Facebook is deceiving its users and breaking Canadian privacy laws, the Canadian Internet Policy and Public Interest Clinic (CIPPIC) alleged in a complaint to Canada’s Privacy Commissioner on Friday.
Ottawa-based CIPPIC represents consumer and other public interests in such areas as intellectual property, consumer protection in e-commerce, domain name governance, personal information protection and privacy.
The clinic has released a 35-page complaint detailing 22 separate violations of the Canadian Personal Information Protection and Electronic Documents Act (PIPEDA) by Facebook.
Law interns put together the complaint against the Palo Alto, Calif.-based social networking site over a four-month period.
The complaints allege the social networking site fails to inform members of how their personal information is disclosed to third parties for advertising, and does not obtain permission from members when disclosing their personal information.
“They say they’re purely a social networking site, but they’re in fact a commercial enterprise that is about sharing and using the personal information of its members with advertisers and third-party application developers,” says Philippa Lawson, director of CIPPIC.
Third-party applications have been active on Facebook since May of last year and hundreds have been made available to users since then.
These applications collect all information available about Facebook users when they’re added, and can even access information about other people through the user’s friends list.
“That’s a clear violation of the law,” Lawson says. PIPEDA “says you shouldn’t be collecting more information than you need for a particular application.”
But Facebook calls CIPPIC’s interpretation of the law flawed. Facebook aims to give its users control over their information and how they choose to share it, a spokesperson for the social networking site says.
“We’ve reviewed the complaint and found it has serious factual errors – most noticeably its neglect of the fact that almost all Facebook data is willingly shared by users,” says spokesperson Amy Sezak. The complaint “ignores key elements of Facebook’s privacy policy and architecture.”
The office of the Privacy Commissioner confirms it has received the complaint against Facebook. An investigation file has been opened and the case is of interest, says spokesperson Anne-Marie Hayden.
“Companies have an obligation to protect the personal information in their care, to be transparent about their use of personal information, to attain consent for the collection, use and disclosure of personal information and so on,” she says. “We have to look at the complaint more closely, but these are the things we’ll be looking at.”
It’s not the first such investigation launched by the office into social networking sites, Hayden says. But details of other ones can’t be disclosed because they are under investigation.
But the office is concerned enough to have posted a fact sheet on social networking, a guide to protecting privacy on the Internet, and even produced a video on social networking and privacy.
Another CIPPIC grievance is that users’ privacy settings in Facebook are automatically set to share the most information when a new account is created.
Younger or less Web-savvy Facebook users may never think to change these, and are unknowingly sharing their information with the world, according to Harley Finkelstein, one of the law students who worked on the document.
“Facebook calls them privacy settings, but we’ve come to discover these are actually publicity settings,” he says. “Social networking and privacy don’t necessarily go hand in hand.”
But even with privacy settings at maximum, users still face a number of vulnerabilities, Finkelstein adds. He’s a member of the site himself. Applications available on the network can gain information through a friends’ list linkage, for example.
“The developer could have zero legitimacy,” he warns. “They might have access to your sexual preference, what university you go to, or even your address.”
At least one avid Facebook user was surprised that his information could be viewed so easily.
Chris Centeno is a fourth-year student in a communications program at Toronto-based York University. As an early adopter of Facebook, he’s collected 1251 friends. “It’s a bit scary, these companies are looking through your information and seeing who you are,” he says.
Centeno considers himself a careful user, not posting his full birth date or any address information due to identity theft concerns. When strangers want to get on his friends list, he’ll grant them access to a limited profile with less personal information. But now he’ll reconsider how he uses the social network.
“When the applications first came out, I was adding them like crazy,” he recalls. “But now with the security breaches, I will be more cautious.”
Canada is third in overall users on Facebook. But with about 7 million users, Facebook is more popular in Canada than anywhere else proportionally. About 40 per cent of Canadians who have online access also have a user account, according to Facebook.
If Facebook is found to contravene the privacy law in Canada, then Privacy Commissioner Jennifer Stoddart will make recommendations to fix the problems, Hayden says. Typically, organizations will follow these.
If not, then a federal court case could be launched to try to force the company to comply. But even then, cross-border enforcement might prove difficult, Lawson says.
“There could be a problem actually enforcing Canadian law against them,” she says. “They could just refuse to cooperate.”
For its part, Facebook says it is ready to work with Stoddart to “set the record straight.”