
ARCHIVED - Backgrounder

Facebook investigation follow-up complete


OTTAWA, September 22, 2010 – The Privacy Commissioner of Canada has completed a follow-up review related to her Office’s investigation of the privacy practices and policies of the social networking site Facebook last year.  The following is a summary of the investigation and the Office’s follow-up work.

Background

The investigation was prompted by a wide-ranging complaint filed with the Office of the Privacy Commissioner of Canada by the Canadian Internet Policy and Public Interest Clinic (CIPPIC), a public advocacy group.

The investigation was conducted under the Personal Information Protection and Electronic Documents Act, or PIPEDA, Canada’s federal private-sector privacy law.

In July 2009, the Privacy Commissioner concluded her Office’s investigation and determined that:

  • Four issues raised by the complaint were dismissed as not well founded;
  • Four were well founded but considered to be resolved after Facebook agreed to make specific changes to its policies or practices; and
  • A further four aspects of the complaint were well founded and remained unresolved.

The Commissioner stated that her Office would review after 30 days the actions Facebook took to comply with the recommendations and would then consider going to Federal Court to seek to have her recommendations enforced.

A month later, in August 2009, the Commissioner was able to announce that, following extensive discussions, Facebook had made a number of commitments to resolve the outstanding privacy concerns.  Those changes were to be implemented over a one-year period and progress would be tracked by the Privacy Commissioner’s Office.  As a result of Facebook’s undertakings, the outstanding issues were considered resolved. At that point, the investigation was officially closed.

The full investigation report is available at http://www.priv.gc.ca/index_e.cfm.

Timeline

May 2008 – Canadian Internet Policy and Public Interest Clinic files complaint.

July 2009 – Privacy Commissioner announces her investigation has identified a number of privacy concerns related to the Facebook site and that some of those issues remain unresolved.  She asks Facebook to respond to those concerns within 30 days.

August 2009 – Facebook agrees to make a series of changes in order to address the Commissioner’s concerns.  Facebook and the Commissioner’s Office set a one-year timetable for implementing these changes.

September 2010 – Privacy Commissioner announces that her review of the changes Facebook has implemented as a result of her investigation is complete and that the issues have been resolved to her satisfaction.

Investigation Issues and Follow-up

The investigation highlighted eight issues of concern to the Privacy Commissioner’s Office.

The two major issues – default privacy settings and third-party applications – were the most time-consuming to resolve, in large part because the required changes were more onerous from a technical point of view. The six remaining issues involved changes to the privacy policy and other language on the site.  The Office asked Facebook to provide users with more detailed and understandable explanations of its practices and to clarify users’ responsibilities in using the site. 

The issues of concern and the changes Facebook has implemented in response are detailed below.

1. Third-party Application Developers

The sharing of personal information with third-party developers creating Facebook applications such as games and quizzes raised serious privacy risks and was a focus of the investigation. With hundreds of thousands of developers around the globe, the Office was concerned that, at the time of the investigation, Facebook had no technical safeguards to effectively restrict those developers from accessing users’ personal information, along with information about their online “friends.” Moreover, users were not informed of the information that applications were accessing and why.

Facebook has now retrofitted its application platform in a way that will prevent any application from accessing information until it obtains express consent for each category of personal information it wishes to access. Under the new permissions model, users adding an application are advised that the application wants access to specific categories of information.  Users are asked to click “Allow” if they consent to the sharing of those specified categories of data.

The Privacy Commissioner’s Office developed a test application and confirmed that an application can only access the categories of personal information it had specified it required in order to run – and that it can do so only after the user clicks “Allow.”
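The two checks the Office’s test application exercised (an application cannot read a category it never declared, and cannot read a declared category until the user has clicked “Allow”) are shown below as an added illustration in Python. This is not Facebook’s code and not the Office’s test application; the category names, the manifest/consent-store structure and the sample profile are assumptions made for the example. The example also clamps a consent response to the declared manifest, so a tampered “Allow” cannot widen a grant beyond what was asked for.

```python
from dataclasses import dataclass, field
from enum import Enum


class Category(str, Enum):
    """Categories of personal information an app can request (assumed names)."""
    BASIC_PROFILE = "basic_profile"
    EMAIL = "email"
    PHOTOS = "photos"
    FRIENDS = "friends"


class ConsentError(Exception):
    """Raised when an app reads a category the user has not consented to."""


@dataclass(frozen=True)
class AppManifest:
    """What the app declared it needs in order to run. This is the ceiling:
    nothing outside `requested` can ever be granted to it."""
    app_id: str
    requested: frozenset


@dataclass
class ConsentStore:
    """Per (user, app) record of the categories the user clicked 'Allow' for."""
    _grants: dict = field(default_factory=dict)

    def prompt(self, user_id: str, app: AppManifest) -> list:
        """Categories to display on the consent screen, in a stable order."""
        return sorted(app.requested, key=lambda c: c.value)

    def allow(self, user_id: str, app: AppManifest, approved) -> frozenset:
        """Record consent. Categories not in the manifest are dropped, so a
        tampered consent response cannot grant more than was declared."""
        granted = frozenset(approved) & app.requested
        self._grants[(user_id, app.app_id)] = granted
        return granted

    def revoke(self, user_id: str, app: AppManifest) -> None:
        self._grants.pop((user_id, app.app_id), None)

    def granted(self, user_id: str, app: AppManifest) -> frozenset:
        return self._grants.get((user_id, app.app_id), frozenset())


class DataApi:
    """The platform-side read path: every read is gated on both checks."""

    def __init__(self, store: ConsentStore, profiles: dict):
        self._store = store
        self._profiles = profiles

    def read(self, app: AppManifest, user_id: str, category: Category):
        # Check 1: the app declared this category up front.
        if category not in app.requested:
            raise ConsentError(f"{app.app_id} never declared {category.value}")
        # Check 2: the user actually clicked Allow for it.
        if category not in self._store.granted(user_id, app):
            raise ConsentError(f"{user_id} has not allowed {category.value}")
        return self._profiles[user_id][category]


# Constructed sample profile for the demonstration (not real data).
PROFILES = {
    "alice": {
        Category.BASIC_PROFILE: {"name": "Alice Example"},
        Category.EMAIL: "alice@example.com",
        Category.PHOTOS: ["album-1"],
        Category.FRIENDS: ["bob"],
    }
}


def _attempt(api, app, user_id, category):
    try:
        api.read(app, user_id, category)
        return "allowed"
    except ConsentError:
        return "denied"


def demo() -> dict:
    """Walk a quiz app through the consent flow and record each outcome."""
    store = ConsentStore()
    api = DataApi(store, PROFILES)
    quiz = AppManifest("quiz", frozenset({Category.BASIC_PROFILE, Category.EMAIL}))
    out = {}
    out["before_allow"] = _attempt(api, quiz, "alice", Category.BASIC_PROFILE)
    # User sees the prompt listing basic_profile and email, clicks Allow on both.
    store.allow("alice", quiz, store.prompt("alice", quiz))
    out["after_allow_email"] = api.read(quiz, "alice", Category.EMAIL)
    # PHOTOS was never in the manifest: denied regardless of consent state.
    out["undeclared"] = _attempt(api, quiz, "alice", Category.PHOTOS)
    # Tampered consent response tries to add PHOTOS; only EMAIL survives.
    granted = store.allow("alice", quiz, [Category.EMAIL, Category.PHOTOS])
    out["tampered_grant"] = sorted(c.value for c in granted)
    out["narrowed"] = _attempt(api, quiz, "alice", Category.BASIC_PROFILE)
    store.revoke("alice", quiz)
    out["revoked"] = _attempt(api, quiz, "alice", Category.EMAIL)
    return out


if __name__ == "__main__":
    for step, result in demo().items():
        print(f"{step}: {result}")
```

The point of keeping both checks in the read path, rather than trusting the consent screen, is that the manifest bounds what the user can be asked for and the grant record bounds what the app can read; neither the app nor a modified client response can move either boundary.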

The Privacy Commissioner is satisfied that these changes are in line with Facebook’s commitments and meet the requirements of Canadian privacy legislation.

2. Default Privacy Settings

During the investigation, the Privacy Commissioner’s Office raised concerns that privacy settings were not transparent and accessible enough to users.  In response, Facebook undertook to implement significant changes in order to bring its practices in line with Canadian privacy law.  Those changes included:

  • Allowing users to select a low, medium or high privacy setting;
  • A per-object privacy tool permitting users to set an “easily configurable setting on every piece of content at the time of uploading or other sharing”;
  • A privacy tool that would be presented to all users and encourage them to review their privacy settings; and
  • A privacy tour for new users which would explain privacy settings.

Facebook honoured its commitment to make its privacy settings easier to understand and use. Users can now refer to a privacy guide which explains privacy settings and is accessible from every Facebook page. Privacy settings are also better explained in Facebook’s privacy policy. 

The per-object privacy tool has been fully implemented. Facebook introduced simplified privacy settings allowing users who want to restrict access to their personal information to set their privacy settings to “Friends” with one click. Also noteworthy is the fact that users have been required to confirm their privacy settings following the December 2009 site redesign.

However, a series of other changes to the site after the investigation have also had an impact on the privacy of Facebook users and made the Commissioner’s follow-up work more complex.

  • “Everyone”

After the investigation was concluded, Facebook introduced new privacy controls which expanded the meaning of its “Everyone” privacy setting.  While the old definition referred to allowing everyone on Facebook to see specified information, the new definition allows everyone on the Internet to have access to it.

In its investigation report, the Commissioner’s Office had recommended that default settings for both photo albums and public search listings be more restricted. However, both still default to the most open setting.

In the case of photo albums, the privacy concerns were mitigated to a large extent by Facebook’s new per-object privacy tool.  The question of default settings for public search listing was more complex to assess because of significant changes to the site since the complaint was filed in May 2008.  Ultimately, the Commissioner determined this issue to be outside the scope of the follow-up process for this investigation.

  • Openness of Personal Information

The Privacy Commissioner has also advised Facebook that she has concerns about post-investigation changes making the site more open.  In December 2009, Facebook introduced changes that meant users could not restrict public access to certain categories of personal information.  After the Commissioner expressed concern about this change, those categories were scaled back.  Initially, there were seven categories of information that could not be protected with privacy settings.  Those were scaled back to four categories (name, profile picture, gender and networks), and Facebook has confirmed plans to phase out networks.

While the rollback was encouraging, the Commissioner has advised Facebook that she remains uneasy about Facebook’s future plans for this category of information and encouraged the site to refrain from expanding it.

3. Privacy Policy / Language Issues

The Privacy Commissioner’s concerns about how Facebook presented information related to:

  • Date of birth

Facebook implemented a recommendation to provide users with information about why birth dates are required when registering.

  • Advertising

Facebook implemented a recommendation to expand its description of how advertising works on the site in its privacy policy.  It now explains how personal information is used to target ads. While the Commissioner considers this matter to be resolved, she noted that Facebook’s targeted advertising model changed significantly since the complaint was made.

  • Account deactivation and deletion 

Facebook had been providing confusing information about the distinction between account deactivation – whereby personal information is held in digital storage – and deletion – whereby personal information is actually erased from Facebook servers to the extent that is possible. Facebook now makes it clear in its privacy policy that users have the option of either deactivating their account or deleting their account.

  • Accounts of deceased users

Facebook has changed the wording in its privacy policy to explain the circumstances under which it will keep a user’s profile online after death so that friends can post comments and pay tribute.

  • Personal information of non-users

The Office recommended that Facebook better protect the privacy of non-users invited to join the site. Facebook now includes more information in its terms of use statement.

  • Monitoring for anomalous activity

Facebook implemented a recommendation to explain the practice of monitoring for anomalous activity in its privacy policy.

Next Steps / New Investigations

The Office of the Privacy Commissioner’s work with Facebook on other issues will continue. The Facebook site is constantly evolving.  The Office is following the changes on Facebook and other social networking sites and will take action if it believes there are potential new violations of Canadian privacy law.

As well, the Office has received several further complaints about issues that were not part of the initial investigation and is now examining those.  As a result of those complaints, the Office has opened investigations that are examining Facebook’s invitation feature (the process by which Facebook suggests friends to new users) and Facebook social plug-ins (the Facebook “Like” buttons that other websites can add to their sites).  These investigations are ongoing and the Privacy Commissioner’s Office is not in a position to comment on them at this time.

For more information (media only), please contact:

Office of the Privacy Commissioner of Canada
Anne-Marie Hayden
Tel: (613) 995-0103
E-mail: Anne-Marie.Hayden@priv.gc.ca