Remarks at a Press Conference on the Facebook Investigation
August 27, 2009
Address by Elizabeth Denham
Assistant Privacy Commissioner of Canada
(Check against delivery)
Thank you, Commissioner, and good morning.
Not too many days ago, I saw a headline announcing “Facebook and privacy commissioner make friends.”
Well, I haven’t received a “friend request” from anyone at Facebook! But it is fair to say that our discussions over the past few weeks have indeed been positive and productive.
We’ve seen a great deal of movement in terms of Facebook’s position on a number of important issues.
Some of the changes Facebook has agreed to make are substantial and will lead to much better protections for the personal information of Facebook users.
I’m going to remind you of our outstanding areas of concern and explain what Facebook is doing to address them….
As the Commissioner mentioned, our top concern relates to the sharing of users’ personal information with third-party developers creating Facebook applications such as games and quizzes.
There are more than one million of these developers around the globe. We were alarmed by a lack of adequate safeguards to effectively restrict those developers from accessing users’ personal information – as well as information about their online “friends.” The notion that some teenager in a basement on the other side of the world could have access to all this personal information is unsettling, to say the least.
Facebook has now agreed to retrofit its application platform in a way that will give users control over the types of information the developer will be permitted to access. The changes will prevent an application from accessing information until it obtains express consent for each type of data it wants to access.
Application developers will only have access to the personal information of the user’s friends if the user provides express consent. Even then, those friends can stop their information from going to developers, for example, by blocking all applications or specific applications. We’ve taken a very close look at the issues and have concluded the approach is reasonable and in accordance with Canadian privacy law.
The technology issues involved here are complex and Facebook has told us it will likely take a year to put the new system in place. We’ve agreed this is a reasonable timeframe. Facebook has also agreed to allow us to test the model prior to its implementation, to ensure that it meets the expectations of our report and the company’s subsequent undertakings. In essence, we’re going to be looking under the hood.
In the meantime, we are satisfied with Facebook’s oversight and due diligence measures to review the applications’ use of data on Facebook servers.
Personal Information of Non-users
Another concern related to the privacy of non-users who are invited to join the site.
Facebook has agreed to provide more information in its statement of rights and responsibilities about the fact that users need to ensure they have the consent of non-users to share their email addresses with Facebook.
Facebook confirmed that it does not use email addresses to track the success of its invitation feature, nor does it maintain a separate email address list for this purpose.
In our investigation report, we asked Facebook to better explain to users that they have the option to deactivate or delete their accounts. We also asked Facebook to adopt a retention policy that would see the personal information of users who have deactivated their accounts deleted after a reasonable length of time.
In our recent discussions, Facebook agreed to provide users with better information about the options they have when they want to stop using the site.
To date, it hasn’t been made clear to users that they can either deactivate their account – whereby personal information is held in digital storage – or delete their account – whereby personal information is actually erased from Facebook servers.
While we asked for a retention policy, we looked at the issue again and considered what Facebook was proposing. We determined the company’s approach to providing clarity and alleviating the confusion is acceptable.
We were willing to reconsider our position provided that users are well informed of the difference between deactivation and deletion, and are presented with a clear choice between the two.
Up to this point, we don’t think people were given a real choice because the option to delete an account was difficult to find. The changes Facebook is planning will allow users to make informed decisions about how their personal information is to be handled.
The deactivation issue is only one example of where information about privacy issues was confusing or incomplete.
As a company, Facebook has certain obligations under Canadian privacy law. Our job is to ensure they live up to the law.
Users have a major role to play too.
This is something we want to emphasize. Many of the changes we’ve been discussing with Facebook are about empowering users. We’d certainly urge people to understand and take advantage of the new information and mechanisms that Facebook is introducing.
Users of Facebook – and other social networking sites for that matter – have a responsibility. People need to inform themselves about how their personal information is going to be used and shared. Read those privacy policies! And use the privacy settings the sites offer!
In terms of next steps for us, we’ll be following up over the coming year to ensure Facebook has in fact complied with our recommendations. They’ve committed to a detailed timetable for implementing all of these changes, as well as to providing us with reports at critical milestones before the modifications are actually rolled out.
In closing, I’d like to join the Commissioner in thanking Facebook for working with us in a cooperative way. I would also like to offer my appreciation to CIPPIC for bringing forward these important issues.