Facebook Violates Canadian Privacy Law
Myriad and a number of other readers passed along the news that the Canadian Privacy Commissioner has made a determination that Facebook violates Canadian privacy law in four different respects. Canada has the highest per-capita Facebook participation in the world — about a third of the population — according to coverage in The Star. The EU is also expressing similar privacy concerns, though Canada's action "represents the most exhaustive official investigation of Facebook privacy practices anywhere in the world," says Michael Geist. The CBC's coverage spells out the areas of privacy concern, in particular that nearly a million developers of Facebook apps in 180 countries have full access to the entirety of users' private data. Also of concern: Facebook holds on to your data indefinitely after you quit the site. The BBC notes that Facebook is working with the privacy commission to resolve the issues, and quotes a Facebook spokesman thus: "Overall, we are looking for practical solutions that operate at scale and respect the fact that people come to share and not to hide." (Schneier recently blogged about research on "privacy salience," and cited Facebook's practices among others' as practical examples of how social networking sites have learned not to push the privacy issue in users' faces.)
Does anyone actually expect privacy from these networking sites anymore?
Besides, who puts something on Facebook that they _want_ to keep _private_?
All Facebook needs to do is shut down all its servers in Canada and require Canadians to log into the U.S. site. Then it's no longer bound by Canadian law. Problem solved!
Also, this is one of the reasons why I refuse to use Facebook, despite the fact that my condo association was too lazy to develop a website and wants us all to log into their Facebook page.
This space left intentionally blank.
Everybody seems to expect that Facebook has all this information, the issue is with applications/quizzes. By setting up some stupid quiz, you can collect contact and network data on everyone who fills it out. This could be used for everything from marketing research to "investigation" of various social/political groups.
"Knowledge is the only instrument of production that is not subject to diminishing returns" -Journal of Political Econom
If the servers are not in Canada or in the CA TLD, why should anyone care? We don't accommodate Iran and China, Canada should be no different. If the Canadian government wishes they can try and block certain offending sites, but they will be no better at it than Iran and China.
If their servers aren't in Canada, why does this matter? Or perhaps maybe they do have some sort of CDN (Content Delivery, not Canadian) network here due to 1/3 our population being on the site.
DO NOT RUN ANY APPS!!! Sorry for shouting, but I have been saying this to people for years now (since the first time I read the terms for Facebook apps). I am not knocking FB as a tool in and of itself, in fact I am very grateful to them for letting my daughter find me after 16 years of separation (true story - she searched my name and sent me a message) but come on, they state clearly that if you want to plant a garden (or whatever) the developer gets to see all of your info. Just Don't Do It. Thanks for the rant-space.
Please don't dominate the rap, Jack, if you got nothin' new to say.
I was forced to sign up for Facebook in university at the point of alcoholic intoxication. I have since deactivated my Facebook account but I fear that they may be keeping hold of my fake name and address thus linking me to all of my other cybercrimes. With any luck, and since I am Canadian, this legal movement will have Facebook remove that information.
They can shut down Canada as long as the size of my Mafia does not suffer.
"You can't really dust for vomit" --Nigel Tufnel
Okay, the thing with holding onto your data after you have closed your account is a genuine point, but don't you see the "allow app xzy to access your profile data?" warning clear enough? If you willingly let someone pull your profile data then for sure there is no violation of a law. Well either that or Canada has some crazy laws in this regard.
It is annoying nevertheless that you can't select what portion of your profile data is visible to some app.
Any time you agree to take one of those quizzes etc, Facebook pops up a GIANT box in your face basically saying that if you agree to take that quiz then you give all rights to your information and your first born child to the developers of that application.
If the user is too stupid to read a giant disclaimer right in their face and decide it is not worth that risk to find out how much alike their taste in puppies is to Fergie, then I have no sympathy for them.
How robust is Canada's analog to the 4th amendment? Does it even have one?..
A lot of the privacy debate in the West is completely ass backwards to the point of being Orwellian. Britain is, right now, the best example of that for the entire West. They have data retention mandates that cover all communications, can force you to divulge encryption keys, no written constitution (and thus no lasting written constitutional limitations like the 4th amendment) and yet they fret about what a fucking supermarket or Facebook might do to your privacy.
It's a total farce. The only people who can enable the destruction of your life or directly cause it are the government. Even identity theft is an issue created by the law because the government won't make lenders and merchants responsible for ascertaining the identity of the buyer first. So really, when you scratch beneath the surface, on basically all privacy issues that affect your life, liberty and property, the government is at least an active conspirator if not the culprit. Sometimes that's through negligence like with identity theft, but others it's willful like watering down restrictions on the issuing of warrants and wiretaps.
Here is an idea facebook. Give the user an option to not give the app creators 100% access to the facebook users data. I reject all of those apps because all of them expect me to give up my data - all of my data. It is very invasive.
I'm assuming facebook gives this control to the app makers - but as we know - when you have an option and it is free then why not use it?
I do not support "The Man". I also do not support your irrational stupidity
Unlike many slashdoters i feel the need to keep in touch with my friends outweighs the need to live in a basement with a tinfoilhot keeping my data (that nobody wants as anyway) private, so i do have a facebook account *gasp*. I have always taken care to keep my data private though, this is so that while i can tell my friends that im a racist, in-bread(hence all the spelling mistakes), thieving, crack addict, hopefully prospective employers will never know about it. It's surprising that facebook is in trouble now, because i was surprised at how well i can keep my data private while still using 3rd party apps. Originally there was no privacy on FB, then you could protect yourself from facebook themselves, but if you installed one bad app all your data goes straight to the CIA, now this page, that i noticed the other day in my regular app clean-up (how could i not accept an invite to pacman), allows you pretty granular control over your data, ranging from all your data (which some apps may use) to "name, networks, and list of friends", which I'm pretty happy to hand out.
Privacy is not black/white, i was never happy giving a stupid flash game developer access to all my information for whatever evil purposes they have, but tbh ill trade my list of friends and name (which they can surely indirectly get from my friends list of friends) for a stupid flash game anyday! I assume the problem the canadians have is that even without installing any apps, if all my friends do they get access to my name, my list of friends, my wall posts, photos of me taken by others and photos of others including me. Perhaps that will be the next push in the facebook privacy API, stopping friends from giving your data away?
IranAir Flight 655 never forget!
Gee a company operating outside of Canada does not adhere to Canadian Law? Impossible!
Seriously though this is just the Privacy Commissioner's Office playing the political game. Target some company with "Gee Whiz" factor and make a stink. This is all to get PR and good vibes. See look, we do stuff, aren't you happy? Now back to work!
Granted Facebook does business in Canada, but it isn't like they are going to lose any business, nor can they be stopped from operating. If anything this warning may scare off a few Canadian customers, but in the large scheme of things really a drop in the bucket for Facebook.
Canada's constitution is in the same shape as the U.S.constitution: BURNED.
In other news (in case you've been spider-holed with Richard B. Cheney): Iran (aka Ahmadinejad) is crumbling.
Yours In Revolution,
Kilgore Trout, Marxist
Facebook (or any other social networking site for that matter) ought to have, in addition to their myriad of legal disclaimers and consent forms, some form of intelligence waiver requirement before allowing users to create accounts. Something akin to those signs you see at amusement parks -- "You must be this high to ride". Like "U must be dis smart to use Facebuk". Otherwise, go back to playing spider solitaire or bejeweled, etc.
To me adding an application is the same as adding a friend. A friend can be just as destructive with the information, and a lot of people will add anyone who asks to be a friend. At least the applications are bound by privacy rules. As for the not deleting all the data when you delete your account to me is something that needs to be cleaned up. If you say delete my account you should cease to exist to them, the clean up process should take care and be able to handle broken links.
I read "people come to share and not to hide" as "privacy isn't that important in social networking." If this is really expressing an attitude that I shouldn't really have an expectation of privacy on Facebook, that's stupid. I should be able to have such an expectation (which isn't to say that I do...).
You're forgetting about the Notwithstanding Clause, that allows the federal government or any provincial government to immunize a law from the Charter:
http://en.wikipedia.org/wiki/Notwithstanding_clause
And, yes, the Notwithstanding Clause has actually been used, most notably and more than once by the Quebec government, which chose to maintain its French language laws despite parts of them being declared unconstitutional:
http://en.wikipedia.org/wiki/Notwithstanding_clause#Use_of_the_clause
How robust is Canada's analog to the 4th amendment? Does it even have one?..
Part of the Charter of Rights and Freedoms which is as robust as it gets in Canadian constitutional law.
8. Everyone has the right to be secure against unreasonable search or seizure.
This space left intentionally blank.
We've already seen amusing stories about US/Canadian citizens by chance finding their faces plastered all over stores in Czechoslovakia; it's only a matter of time before someone gets seriously screwed over by lack of controls on privacy. Everyone on Slashdot knows how to properly use or not use Facebook but everyone on Slashdot is not most people on Facebook. I think the average Facebook user has no idea how much risk they could put themselves under.
Furthermore, if we are going to go forward with the cloud mentality I think the Canadian government is asking some important questions! How do we have a central cloud that acts as a repository of data but yet not sacrifice each and every individual's right to maintain absolute control over their own data? I am Canadian and for the record I tend to not like a lot of things about the running of the Canadian government but sorry folks I think they got this one right.
I set up my own email server in my house to avoid these issues and I will not be comfortable putting any of my personal life on remote servers until these things are hashed out.
Laws are rules for the court, but merely a bottom bar to hit for life. Think beyond laws in your actions always.
People are surprised when I have this conversation with them.
They think I'm nuts until I make it clear that the reason I don't make stupid little facebook apps is because I don't agree with their information sharing.
I use facebook (no, I have an account, I seldom use it), but I don't add apps.
Do what you want, but I think Facebook should make it perfectly clear what type of information is being given to app developers. A checklist confirming what type of information that particular developer gets access to. Something clear, and obvious. I suspect the number of apps, and type of apps, people would add would be substantially different.
Facebook, even under Canadian law, can share all the same data. They must however make it very clear what is actually being shared and with whom. (So that the user can go back to the companies involved and file with them to have the information removed).
To the extent that Facebook advertises and offers services directly to Canadians they should be held to the same legal requirements as anyone else. By the way, the Canadian privacy act is actually quite lenient, if people are properly informed of the information to be shared.
I suppose they could go use one of the other jacked up sites out there like myface or spacebook
"who puts something on Facebook that they _want_ to keep _private_?"
http://news.bbc.co.uk/1/hi/uk/8134807.stm
The (wife of the) boss of Britain's MI6 apparently.
but the UK ICO has only once taken serious action that I'm aware of and it's had the power to do so for 10 years or more.
Let's see, under UK law:
And Facebook has offices in London. So yes, they are subject to this law.
While many comments here are along the lines of... well then just don't use any apps. Or... just let the people who don't know any better, suffer the consequences of their ignorance. Etc. This is a faulty argument. If we always take the stance that no one should be protected from exploitation because of their ignorance then we will all end up in that boat.
Maybe you're so smart, you know better than to use Facebook at all or maybe just keep your personal info off it. But many people don't know this and Facebook actively encourages you to fill in and post as much info as possible.
Ok, you're too smart for Facebook. But are you overweight? Do you read the ingredients and nutrition info of everything you eat? Maybe we should allow restaurants and food companies to fill their products with trans-fats and all kinds of harmful but tasty chemical garbage, or exorbitant calories because well, if you're too stupid to read the ingredients or research the process to make the food- you deserve what you get.
Ok, maybe you are a conscientious eater and are careful of what you put in your body. You're too smart here. But do you use a cell phone? Maybe we should let cell phone makers create devices that emit tons of radiation and make all the cellphone users who are too stupid to research how much radiation their particular model of phone emits suffer the consequences of their stupidity.
Do you know the safety rating of your car?
Do you know the actual interest rates that payday lenders and/or your credit cards are charging you?
Etc, etc etc.
None of us are totally free of ignorance in every single area of our lives. User beware will bite all of us in the ass eventually. It needs to be a two way street. Buyers need to be aware and sellers need to be responsible for what they produce and how they treat their customers.
My only problem with Facebook is that why they can't allow a complete account removal. They just disable the accounts. With a simple log in, the account is re-enabled.
I joined Facebook on the insistence of my friends. However, I no longer feel it useful, there are too many cluttered apps (which I can't tolerate) and other stuff which make it simply unusable. I tried to delete my account, it doesn't work. I emailed Facebook support, they said you have to delete every post, every friend, every link you created manually. I have 250 friends. How am I supposed to manually delete all data?
This sucks. Why are they so insistent with disabling accounts and not allowing users to completely delete them? I feel this is a clear violation of my privacy. I don't like something, it should be deleted. At least users should have this much right.
Problem solved?
My position is to never provide information like my birthdate to any web site, with very few exceptions. If a web site asks for my birth date, I lie.
I know this doesn't really address your issue, but it's a point worth making for anyone who bothers to read this comment.
www.clarke.ca
Facebook is already letting ads use your face in them. See this blog post. I certainly don't qualify as hot or as single, thus I don't want my face showing up in these - especially without remuneration.
The short form of how to turn this off is to go to this page, and change the entry to "No one".
Compartmentalization.
This is a concept that is entirely obvious to anyone who has anything to do with information/intelligence security, of which privacy is or should be a particular case. Since the web is known to be, um, problematic in matters of privacy, one would think it should be obvious to whoever runs third-party software to give it only the information it needs. For example, for a poll, exactly NO personal information is needed.
Quick, relevant point: Since when does Canada have jurisdiction over the internet?
Does Canadian law actually apply to Facebook? If not, then Facebook doesn't violate Canadian privacy law, it's just not congruent with it.
Secondarily, even if Facebook did violate Canadian privacy law, users of the site waive that right to privacy by signing up with the user agreement. [What's that random troll? You didn't actually read the user agreement? No one cares. Facebook isn't responsible for you not reading something that you agreed to, and it would be preposterous of Facebook to assume that when you said you read and agree to terms and conditions that you didn't read and agree to terms and conditions.]
Twitter, FaceBook, MySpace, blogs, text messaging, cell phones... They're all just ways of distributing a message. The problem isn't that distribution has become insanely quick, easy, and efficient. The problem is that nobody is thinking about the message anymore.
Actually, the problems being cited by the privacy officials are more the kind of thing the average user probably would not realise/anticipate.
If I ask a site to delete my personal data when they no longer have any reason to hold it, I might reasonably expect them to delete it — not stick some flag in a database, and then find when they have a security breach in five years' time that the data was still there. If an organisation is unwilling to follow this rule, the law should make them; the consequences of failing to do so with modern technology are demonstrated all too frequently, and often with horrendous, undeserved consequences for those affected.
If I flag my personal data as private and restrict access to only a select group of friends, I might reasonably expect that data to be kept private and accessible only to those friends — not made accessible, in its entirety, to a million arbitrary developers of Facebook apps around the world, many from countries with far less privacy protection than the law in my country (and other countries where Facebook is hosted) provides. Again, if a site that specialises in collecting personal data and attracts that data on the basis that it can be held in confidence is unable to keep that confidence, the law should compel them to do so.
The way Facebook doesn't really delete data and the way they allow app developers open-ended access to it are the two big reasons I personally don't use their service, and I would be interested to know how many of my Facebook-using friends would agree if they knew the full implications of signing up for one game of Scrabulous or whatever it's called these days.
The world has changed in the Internet age, because now transgressions that might have been forgotten or overlooked after a while in the past are kept on-file forever and searchable for all to see. That in itself makes both education (particularly for the young/vulnerable), privacy awareness, and explicit legal protections for personal information much more important.
Personally, I believe personal data protection and privacy laws are far, far too weak in most jurisdictions today, lagging well behind modern technology and its less constructive applications. I would like to see statutory safeguards on all collection, use and distribution of personal data, and awesome, business-destroying penalties for those who are not careful enough to do so.
Our current path, towards a database state and wholesale aggregation of personal data by private entities, using software that is frequently insecure, with low-level staff unreliable at following even basic security procedures, in a world where leaks can turn a victim's life upside down and the damage may be expensive or impossible to fix, is not a healthy path to follow.
Basically, it's reasonable to expect some common sense from those old enough to know what they're doing, but it is not reasonable to expect people to make decisions based on information they probably don't know or understand, and in any case, no-one is perfect and I personally think society would be a better place with stronger privacy laws governing organisations that compile massive databases of personal data. As I often comment in these discussions, just because we can do something does not mean we should, and just because someone who is only human once made a mistake does not mean we have to catalogue it and make it searchable by anyone for the rest of their life.
If you disagree, post your argument. (-1, Overrated) isn't your personal censorship tool for views you don't like.
What you say would be true for people who make their facebook profile public, but what about those with private profiles that are visible only to their friends, and are basically being leaked to third parties?
How would you feel if your cell phone company were selling transcripts of your phone calls to advertisers and potential employers without your consent (ie. considering your use of their system as you granting your implicit consent)?
Yes, but similarly somebody could post up a picture of you on any number of other websites. While the tagging system might not be the same, most crawlers would probably pick it up well enough from a hyperlink with your name in it, or whatnot.
Now technically I believe that you can request the site to take down those images as needed, but could not the same process be used for facebook? But yeah, I avoid doing dumb things on camera more or less as a general rule...
Yes, because most people care about their privacy, especially users of social networking sites! News channels around the world would interrupt celebrity trivia to highlight the privacy threat to a shocked and angry world population. The fallout would be much worse than the loss of 10 bajillion hits a day worth of ad revenue from Canada, the most politically influential country on the planet.
"When information is power, privacy is freedom" - Jah-Wren Ryel
if Facebook doesn't have a Canadian legal entity, nor Canadian hosting, the answer is "who cares"? .... Just because there's users on FB from all around the world, it doesn't mean that FB has to abide by all countries' laws. If that were the case, the Internet would be a hobbled and useless mess.
You may be right about most things internet-wise. However, Facebook is an interesting case; fully one-third of the canadian population subscribes to FB (so a much more sizeable proportion of internet users), and thus the privacy commissioner is well within their mandate to ring alarms by whatever means necessary. The implications are enormous. .com.
The nature of Facebook's control over the personal information of our citizens means that if we don't have a clear legal means to manage privacy issues of our nation, the gov rightly feels a need to seek such means. I'm in favour of education over regulation, but something has to be done. I've been ranting about FB's ToS for years, but few seem to care. We have warnings on cigarette packages, for instance. That's a good idea.
If one third of Canada is engaged in a transaction from their own homes, saying that that is not business conducted in Canada rings a bit false, don't you think? It isn't a technical stretch to divide such major sites into country regions. Google, for instance, easily resolves my visits to google.ca based on IP, whereas facebook.ca redirects to the
As usual, the internet throws all former definitions of communication into doubt.
Damn those pesky terrorists
..but why should I have to 'opt out'? Should I not be able to assume that I can maintain complete ownership of any file that is mine; even if uploaded to Facebook? I'm not sure how these pages are found but the facebook gui seems a complete disorganized mess to me. I'm not sure how anyone is supposed to find every isolated page that turns off some sort of aspect of sharing. Where is the button that says 'share nothing', and then the link to the page with all different aspects of sharing that I can go through one by one? Where is the 'delete all content permanently' button? Where is the 'Facebook is not allowed to use any aspect of my profile, ever' button?
It just seems like a catastrophe waiting to happen. They almost seem to be preying on people's lack of interest in searching for options and making it as difficult as possible to find them. It reminds me of CD clubs that will send you 'this month's sample' automatically hoping that you will find it too much effort to return and just pay for it.
Laws are rules for the court, but merely a bottom bar to hit for life. Think beyond laws in your actions always.
Iceland has an astounding 46.89% of its population on Facebook (since you have to be over 13 to join FB, that means over 50% of adults in Iceland are on Facebook). Norway and Denmark also beat out Canada on a per-capita, with 40.25% and 38.28%. Canada is #4 with 34.37%.
And for those that care, the USA stands at #14 with 19.55%.
Data taken from http://www.nickburcher.com/2009/04/facebook-usage-statistics-by-population.html
The biggest problem I see with Facebook is the stupid, silly apps that get *full* access to your data. I create a dancing Christmas tree that everybody sends to their friends, or similar banality, and I can scam tons of personal data, that I really don't need to show that dancing Christmas tree.
The Canadian report recommends that these third party apps only request the data they need to perform their function, that the app lets the user know what data it is using, and gets the user's approval. If that Dancing Christmas tree is asking for my phone number, I don't think that's appropriate, and I should be able to reject it, and the app wouldn't be popular.
I believe Facebook used to have a better granularity in asking what perms an app could have (although most apps asked for everything anyway). If app creators would only ask for what is relevant to their app, and users were aware of it (and refused to give away details unnecessarily), things would be much cleaner.
I do fault facebook for removing (or hiding?) this granularity, and simply making a "grant permission" button instead of showing all that a given vendor was getting access to.
Creating a mindless but popular app is really the easiest way to get a ton of demographic data for nothing. It's shameful that Facebook allowed this, perhaps even encouraged it; now they're being called on it.
Proud to be Canadian. :)
Love many, trust a few, do harm to none.
Slashdot says, "Also of concern: Facebook holds on to your data indefinitely after you quit the site." but Facebook told me otherwise. After seeing this video http://www.youtube.com/watch?v=ZMWz3G_gPhU I figured I ought to delete my Facebook account. Sent an email to Facebook, asking about them keeping information related to my account on their data storage media (whether hard disks or otherwise) after a permanent deletion - not a deactivation. First response from Will at "user operations" was a stock copy-paste selection from their (not very helpful) help pages about the difference between deletion and deactivation. Sent a clarifying response back to him. I got this: "The contract surrounding the Facebook Platform currently forbids storing data the way you suggest. The security of user data is not the charge of the user, but the responsibility of Facebook. Please remember that we are always looking to improve our platform, and we may revisit this in the near future. Keep your eye on the Developers Homepage Latest News section (http://developers.facebook.com/) for new information. Please let me know if you have any questions about this."
Does anyone know why Canada feels it has jurisdiction over Facebook?
Or is this another case of this?