Facebook’s time is up – tomorrow, 30 days will have elapsed since the Privacy Commissioner of Canada outlined several changes the social network must follow to conform with Canada’s privacy law.
So far, it looks like those recommendations haven’t been followed.
A July 15 report issued by the commissioner’s office found that Facebook is in violation of Canada’s Personal Information Protection and Electronic Documents Act (PIPEDA). Despite working with the office to make several changes, four outstanding issues remained.
“We continue to be hopeful they are going to respond to our concerns,” says Anne-Marie Hayden, a spokesperson with the Privacy Commissioner’s office. “We have been in positive discussions with them.”
The Privacy Commissioner’s investigation was prompted by a complaint filed by the University of Ottawa-based Canadian Internet Policy and Public Interest Clinic (CIPPIC) on May 30, 2008. The group has been following the site closely over the past 30 days and hasn’t seen any changes yet.
“I haven’t seen any changes to the four issues that were raised by the report,” says David Fewer, acting director of CIPPIC. “We haven’t heard anything public from these guys and we don’t expect to.”
When the report was released, Facebook’s chief privacy officer, Chris Kelly, didn’t commit to making any of the changes recommended. Facebook felt that it was already compliant with the law.
“There are some matters where we feel our controls weren’t recognized,” he said.
Facebook has been making revisions to its privacy policy and “statement of rights and responsibilities” for users. But neither appears to address the concerns raised in the report.
Facebook is rolling out a new version of its publisher bar that will allow users to choose the recipients of each post they make. For example, you could share a photo with everyone on the Internet, or just a select group of your friends on Facebook.
The site is also engaging users in a revision of its “statement of rights and responsibilities” this week. The document being collaborated on doesn’t appear to address the four recommendations made by the commissioner’s office.
“They could be planning to release a one-off sort of statement when they’ve decided what to do on each issue,” says Tamir Israel, a lawyer with CIPPIC. “I think they’re still in negotiations with the Privacy Commissioner.”
Facebook was contacted but didn’t comment on the issue.
Third-party application controls
Perhaps the most glaring privacy violation listed in the report was the access to personal information on Facebook by some third-party applications.
These applications can access user information not related to their main purpose, and can even glean information from users who don’t have the application installed.
Facebook should implement measures to limit the developer’s access to user information that isn’t required to run an application, the report recommends. It urges that users be notified about each instance of their information being used, and informed for what purpose. The information of users who aren’t using the application should be off-limits, it says.
“We’ve found that Facebook lacks the adequate safeguards to protect users’ profile information, along with their online friends,” said Elizabeth Denham, assistant Privacy Commissioner of Canada, upon releasing the report.
The experience of using third-party applications remains the same as it was before the report was released.
Facebook’s privacy policy has a “Sharing information with third parties” section that issues the following caution: “if you, your friends or members of your network use any third-party applications developed using the Facebook Platform, these Platform Applications may access and share certain information about you with others in accordance with your privacy settings.”
Facebook asks developers to respect privacy settings, the policy states. It has imposed “contractual and technical steps” to limit collection, but does not offer a guarantee that developers will follow the agreements.
Deactivated account information
Another report recommendation asks that Facebook delete the information in deactivated accounts after a reasonable period of time.
For users, deleting their profile remains somewhat difficult on Facebook. The account deactivation option can be found under the Account Settings page. But deactivating a user account leaves a backup copy of your information in Facebook’s database. To delete an account entirely, a user must search through the Help section.
Users looking to do so can follow our guide here: How to delete – not just ‘deactivate’ – your Facebook account.
“Facebook is essentially a monster database and it’s difficult to manage that database,” Fewer says. “The solution could take an engineering commitment from Facebook to build out.”
Memorial accounts for dead users
Facebook should also make clear in its privacy policy that account information could be used for a memorial account in the case of a deceased user. This relates to the phenomenon of friends and family posting memories and goodbye messages on the accounts of users who pass away.
But the privacy policy makes no mention of this yet.
“I’m surprised that Facebook let itself get a black eye over that,” Fewer says. “This is an easy one to fix.”
Information of non-users
Facebook must make changes to its invitation feature to address concerns about non-users’ lack of knowledge and consent to the collection and retention of e-mail addresses. There must be a reasonable time limit set for keeping these e-mail addresses on record, the report says.
No change has been noted to this practice by Facebook.
Despite the 30-day deadline issued by the Privacy Commissioner, the office will have another 15 days before it must take some action against Facebook, Fewer says.
If Facebook doesn’t follow through on the changes, going to federal court has been listed as an option by the office.