Slashdot Mirror


Facebook Violates Canadian Privacy Law

Myriad and a number of other readers passed along the news that the Canadian Privacy Commissioner has made a determination that Facebook violates Canadian privacy law in four different respects. Canada has the highest per-capita Facebook participation in the world — about a third of the population — according to coverage in The Star. The EU is also expressing similar privacy concerns, though Canada's action "represents the most exhaustive official investigation of Facebook privacy practices anywhere in the world," says Michael Geist. The CBC's coverage spells out the areas of privacy concern, in particular that nearly a million developers of Facebook apps in 180 countries have full access to the entirety of users' private data. Also of concern: Facebook holds on to your data indefinitely after you quit the site. The BBC notes that Facebook is working with the privacy commission to resolve the issues, and quotes a Facebook spokesman thus: "Overall, we are looking for practical solutions that operate at scale and respect the fact that people come to share and not to hide." (Schneier recently blogged about research on "privacy salience," and cited Facebook's practices among others' as practical examples of how social networking sites have learned not to push the privacy issue in users' faces.)

22 of 179 comments

  1. Draconian Laws by A. B3ttik · · Score: 4, Insightful

    Does anyone actually expect privacy from these networking sites anymore?

    Besides, who puts something on Facebook that they _want_ to keep _private_?

    1. Re:Draconian Laws by schon · · Score: 4, Insightful

      who puts something on Facebook that they _want_ to keep _private_?

      People who don't know any better, who are (incidentally) the same people the privacy laws were written to protect.

    2. Re:Draconian Laws by RiotingPacifist · · Score: 5, Interesting

      Does anyone actually expect privacy from these networking sites anymore?

      Yes many people do, not all countries believe so strongly in the market as the US and we often want restrictions put on businesses to keep our data the way we want it.

      Besides, who puts something on Facebook that they _want_ to keep _private_?

      People with friends, FB is not myspace (it's not a site to go meet random people off the internet with) it's a site to allow friends (of varying levels of technical competency) to keep in touch and communicate. I put stuff I want my friends to see on my Facebook profile that perhaps I don't want everybody in the world to know about! Embarrassing pictures people take of me can be tagged on Facebook, tbh I don't care if my mates see me passed out in a field but I sure as hell don't want everybody on the internet (including prospective employers) to see it. If I have a choice between
      1) total privacy
      2) a convenient way of being able to organise events and nights out much easier at the expense of privacy.
      I'm going to choose 2, however if that expense can be reduced then that is great.

      --
      IranAir Flight 655 never forget!
    3. Re:Draconian Laws by ceoyoyo · · Score: 4, Interesting

      Some people use Facebook to keep in touch with friends, not to post compromising pictures of themselves. Most Facebook profiles these days are only available to friends of the owner.

      The apps thing has always bothered me about Facebook. The vast majority of apps are stupid and easy to ignore but there are a few interesting ones that I might use except that the only way to do so seems to be to give the free run of any and all personal information. Why did a game of Scrabble need to know anything more than my user number?

    4. Re:Draconian Laws by sodul · · Score: 4, Interesting

      There's one thing that disturbed me about Facebook: I wanted to apply for a position there, but you need a Facebook account in order to do so. So why not? You have to provide some personal information especially your birth date, which is illegal for a prospective employer to ask.

      I understand the recruiters might not actively look for your birth date, yet now it's there for them to look at, forever in their database.

    5. Re:Draconian Laws by Beardo the Bearded · · Score: 4, Insightful

      That's not the point.

      The point is that Facebook is disclosing personal information to any developer that asks for it, without regard to what the information is, or what use the developer has for the information. That's against Canadian law.

      The quote in the article states it most clearly: "Why does a hangman developer have to know your address?"

      --

      ---
      ECHELON is a government program to find words like bomb, jihad, plutonium, assassinate, and anarchy.
    6. Re:Draconian Laws by psyklopz · · Score: 4, Insightful

      It is worth noting that Facebook violates privacy of more than just its members.

      The summary does not mention this, but one of the things the Canadian study found was that users of Facebook can post photos and Tag the names of each person in the photo (whether they are on Facebook or not).

      I believe there are good reasons why a non-Facebook user would not want their images posted, and for that matter, have a searchable Tag posted against that image.

      Presently, I can't 'opt-out' of images of myself being posted by members, even though I am not on Facebook.

      And on the same subject-- should I even need to 'opt-out'? Maybe they should require 'opt-in'?

    7. Re:Draconian Laws by Ephemeriis · · Score: 3, Insightful

      You're right, but I don't think Joe Sixpack necessarily understands the concepts of data mining, profiling, etc and how they might relate to social networking sites. Nor do I think he, or the average teenager, understands the permanence of data or the associated implications.

      And frankly, what may make sense to post on a gigantic billboard in your front yard may not make sense, or even be legal, tomorrow. Times change. Governments change. Social mores change. I think expecting your average internet user to consider these things is asking a little much.

      No it isn't.

      People have been making decisions (sometimes stupid ones) and living with the consequences for centuries. Ok, maybe it's easier to squash a verbally-distributed nasty rumor than a digitally-distributed incriminating photo, but that doesn't mean that common sense no longer applies.

      Look back at some printed statements over the years... Things that were appropriate at the time and showed up very proudly in newspapers all over the United States, and now look very embarrassing.

      Political careers have been ended because of a youthful indiscretion or an incriminating photograph.

      Tons of people have tattoos that they wish they hadn't gotten.

      Plenty of people have taken pictures they shouldn't have, and had it used against them.

      Ever hear of Nixon? Recorded some tapes he probably wished he hadn't.

      How about Sotomayor? Bet she wishes she hadn't said some things right about now.

      This isn't about understanding data mining or profiling, this is about simple common sense - which is apparently in short supply these days. If I proudly proclaim that I like big butts on Facebook you don't need to mine any data - you know that I like big butts. You don't have to profile anything, I've stated it in plain text. Oh, now my mother read it and I'm embarrassed? I guess I shouldn't have written it where she could see it, now should I?

      Twitter, Facebook, MySpace, blogs, text messaging, cell phones... They're all just ways of distributing a message. The problem isn't that distribution has become insanely quick, easy, and efficient. The problem is that nobody is thinking about the message anymore.

      Folks will call up a friend and have a running conversation about the random people walking by them and what they're wearing - why? Just because you can tell your friend that somebody wearing a Penny Arcade t-shirt doesn't mean you have to.

      People actually report on their bowel movements! Why?!

      --
      "Work is the curse of the drinking classes." -Oscar Wilde
    8. Re:Draconian Laws by Roman Coder · · Score: 3, Informative

      Yesterday I saw an "IQ Test" app and thought "Why not?", so I took the test (one could argue I failed it by just using Facebook to test my IQ, but I'll leave that for another discussion).

      When I was done, the app wouldn't give me my results until I gave it my cell phone number, so it could send me the results of my test to my cell phone. Not like I could read it off of the web browser, right?

      Pissed me off to no end that the app would so underhandedly try to farm my cell number this way, so I just backed out of the test and swore to never try another Facebook app after that.

      So I agree, there's no reason why these apps need ALL of my personal information to do their thing. It's just marketing companies running amok IMHO.

      --
      "The future can only affect the present if there is room to write its influence off as a mistake." - Yakir Aharonov
    9. Re:Draconian Laws by ToadProphet · · Score: 3, Insightful

      Yup, however...

      Your examples are ones that have easily recognizable consequences for just about anyone. My point is more about the ones that take considerably more thought. For example, you give a big thumbs up to some fringe political party that, in the not so distant future, is outlawed with the supporters being flagged. Hell, atheism could become illegal someday if some fanatics got their way.

      Extreme examples, for sure, but I believe the point is clear.

      --
      It's on America's tortured brow, That Mickey Mouse has grown up a cow
  2. Easy data mining for 3rd parties by Locklin · · Score: 5, Interesting

    Everybody seems to expect that Facebook has all this information, the issue is with applications/quizzes. By setting up some stupid quiz, you can collect contact and network data on everyone who fills it out. This could be used for everything from marketing research to "investigation" of various social/political groups.

    --
    "Knowledge is the only instrument of production that is not subject to diminishing returns" -Journal of Political Econom
    1. Re:Easy data mining for 3rd parties by RiotingPacifist · · Score: 3, Interesting

      ..to keep the noise in Facebook down to a minimum. This way I don't see any of the quizzes people want me to take..

      A little known Facebook trick is that if you hover over the notification, then click the x, you can select hide all from this application (also report as spam); a similar thing can be done when hiding friends who talk too much!

      --
      IranAir Flight 655 never forget!
  3. Re:Simple solution by MadCow42 · · Score: 4, Insightful

    I agree - if Facebook doesn't have a Canadian legal entity, nor Canadian hosting, the answer is "who cares"? I'm Canadian, BTW.

    Just because there are users on FB from all around the world, it doesn't mean that FB has to abide by all countries' laws. If that were the case, the Internet would be a hobbled and useless mess.

    MadCow.

    --
    I used to have a sig, but I set it free and it never came back.
  4. The answer is pretty simple by Minion of Eris · · Score: 5, Informative

    DO NOT RUN ANY APPS!!! Sorry for shouting, but I have been saying this to people for years now (since the first time I read the terms for Facebook apps). I am not knocking FB as a tool in and of itself, in fact I am very grateful to them for letting my daughter find me after 16 years of separation (true story - she searched my name and sent me a message) but come on, they state clearly that if you want to plant a garden (or whatever) the developer gets to see all of your info. Just Don't Do It. Thanks for the rant-space.

    --
    Please don't dominate the rap, Jack, if you got nothin' new to say.
    1. Re:The answer is pretty simple by eln · · Score: 5, Interesting

      I agree, but on the other hand it's foolish for Facebook to have taken such a lazy approach to apps. What they should have done (and should do) is allow a developer of an App to determine what information from a user's profile they actually need for their app to operate, and allow that app access to only that information. Further, instead of the blanket "allow this app to see everything about you" screen, they should tell you precisely what information that particular app is asking for (and will be allowed to see), and let the user choose whether or not that particular information is something they're willing to share. Most people will just blindly click through anyway just like they do now, but at least if the information to be shared is clearly spelled out, there's a chance someone will think twice before clicking, and at the very least they'll be more informed of what they're actually giving out.

      In addition, they should review apps (not sure if they do this now or not, if they do their criteria are laughable) before allowing them on to the site...and part of their review of an app should include whether or not the app is asking for more information than it actually needs.

      And for the love of God, instead of making every stupid little quiz a separate app, Facebook should maintain its own in-house developed "quiz app" and allow random idiots to submit quizzes to it. I'm tired of having to block every stupid quiz individually because they're all individual apps. This would also have the side effect of not needing to give all of your information to a random 14 year old so you can find out which Teletubby you are...your information would only be shared by the developer of the Quiz App (Facebook itself). Of course, this would only work in conjunction with the review process mentioned above, as any other quiz apps would be rejected by the review and the developers pointed to the Facebook Quiz App.

      Facebook strikes me as a company with a lackadaisical approach to privacy and a generally lazy approach to the design and implementation of site features. It angers me that the site could be so much better than it is if someone at that company gave a damn about these things.
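
Added example, not part of the comment above and not Facebook's API: a Python model of the field-scoped access eln describes, where an app declares the fields it needs, a review step flags requests its category cannot justify, and reads return only what the user approved. The profile fields, `CATEGORY_BASELINE`, `AppManifest` and `ConsentStore` are hypothetical names, and the sample data is constructed.

```python
from dataclasses import dataclass

# Constructed sample profile; field names are assumptions, not Facebook's schema.
PROFILE = {"user_id": 1001, "display_name": "Sample User",
           "address": "1 Example St", "phone": "555-0100", "friends": [1002, 1003]}

# Hypothetical reviewer baseline: the fields each app category can justify.
CATEGORY_BASELINE = {
    "game": frozenset({"user_id", "display_name"}),
    "events": frozenset({"user_id", "display_name", "friends"}),
}


@dataclass(frozen=True)
class AppManifest:
    name: str
    category: str
    requested: frozenset  # fields the developer declares the app needs


def review_manifest(manifest):
    """Pre-listing review: requested fields the app's category cannot justify."""
    allowed = CATEGORY_BASELINE.get(manifest.category, frozenset())
    return sorted(manifest.requested - allowed)


class ConsentStore:
    """Per-user, per-app field grants. Anything not granted is denied."""

    def __init__(self):
        self._grants = {}

    def consent_prompt(self, manifest):
        """What the consent screen lists: the exact fields requested."""
        return sorted(manifest.requested)

    def record(self, user_id, manifest, approved):
        """Store the user's choice; it may be narrower than the request."""
        approved = frozenset(approved)
        extra = approved - manifest.requested
        if extra:
            raise ValueError(f"not requested by {manifest.name}: {sorted(extra)}")
        self._grants[(user_id, manifest.name)] = approved

    def revoke(self, user_id, app_name):
        self._grants.pop((user_id, app_name), None)

    def read_profile(self, user_id, app_name, profile, wanted):
        """Return (released fields, denied field names) for one app read."""
        granted = self._grants.get((user_id, app_name), frozenset())
        wanted = frozenset(wanted)
        released = {f: profile[f] for f in sorted(wanted & granted) if f in profile}
        return released, sorted(wanted - granted)


def demo():
    # A hangman game that also asks for the user's address.
    hangman = AppManifest("hangman", "game", frozenset({"user_id", "address"}))
    store = ConsentStore()
    flagged = review_manifest(hangman)           # review catches the over-ask
    store.record(1001, hangman, {"user_id"})     # user approves one field only
    released, denied = store.read_profile(
        1001, "hangman", PROFILE, {"user_id", "address", "phone"})
    store.revoke(1001, "hangman")                # after revocation nothing is released
    after, _ = store.read_profile(1001, "hangman", PROFILE, {"user_id"})
    return flagged, released, denied, after


if __name__ == "__main__":
    print(demo())
```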

  5. Re:Simple solution by RiotingPacifist · · Score: 3, Insightful

    They still do business in Canada when they sell ads for Canadian companies/sell stuff to Canadians/etc, now they could lose that revenue, or they could work with officials to improve the privacy of their users, thus keeping that revenue while improving their site. Do Facebook really want to lose 11m users worth of revenue (and probably more long term as the EU may follow suit)?

    --
    IranAir Flight 655 never forget!
  6. Re:Simple solution by Guspaz · · Score: 3, Insightful

    If you're serving, catering, and marketing to users in Canada, and even partnering with Canadian telecoms to get your software on their phones, then a physical presence might not be required.

    The mere fact that I can walk around Montreal and see advertisements for Facebook indicates that at the very least they could be forced to stop advertising in Canada, and the telecoms could be forced to stop distributing/bundling the Facebook apps. Even if they don't have a legal presence in Canada, they certainly do have *a* presence, and that's enough to force changes. That gives the Canadian government leverage to force Facebook to make changes.

    "Comply with our laws or we'll cut off all your marketing and partnerships in Canada."

  7. Facebook app privacy by furby076 · · Score: 3, Interesting

    Here is an idea, Facebook. Give the user an option to not give the app creators 100% access to the Facebook user's data. I reject all of those apps because all of them expect me to give up my data - all of my data. It is very invasive.

    I'm assuming Facebook gives this control to the app makers - but as we know - when you have an option and it is free then why not use it?

    --

    I do not support "The Man". I also do not support your irrational stupidity
  8. Re:They prompt you by ceoyoyo · · Score: 4, Interesting

    I agree with that one, but what if you want to play chess with your friend? You should be able to do that without giving someone access to everything. Either the Facebook API doesn't support requesting limited rights, or I have never seen an app that uses that capability.

  9. Re:Simple solution by WebCowboy · · Score: 3, Informative

    It's not like they're going to send Mounties to the U.S. or require ISPs to block Facebook.

    YES Facebook IS VERY MUCH bound by Canadian law and it IS enforceable to a large degree. And yes, Facebook CAN be taken to court if they do not make efforts to meet the commissioner's recommendations.

    If Pandora can be ordered to refuse entry to non Americans via geolocation, etc. to adhere to DMCA and license agreements in the US, you can ABSOLUTELY expect that Facebook can be ordered to shut off access in Canada (note that this does NOT involve ISPs--it is a function of the web site itself). Proxies, etc. make enforcement imperfect, but by law in both cases the website MUST take "reasonable efforts" to abide by local laws.

    Only if websites refuse to cooperate would the issue be escalated to more draconian means (the Canadian gov't CAN file lawsuits in an American jurisdiction or an international venue you know--and CRTC can mandate ISPs follow certain rules too).

    Whether this is a problem or such action is right or wrong, it CAN be done.

  10. Re:Priorities by abigor · · Score: 3, Informative

    As another poster mentioned, the Canadian equivalent of the 4th Amendment is Section 8 of the Canadian Charter of Rights and Freedoms.

    More to the point, Canada has a very powerful Privacy Act ("An Act to extend the present laws of Canada that protect the privacy of individuals and that provide individuals with a right of access to personal information about themselves") that limits the government's ability to collect and retain private information, and a Privacy Commissioner to enforce it. I don't think there's anything comparable in the US, as Canada's privacy laws are probably the toughest in the western world.

  11. The real situation by Anonymous Brave Guy · · Score: 4, Insightful

    Twitter, Facebook, MySpace, blogs, text messaging, cell phones... They're all just ways of distributing a message. The problem isn't that distribution has become insanely quick, easy, and efficient. The problem is that nobody is thinking about the message anymore.

    Actually, the problems being cited by the privacy officials are more the kind of thing the average user probably would not realise/anticipate.

    If I ask a site to delete my personal data when they no longer have any reason to hold it, I might reasonably expect them to delete it — not stick some flag in a database, and then find when they have a security breach in five years' time that the data was still there. If an organisation is unwilling to follow this rule, the law should make them; the consequences of failing to do so with modern technology are demonstrated all too frequently, and often with horrendous, undeserved consequences for those affected.

    If I flag my personal data as private and restrict access to only a select group of friends, I might reasonably expect that data to be kept private and accessible only to those friends — not made accessible, in its entirety, to a million arbitrary developers of Facebook apps around the world, many from countries with far less privacy protection than the law in my country (and other countries where Facebook is hosted) provides. Again, if a site that specialises in collecting personal data and attracts that data on the basis that it can be held in confidence is unable to keep that confidence, the law should compel them to do so.

    The way Facebook doesn't really delete data and the way they allow app developers open-ended access to it are the two big reasons I personally don't use their service, and I would be interested to know how many of my Facebook-using friends would agree if they knew the full implications of signing up for one game of Scrabulous or whatever it's called these days.

    The world has changed in the Internet age, because now transgressions that might have been forgotten or overlooked after a while in the past are kept on-file forever and searchable for all to see. That in itself makes both education (particularly for the young/vulnerable), privacy awareness, and explicit legal protections for personal information much more important.

    Personally, I believe personal data protection and privacy laws are far, far too weak in most jurisdictions today, lagging well behind modern technology and its less constructive applications. I would like to see statutory safeguards on all collection, use and distribution of personal data, and awesome, business-destroying penalties for those who are not careful enough to do so.

    Our current path, towards a database state and wholesale aggregation of personal data by private entities, using software that is frequently insecure, with low-level staff unreliable at following even basic security procedures, in a world where leaks can turn a victim's life upside down and the damage may be expensive or impossible to fix, is not a healthy path to follow.

    Basically, it's reasonable to expect some common sense from those old enough to know what they're doing, but it is not reasonable to expect people to make decisions based on information they probably don't know or understand, and in any case, no-one is perfect and I personally think society would be a better place with stronger privacy laws governing organisations that compile massive databases of personal data. As I often comment in these discussions, just because we can do something does not mean we should, and just because someone who is only human once made a mistake does not mean we have to catalogue it and make it searchable by anyone for the rest of their life.

    --
    If you disagree, post your argument. (-1, Overrated) isn't your personal censorship tool for views you don't like.