Facebook Cited in Canadian Privacy Commissioner Complaint
Facebook faces a complaint filed Friday with the Canadian Privacy Commissioner by the University of Ottawa’s Canadian Internet Policy and Public Interest Clinic. CIPPIC charges Facebook with violating the Personal Information Protection and Electronic Documents Act, including not fully disclosing how the social networking site uses personal data it collects and shares, not deleting personal material automatically when an account is closed and lack of transparency on how user data are tracked by or shared with advertisers.
Sign up for a free preview to unlock the rest of this article
Timely, relevant coverage of court proceedings and agency rulings involving tariffs, classification, valuation, origin and antidumping and countervailing duties. Each day, Trade Law Daily subscribers receive a daily headline email, in-depth PDF edition and access to all relevant documents via our trade law source document library and website.
CIPPIC Director Phillipa Lawson said Facebook’s most troubling problems include situations in which the service gives users no choice when giving third-party applications access to information, specifically that “there is no way to uncheck the box” and revoke permissions. Lawson also cited Facebook’s contact importer, which searches users’ e-mail address books to connect them with contacts already on the service. The tool allows users to invite contacts to join Facebook, and by default invites all of a user’s contacts, but Facebook doesn’t disclose what it does with addresses to which invitations are not sent.
Facebook’s account termination policy violates Canadian law, the complaint alleges. Now, when a user “terminates” an account, Facebook merely deactivates it, retaining the user’s personal information and other data. Facebook permanently deletes account data only when the departing user specifically requests that by e-mail.
The complaint also questions the legality of Facebook’s assertion of ownership of all user data, and site security features, citing Facebook’s lack of an automatic log-off feature similar to online banking sites.
Facebook Chief Privacy Officer Chris Kelly shrugged off the complaint, saying Facebook takes users’ privacy seriously. “At Facebook, we pride ourselves on the industry-leading controls we offer users over their personal information,” he said in a written statement. Kelly also said the complaint has “serious factual errors” and nearly all data is “willingly shared by users.”
Lawson questioned Kelly’s definition of “willingly” and said the most disturbing aspect of problems with Facebook are evident in the site’s privacy settings, which default to sharing information. She said Facebook would be in a much stronger position if the setting was changed.
Facebook has faced many privacy controversies, lately over last year’s Beacon advertising feature. “Most of the points here have been raised with Facebook in the past,” Lawson said. -- Andrew Feinberg
* * * * *
Facebook is blocking messages that link to sites with “contact importer” applications and catching flak from users, Facebook security engineer Ryan McGeehan said last week on the Facebook blog. The curbs aim to protect Facebook users’ privacy and that of their friends, he said. Users providing Facebook login information to a site with a contact importer not only “spam all of their friends” but grant full control of their Facebook accounts to such applications, McGeehan said. Users will be able to share their information with other sites through “trusted authentication” in Facebook’s nascent Connect initiative, he said.