News Releases

Letter from OPC to CIPPIC outlining its resolution with Facebook

August 25, 2009

Mr. David Fewer
Faculty of Law
University of Ottawa
57 Louis-Pasteur
Ottawa ON K1N 6N5

Dear Mr. Fewer:

I am writing to follow up to my July 15, 2009 report of findings into the complaint you filed against Facebook Inc. regarding its privacy practices. I am pleased to provide you with the following information in relation to the well-founded allegations and my outstanding recommendations, as well as to Facebook’s promised undertakings on certain matters that were considered well-founded and resolved. I will address these items in the same order in which they appeared in the report of findings.

Collection of date of birth

In the report of findings on this well-founded and resolved allegation, Facebook had agreed to amend the language of the pop-up box that users see when registering that explains the purpose for collecting the date of birth. It also agreed to make changes to the language of its Privacy Policy with respect to its use of personal information for advertising and has stated that it is dedicated to “full disclosure as to the collection and use of information for advertising purposes.”

The pop-up box with a link to the explanation already appears on the registration page, and the language in the Privacy Policy will be in place in approximately 10 weeks. I have reviewed the changes that Facebook has proposed in this regard, and find them to be in keeping with Facebook’s stated undertakings.

Default privacy settings

With respect to the issue of default privacy settings, during the investigation, Facebook committed to introducing a means whereby users would be able to select a low, medium, or high privacy setting. This selection would dictate more granular default settings. Notably, users who choose the “high” setting would not be included in public search listings.

It also committed to implementing a per-object privacy tool, whereby users will be given “an easily configurable setting on every piece of content that they will be able to configure at the time of uploading or other sharing.”

Following the issuance of the report of findings, we reviewed a portion of Facebook’s proposed new privacy tool that it will be introducing in the next four to six months. The tool is currently being tested and is under development. The tool will require all users to review their privacy settings. At this point, certain details, such as default settings, are still outstanding but it appears that the low, medium or high settings is not the version of the tool that is preferred by users in the test group and Facebook. In the version we have seen, users are directed to go through the screens and review their own settings. For the moment, it appears that the default setting for photographs will shift from “everyone” to “friends of friends.” However, the public search listings will remain set to “everyone.”

For new registrants, they will be able to learn about Facebook’s privacy controls by taking a “privacy tour” that will explain the privacy settings (and links to them) and the privacy lock icon. The ‘per-object privacy’ feature is moving ahead. Users can select individualized privacy settings for each type of content they post on the site, at the time they are publishing their content. In addition, Facebook is including language in its Privacy Policy explaining the privacy settings.

In the report of finding, we recommended that Facebook provide users who add networks after registering with the same notification as when they add a network at time of registration. Facebook said it would be streamlining this notification; it is removing regional networks but maintaining “token” networks, i.e. networks tied to a common e-mail address, such as a school or workplace.

As the tool is being tested, I am requiring Facebook to report back to us once the testing is completed and before implementation. Facebook has agreed to do so.

Facebook Advertising

In response to our preliminary letter of finding, Facebook agreed to better describe advertising in its Privacy Policy. I have reviewed its proposed language and I am satisfied that Facebook is honouring its commitment.

Third-party applications

I am pleased that Facebook reconsidered my recommendations with respect to improving consent and safeguards around third-party application developers’ access to users’ personal information. I was concerned about open access by developers to users’ personal information and recommended that Facebook introduce technical measures to limit access.

Facebook has agreed to adopt such measures and will be implementing significant changes to its site (namely, retrofitting its API) in order to give its users granular control over what personal information developers may access and for what purposes. Facebook plans to introduce a permissions-based model whereby the user can choose what information she wants to share with that particular application. There will also be a link to a statement by the developer explaining how it will use the data. Currently, other than a user choosing to opt out of the Facebook API altogether, there is no way a user can choose what information is shared with all applications.

As for friends’ data, a user can now choose if they want to share their friends’ data with a particular application. The application will only be able to access the information the friend is already sharing with the user. Friends can limit the information they share with their friends, de-friend someone, block all applications, block specific applications or block certain information through their application privacy settings. Facebook has also agreed to add information to explain the new permissions model so that users will know what happens when their friends add applications and can take steps to limit their data should they wish to.

While I had recommended the prohibition of all disclosures of users’ personal information who are not themselves adding an application, I was persuaded by Facebook’s argument that many applications are designed to be social and interactive, in keeping with Facebook’s social model. Given that users can control what information an application can access when their friends add an application and given the improved explanation that Facebook will provide to users, I am satisfied that my overarching concerns about applications and friends’ data are being satisfactorily addressed.

As for the control the user will now have over what information the application developer can access, I am very pleased with the steps that Facebook has taken to address this significant concern – a concern expressed not only in our report, but by many users and observers. I view this as a major step in the right direction.

I understand that such significant changes to Facebook’s API will take time. Facebook has committed to using its best efforts to roll out the permissions model by September 1, 2010. In the meantime, Facebook will oversee the applications developers’ compliance with contractual obligations. Since the conclusion of the investigation, Facebook has provided us with detailed information on its oversight activities, and I am satisfied that it will be a useful means of monitoring developers’ compliance with Facebook’s Statement of Rights and Responsibilities, in the interim.

Facebook has also agreed to a test of the model by an expert third party, prior to its implementation, to ensure that the new model meets the expectations of our report and the company’s subsequent undertakings.

Account deactivation and deletion

In my letter of finding, I had asked Facebook to reconsider my recommendations to develop, institute, and inform users of a retention policy whereby the personal information of users who have deactivated their accounts will be deleted after a reasonable length of time. I had also suggested as a best practice that Facebook include the deletion option on the Account Settings page and include in the Privacy Policy an explanation of the difference between account deletion and deactivation.

Facebook is not proposing to include a retention period for deactivated accounts, explaining that the majority of its users reactivate and that they expect to have their information available to them when they reactivate. In essence, Facebook is of the view that it is storing this information on their behalf and most users do not expect to be absent for a long period of time.

Upon consideration, I am willing to accept this viewpoint provided that users are well informed of the difference between deactivation and deletion and are presented with clear choices between the two. To that end, Facebook is including a more fulsome explanation of the differences in its Privacy Policy and Help Center, with links to each option (this includes making it clear that if a user deactivates, he is requesting Facebook to store his information until he reactivates his account). It is also including an explanation during the deactivation flow so that users clearly understand the differences between deactivation and deletion and can request deletion if they wish.

On the whole, the actions Facebook is taking appear to be satisfactory in this regard.

Accounts of deceased users

I had recommended that Facebook include memorializing as a purpose in its Privacy Policy. I have reviewed Facebook’s proposed wording and am satisfied with it. This wording will be in place in 10 weeks time.

Personal information of non-users

In my letter of finding, I asked Facebook to reconsider the recommendations I had made to them earlier: namely, to consider and implement measures to improve its invitation feature so as to address our Office’s concerns about non-users’ lack of knowledge and consent to Facebook’s collection, use, and retention of their email addresses; and to set a reasonable time limit on the retention of non-users’ email addresses for purposes of tracking invitation history and the success of the referral program.

Facebook has agreed to add appropriate language to its Statement of Rights and Responsibilities informing users of their obligations to obtain the consent of non-users before providing their e-mail addresses to Facebook. Facebook also confirmed that it will follow up on any complaints it receives from non-users that it may receive in this regard.

On the issue of retaining non-users’ e-mail addresses, Facebook confirmed that it does not use e-mail addresses to track the success of its invitation feature. In fact, it states that it does not keep a specific list of such addresses for its own use.

On the whole, I am satisfied with the actions Facebook has taken in this regard.

Monitoring for anomalous activity

In my letter of finding, I asked that Facebook include an explanation of its practice of monitoring the site for anomalous activity. The company agreed to do so, and I have reviewed the language, which is satisfactory. The language will be incorporated into Facebook’s Privacy Policy in 10 weeks.

Facebook committed to reporting back to this Office before implementing the Privacy Policy, the privacy tool (privacy settings tool), and the permissions model. It will also report to us in six months time on the status of the development of the permissions model, and will inform us of any changes to the Policy that may arise as a result of its user consultations.

This Office will continue to monitor these proposed changes. On the whole, I am satisfied with the direction Facebook is taking to address the concerns raised in our investigation. I would like to thank you for interest in this issue and for your cooperation throughout the investigation.

Sincerely,

Original signed by

Elizabeth Denham
Assistant Privacy Commissioner