Findings under the Personal Information Protection and Electronic Documents Act (PIPEDA)

PIPEDA Report of Findings #2011-005

Facebook authentication practices reasonable, investigation finds

The complainant alleged that Facebook collected more personal information than was necessary as a condition for granting her access to her Facebook account.

As well, she alleged that Facebook did not provide her with the opportunity to address a challenge to the organization’s compliance with the principles of the Personal Information Protection and Electronic Documents Act (PIPEDA) to the designated individual(s) responsible for compliance.

The Office concluded that both complaints were not well-founded.

Facebook had clearly informed its users of the purpose of the collection, namely that the collection of personal information is a security measure used to ensure that the user is a real person with one Facebook account. Facebook also offered its users various options for confirming their identity.

On the issue of challenging compliance, Facebook provided a web form at the beginning of its privacy policy that allowed users to complain to Facebook about a privacy issue. As such, the Office found that Facebook’s privacy complaint procedures were accessible and easy to use.

Lessons Learned:

  • In some cases, organizations may require information to confirm the identities of their users. However, organizations should provide users with a variety of means through which they can authenticate their identities; and it is important to provide options that correspond to different levels of disclosure to ensure that the user’s privacy rights are respected.
  • Organizations must provide privacy complaint procedures that are easily accessible and simple to use.

Complaint under the Personal Information Protection and Electronic Documents Act (the Act)

  1. The complainant alleges that Facebook Inc. (“Facebook”) collected more personal information than was necessary for the identified purposes as a condition for granting her access to her Facebook account.
  2. The complainant also alleges that Facebook did not provide her with an opportunity to raise a challenge to the organization’s compliance with the principles of the Act to the designated individual(s) accountable for the organization’s compliance.

Summary of Investigation

Limiting Collection

  1. The complainant created a personal Facebook account in September 2010. She alleges that she was able to use her Facebook account for a few days, but was then required to provide her mobile phone number to confirm her identity to be able to access her account again.
  2. The complainant alleges that since she did not have a mobile phone number, she was unable to confirm her identity with Facebook. She also states that she tried to gain access to her account by resetting her password, but was still required to provide her mobile phone number. The complainant was only able to access her Facebook account after she provided a mobile phone number.
  3. In its representations, Facebook describes how it uses mobile phone numbers as part of its account verification process. Facebook informs our Office that this process is used when a Facebook account is flagged due to suspicious botnet or spam-related activity.
  4. To verify an account using a mobile phone, a Facebook user provides his/her mobile phone number to Facebook by typing it into the browser, and a short numeric code is then sent to that phone number via text message. Once the user enters the numeric code on Facebook, he/she is able to access his/her Facebook account.
  5. Facebook informs our Office that once a user associates his/her mobile phone number with his/her Facebook account, the user will be able to receive security-related notifications from Facebook via his/her mobile phone. For example, a user could be notified by text message if his/her account has been accessed on an unknown device. Facebook states that a user can opt out of receiving such notifications. In addition to receiving notifications, a user could reset his/her password from his/her mobile phone, if necessary.
  6. According to Facebook, the mobile phone number is stored in the user’s account for the period of time that he/she decides to maintain an account with Facebook or until he/she decides to remove the mobile phone number from his/her profile. The user’s mobile phone number appears in the user’s contact information and can be deleted if and when the user decides to. A user can also control whether his/her mobile phone number appears on his/her profile through Facebook’s Privacy Settings.
  7. Facebook notes that if a second Facebook account is created and linked to the same mobile phone number, the Facebook account may be flagged as potentially being in violation of Facebook’s Statement of Rights and Responsibilities. The account may then be disabled by Facebook pending verification that the user has access to the mobile phone number associated with his/her account.
  8. In its Help Centre, Facebook notifies its users that the goal of the account verification process is to confirm that a real person is behind the account and to ensure that Facebook remains a community of people using their real identities to connect and share.
  9. Facebook argues that verification by e-mail address would not be as effective as verification by mobile phone in accomplishing the purpose of detecting fraudulent accounts or other activity that violates Facebook’s Statement of Rights and Responsibilities. Facebook claims that, unlike mobile phone numbers, e-mail addresses are easy for spammers to create and use. Further, it is easy to create multiple e-mail addresses from various free e-mail services.
  10. During its internal investigation, Facebook determined that the complainant’s account was flagged for further verification through their ongoing fraud detection and monitoring program as a result of activity that appeared consistent with an attempt at creating multiple accounts, which is a violation of Facebook’s Statement of Rights and Responsibilities.
  11. Facebook states that verification by mobile phone is only one option for verification of a Facebook account. The user could also confirm the names of his/her Facebook friends by identifying those tagged in photographs posted on Facebook. As well, the user could verify his/her account by providing the full name on the Facebook account, date of birth and login e-mail address, and by uploading a government-issued ID on which his/her full name, date of birth and photo are clear. Facebook notes that it encourages users to sever any personal information on the government-issued ID that is not needed to verify their identity.
  12. Facebook argues that it provided the complainant with the option of using an alternate method to verify her account, but did not identify which alternative she was presented with.

Challenging Compliance

  1. In addition to her collection complaint, the complainant alleges that Facebook did not allow her to address a challenge concerning compliance with the principles of the Act to the designated individual(s) accountable for the organization’s compliance.
  2. The complainant alleges that she sent several e-mails to Facebook customer services, and to other services with respect to the confirmation of her identity, but only received automated messages from Facebook directing her to use the Facebook Help button.
  3. The complainant also claims that she contacted Facebook and outlined the problems she encountered with her account, namely that her account seemed to be disabled. The evidence indicates that Facebook replied with an automated message with instructions on how to confirm the ownership of her account.
  4. In another e-mail, the complainant informed Facebook that even though her account seemed to be disabled, her friends were still able to post on her “wall”. The complainant stated that she continued to receive notifications via e-mail every time something was posted on her wall, but could not control what was posted as she could not access her account. In response, Facebook provided the complainant with the procedure to reactivate her account. However, when the complainant completed the steps, she was still unable to access her account.
  5. Upon our Office’s intervention in the matter, Facebook conducted an investigation and discovered that there were two accounts associated with the complainant’s e-mail address: a disabled account and her active account. Facebook admitted that the error was caused by a bug in its system. To resolve the issue, Facebook disassociated the e-mail address with the disabled account and informed the complainant that her problem had been solved.
  6. The complainant confirms that she now has full access to her Facebook account.
  7. In its representations, Facebook submits that it has various contact forms for privacy questions and comments. Facebook states that the privacy-related contact forms are routed to their user operations privacy team, which handles user comments, concerns, questions and complaints related to Facebook’s privacy policy and to privacy issues related to their platform. Also, Facebook informs our Office that its privacy team regularly meets with the legal team and may escalate users’ concerns as necessary, including to their Chief Privacy Counsel.
  8. Furthermore, Facebook’s privacy policy notes that an individual can submit a privacy complaint against Facebook via TRUSTe’s Watchdog Dispute Resolution Process. TRUSTe’s Privacy Seal program ensures that its member websites, including Facebook, protect the privacy of its users’ personal information. TRUSTe also relies on the vigilance of users to keep members accountable. TRUSTe provides users with an online Watchdog Dispute Resolution Form, which allows them to report violations of posted privacy statements and specific privacy concerns pertaining to TRUSTe member websites.

Application

  1. In making our determinations, we applied subsection 5(3) of the Act and Principles 4.3.3, 4.4, 4.10 and 4.10.2 of Schedule 1 of the Act.
  2. Subsection 5(3) states that an organization may collect, use or disclose personal information only for the purposes that a reasonable person would consider are appropriate in the circumstances.
  3. Principle 4.3.3 states that an organization shall not, as a condition of the supply of a product or service, require an individual to consent to the collection, use, or disclosure of information beyond that required to fulfil the explicitly specified and legitimate purposes.
  4. Principle 4.4 states in part that the collection of personal information shall be limited to that which is necessary for the purposes identified by the organization.
  5. Principle 4.10 states in part that an individual shall be able to address a challenge concerning compliance to the designated individual(s) accountable for the organization’s compliance.
  6. Principle 4.10.2 states that organizations shall put procedures in place to receive and respond to complaints or inquiries about their policies and practices relating to the handling of personal information. The complaint procedures should be easily accessible and simple to use.

Findings

Issued September 26, 2011

Limiting Collection

  1. In general, organizations authenticate users’ identities prior to granting access to their systems and/or computer applications or prior to providing personally identifiable information in person or on the telephone, to ensure protection and legal compliance. Authentication of individuals invariably involves the collection of personal information about the individual and may include sensitive information depending on the method of authentication used.
  2. When an account is flagged for suspicious activity, Facebook requires authentication to confirm that a real person is behind the account and to ensure that Facebook remains a community of people using their real identities to connect and share, as per its Statement of Rights and Responsibilities.
  3. To achieve its purpose, our Office finds it reasonable that Facebook uses a mechanism that allows the authentication of its users, avoids botnet and spam-related activity, and considers the sensitivity of the personal information being protected.
  4. We note that Facebook clearly informs its users of the purpose of the collection, namely that the collection of personal information is a security measure used to ensure that the user is a real person with one Facebook account. Further, we find that this purpose will serve to protect users’ privacy and the integrity of their account.
  5. In this case, Facebook provides users with a choice of authentication. Each option for authentication corresponds to a different level of privacy invasiveness. The least privacy invasive form of authentication is the one which requires users to confirm the names of their friends on Facebook by identifying those tagged in photographs posted on Facebook.
  6. After reviewing the evidence, we find that Facebook’s verification procedure responds to a need to confirm the identity of the user when Facebook finds suspicious activity on an account, and to provide a safe community experience. Because Facebook offers a variety of choices for authentication, our Office finds that Facebook does not require the user to consent to the collection of personal information beyond that which is required to fulfil the purposes.
  7. However, while Facebook offers different methods of user authentication, the complainant alleges that she was not offered an alternative to confirm her identity, but was required to provide Facebook with her mobile phone number to verify her identity.
  8. Upon review of the screenshot that the complainant provided our Office, it is clear that the complainant was asked to provide her mobile phone number and to add it to her account to confirm her identity. The screenshot does not appear to provide any other options with which to achieve the same purpose. However, our Office is not convinced that this screenshot was not part of a sequence of pages introducing the need to confirm the user’s identity and the alternatives to do so.
  9. Overall, our investigation confirmed that Facebook uses at least three (3) methods to verify the identity of the user: (1) by providing his/her mobile phone number; (2) by confirming the names of the user’s Facebook friends; and (3) by uploading a government-issued ID. Facebook claims that these options were presented to the complainant. After considering the evidence, we find that it is more than likely that the complainant was presented with alternative methods for authentication.
  10. Therefore, we find that a reasonable person would find it appropriate and expect Facebook to verify and authenticate the user if it is suspicious about the account activity. Further, we find that the personal information collected is limited to that which is necessary for the purpose identified by Facebook. Thus, we find that Facebook did not contravene subsection 5(3).
  11. Accordingly, there is insufficient evidence to support the complainant’s allegation that she was denied service due to a lack of other options to confirm her identity. Therefore, we cannot find that Facebook failed to comply with Principles 4.3.3 and 4.4.

Challenging Compliance

  1. During our investigation, we found that Facebook’s privacy policy indicates that an individual may inquire about the policy by contacting Facebook by mail and/or contacting its privacy team through the help page. Also, Facebook’s privacy policy notes that an individual may submit a complaint via TRUSTe’s Watchdog Resolution Process, which allows users to report violations of posted privacy statements and specific privacy concerns pertaining to TRUSTe’s member websites.
  2. Although Facebook appears to make contact pages available to help resolve the issues that its users may have, it appears that some Help pages are only accessible after the user logs into his/her account. Clearly, this feature can be of little assistance to users, like the complainant, who are unable to access their accounts.
  3. The complainant has not confirmed whether she contacted Facebook with regard to her privacy concerns. All of her e-mails to Facebook concern the technical issue she encountered with accessing her account. In response, Facebook Support described the procedure through which the complainant could reactivate her account. However, the complainant was unable to reactivate her account and Facebook rectified the problem only after our Office intervened.
  4. While the complainant faced difficulties in resolving her technical issues with Facebook, these issues are not related to the privacy aspect of collecting a mobile phone number so that Facebook could confirm her identity.
  5. According to Principle 4.10.2 of the Act, Facebook is required to provide complaint procedures for challenging compliance that are easily accessible and simple to use. Our investigation established that Facebook provides a web form at the beginning of its privacy policy that allows users to complain to Facebook regarding a privacy issue. As such, it appears that Facebook has procedures in place that are accessible and easy to use.
  6. Although the treatment of the complainant’s technical issues was less than ideal, our Office is not convinced that the confusion the complainant faced suggests that Facebook does not have easily accessible and simple-to-use complaint procedures related to privacy.
  7. The evidence indicates that Facebook provides users with mechanisms to address challenges with compliance, and has procedures in place that are “easily accessible and simple to use”. Therefore, our Office finds that Facebook has met its obligations under Principles 4.10 and 4.10.2.

Conclusion

  1. Accordingly, it is concluded that both the limiting collection and challenging compliance complaints are not well-founded.