Privacy and the Worldwide Web: How the OPC Investigation of Facebook made Worldwide Waves

This page has been archived on the Web

Information identified as archived is provided for reference, research or recordkeeping purposes. It is not subject to the Government of Canada Web Standards and has not been altered or updated since it was archived. Please contact us to request a format other than those available.

Remarks at the IAPP KnowledgeNet session

October 7, 2009
Ottawa, Ontario

Address by Elizabeth Denham
Assistant Privacy Commissioner of Canada

(Check against delivery)


Introduction

Good afternoon, Bonjour à tous, and thank you very much for that warm welcome.

It is a great pleasure to share an afternoon of discussion with fellow privacy professionals and, in particular, to be able to relive with you one of the defining events of the Office of the Privacy Commissioner of Canada.

The story I’ve been asked to recount for you is our Office’s investigation of the privacy policies and practices of Facebook, a U.S.-based social networking colossus with global reach.

It’s a story I’m always delighted to tell, because it’s a tale of triumph for privacy.

And I suggest to you that if there is one lesson to be drawn from our experience, it’s this: Even in the most public of forums – and it doesn’t get more public than the Internet – privacy matters.

From our perspective as Canada’s privacy guardian, the goal was never to stand in the way of social networking, a phenomenon that engages hundreds of millions of people in Canada and around the world.

Our aim was merely to underscore that, even when we choose to share portions of our lives with others online, we do not extinguish our rights to control our personal information.

But controlling our personal information is only possible if we, as users, are able to provide meaningful consent to the collection, use and disclosure of our personal information. And that consent is only meaningful if it is truly informed by accessible and understandable information.

And so social media – whether that’s Facebook, MySpace, LinkedIn or the federal government’s GCPedia – have an obligation to ensure that users have the means to control their personal information, just as users have a duty to read, understand and apply the settings and tools available to secure their own privacy.

Overview of Facebook Case

The Facebook story begins in May 2008 when representatives of CIPPIC, the University of Ottawa’s Canadian Internet Policy and Public Interest Clinic, submitted to us a 35-page complaint about 24 aspects of Facebook’s privacy policies and practices.

In response, we launched what turned out to be the world’s first full-scale probe of this social networking giant.

The investigation was of unparalleled scope and complexity for our Office. We created a team of two investigators dedicated to the file pretty much full-time. They were backed as necessary by a lawyer, and were able to draw upon help from our policy, research and communications groups. We also hired a software engineering firm to look at the specific and highly technical aspect of the complaint that related to Facebook Mobile.

I am pleased to say that Facebook co-operated with us throughout the effort, so that many issues were resolved in the course of the investigation.

Even so, we could not reach agreement on a handful of concerns.

In mid-July of this year, we went public with my investigative findings, drawing attention from media, privacy experts and Internet observers around the world.

Following our report, Facebook had 30 days to respond to my recommendations, a period characterized by extensive discussions and negotiations between our Office and the company.

Finally, in late August, we were able to announce that Facebook had agreed to undertake comprehensive policy and technical changes that would address our concerns and enhance user privacy.

What’s more, Facebook pledged that the strengthened safeguards would apply across its global operations, thus extending the benefits to all 300 million users worldwide.

The entire process was scrutinized and commented on around the world. An analysis commissioned by our Office determined that, between July 14th and September 9th, there had been well over 3,000 print articles, broadcast stories, online news reports, blogs and tweets, informing the world about the case.

The conventional media alone reached an estimated 77 million people.

According to the analysis, the coverage, both traditional and online, was universally positive. In fact, to our surprise, there was little or no objection in the U.S. media to what we had to say.

Our investigation was widely touted as a victory for the ‘little guys,’ whether that was our small Office, Canada, or the university students who filed the original complaint.

In fact, however, it was a victory for privacy and for users of social networking sites – not just in Canada but around the world.

Context

Even so, the investigation was not without controversy, as some critics questioned the logic of insisting on privacy in a forum where people post personal words and photos for viewing by friends, friends of friends – and, in many cases, complete strangers.

But with 12 million Canadians now on Facebook, we felt our investigation would shed invaluable light on the privacy issues raised by social media.

One key objective was to clarify the distinction between what people choose to do with their personal information, and what the social networking site does with it.

Facebook users decide what information they want to post about themselves on the site. That information does not fall under the Personal Information Protection and Electronic Documents Act, the private-sector privacy law.

However, the moment Facebook uses that information for commercial purposes, the law applies. From our standpoint, two key principles of PIPEDA kick in at this juncture:

One, the commercial entity is obliged to obtain from users meaningful and informed consent for the collection, use and disclosure of their personal information, and two, the entity becomes responsible for safeguarding the data in its possession.

I want to mention that PIPEDA, which is based on principles rather than prescriptive requirements, proved sufficiently flexible to apply to technologies and a business model that did not exist when the legislation was drafted.

The Complaint

Part of this new business model involved the relationship between Facebook and the developers of the million or so games, quizzes and other applications that run on the platform.

Those apps were a key element of what ultimately became a 12-part investigation.

The allegation was that users who downloaded these little programs were giving the unknown developers – in 180 different countries around the world – practically unfettered access to their profile information – as well as that of their Facebook friends.

There was also concern about the collection of personal information, such as the birth dates asked for during the registration of new users.

The complainants further alleged that Facebook was not making reasonable efforts to notify users that their personal information would be used for advertising purposes.

There were, moreover, concerns about what happens when people die or wish to quit Facebook.

In particular, we were asked to examine Facebook’s practice of “memorializing” the accounts of deceased users; the distinction between deactivating and deleting accounts; and Facebook’s retention of personal information.

A final major issue to mention here related to people who are not on Facebook. In fact, their personal information can be uploaded to the site in a number of ways, including photo tagging and by way of invitations from users to join the site.

Findings – Not well founded/ Well-founded and resolved

In the end, I dismissed four aspects of the complaint – which I think underscores that Facebook really does care about user privacy.

For example, I found no evidence to support the allegation that Facebook was willfully misleading or deceiving users about the purposes for which it collects information.

In four other areas, I agreed that the complaints were well-founded, but concluded that the issues had been resolved to my satisfaction over the course of the investigation.

For instance, it was alleged that Facebook was not making reasonable efforts to inform users that their personal information is used for advertising. By the time of my report, Facebook had agreed in principle to describe its advertising more clearly in its information for users, and help users to find that information more readily.

Facebook also agreed to take a holistic approach to what users are told about their privacy and how to safeguard it through their privacy settings. The truth is that privacy policies on social networking sites can be tricky, because asking users to wade through the weeds of a privacy policy can make a site less attractive. This is an issue that I had to consider in making recommendations to the company.

Findings – Well-founded

I upheld as well-founded the remaining four aspects of the complaint because I felt Facebook had not proposed or implemented satisfactory remedies to our concerns.

The most significant one related to those third-party applications I mentioned earlier.

In a traditional business model, a company may disclose to a third party specific pieces of the personal information of customers – with their consent and under defined terms and conditions.

In the Facebook model, things worked differently. By accessing an application, users are effectively inviting the application’s developer into Facebook’s database to retrieve information about them – and not just them, but their Facebook friends as well.

We felt this exposed far too much personal information.

We wanted to see a mechanism to ensure that developers of such applications have access only to the information they actually need for their applications to operate. Moreover, we wanted Facebook to deny access to the information of users who are not themselves adding the program.

We also called for a retention policy under which the personal information of users who have deactivated their accounts would be deleted from the site’s servers after a reasonable length of time.

Finally, we recommended that people be able to consent to having their accounts memorialized after death, and called for better privacy protection for non-users “tagged” in photos or invited to join the site.

Further Negotiations

We gave Facebook 30 days to show progress on its commitments and to respond to my recommendations on the four outstanding issues.

This sparked a period of intense discussions between our Office and Facebook representatives.

Facebook may not have loved the worldwide coverage of this investigation, but they clearly grasped this opportunity to drive home their oft-stated concern for user privacy.

I also believe they ultimately acknowledged our recommendations as reasonable, and in harmony with the sentiments of many of their own users.

In any event, it was gratifying to note that Facebook demonstrated a clear desire to get it right.

And so, five weeks later, we were able to go public with a comprehensive resolution to all outstanding issues.

With respect to my biggest concern, for example, the company agreed to retrofit its application platform to prevent third-party application developers from accessing personal information until they obtain express consent from users for each category of information they’re seeking to access.

Facebook anticipates that bringing its practices fully in line with PIPEDA could take a year to complete.

We will be monitoring their progress over this time. They are furnishing us with progress reports, and giving us an opportunity to test out some of the proposed solutions in advance.

At the same time, we will continue to build on extensive sociological research that our Office has conducted, in order to understand the behaviours, motivations and privacy expectations of people who use social networking sites.

Just recently, for example, we released a new report that compares privacy policies and tools on six social networking sites. It is available on our web site if you are interested in learning more.

A Victory for Privacy

All this effort, as I said at the outset, amounted to a major victory for privacy.

The one-third of Canadians who are currently on Facebook will enjoy stronger protections for their personal information, and a more informed and meaningful say over how it is collected, used and disclosed.

Facebook, moreover, has already pledged to extend the same data protections to all of its sites around the globe. Indeed, data protection authorities in many other jurisdictions around the world have already told us they are using our investigation as a roadmap for their own efforts in safeguarding privacy on social networking sites. I even received an e-mail the other day from a technologist in Italy, who was pleased about the finding and said that the report would be a useful guide for his work.

Another gratifying outcome is that other social networking sites, eager to forestall a similar investigation, have been watching the Facebook case. In fact, MySpace has already approached us to ensure its privacy practices are up to snuff.

Our ultimate expectation is that people will be able to engage in social networking without relinquishing a meaningful level of control over their personal information.

Other Benefits

While that was the object of the exercise, there were other important side benefits worth noting:

For one thing, the initiative demonstrated the effectiveness of PIPEDA’s pragmatic principles-based approach, which falls somewhere between the market-based tack favoured by the U.S., and the more prescriptive approach prevalent in Europe.

Building on previous court cases and investigations, this file showed that PIPEDA can apply to the commercial collection of personal information of Canadians by foreign entities, even if they are operating entirely online.

Learning opportunities

The experience was also an invaluable learning opportunity for our Office.

First, the investment of so much time and effort paid off far beyond this particular case, because it equipped us with a blueprint for other major investigations and research and policy-development initiatives that could arise in future.

We also learned that, even in the apparently borderless world of the Internet, a single state’s data protection authority can have something meaningful to say.

In fact, I would suggest that even the most ardently libertarian social networking enthusiast understands that Web 2.0 is still a bit of a wild frontier. And while this frontier territory has found many effective ways to police itself, there are aspects, such as privacy protection, that simply demand the added force of real-world laws.

Which brings me to the third lesson that we drew from this experience: If a state authority wants to speak credibly about this online world, then it must be of this world.

As such, our investigators and I immersed ourselves in Facebook to an unprecedented degree. We strove for solutions and recommendations that were realistic, balanced, appropriate and useful for actual users.

And we harnessed the power of the Internet itself, in order to communicate our findings and recommendations to users in Canada and around the world.

Conclusion

In fact, we felt it was crucial for Canadians to understand their own role in this regard.

Individuals need to be able to look out for themselves – to be masters, so to speak, of their own data.

But in order to share only the information they want to share – and only with those friends they want to share it with – people need to be able to exercise a meaningful level of control over their personal information.

That, in turn, demands that the site provide them with understandable information about its privacy policies and how to make the best use of privacy settings.

That, at the end of the day, was what we strove to achieve: to help Facebook give users better control over their own privacy, while remaining an attractive place for people to play.

Thank you.

Report a problem or mistake on this page
Please select all that apply (required): Error 1: This field is required.

Note

Date modified: