Facebook Canadian Privacy News
Some thoughts on the Report of Findings by the Assistant Privacy Commissioner of Canada into the complaint filed by CIPPIC against Facebook.
Overall this is a very well informed and thoughtful decision. The majority of the issues raised by CIPPIC (Canadian Internet Policy and Public Interest Clinic) are either denied or found to have been successfully addressed by many of the privacy enhancements introduced by Facebook over the past year. The most significant unresolved issue as identified by the Commissioner is probably around the many thousands of third-party applications that have become so popular with Facebook users. Although Facebook has contractual policies restricting the access and retention of user data by the “apps”, and has enforced these rules by kicking various apps off of Facebook, the Commissioner still has concerns about whether Facebook should be able to implement some sort of technical monitoring of these programs. Although Facebook has launched a “Verified Apps” program, where apps can sign up for more intensive review of their practices and receive a label informing users, this program is voluntary. We agree that this is an area where users are right to have concerns about the identities and practices of third-party app developers, many of whom are individual developers or start-ups operating anywhere in the world. But we also think that a mandatory approval and review program for apps controlled by Facebook would draw criticism in the policy debate over the openness of the platform and would create a huge bottleneck for the developers of the apps. The role of “policing” these apps may be better suited for third parties or seal organizations, which can independently set trust guidelines and devote time and resources to the auditing and technical monitoring of apps.
Two other issues flagged by our northern neighbors are also intriguing. The Commissioner would like Facebook to spell out in its privacy policy what it does with user accounts after users die. Although companies in the US often do have policies around how to handle user accounts after death, the controlling practices are usually trust and estate laws, and they are dependent on the ability of a next of kin to establish ownership of the account. Rarely, if ever, is information about this spelled out in a privacy policy, and we wonder whether the Commissioner would require this of all blogs, Web sites, email providers or the like. Although we think transparency is key to ensuring users' trust in the companies they deal with, we aren’t sure that most users want to discuss death when they sign up for a social network. What do our readers think? Do you want your Facebook profile or your blog to stay up after you die? Do you want to decide this when you create an account? Should estate planners start advising clients to leave online account passwords and orders with their executors?
Also relevant to all sites that allow users to post content is the request that Facebook implement methods to ensure that users who post images or provide emails of non-Facebook users can show that they have the consent of those non-users. Although the Commissioner recognizes that personal use by individuals is ordinarily exempted from PIPEDA (Personal Information Protection and Electronic Documents Act), the fact that Facebook makes additional use of this information is held to be the basis to cover it under PIPEDA. In addition to the free speech concerns of users that might be raised under US law, applying this principle to user Web sites in general seems practically impossible. On the other hand, Facebook more strictly limiting retention of certain non-user data supplied by users, for example email addresses used to invite friends, seems practical, required by PIPEDA and likely to be a very good idea and an effective way to deal with this concern.
The Commissioner also makes a strong case that the option to completely delete a user’s profile needs to be easier to use. We firmly agree. At a time when users are first becoming aware of the many ways the data they post can later be used against them or out of context, the safety valve that can help ensure users have more control over their data trail is a firm ability to easily delete their profile information. And de-activated profiles, which are maintained for the long term, are quite likely forgotten by their owners and should also be deleted on a published schedule.
Here is the response from Facebook: “Facebook will soon be introducing a number of new additional privacy features to its service that we believe will keep the site at the forefront of user privacy and address any remaining concerns the Commission may have. In the meantime, we will also continue our efforts to work with the Canadian Federal Privacy Commissioner to address the outstanding areas highlighted in the report and will continue our efforts to raise awareness of the privacy controls on Facebook.”
Kudos to Assistant Commissioner Liz Denham, author of the report, for producing one of the best pieces of work we have seen from a data protection agency anywhere. The document demonstrates an understanding of the Facebook platform and how users interact with it. In the many cases where complaints were raised but where Facebook was already in compliance or where practical changes were made, the report takes a pragmatic and user-focused view towards application of the law and recognizes those measures. We agree with leading Canadian privacy scholar Michael Geist, who commented as follows:
“The finding is one of the longest and most detailed in memory as it chronicles not only the complaint and findings but the negotiations with Facebook in addressing the concerns. In doing so, it represents the most exhaustive official investigation of Facebook privacy practices anywhere in the world.”