Slashdot Mirror
Facebook Violates Canadian Privacy Law
Myriad and a number of other readers passed along the news that the Canadian Privacy Commissioner has made a determination that Facebook violates Canadian privacy law in four different respects. Canada has the highest per-capita facebook participation in the world — about a third of the population — according to coverage in The Star. The EU is also expressing similar privacy concerns, though Canada's action "represents the most exhaustive official investigation of Facebook privacy practices anywhere in the world," says Michael Geist. The CBC's coverage spells out the areas of privacy concern, in particular that nearly a million developers of Facebook apps in 180 countries have full access to the entirety of users' private data. Also of concern: Facebook holds on to your data indefinitely after you quit the site. The BBC notes that Facebook is working with the privacy commission to resolve the issues, and quotes a Facebook spokesman thus: "Overall, we are looking for practical solutions that operate at scale and respect the fact that people come to share and not to hide." (Schneier recently blogged about research on "privacy salience," and cited Facebook's practices among others' as practical examples of how social networking sites have learned not to push the privacy issue in users' faces.)
Does anyone actually expect privacy from these networking sites anymore?
Besides, who puts something on Facebook that they _want_ to keep _private_?
Everybody seems to expect that Facebook has all this information, the issue is with applications/quizzes. By setting up some stupid quiz, you can collect contact and network data on everyone who fills it out. This could be used for everything from marketing research to "investigation" of various social/political groups.
"Knowledge is the only instrument of production that is not subject to diminishing returns" -Journal of Political Econom
I agree - if Facebook doesn't have a Canadian legal entity, nor Canadian hosting, the answer is "who cares"? I'm Canadian, BTW.
Just because there's users on FB from all around the world, it doesn't mean that FB has to abide by all countries' laws. If that were the case, the Internet would be a hobbled and useless mess.
MadCow.
I used to have a sig, but I set it free and it never came back.
Then how can they be subject to Canadian law? If they're found guilty of violating privacy laws, where's the enforcement mechanism? It's not like they're going to send Mounties to the U.S. or require ISPs to block Facebook.
This space left intentionally blank.
DO NOT RUN ANY APPS!!! Sorry for shouting, but I have been saying this to people for years now (since the first time i read the terms for FaceBook apps). I am not knocking FB as a tool in and of itself, in fact I am very grateful to them for letting my daughter find me after 16 years of seperation (true story - she searched my name and sent me a message) but come on, they state clearly that if you want to plant a garden (or whatever) the developer gets to see all of your info. just Don't Do It. thanks for the rant-space.
Please don't dominate the rap, Jack, if you got nothin' new to say.
They can shut down Canada as long as the size of my Mafia does not suffer.
"You can't really dust for vomit" --Nigel Tufnel
They still do business in Canada when they sell ads for Canadian companies/sell stuff to Canadians/etc, now they could lose that revenue, or they could work with officials to improve the privacy of their users, thus keeping that revenue while improving their site. Do facebook really want to lose 11m users worth of revenue (and probably more long term as the EU may follow suit) ?
IranAir Flight 655 never forget!
Any time you agree to take one of those quizes etc, Facebook pops up a GIANT box in your face basically saying that if you agree to take that quiz then you give all rights to your information and your first bord child to the developers of that application.
If the user is too stupid to read a giant disclaimer right in their face and decide it is not worth that risk to find out how much alike their taste in puppies is to Fergie, then I have no sympathy for them.
How robust is Canada's analog to the 4th amendment? Does it even have one?..
A lot of the privacy debate in the West is completely ass backwards to the point of being Orwellian. Britain is, right now, the best example of that for the entire West. They have data retention mandates that cover all communications, can force you to divulge encryption keys, no written constitution (and thus no lasting written constitutional limitations like the 4th amendment) and yet they fret about what a fucking supermarket or Facebook might do to your privacy.
It's a total farce. The only people who can enable the destruction of your life or directly cause it are the government. Even identity theft is an issue created by the law because the government won't make lenders and merchants responsible for ascertaining the identity of the buyer first. So really, when you scratch beneath the surface, on basically all privacy issues that affect your life, liberty and property, the government is at least an active conspirator if not the culprit. Sometimes that's through negligence like with identity theft, but others it's willful like watering down restrictions on the issuing of warrants and wiretaps.
If you're serving, catering, and marketing to users in Canada, and even partnering with Canadian telecoms to get your software on their phones, then a physical presence might not be required.
The mere fact that I can walk around Montreal and see advertisements for Facebook indicates that at the very least they could be forced to stop advertising in Canada, and the telecoms could be forced to stop distributing/bundling the Facebook apps. Even if they don't have a legal presence in Canada, they certainly do have *a* presence, and that's enough to force changes. That gives the Canadian government leverage to force Facebook to make changes.
"Comply with our laws or we'll cut off all your marketing and partnerships in Canada."
Just because there's users on FB from all around the world, it doesn't mean that FB has to abide by all countries' laws. If that were the case, the Internet would be a hobbled and useless mess.
MadCow.
Actually it doesn't matter where servers are located--what matters is how business is conducted in the country in question. Also, the Internet is hobbled and a mess, though it is still rather useful.
There is already historical precedent. Totalitarian governments, notably those of China and Cuba, thoroughly monitor Internet traffic and routinely block sites that conflict with their propaganda. The Pirate Bay was hosted in Sweden, but it is banned in China and several EU countries have had legal battles over allowing their citizens to visit the site. Then there are legal sites that restrict access--I cannot use Pandora from home (though at my office of my former employer I could, because the corporate proxy was in the US). People in my home country have been convicted on child pornography charges based upon underground sites hosted in another continent. By Quebec law, technically a company doing "significant business" in that province MUST provide French language pages--hosting outside the province does not prevent the "language police" from taking action if they wanted to.
Nobody, not even Facebook, can operate above the law with impunity using the excuse that their computers are not in the country. They conduct business here (notably, a number of apps ARE hosted physically in Canada, so it isn't just that end users are here--they are illegally sharing private information with Canadian facebook app hosts), they have to follow our rules.
Who cares? Well I care--whether I agree with specific laws I want to know that foreign operations are held to the same standards that we must meet ourselves. And, as is apparent in the news, the Canadian government cares a great deal too.
Here is an idea facebook. Give the user an option to not give the app creators 100% access to the facebook users data. I reject all of those apps because all of them expect me to give up my data - all of my data. It is very invasive.
I'm assuming facebook gives this control to the app makers - but as we know - when you have an option and it is free then why not use it?
I do not support "The Man". I also do not support your irrational stupidity
Facebook does business in Canada. SO while they cant 'shut down' the servers, they can stop Facebook from doing business in Canada.
The Kruger Dunning explains most post on
Unlike many slashdoters i feel the need to keep in touch with my friends outweighs the need to live in a basement with a tinfoilhot keeping my data (that nobody wants as anyway) private, so i do have a facebook account *gasp*. I have always taken care to keep my data private though, this is so that while i can tell my friends that im a racist, in-bread(hence all the spelling mistakes), thieving, crack addict, hopefully prospective employers will never know about it. It's surprising that facebook is in trouble now, because i was surprised at how well i can keep my data private while still using 3rd party apps. Originally there was no privacy on FB, then you could protect yourself from facebook themselves, but if you installed one bad app all your data goes straight to the CIA, now this page, that i noticed the other day in my regular app clean-up (how could i not accept an invite to pacman), allows you pretty granular control over your data, ranging from all your data (which some apps may use) to "name, networks, and list of friends", which I'm pretty happy to hand out.
Privacy is not black/white, i was never happy giving a stupid flash game developer access to all my information for whatever evil purposes they have, but tbh ill trade my list of friends and name (which they can surely indirectly get from my friends list of friends) for a stupid flash game anyday! I assume the problem the canadians have is that even without installing any apps, if all my friends do they get access to my name, my list of friends, my wall posts, photos of me taken by others and photos of others including me. Perhaps that will be the next push in the facebook privacy API, stopping friends from giving your data away?
IranAir Flight 655 never forget!
It's not like they're going to send Mounties to the U.S. or require ISPs to block Facebook.
YES facebook IS VERY MUCH bound by Canadian law and it IS enforceable to a large degree. And yes, Facebook CAN be taken to court if they do not make efforts to meet the commissioner's recommendations.
If Pandora can be ordered to refuse entry to non Americans via geolocation, etc. to adhere to DMCA and license agreements in the US, you can ABSOLUTELY expect that Facebook can be ordered to shut off access in Canada (note that this does NOT involve ISPs--it is a function of the web site itself). Proxies, etc. make enforcement imperfect, but by law in both cases the website MUST take "reasonable efforts" to abide by local laws.
Only if websites refuse to cooperate would the issue be escalated to more draconian means (the Canadian gov't CAN file lawsuits in an American juristiction or an international venue you know--and CRTC can mandate ISPs follow certain rules too)
whether this is a problem or such action is right or wrong, it CAN be done.
While many comments here are along the lines of... well then just don't use any apps. Or... just let the people who don't know any better, suffer the consequences of their ignorance. Etc. This is a faulty argument. If we always take the stance that no one should be protected from exploitation because of their ignorance then we will all end up in that boat.
Maybe you're so smart, you know better than to use Facebook at all or maybe just keep your personal info off it. But many people don't know this and Facebook actively encourages you to fill in and post as much info as possible.
Ok, you're too smart for Facebook. But are you overweight? Do you read the ingredients and nutrition info of everything you eat? Maybe we should allow restaurants and food companies to fill their products with trans-fats and all kinds of harmful but tasty chemical garbage, or exorbitant calories because well, if you're too stupid to read the ingredients or research the process to make the food- you deserve what you get.
Ok, maybe you are a conscientious eater and are careful of what you put in your body. You're too smart here. But do you use a cell phone? Maybe we should let cell phone makers create devices that emit tons of radiation and make all the cellphone users who are too stupid to research how much radiation their particular model of phone emits suffer the consequences of their stupidity.
Do you know the safety rating of your car?
Do you know the actual interest rates that payday lenders and/or your credit cards are charging you?
Etc, etc etc.
None of us are totally free of ignorance in every single area of our lives. User beware will bite all of us in the ass eventually. It needs to be a two way street. Buyers need to be aware and sellers need to be responsible for what they produce and how they treat their customers.
I don't dispute your arguments above, especially regarding Canadian-hosted/based Apps within Facebook.
However, FB cannot be held legally accountable to laws of a foreign country where they have no legal presence. Sure, that country can block the site if they think that it's hazardous to their citizens, but that's the only consequence I can even imagine being appropriate. It's a business risk at that point - losing a potential market of customers. It's not like their corporate officers could be extradited to face charges in Canada or anything like that.
MadCow.
I used to have a sig, but I set it free and it never came back.
Problem solved?
Twitter, FaceBook, MySpace, blogs, text messaging, cell phones... They're all just ways of distributing a message. The problem isn't that distribution has become insanely quick, easy, and efficient. The problem is that nobody is thinking about the message anymore.
Actually, the problems being cited by the privacy officials are more the kind of thing the average user probably would not realise/anticipate.
If I ask a site to delete my personal data when they no longer have any reason to hold it, I might reasonably expect them to delete it — not stick some flag in a database, and then find when they have a security breach in five years' time that the data was still there. If an organisation is unwilling to follow this rule, the law should make them; the consequences of failing to do so with modern technology are demonstrated all too frequently, and often with horrendous, underserved consequences for those affected.
If I flag my personal data as private and restrict access to only a select group of friends, I might reasonably expect that data to be kept private and accessible only to those friends — not made accessible, in its entirety, to a million arbitrary developers of Facebook apps around the world, many from countries with far less privacy protection than the law in my country (and other countries where Facebook is hosted) provides. Again, if a site that specialises in collecting personal data and attracts that data on the basis that it can be held in confidence is unable to keep that confidence, the law should compel them to do so.
The way Facebook doesn't really delete data and the way they allow app developers open-ended access to it are the two big reasons I personally don't use their service, and I would be interested to know how many of my Facebook-using friends would agree if they knew the full implications of signing up for one game of Scrabulous or whatever it's called these days.
The world has changed in the Internet age, because now transgressions that might have been forgotten or overlooked after a while in the past are kept on-file forever and searchable for all to see. That in itself makes both education (particularly for the young/vulnerable), privacy awareness, and explicit legal protections for personal information much more important.
Personally, I believe personal data protection and privacy laws are far, far too weak in most jurisdictions today, lagging well behind modern technology and its less constructive applications. I would like to see statutory safeguards on all collection, use and distribution of personal data, and awesome, business-destroying penalties for those who are not careful enough to do so.
Our current path, towards a database state and wholesale aggregation of personal data by private entities, using software that is frequently insecure, with low-level staff unreliable at following even basic security procedures, in a world where leaks can turn a victim's life upside down and the damage may be expensive or impossible to fix, is not a healthy path to follow.
Basically, it's reasonable to expect some common sense from those old enough to know what they're doing, but it is not reasonable to expect people to make decisions based on information they probably don't know or understand, and in any case, no-one is perfect and I personally think society would be a better place with stronger privacy laws governing organisations that compile massive databases of personal data. As I often comment in these discussions, just because we can do something does not mean we should, and just because someone who is only human once made a mistake does not mean we have to catalogue it and make it searchable by anyone for the rest of their life.
If you disagree, post your argument. (-1, Overrated) isn't your personal censorship tool for views you don't like.
What you say would be true for people who make their facebook profile public, but what about those with private profiles that are visible only to their friends, and are basically being leaked to third parties?
How would you feel if your cell phone company were selling transcripts of your phone calls to advertisers and potential employers without your consent (ie. considering your use of their system as you granting your implicit consent)?
I agree, per the Yahoo! and Belgium issue. But:
http://strategis.ic.gc.ca/cgi-bin/sc_mrksv/corpdir/dataOnline/corpns_re?company_select=4496906
There are 1.1... kinds of people.
if Facebook doesn't have a Canadian legal entity, nor Canadian hosting, the answer is "who cares"? .... Just because there's users on FB from all around the world, it doesn't mean that FB has to abide by all countries' laws. If that were the case, the Internet would be a hobbled and useless mess.
You may be right about most things internet-wise. However, Facebook is an interesting case; fully one-third of the canadian population subscribes to FB (so a much more sizeable proportion of internet users), and thus the privacy commissioner is well within their mandate to ring alarms by whatever means necessary. The implications are enormous. .com.
The nature of Facebook's control over the personal information of our citizens means that if we don't have a clear legal means to manage privacy issues of our nation, the gov rightly feels a need to seek such means. I'm in favour of education over regulation, but something has to be done. I've been ranting about FB's ToS for years, but few seem to care. We have warnings on cigarette packages, for instance. That's a good idea.
If one third of Canada is engaged in a transaction from their own homes, saying that that is not business conducted in Canada rings a bit false, don't you think? It isn't a technical stretch to divide such major sites into country regions. Google, for instance, easily resolves my visits to google.ca based on IP, whereas facebook.ca redirects to the
As usual, the internet throws all former definitions of communication into doubt.
Damn those pesky terrorists