Letter from OPC to CIPPIC outlining its resolution with Facebook
August 25, 2009
Mr. David Fewer
Faculty of Law
University of Ottawa
Ottawa ON K1N 6N5
Dear Mr. Fewer:
I am writing to follow up to my July 15, 2009 report of findings into the complaint you filed against Facebook Inc. regarding its privacy practices. I am pleased to provide you with the following information in relation to the well-founded allegations and my outstanding recommendations, as well as to Facebook’s promised undertakings on certain matters that were considered well-founded and resolved. I will address these items in the same order in which they appeared in the report of findings.
Collection of date of birth
Default privacy settings
With respect to the issue of default privacy settings, during the investigation, Facebook committed to introducing a means whereby users would be able to select a low, medium, or high privacy setting. This selection would dictate more granular default settings. Notably, users who choose the “high” setting would not be included in public search listings.
It also committed to implementing a per-object privacy tool, whereby users will be given “an easily configurable setting on every piece of content that they will be able to configure at the time of uploading or other sharing.”
Following the issuance of the report of findings, we reviewed a portion of Facebook’s proposed new privacy tool that it will be introducing in the next four to six months. The tool is currently being tested and is under development. The tool will require all users to review their privacy settings. At this point, certain details, such as default settings, are still outstanding, but it appears that the low, medium or high settings are not the version of the tool that is preferred by users in the test group and Facebook. In the version we have seen, users are directed to go through the screens and review their own settings. For the moment, it appears that the default setting for photographs will shift from “everyone” to “friends of friends.” However, the public search listings will remain set to “everyone.”
In the report of findings, we recommended that Facebook provide users who add networks after registering with the same notification as when they add a network at time of registration. Facebook said it would be streamlining this notification; it is removing regional networks but maintaining “token” networks, i.e. networks tied to a common e-mail address, such as a school or workplace.
As the tool is being tested, I am requiring Facebook to report back to us once the testing is completed and before implementation. Facebook has agreed to do so.
I am pleased that Facebook reconsidered my recommendations with respect to improving consent and safeguards around third-party application developers’ access to users’ personal information. I was concerned about open access by developers to users’ personal information and recommended that Facebook introduce technical measures to limit access.
Facebook has agreed to adopt such measures and will be implementing significant changes to its site (namely, retrofitting its API) in order to give its users granular control over what personal information developers may access and for what purposes. Facebook plans to introduce a permissions-based model whereby the user can choose what information she wants to share with that particular application. There will also be a link to a statement by the developer explaining how it will use the data. Currently, other than a user choosing to opt out of the Facebook API altogether, there is no way a user can choose what information is shared with all applications.
As for friends’ data, a user can now choose if they want to share their friends’ data with a particular application. The application will only be able to access the information the friend is already sharing with the user. Friends can limit the information they share with their friends, de-friend someone, block all applications, block specific applications or block certain information through their application privacy settings. Facebook has also agreed to add information to explain the new permissions model so that users will know what happens when their friends add applications and can take steps to limit their data should they wish to.
While I had recommended the prohibition of all disclosures of the personal information of users who are not themselves adding an application, I was persuaded by Facebook’s argument that many applications are designed to be social and interactive, in keeping with Facebook’s social model. Given that users can control what information an application can access when their friends add an application and given the improved explanation that Facebook will provide to users, I am satisfied that my overarching concerns about applications and friends’ data are being satisfactorily addressed.
As for the control the user will now have over what information the application developer can access, I am very pleased with the steps that Facebook has taken to address this significant concern – a concern expressed not only in our report, but by many users and observers. I view this as a major step in the right direction.
I understand that such significant changes to Facebook’s API will take time. Facebook has committed to using its best efforts to roll out the permissions model by September 1, 2010. In the meantime, Facebook will oversee the application developers’ compliance with contractual obligations. Since the conclusion of the investigation, Facebook has provided us with detailed information on its oversight activities, and I am satisfied that it will be a useful means of monitoring developers’ compliance with Facebook’s Statement of Rights and Responsibilities, in the interim.
Facebook has also agreed to a test of the model by an expert third party, prior to its implementation, to ensure that the new model meets the expectations of our report and the company’s subsequent undertakings.
Account deactivation and deletion
Facebook is not proposing to include a retention period for deactivated accounts, explaining that the majority of its users reactivate and that they expect to have their information available to them when they reactivate. In essence, Facebook is of the view that it is storing this information on their behalf and most users do not expect to be absent for a long period of time.
On the whole, the actions Facebook is taking appear to be satisfactory in this regard.
Accounts of deceased users
Personal information of non-users
In my letter of finding, I asked Facebook to reconsider the recommendations I had made to them earlier: namely, to consider and implement measures to improve its invitation feature so as to address our Office’s concerns about non-users’ lack of knowledge and consent to Facebook’s collection, use, and retention of their email addresses; and to set a reasonable time limit on the retention of non-users’ email addresses for purposes of tracking invitation history and the success of the referral program.
Facebook has agreed to add appropriate language to its Statement of Rights and Responsibilities informing users of their obligations to obtain the consent of non-users before providing their e-mail addresses to Facebook. Facebook also confirmed that it will follow up on any complaints that it may receive from non-users in this regard.
On the issue of retaining non-users’ e-mail addresses, Facebook confirmed that it does not use e-mail addresses to track the success of its invitation feature. In fact, it states that it does not keep a specific list of such addresses for its own use.
On the whole, I am satisfied with the actions Facebook has taken in this regard.
Monitoring for anomalous activity
This Office will continue to monitor these proposed changes. On the whole, I am satisfied with the direction Facebook is taking to address the concerns raised in our investigation. I would like to thank you for your interest in this issue and for your cooperation throughout the investigation.
Original signed by
Assistant Privacy Commissioner