Nexopia investigation highlights youth privacy issues
OTTAWA, March 1, 2012 – The Office of the Privacy Commissioner of Canada (OPC) has completed an in-depth investigation into a complaint about the privacy practices and policies of Nexopia, a youth-oriented social networking website.
The investigation – prompted by a complaint filed by the Public Interest Advocacy Centre – was conducted under the Personal Information Protection and Electronic Documents Act (PIPEDA), Canada’s federal private-sector privacy law.
The investigation found several areas where Nexopia was in breach of PIPEDA and resulted in a total of 24 recommendations.
The Privacy Commissioner was satisfied with the organization’s response to 20 of the recommendations.
Four recommendations relating to the retention of personal information remained unresolved at the end of the investigation.
The following is a summary of some of the key concerns identified during the investigation.
1. Disclosure of user profiles to the public and default privacy settings
At the beginning of our investigation, Nexopia’s default privacy settings were “visible to all” – meaning visible to the whole Internet.
Given the special circumstances surrounding youth users and privacy, the OPC found that a reasonable person would not consider it appropriate for Nexopia to pre-select settings that push users towards disclosing their personal information, in some cases very sensitive personal information, for potentially everyone on the Internet to see.
The investigation also revealed that Nexopia does not adequately notify its users of default settings, or explain the difference between various settings.
Our Office found that more could be done to inform users about the available privacy settings, so that users can make informed decisions about how to control access to their personal information.
Nexopia users should be expected to opt-in to the “visible to all” setting – and with a full understanding of the implications of that choice.
Our Office found that more restrictive default settings, coupled with increased information for users in a format appropriate for a youth audience, would strike an appropriate balance between ensuring young people can enjoy the benefits of social networking and protecting their privacy.
The OPC is satisfied that Nexopia’s proposed corrective measures, which include changing defaults and providing better information to users, will meet our recommendations.
2. Lack of meaningful consent for the collection, use and disclosure of personal information collected at registration
Our investigation found that Nexopia failed to adequately identify and inform users of its purposes for the collection, use and disclosure of the personal information it requires users to provide at registration.
For example, it was not clear which “core” profile information and profile pictures would be visible to users within the Nexopia community and anyone on the Internet, by default.
3. Sharing of personal information with advertisers without proper consent
The information Nexopia provides to users about its advertising practices, particularly regarding the sharing of personal information with advertisers, is incomplete. In some cases, it shares personal information without telling users clearly.
The OPC believes that Nexopia’s own use of personal information for advertising purposes and its serving of behaviourally targeted advertisements to users is acceptable as a condition of service, provided individuals are made fully aware of how this practice works.
However, our Office is also of the opinion that individuals should be able to opt-out of being tracked by third parties – which are typically unknown to them.
The OPC was satisfied with Nexopia’s response to our concerns.
4. Sharing of personal information with other third parties without proper consent
Nexopia regularly discloses users’ unique user IDs to a payment processor when users make purchases on the site. As well, it discloses a user’s age, gender and unique user ID to a rewards company each time a user participates in what the site calls “Earn Plus” offers.
The site did not explain to users the potential disclosure of their personal information to the rewards company, nor that such disclosures may be made over and above any information the user provides directly to the rewards company as a condition of a particular “Earn Plus” offer. Nexopia admitted that its online statements and actual disclosure practices had become misleading.
Nexopia asserted that the information provided to the payment processor and the rewards company could not be used to identify and obtain more information about individual users. However, our testing revealed that a user’s unique ID can be used to link to the user’s profile and potentially permit access to all the personal information displayed there.
In our view, Nexopia could use another unique code or identifying number that limits the amount of personal information that passes between the parties and yet still allow efficient billing and payment processing.
Nexopia agreed to stop providing unique user IDs to the payment processor and has made the decision to completely remove the “Earn Plus” service from the site, and, therefore, will stop sharing users’ personal information with the rewards company.
The OPC was satisfied with Nexopia’s response.
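The finding above is a linkability problem: the reference Nexopia handed to its partners was the same key that addresses the user's profile. The recommendation to use "another unique code" amounts to issuing a purpose-specific identifier that the site alone can map back to the account. The following is an added example (not Nexopia's code or anything described in the OPC report) of that design: a per-partner HMAC-derived token that stays stable for billing reconciliation, differs between partners so they cannot link records to each other, and cannot be resolved to a profile by the recipient. The sample users, profile URL pattern, partner names and per-partner field allow-lists are all constructed for illustration.

```python
"""Added example: a purpose-specific partner identifier instead of the raw user ID.

Constructed sample data; the profile URL pattern and partner names are hypothetical.
"""
import hashlib
import hmac
import secrets

# Constructed sample accounts. The raw user ID is also the profile key, which is
# exactly why disclosing it lets a recipient reach the whole profile.
USERS = {
    1001: {"age": 16, "gender": "F", "profile": "https://social.example/profile/1001"},
    1002: {"age": 17, "gender": "M", "profile": "https://social.example/profile/1002"},
}

# Fields each partner actually needs for its function (hypothetical allow-lists).
PARTNER_FIELDS = {
    "payment-processor": (),                # a billing reference only
    "rewards-company": ("age", "gender"),   # offer eligibility, no identifier needed
}


def resolve_profile(ref):
    """What any recipient of the raw ID can do with it: look up the profile."""
    return USERS.get(ref, {}).get("profile")


class PartnerTokenService:
    """Issues stable, per-partner tokens that only the site can map back to a user."""

    def __init__(self):
        self._keys = {}      # partner -> secret HMAC key, never shared with the partner
        self._reverse = {}   # (partner, token) -> user_id, for billing reconciliation

    def register_partner(self, partner):
        self._keys[partner] = secrets.token_bytes(32)

    def token_for(self, partner, user_id):
        # HMAC with a per-partner key: deterministic for the same user (stable billing
        # reference), different for each partner (no cross-partner linking), and not
        # reversible by the recipient, who never holds the key.
        key = self._keys[partner]
        token = hmac.new(key, str(user_id).encode(), hashlib.sha256).hexdigest()[:32]
        self._reverse[(partner, token)] = user_id
        return token

    def resolve(self, partner, token):
        """Site-side only: map a partner's reference back to the account."""
        return self._reverse.get((partner, token))

    def disclosure_for(self, partner, user_id):
        """Build the record sent to a partner: opaque reference plus allow-listed fields."""
        record = {"reference": self.token_for(partner, user_id)}
        for name in PARTNER_FIELDS.get(partner, ()):
            record[name] = USERS[user_id][name]
        return record


if __name__ == "__main__":
    svc = PartnerTokenService()
    for p in PARTNER_FIELDS:
        svc.register_partner(p)
    print("raw ID resolves to:", resolve_profile(1001))
    print("payment record:", svc.disclosure_for("payment-processor", 1001))
    print("rewards record:", svc.disclosure_for("rewards-company", 1001))
```

The point of the allow-list is the same as the OPC's: the identifier should carry no more than the partner's function needs, and the site, not the partner, holds the only means of linking it back to a person.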
5. Retention of the personal information
Nexopia collects non-users’ email addresses through invitations to join the site initiated by users. Users are not required to confirm to Nexopia that they have their friend’s consent for the purposes of sending an invitation to join the website, prior to providing the friend’s email address to the company.
A non-user who doesn’t want to receive further invitations can click on a link to a page entitled “Opt out of Nexopia.com invites”.
However, the non-user is not informed on this page that their email address will be retained by Nexopia. For the unsubscribe feature to be effective, Nexopia says it must retain for an indefinite period a list of email addresses to which no further messages will be sent.
In our view, it is important that the user who provides the e-mail address in the first place has obtained the prior consent of the e-mail address owner, their friend, before Nexopia issues the invitation e-mail.
As well, our Office recommended that Nexopia offer non-users a clear choice between a) unsubscribing from join-the-site invitation emails, or b) permanent deletion of their email address.
The OPC was satisfied with Nexopia’s response to our concerns about this issue.
Nexopia agreed to add text to its “Find and Add Friends” feature to emphasize that users should have non-users’ permission to give the website their email addresses.
The organization has also agreed that, in the future, non-users who receive invitation emails will be able to request the permanent deletion of their email address from Nexopia’s database.
Our Office also considered the issue of deletion of accounts.
When users click on an option called “Delete Account” they are advised: “This will delete your account, including your profile, your pictures, friends list, messages, etc. Your forum posts, comments and messages in other users’ inboxes will remain.”
In fact, Nexopia advised us that the only information deleted is the user’s “shouts”.
Other information is stored indefinitely (for example: username; user ID; email address; IP address and log-in information; friends list; gallery pictures; profile contents; messages and comments; and profile photos).
Another concern related to account deactivation and the freezing of accounts, either by Nexopia or upon request by a user. The personal information contained in frozen user accounts remains inactive on Nexopia’s servers indefinitely and is not subject to any periodic review.
Nexopia admitted it has not deleted account information since 2004, either from “deleted” or frozen accounts.
It is clearly misleading to provide a “Delete Account” option. The OPC recommended that Nexopia provide a true delete option for the accounts and personal information of users.
Unfortunately, Nexopia has said it will not implement this recommendation because the cost of doing so would be prohibitively high. It has also argued that the information stored in the archives is accessible only to system administrators and is recovered only in the event that Nexopia receives a warrant from a law enforcement authority.
The OPC does not underestimate the technical challenges presented in permanently deleting users’ personal information. However, Nexopia’s practice of storing indefinitely all of an individual’s personal information is in contravention of PIPEDA.
It’s clear that law enforcement will sometimes require access to information. Such requests or warrants may justify a longer retention period in specific cases, but they do not justify wholesale and indefinite retention of all records just in case there may be a request at some point in time.
Nexopia’s practice of storing personal information in its archives indefinitely, on the small possibility that it may be the subject of a warrant from a law enforcement agency, is therefore not acceptable.
Moreover, there are security risks inherent in retaining vast amounts of former users’ personal information, long after it has served its original purpose. As well, our Office is concerned that Nexopia’s users are being misled into thinking they can delete their personal information at some point, if they want to.
This issue remained unresolved at the end of our investigation. The OPC is proceeding to address these unresolved issues in accordance with our authorities under PIPEDA, which include the option of going to Federal Court to seek to have the recommendations enforced.
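The retention findings above describe the shape of an acceptable alternative without spelling it out: a delete option that actually purges personal data, retention beyond that only for a specific, documented request with an end date, and a periodic review of what is being held (the report notes that frozen accounts were not subject to any). The following is an added example of that design, not Nexopia's code or a procedure from the OPC report. Its account records, hold reference and dates are constructed placeholders; it keeps an audit trail of events that contains no personal data, so the site can still show what it deleted and why without keeping the data itself.

```python
"""Added example: a deletion path with case-specific holds and periodic review.

Sample accounts, hold references and dates are constructed for illustration.
Dates are passed as ISO strings (YYYY-MM-DD) and parsed internally.
"""
from dataclasses import dataclass
from datetime import date
from typing import Optional


@dataclass
class Hold:
    reference: str   # file number of the specific request or warrant (placeholder)
    expires: date    # a hold always has an end date; "just in case" is not a hold


@dataclass
class Account:
    user_id: int
    personal_data: dict            # email, IP logs, pictures, messages, friends list ...
    deletion_requested: Optional[date] = None
    hold: Optional[Hold] = None
    purged: bool = False


class AccountStore:
    def __init__(self):
        self.accounts = {}
        # (user_id, event, iso date): an audit record that carries no personal data
        self.audit = []

    def add(self, account):
        self.accounts[account.user_id] = account

    def place_hold(self, user_id, reference, expires_iso):
        expires = date.fromisoformat(expires_iso)
        self.accounts[user_id].hold = Hold(reference, expires)
        self.audit.append((user_id, f"hold placed: {reference}", expires.isoformat()))

    def request_deletion(self, user_id, today_iso):
        """Honours the delete request now, or reports the deferral honestly."""
        today = date.fromisoformat(today_iso)
        acct = self.accounts[user_id]
        acct.deletion_requested = today
        if acct.hold is None:
            self._purge(acct, today)
            return "deleted"
        return "deferred-by-hold"   # the user is told the truth, not shown a fake delete

    def _purge(self, acct, today):
        acct.personal_data.clear()   # no archive copy is kept
        acct.purged = True
        self.audit.append((acct.user_id, "purged", today.isoformat()))

    def periodic_review(self, today_iso):
        """Scheduled job: lift expired holds and complete deferred deletions."""
        today = date.fromisoformat(today_iso)
        completed = []
        for acct in self.accounts.values():
            if acct.hold is not None and acct.hold.expires < today:
                event = f"hold expired: {acct.hold.reference}"
                self.audit.append((acct.user_id, event, today.isoformat()))
                acct.hold = None
            if acct.deletion_requested and acct.hold is None and not acct.purged:
                self._purge(acct, today)
                completed.append(acct.user_id)
        return completed


if __name__ == "__main__":
    store = AccountStore()
    store.add(Account(1, {"email": "a@example.invalid", "ip_log": ["203.0.113.5"]}))
    store.add(Account(2, {"email": "b@example.invalid"}))
    store.place_hold(2, "HOLD-PLACEHOLDER-1", "2012-06-30")
    print(store.request_deletion(1, "2012-03-01"))   # deleted
    print(store.request_deletion(2, "2012-03-01"))   # deferred-by-hold
    print(store.periodic_review("2012-07-01"))       # [2]
    print(store.audit)
```

The review job is what turns "retained for a specific case" into something other than "retained indefinitely": every hold carries an expiry, and a deferred deletion completes on its own once the hold lapses rather than waiting for someone to remember it.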