Slashdot Mirror
Facebook Violates Canadian Privacy Law
Myriad and a number of other readers passed along the news that the Canadian Privacy Commissioner has made a determination that Facebook violates Canadian privacy law in four different respects. Canada has the highest per-capita facebook participation in the world — about a third of the population — according to coverage in The Star. The EU is also expressing similar privacy concerns, though Canada's action "represents the most exhaustive official investigation of Facebook privacy practices anywhere in the world," says Michael Geist. The CBC's coverage spells out the areas of privacy concern, in particular that nearly a million developers of Facebook apps in 180 countries have full access to the entirety of users' private data. Also of concern: Facebook holds on to your data indefinitely after you quit the site. The BBC notes that Facebook is working with the privacy commission to resolve the issues, and quotes a Facebook spokesman thus: "Overall, we are looking for practical solutions that operate at scale and respect the fact that people come to share and not to hide." (Schneier recently blogged about research on "privacy salience," and cited Facebook's practices among others' as practical examples of how social networking sites have learned not to push the privacy issue in users' faces.)
Does anyone actually expect privacy from these networking sites anymore?
Besides, who puts something on Facebook that they _want_ to keep _private_?
I agree - if Facebook doesn't have a Canadian legal entity, nor Canadian hosting, the answer is "who cares"? I'm Canadian, BTW.
Just because there's users on FB from all around the world, it doesn't mean that FB has to abide by all countries' laws. If that were the case, the Internet would be a hobbled and useless mess.
MadCow.
I used to have a sig, but I set it free and it never came back.
Then how can they be subject to Canadian law? If they're found guilty of violating privacy laws, where's the enforcement mechanism? It's not like they're going to send Mounties to the U.S. or require ISPs to block Facebook.
This space left intentionally blank.
They still do business in Canada when they sell ads for Canadian companies/sell stuff to Canadians/etc, now they could lose that revenue, or they could work with officials to improve the privacy of their users, thus keeping that revenue while improving their site. Do facebook really want to lose 11m users worth of revenue (and probably more long term as the EU may follow suit) ?
IranAir Flight 655 never forget!
Any time you agree to take one of those quizes etc, Facebook pops up a GIANT box in your face basically saying that if you agree to take that quiz then you give all rights to your information and your first bord child to the developers of that application.
If the user is too stupid to read a giant disclaimer right in their face and decide it is not worth that risk to find out how much alike their taste in puppies is to Fergie, then I have no sympathy for them.
If you're serving, catering, and marketing to users in Canada, and even partnering with Canadian telecoms to get your software on their phones, then a physical presence might not be required.
The mere fact that I can walk around Montreal and see advertisements for Facebook indicates that at the very least they could be forced to stop advertising in Canada, and the telecoms could be forced to stop distributing/bundling the Facebook apps. Even if they don't have a legal presence in Canada, they certainly do have *a* presence, and that's enough to force changes. That gives the Canadian government leverage to force Facebook to make changes.
"Comply with our laws or we'll cut off all your marketing and partnerships in Canada."
Just because there's users on FB from all around the world, it doesn't mean that FB has to abide by all countries' laws. If that were the case, the Internet would be a hobbled and useless mess.
MadCow.
Actually it doesn't matter where servers are located--what matters is how business is conducted in the country in question. Also, the Internet is hobbled and a mess, though it is still rather useful.
There is already historical precedent. Totalitarian governments, notably those of China and Cuba, thoroughly monitor Internet traffic and routinely block sites that conflict with their propaganda. The Pirate Bay was hosted in Sweden, but it is banned in China and several EU countries have had legal battles over allowing their citizens to visit the site. Then there are legal sites that restrict access--I cannot use Pandora from home (though at my office of my former employer I could, because the corporate proxy was in the US). People in my home country have been convicted on child pornography charges based upon underground sites hosted in another continent. By Quebec law, technically a company doing "significant business" in that province MUST provide French language pages--hosting outside the province does not prevent the "language police" from taking action if they wanted to.
Nobody, not even Facebook, can operate above the law with impunity using the excuse that their computers are not in the country. They conduct business here (notably, a number of apps ARE hosted physically in Canada, so it isn't just that end users are here--they are illegally sharing private information with Canadian facebook app hosts), they have to follow our rules.
Who cares? Well I care--whether I agree with specific laws I want to know that foreign operations are held to the same standards that we must meet ourselves. And, as is apparent in the news, the Canadian government cares a great deal too.
Facebook does business in Canada. SO while they cant 'shut down' the servers, they can stop Facebook from doing business in Canada.
The Kruger Dunning explains most post on
Is this, what your looking for?
IranAir Flight 655 never forget!
"allow a developer of an App to determine what information from a user's profile they actually need"
This sidesteps the issue under discussion. The issue is, some developers might be data mining, and some people don't desire all their data to be mined. Whether or not I am developing a legitimate app or not, I can claim to need personal data, right down to the size of a member's panties and bra. Or, maybe my app is just a front for a personnel screening service. While I claim to be developing the app, I'm mailing information to General Electric about every person who has applied for a position there. Or, more sinister, I live in Iran, and I'm mining accounts for details on protestors. As I find them, they are put on a list for the morality police to visit, and re-educate.
Developers don't need diddly squat. They can create their app, and put it up for use and/or sale. If it's any good, people will use/buy it. If it's no good, they can start over, or get out of the development business. They don't even need to know if I'm male or female, old or young, rich or poor.
"Windows is like the faint smell of piss in a subway: it's there, and there's nothing you can do about it." - Charlie Br
I don't dispute your arguments above, especially regarding Canadian-hosted/based Apps within Facebook.
However, FB cannot be held legally accountable to laws of a foreign country where they have no legal presence. Sure, that country can block the site if they think that it's hazardous to their citizens, but that's the only consequence I can even imagine being appropriate. It's a business risk at that point - losing a potential market of customers. It's not like their corporate officers could be extradited to face charges in Canada or anything like that.
MadCow.
I used to have a sig, but I set it free and it never came back.
Twitter, FaceBook, MySpace, blogs, text messaging, cell phones... They're all just ways of distributing a message. The problem isn't that distribution has become insanely quick, easy, and efficient. The problem is that nobody is thinking about the message anymore.
Actually, the problems being cited by the privacy officials are more the kind of thing the average user probably would not realise/anticipate.
If I ask a site to delete my personal data when they no longer have any reason to hold it, I might reasonably expect them to delete it — not stick some flag in a database, and then find when they have a security breach in five years' time that the data was still there. If an organisation is unwilling to follow this rule, the law should make them; the consequences of failing to do so with modern technology are demonstrated all too frequently, and often with horrendous, underserved consequences for those affected.
If I flag my personal data as private and restrict access to only a select group of friends, I might reasonably expect that data to be kept private and accessible only to those friends — not made accessible, in its entirety, to a million arbitrary developers of Facebook apps around the world, many from countries with far less privacy protection than the law in my country (and other countries where Facebook is hosted) provides. Again, if a site that specialises in collecting personal data and attracts that data on the basis that it can be held in confidence is unable to keep that confidence, the law should compel them to do so.
The way Facebook doesn't really delete data and the way they allow app developers open-ended access to it are the two big reasons I personally don't use their service, and I would be interested to know how many of my Facebook-using friends would agree if they knew the full implications of signing up for one game of Scrabulous or whatever it's called these days.
The world has changed in the Internet age, because now transgressions that might have been forgotten or overlooked after a while in the past are kept on-file forever and searchable for all to see. That in itself makes both education (particularly for the young/vulnerable), privacy awareness, and explicit legal protections for personal information much more important.
Personally, I believe personal data protection and privacy laws are far, far too weak in most jurisdictions today, lagging well behind modern technology and its less constructive applications. I would like to see statutory safeguards on all collection, use and distribution of personal data, and awesome, business-destroying penalties for those who are not careful enough to do so.
Our current path, towards a database state and wholesale aggregation of personal data by private entities, using software that is frequently insecure, with low-level staff unreliable at following even basic security procedures, in a world where leaks can turn a victim's life upside down and the damage may be expensive or impossible to fix, is not a healthy path to follow.
Basically, it's reasonable to expect some common sense from those old enough to know what they're doing, but it is not reasonable to expect people to make decisions based on information they probably don't know or understand, and in any case, no-one is perfect and I personally think society would be a better place with stronger privacy laws governing organisations that compile massive databases of personal data. As I often comment in these discussions, just because we can do something does not mean we should, and just because someone who is only human once made a mistake does not mean we have to catalogue it and make it searchable by anyone for the rest of their life.
If you disagree, post your argument. (-1, Overrated) isn't your personal censorship tool for views you don't like.
What you say would be true for people who make their facebook profile public, but what about those with private profiles that are visible only to their friends, and are basically being leaked to third parties?
How would you feel if your cell phone company were selling transcripts of your phone calls to advertisers and potential employers without your consent (ie. considering your use of their system as you granting your implicit consent)?