backup tapes on a prospective basis, but with respect to the transport of a backup tape from storage, only if it is technically feasible to encrypt must one do so prior to the transfer. If it is not technically feasible and there is sensitive personal information on the tapes, the regs suggest that using an armored car service (rather than an ordinary courier) would be in order.

Getting granular is hard, as the regulators in Mass. have found, but kudos to them for trying. Interested parties will have another opportunity to weigh in on this round of revisions at a public hearing in Boston on September 22d and written comments will be accepted until September 25th. For more details, click here.

31st International Conference of Data Protection & Privacy Commissioners – November 4-6, 2009

Jules is scheduled to participate in the 31st Annual International Conference of Data Protection and Privacy Commissioners in Madrid, Spain at the Palacio de Congresos (Congress Palace).

Click here for more information regarding this event.

Web Analysis, Behavioral Targeting and Advertising: Individual Visitors Tracking v/s Aggregate Data

http://webanalysis.blogspot.com/2009/08/individual-visitors-tracking-vs.html

In our comments on the federal government’s request for input on the use of cookies, we made the point that for the purpose of Web site analytics use of data in the aggregate was quite sufficient. This discussion and debate between analytics industry experts from Google and Comscore provides some insight on the issues around analytics, individual data, personalization and related privacy issues.

See how you are being seen

Steve Smith’s description of the DailyMe service puts it perfectly.

“Transparency alone is not the right answer to the quandary over privacy and targeting. The users must not only feel in control but be able to see a real benefit from the technology”.

Association of Corporate Counsel 2009 Annual Meeting – October 18-21, 2009

Jules will be participating in the Association of Corporate Counsel 2009 Annual Meeting.

October 18-21, 2009

Hynes Convention Center

900 Boylston Street

Boston, MA 02215

Click here for more information regarding this event.

TARGUSinfo "Online Lead Quality Summit"

Chris is scheduled to participate on a panel at the TARGUSinfo “Online Lead Quality Summit” entitled, “2010 Privacy Debate: Who and What Will Drive Resolution?”

September 24, 2009

2:25pm- 3:15pm

Panelists:

Alan Chapell, President, Chapell & Associates

Chris Pirrone, General Counsel, Connexus

Matt Wise, CEO, Q Interactive

Mike Zaneis, VP of Public Policy, IAB

California Healthcare Institute Meeting

Chris will deliver a luncheon address to the California Healthcare Institute on “Behavioral Adversiting, Disclosure, and the Life Sciences Sector” on September 22, 2009 from noon to 1:30pm in Newport, California.