Facebook International Expansion Highlights Privacy Issues

Facebook Chief Privacy Officer Chris Kelly attacked the complaint’s reasoning in a statement issued the same day as the complaint was filed. Facebook users are “willingly sharing” data, Kelly said. His claim was challenged by BT Chief Security and Technology Officer Bruce Schneier. “I'm pretty sure if you spoke to any seven people who use Facebook, they would never say the point of it is to share information,” Schneier said in an interview. “It’s all about connecting with their friends.”

Facebook default settings are a major security concern, Schneier said, agreeing with the Canadian Internet Public Policy and Information Clinic filing. Data show that half of people won’t change default settings, especially on social networking sites like Facebook, he said: “Most people will do what’s normal.” The best privacy practice would be for people to have to choose actively what to share, rather than having the ability to choose what not to share, he said.

Control over user information is a major issue for social networks, Schneier said. Referring to a user revolt over Facebook’s Beacon feature, he traced the outcry not to the sharing of information, but to doing so without permission. “Who’s in charge of my information?” he asked. “That’s really what the concerns are.” In its terms of service Facebook claims ownership of all user data on the site, which Schneier explained as driven by an economic motive to “lock in” users: “They want to make it painful for you to leave.”

The U.S. needs a comprehensive data privacy law, Schneier said, noting that Facebook’s questionable privacy practices are getting their first test before a foreign regulatory body. The U.S. lags far behind many countries at protecting people’s data, he said: “We really need the same sorts of protection that Canada has.”

Others said users should know what they are getting into, calling terms of service and privacy policies sufficient protection against abuse. Schneier and those who share his views err by “turning this into a moral issue,” Berin Szoka of the Progress and Freedom Foundation said. Szoka contested many aspects of the Canadian law, characterizing them as potentially harmful if implemented in the U.S.

One point of contention is Facebook’s policy of retaining user data after a user deletes his or her account without asking explicitly that data associated with it be deleted. CIPPIC terms this practice misleading and illegal. Facebook said it wants exiting users to be able to restore accounts if they rejoin. Szoka called the practice reasonable for any hosted online service. He expressed his own worry at having a malicious user delete an account: “I live in fear that someone might break into my Gmail account and delete it, and it would be gone forever.”

Szoka’s view doesn’t jibe with Google policy, however. Google’s official Gmail FAQ page says the company “keeps multiple backup copies of users’ e-mails so that we can recover messages and restore accounts in case of errors or system failure.” However, unlike Facebook, which indefinitely keeps from deleted accounts, Google retains backups for a limited amount of time: “We will make reasonable efforts to remove deleted information from our systems as quickly as is practical.”

Szoka is more troubled by the implication that “Canada is trying to extend its privacy laws to other countries,” he said. Mandatory default opt-out for sharing data could have “real world consequences,” he added. He said a patchwork of U.S. state laws isn’t ideal, but to adopt a system similar to Canada’s would be “to buy into some comprehensive, onerous federal legislation.” And were Facebook to revise its site to obey Canadian law, such as by not demanding registrants’ birthdates, it could break U.S. laws. These include child protection statutes that require sites to ask users’ ages before providing service.

Facebook deems user privacy a high priority, it said. In a March 10 developer Q&A session, founder and CEO Mark Zuckerberg was asked about sharing data with governments. “Making sure people’s information is private” is one of his company’s major goals, and Facebook would avoid putting itself in a position where obeying the law would compromise privacy, Zuckerberg said: “Keeping people’s private information only accessible to people they want to share it with is a core thing for Facebook.”

User feedback has led to gradual introduction of more granular privacy controls, but Facebook privacy settings still default to sharing most information. However, in what may be an attempt to neutralize aspects of the CIPPIC complaint, a login timeout feature such as online banking sites use has been deployed quietly. That functionality’s previous absence figured prominently in the CIPPIC filing.

The complaint may be an opening salvo over international legal issues involving Facebook. In the same March Q&A, a questioner asked how Facebook would handle information sharing with authoritarian governments, citing an episode in which Yahoo allegedly shared data leading to a Chinese blogger’s arrest.

Zuckerberg said at the time that as yet Facebook hadn’t expanded into China because “we're not openly working with governments.” But in countries where Facebook does operate, “we have to follow the law,” he added. The company’s China strategy was mired in intense internal debate over whether to launch using servers located there, he said. That would mean better service but could put employees at risk, whereas using outside servers could be blocked or slowed by the government, he said.

Zuckerberg then hesitated to commit to a firm China strategy, describing the available options as “not a great set of tradeoffs.” But a source familiar with Facebook operations said the company plans to launch a Chinese network “as soon as the site is translated.” Repeated calls and e- mails to Kelly, Zuckerberg and Adam Conner, Facebook’s Washington, D.C.-based associate for privacy and global public policy requesting comments on these issues were not returned at our deadline. - Andrew Feinberg