Backgrounder

Facebook Investigations Finding Details

Friend suggestions

Three individuals filed complaints after receiving emails inviting them to join Facebook. These invitations included “friend suggestions” – a list of Facebook users who, in most cases, were people the complainants knew. Without any explanation about how the suggestions were generated, the individuals (who had no prior relationship with the site) were concerned that Facebook may have inappropriately accessed their electronic address books.

The investigation, however, did not find evidence that Facebook was accessing the complainants’ address books. Rather, friend suggestions are generated from information drawn from address books uploaded by existing Facebook users.

When the complaints were filed, invitations provided little information about the process for providing friend suggestions. They also lacked a clear feature enabling recipients to opt-out of receiving further messages, or of having their email address used to generate friend suggestions.

During the investigation, the company agreed to make a number of changes following discussions with our Office along with another international data protection office, which had related concerns. In particular, Facebook added a more user-friendly method to opt out of receiving friend suggestions or any further messages. As well, it removed friend suggestions from initial invitations and only sent these in subsequent reminders.

Social plug-ins

Social plug-ins allow users to see content on other web sites drawn from their Facebook profiles. These include “Like” and “Recommend” icons. For example, logged-in Facebook members visiting a news website may see a list of articles recommended by their friends.

The complainant in this case was concerned about the potential exchange of information between Facebook and the two million-plus websites which host such social plug-ins. The investigation found no evidence that Facebook collected or used the personal information of non-users, or of users who are logged out of their accounts, when visiting a webpage hosting a social plug-in.

With respect to Facebook users visiting a webpage with a social plug-in while logged in to their accounts, our investigation revealed that although Facebook did collect personal information from such users, the company was adequately describing social plug-ins in order to obtain informed consent. As well, users who don’t wish to receive personalized content were able to log out of Facebook prior to accessing websites with social plug-ins.

Authentication

The third investigation stemmed from a complaint alleging that Facebook collected more personal information than was necessary as a condition for granting access to a Facebook account. It was also alleged that Facebook didn’t provide the opportunity to address a challenge to its compliance with the principles of PIPEDA to Facebook’s designated individual responsible for compliance.

The investigative findings note that organizations may require information to confirm the identities of users, but should provide users with a variety of means through which they can authenticate their identities. On the issue of challenging compliance, it was found that Facebook provided a web form at the beginning of its privacy policy allowing users to complain about a privacy issue.

In this case, Facebook clearly explained the security purposes for which it needed the personal information and offered users various options for confirming their identity. It was also found that the site’s privacy complaint procedures were accessible and easy to use.