Facebook breaches Canadian privacy law: commissioner - Action News
Home WebMail Thursday, November 14, 2024, 05:39 PM | Calgary | 5.9°C | Regions Advertise Login | Our platform is in maintenance mode. Some URLs may not be available. |
Science

Facebook breaches Canadian privacy law: commissioner

Facebook shares personal information with developers who create games and quizzes in a way that breaches Canadian privacy law, the Office of the Privacy Commissioner of Canada has found.

Facebook shares its users' personal information with developers who create games and quizzes in a way that breaches Canadian privacy law, the Office of the Privacy Commissioner of Canada has found.

Thepopular social networking site, which is used by 12 million Canadians and 200 million people worldwide, also keepspersonal information indefinitely after users deactivate their accounts,contrary tothe Personal Information Protection and Electronic Documents Act, says the report released Thursday by assistant privacy commissioner Elizabeth Denham.

The office'smain concernwas thatuserscould not alwaysgive "meaningful consent" to the use of their personal information due to a lack of transparency on the site.

"We found that, although Facebook provides information about privacy issues, it is often confusing or incomplete,"Denham said at a news conference.

Users should be able to opt out of actions that could lead them to lose control over their personal information, she added. In some cases, thatinformation could then be used for marketing purposes or even identity theft.

'For a hangman application ... there is no use for the developer to know where the person lives or have their personal email address.' Jordan Plener, CIPPIC

Facebook declined interview requests Thursday, butissued a statement saying it is about to introduce new privacy features that itbelieves "will keep the site at the forefront of user privacy and address any remaining concerns the commission may have." It added that in the meantime, it will continue to work with the commissioner's office and to raise awarenessabout its privacy controls.

4 areas of concern

The Office of the Privacy Commissioner's reportfound that Facebook continues to breachPIPEDAin fourways and it maderecommendations to correct the problem. It found:

  • Facebookdoesn't have enough safeguards to prevent950,000third-party developers around the world from getting unauthorized access to users' personal information, nor does it ensureusers have given "meaningful consent" to allow theirpersonal information to be disclosed to the developers. Recommendation: Developers shouldonly get the information needed to run the application. Users would have to specifically consent tothe release of that information after being told why it is needed. Information about anyone other than the user would not be disclosed.
  • Facebookkeeps information from accounts deactivated by users indefinitely. Recommendation:Facebook should have a policy to delete the informationafter a reasonable length of time, andusers should be informed of the policy.
  • Facebookkeeps the profiles of deceased users for "memorial purposes" but does not make this clear. Recommendation:Information about use for memorial purposesshould be in Facebook's privacy policy.
  • Facebookallows users toprovide personal information about non-users without their consent. For example, it allows them to tag photos and videos of non-users with their names, and provide Facebook with their email addresses to invite them to join the site. It keeps the addresses indefinitely. Recommendation:Facebook should only keep non-users email addresses for a reasonable, specific length of time and should make its users aware that they need to seek consent of non-users before posting information about them.

Users' responsibilities

Denham and privacy commissioner Jennifer Stoddart emphasized, however,that they aren't telling people to stay away from social networking sites.

"We all understand that social networking sites can be a wonderful way to connect," Stoddart said at the news conference. She added that not everyone sees privacy in the same way, and some people may be more willing to share personal information more widely than others.

Denhamadded that users also need to take responsibility by reading privacy policies andusingthe information to maketheir own choices.

The investigation was launched by the privacy commissioner's office in response to a complaint from the Canadian Internet Policy and Public Interest Clinic, which is based at the University of Ottawa.

Personal Information Protection and Electronic Documents Act

PIPEDAspecifies how private sector organizations may collect, use or disclose personal information in the course of commercial activities.

Under the act, under most circumstances:

  • Personal information must be collected for a specific purpose and cannot be used for other purposes.
  • The information cannot be collected unless the person that the information belongs tohas been informedand has provided consent.
  • The information can only be kept for a specified amount of time, and must be destroyed when it is no longer needed to fulfil its original purpose.

Jordan Plener,a law student who initiated the complaint on behalf of CIPPIC, said he had a number of concerns about areas such as Facebook's default privacy settings and the personal information available to developers.

"For a hangman application, for example, there is no use for the developer to know where the person lives or have their personal email address."

The complaint cited allegations on 12 topics. Denham deemed allegations about fourtopicsunfounded. Facebook accepted Denham's recommendations and resolved problems in four other areas.

Plener said that was a good start. But he noted that so far, Facebook has refused to accept Denham's other recommendations.

With respect to the four remaining topics, the assistant privacy commissioner has asked Facebook to reconsider its recommendations to resolve the problems andsaid she will follow up in 30 days. If Facebook does not comply at that point, the privacy commissioner's office can have its recommendations enforced by the Federal Court.

Denham noted that the company has been co-operative throughout the investigation, and she is hopeful that it will comply.