The following is a continuation of Facebook Privacy: Canadian Privacy Laws and How Facebook is Changing
The Report
The following are excerpts from the privacy commission’s report detailing where the commission found Facebook in breach of Canadian Law
Section 1: The Use of Date of Births (DOBs)
55. In sum, with respect to its collection of
DOB, I find Facebook to be in contravention of the above-cited principles, most notably Principles
4.2.3 and
4.3.2.” 56. In my preliminary report, I recommended that Facebook
(1) revise the pop-up phrase “a means of preserving the integrity of the site” so as to more clearly capture the true purpose intended and make it more understandable to users;
(2) amend its Privacy Policy so as to explain the purposes for which
DOB specifically is collected and used;
(3) revise its site literature wherever appropriate, including pop-ups on the registration page, so as to clearly define what it means by profile information and to clearly dispel the notion that “hiding” DOBs from a profile means exempting them from use in targeted advertising; and
(4) indicate, in the pop-up in which it specifies the purposes for collection of OBs, that
DOBS are collected also for the purpose of targeted advertising. Facebook should likewise specify any other purposes for which it intends to use or disclose users’
DOBs.” 57. “In response, Facebook has agreed to amend the language of the pop-up in question as follows:
“Facebook requires all users to provide their real date of birth to encourage uthenticity and provide only age-appropriate access to content. You will be able to hide this information if you wish, and its use is governed by the acebook Privacy Policy.” 58: Facebook has also agreed to make changes to the language of its Privacy Policy with respect to its use of personal information for advertising and has stated that it is dedicated to “full disclosure as to the collection and use of information for advertising purposes.” In this section the privacy commission found that while Facebook does describe its use of Date of Birth, its description is insufficient. It demands that Facebook revise its language, amends its privacy policy with this information, and includes it in al lsite literature on the subject.
Facebook agrees.
Section 2 – The Pre-selection of Privacy Settings
98. To conclude, I find that Facebook’s notification efforts relating to privacy settings fail to meet a reasonable standard in the circumstances, as envisaged in Principles
4.2.3 and
4.3.2. In particular, Facebook needs to do more to ensure that new users can make informed decisions about controlling access to their personal information when registering. Facebook has given its users tools to control their personal information. 99. In my preliminary report, I recommended that Facebook
(1) make user profiles inaccessible to search engines by default;
(2) change the default setting for photo albums to “Your Networks and Friends”;
(3) provide a link to the privacy settings at registration, accompanied by a means whereby users can inquire and be informed specifically about the meaning of the term “privacy settings” and can be notified that Facebook has preselected the settings and that the settings can be changed according to the users’ preferences; and
(4) provide users who join networks after registration with the same notification as received by users who join networks at registration. 100. In response, Facebook has taken a holistic approach to meeting our Office’s concerns relating to privacy settings. The company intends to implement the following two significant changes in the near future: (1) It will introduce a “Privacy Wizard”, whereby users will be able to select a low, medium, or high privacy setting. This selection will dictate more granular default settings. Notably, users who choose the “high” setting will not be included in public search listings. Facebook maintains that its new Privacy Wizard and emphasis on per-object privacy (see below) will meet the purpose of assuring that users have made a fully informed choice about whether their information is made available in any way to search engines. (2) It will also implement a per-object privacy tool, whereby users will be given “an easily configurable setting on every piece of content that they will be able to configure at the time of uploading or other sharing. In a matter of weeks, the changes that are in testing will allow users to choose privacy settings on individual photos and pieces of content such as status updates.” Our Office infers from this that Facebook intends to extend its
notification practice in respect of photo albums to other types of information. 101. Facebook has also stated that it is conducting preliminary testing on a revised registration flow that will provide more information on privacy settings. 102. As for our fourth recommendation, Facebook has agreed to implement the appropriate measure. In this section the commission rules that Facebooks default privacy settings allow too much personal information to be publicly accessible, and rules that profiles must be preset to deny a great deal of public access. In other words, your information should start private, and then you should have to make it public, not vice versa.
Facebook agrees and takes it a step further. They actually take it a step further and are instituting a complete privacy system including a
privacy wizard at signup, and granular content control so you can set privacy settings
on a per-object basis.
Section 3 – Explanation of the use of personal information for advertising purposes
140. In my preliminary report, I recommended that Facebook
(1) expand the advertising section of the Privacy Policy so as to (i) explain more fully the role of advertising in the Facebook environment and the differences between Facebook Ads and Social Ads, particularly with respect to users’ ability to opt out; and (ii) inform users of the use of their profile information for targeted advertising purposes, the impossibility of opting out of Facebook Ads and the ability and means to opt out of Social Ads; and
(2) provide at the Profile tab, as well as at other locations where the uploading of information may trigger either a Facebook Ad or a Social Ad, (i) a reminder to users that the personal information they are uploading is collected, used, and disclosed in accordance with Facebook’s Privacy Policy; and (ii) a link that brings users directly to the expanded advertising section of the Privacy Policy, as recommended above. 141. In response, Facebook has agreed in principle to describe advertising more clearly in its Privacy Policy. Specifically, the company stated as follows: “Further description of the Facebook Ads system overall is still under development, as there are evolutions in the ways that Facebook is serving ads. We are dedicated to describing the difference between Social Ads and other Facebook Ads and full disclosure as to the collection and se of information for advertising purposes.” 142. Facebook objected in principle to recommendation 2 above on grounds that it was opposed to interruptive notices that disrupt the user experience. Nevertheless, the company agreed to configure its systems so as to “allow users who are particularly privacy sensitive to discover more information easily about site operations and to provide feedback on their concerns to Facebook.” The commission is concerned with Facebooks insufficient explanation of the difference between Facebook Ads and Social Ads, as well as what they see as an insufficient explanation of how personal information is used for advertising purposes. They recommend expanding the privacy policy to explain these, and use a pop up reminder to remind users that they information they are posting will be used in ads.
Facebook agrees to amend their privacy policy and create more in-depth explanations of how their advertising systems work, but
object to pop ups.
Section 4 – Third Party Applications
200. When I speak of limits to access, and especially when I consider the vast amounts of Facebook users’ personal information potentially available to large numbers of application developers, I believe something much more substantial in the way of safeguards is required. Specifically, I mean technological safeguards that will not simply forbid, but effectively prevent, developers’ unauthorized access to personal information that they do not need. 202. I find that Facebook does not have adequate safeguards in place to prevent unauthorized access to users’ personal information by application developers 203. On the question of consent, I find Facebook’s manner of seeking consent to be problematic in two ways. 204. First, the consent language that Facebook uses is excessively broad. […] Facebook is in effect telling users that whenever they add an application, they must consent to allowing access to almost anything and everything that the developer asks for. In my view, consent obtained on such a basis is meaningless. In the circumstances, the user’s meaningful consent to the collection and use of specified information should be sought at each instance of a user’s adding an application. 205. Second, technically, application developers’ receipt of users’ personal information through the Facebook API may be considered not only a collection by the developer, but also a disclosure by Facebook. Accordingly, Facebook has an obligation to ensure that users consent to such disclosure of their personal information. However, given Facebook’s platform as it relates to third party applications, Facebook can meet this obligation by taking reasonable measures to ensure and verify that application developers are obtaining meaningful consent on behalf of Facebook. 207[…] Facebook should take further steps to ensure that developers are well aware of the requirement to do so and that they comply with it. For one thing, Facebook should feature the requirement prominently in the Platform Guidelines and other instructions to developers, as well as in the SRR. For another, the company should develop a means of monitoring applications to ensure that developers are complying with the requirement to obtain consent. The company might even consider providing developers with a means of
explaining to users what information they need and why (possibly by adjusting the current template so as to provide space for such an explanation). 208. Another consent-related concern that I have is the fact that no specific consent is sought from users for the disclosure of their personal information to applications when their friends and fellow network members add applications. Facebook maintains that, through its privacy settings, users have an extensive ability to choose whether or not they will interact with any particular Facebook application and to block any particular application and opt-out of all Facebook applications in a simple way. However true this statement may be in theory, I would note that users’ “ability to choose” would depend on their being knowledgeable about developers’ practice of accessing and using third-party information when friends add applications. I would also note that the only way users can control the exposure of their personal information to application developers when their friends and fellow network members add applications is either to opt out of all applications altogether or to block specific applications. Moreover, the latter option would effectively require them to guess which of the more than 350,000 applications their friends and fellow network members are likely to add. 211. In my preliminary report, I recommended that Facebook consider and implement measures
(1) to limit application developers’ access to user information not required to run a specific application;
(2) whereby users would in each instance be informed of the specific information that an application requires and for what purpose;
(3) whereby users’ express consent to the developer’s access to the specific information would be sought in each instance; and
(4) to prohibit all disclosures of personal information of users who are not themselves adding an application. 212. In response, Facebook raised objections as noted in my findings above and in effect declined to implement the recommendations. The privacy commission had serious problems with the Facebook application model, stating that they require technological limits to access to user information through third party applications. Of particular note was the use of third party applications that could gather information about friends of users. The commission also states that the language used to explain this access is insufficient, and as such does not legally gain the consent of the user. Finally the commission recommends that Facebook should implement stricter third party guidelines and a monitoring system to make sure that third party developers are obeying said guidelines, including denying third party developers access to information that they don’t require for their application, informing users of the information a third party application will use, and prevent
all use of information about users who have not installed an application. Facebook initially objects completely, denying the request.
However on August 24th Facebook released a
press release that stated that they are: Increasing the understanding and control a user has over the information accessed by third-party applications. Specifically, Facebook will introduce a new permissions model that will require applications to specify the categories of information they wish to access and obtain express consent from the user before any data is shared. In addition, the user will also have to specifically approve any access to their friends’ information, which would still be subject to the friend’s privacy and application settings. So in the end,
Facebook as essentially agreed Section 6 – Collection of Personal Information from Sources Other than Facebook
249. In my preliminary report, I recommended that Facebook develop, institute, and inform users of a retention policy whereby the personal information of users who have deactivated their accounts will be deleted from Facebook’s servers after a reasonable length of time. 250. I also suggested, as best practice in the interest of clarity for users, that Facebook
(1) include an account deletion option, as well as an explanation thereof as distinct from account deactivation, on its users’ Account Settings pages; and
(2) include in its Privacy Policy an explanation of the difference between account deletion and account deactivation. 251. In response to my recommendation, Facebook objected on the following grounds:
“… [A] majority of deactivating users reactivate within weeks, and those who reactivate on a longer timeframe are generally expecting their social connections to be intact when they return. Because the option to delete data is present for users, and because of interdependencies on certain data, setting a firm date for erasing a user’s information without clear direction from them in this context would be inappropriate.” 252. The Act is clear that organizations must retain personal information only for as long as necessary to fulfil the organization’s purposes, that organizations should develop guidelines and implement procedures with respect to the retention of personal information, and that such guidelines should include minimum and maximum retention periods. While I acknowledge that the length of time an organization may retain personal information may vary depending on the circumstances, I do not consider it either necessary or reasonable in the present circumstances for Facebook to retain personal information indefinitely in deactivated accounts. 254. On a more positive note, however, I am pleased to acknowledge that Facebook has agreed to implement my second suggested best practice. Specifically, the organization as proposed to add the following wording to its Privacy Policy:
“Individuals who wish to deactivate their Facebook account may do so on the My Account page. Removed information may persist in backup copies for a reasonable period, but will not be generally available to members of Facebook. Individuals who wish to delete their accounts may use the attached form to submit their account for the deletion process, which may take several weeks to complete processing.” The commission finds that Facebook acts in opposition to the law by retaining accounts indefinitely and requests that Facebook implement an account deletion system, and an account deactivation system, then explains both in their privacy policy. Facebook refuses to implement a deletion option on the account settings page, but
agrees to implement an explanation of deactivation and a form that users can submit that will “submit their account for the deletion process”Section 7b – Accounts of Deceased Users
275. With regard to my first concern above, I would note that, along with its Terms of Use, Facebook also appears to have recently discontinued any adequate description of its practice of memorializing accounts. There is no mention of the practice in the new SRR, and I do not consider the Help section material on how to report “an account that needs to be memorialized” to be an adequate description of the practice itself or adequate notification to users generally. In my view, Facebook’s keeping a deceased user’s account active under special status for memorial purposes constitutes an intended use of the user’s personal information. As such it should be both well-documented and well communicated to users. The fact that Facebook no longer provides a good description of the practice in its Terms of Use is all the more cause for my
concern that such a description be included in Facebook’s Privacy Policy. 276. I find therefore that, with respect to informing individuals of its practice of account memorialization, Facebook is in contravention of 4.2.1, 4.2.3, 4.3.2, and 4.8. 281. In my preliminary report, I recommended that Facebook
(1) include in its Privacy Policy, in the context of all intended uses of personal information, an explanation of the intended use of personal information for the purpose of memorializing the accounts of deceased users; and
(2) provide, and notify users of, a means whereby they may opt out of Facebook’s intended use of their personal information for the purpose of memorializing accounts. 282. In response, Facebook has in effect declined to implement either recommendation, on the following grounds:
“We still do not believe that retaining data for the purpose of allowing users to remember their friends constitutes another use under PIPEDA, and in any event users are perfectly capable of using other means to express their wishes in this area. We also believe that it would be inappropriate to create a standard for handling information in this case that would be at variance with existing legal norms for the disposition of estate property.”
Facebook also noted that services around access to digital assets in the event of death are carried out by private vendors. 284. I will not insist upon Facebook’s implementation of my second recommendation. My first, however, remains. I would strongly urge Facebook to reconsider it. The commission finds that memorialization of accounts is improperly explained, and requests that Facebook provide better description and an option to opt out of memorialization.
Facebook agrees to better explain memorialization in their privacy policy
but refuses to allow an opt out.
Section 8 – Personal Information of Non-users
308. The “Invite New Friends” email invitation feature is also an activity by Facebook. Facebook maintains that it provides this service for the use of its users, but clearly the service also helps Facebook gain new members and thereby increase its ability to generate revenue. 309. In my view, therefore, Facebook should assume some responsibility for seeking consent in these contexts. The question is, what kind of responsibility– 311. I continue to believe that responsibility for consent should begin to apply at the point in the tagging process where Facebook actively solicits non-users’ email addresses from users with the intention of using them for purposes of its own. 312. Furthermore, Principle 4.3 states that the knowledge and consent of the individual are required. For situations where one party collects from a second party the personal information of a third, our Office has determined in previous cases that, depending on the circumstances, it may be deemed incumbent on the second party (in this case, the Facebook user) to directly obtain the consent from the third (in this case, the non-user). We have also determined in such cases that the first party (in this case, Facebook), though not responsible for directly obtaining consent, must nevertheless take reasonable measures to ensure that consent is obtained by the second party. In other words, the first party must exercise due diligence to ensure that the requirement for consent is met. 313. I believe that reasonable due diligence in the circumstances would consist in taking appropriate steps to ensure that users are well aware that they must obtain non-users’ consent before disclosing their email addresses to Facebook. This would mean not only informing users clearly of the consent requirement in the Privacy Policy, but also notifying them of the requirement at each instance of disclosing non-users’ email addresses to Facebook. It would also mean enforcing punitive measures to deal with users who are found to be in violation of the consent requirement. 317. In my preliminary report, I recommended that Facebook
(1) consider and implement measures to address our concerns about nonusers’ lack of knowledge of, and consent to, their being tagged in photographs;
(2) consider and implement measures to improve its invitation feature so as to address our Office’s concerns about non-users’ lack of knowledge and consent to Facebook’s collection, use, and retention of their email addresses; and
(3) set a reasonable time limit on the retention of non-users’ email addresses or purposes of tracking invitation history and the success of the referral program. 318. In response to my first and second recommendations, Facebook declined to implement on the following grounds:
“… Facebook believes we continue to provide significantly greater notice to nonusers as to the presence of any information about them on our site than does any other site on the web. If a nonuser wishes to block further notifications, we honor that request, and data is otherwise retained at the direction of the user who uploaded it initially, making action Facebook would take to delete the data inappropriate without an intervening action by the person who uploaded it in the first place.” 319. As to the practice of tagging non-users, Facebook commented as follows:
“With regard to photographs in particular, Facebook’s tagging infrastructure offers users more notice than they get on other websites as to the presence of a photograph they may want to review. While on most sites a picture of an individual can be uploaded and they may have no idea of its presence, Facebook provides a means for them to be notified and to get in touch with the person who uploaded the photo if they have an objection. For non-users, this can be done by adding an e-mail address to a tag. Furthermore, we have designed the tagging infrastructure to allow removal of tags by the individual tagged, and for blocking of further emails if the recipient so desires.” 320. Over all, Facebook has argued that non-user data is the responsibility of the user who uploads it, that the photo tagging and invitation features constitute personal uses by users themselves, and Facebook provides non-users with better notice than any other website about the presence of their data on the site. 321. As was also the case with my other recommendation relating to retention, Facebook made no direct response to my third recommendation above. The commission notes that as Facebook has a financial interest in the collection of emails of potential users, and as such shares some responsibility when emails are collected without the consent of the third party. It recommends that Facebook implements measures to inform users that they must have permission, and punish them when they invite people who don’t.
Facebook refuses Section 10 – Monitoring for Anomalous Activity
367. Facebook openly acknowledges that it monitors the site for anomalous behaviours. However, whereas the former Terms of Use both set out types of prohibited behaviours and informed users that it monitored the site for these behaviours, the new SRR is silent about the practice of monitoring. Moreover, the Privacy Policy contains no mention of the practice. Indeed, at present only a single sentence in the site’s Safety section implies, but does not explicitly state, that Facebook monitors users’ activities. 368. While I do not find the practice to be unreasonable or inappropriate in itself, in consideration of the Principles cited above I am concerned that Facebook is not making a reasonable effort to document it and inform users of it. 370. In my preliminary report, I recommended that Facebook include in its Privacy Policy an explanation of its practice of monitoring its site for anomalous activity. 371. In response, Facebook has proposed to include the following wording in its Privacy Policy:
“To improve the security of the site, Facebook uses a variety of technological systems to detect and address anomalous activity that may be undertaken by users. This may on occasion result in a temporary or permanent suspension of some functions for some users on the Facebook service.” Facebook monitors users of anomalous activity, but according to the privacy commission does not describe this monitoring properly in its privacy policy.
Facebook agrees to make changes to their privacy policy Really the list of changes aren’t that broad, and most of it is just touching up Facebooks privacy policy. However, major changes include a revamped orbject privacy settings system with granular control, and new restrictions on third part developers. Also you can now delete your account, though it takes several weeks and you have to submit a request form to do it. Still, it’s impressive to see how a country once regarded as “the candy store” because its audience was to small to subsist on, can have profound effects on the world with well enacted privacy legislation.