Facebook Must Let Users Erase Data, Restrain Apps, Canada Privacy Commissioner Says
The “romantic foibles” of Canada’s 12 million Facebook users could be exposed if Facebook doesn’t change some of its data collection and retention policies, the Office of the Privacy Commissioner said in a report judging allegations by the Canadian Internet Policy and Public Interest Clinic. The social network is in violation of Canadian privacy law through its indefinite retention of user data, even after users have deactivated their accounts, and by keeping loose reins on third-party application developers, the office said.
But Privacy Commissioner Jennifer Stoddart said Facebook had agreed to make some changes, and the company itself touted Stoddart’s praise of its “extensive privacy settings.” A Facebook spokesman told us the company was still trying to convince the office that some recommendations -- such as getting the permission of everyone in a photo before posting it -- simply weren’t “practical,” and if broadly applied would kill other business models such as that of Yahoo’s Flickr.
The office cleared Facebook of deception, misrepresentation and mobile privacy violations. It said Facebook had resolved claims about its default privacy settings and advertising practices. The clinic filed a wide-ranging complaint in May 2008 and followed up with specific allegations about third-party developers (WID June 2/08 p2). Over the past year Facebook has met with the office four times, including twice after a preliminary report was released in March.
Facebook features without an “obvious link to its business model” are nonetheless “indirectly contributing to the success of Facebook as a commercial enterprise,” said the report by Assistant Privacy Commissioner Elizabeth Denham. That justifies regulation of information posted for “purely personal purposes” that ordinarily would be exempt from the Personal Information Protection and Electronic Documents Act, the report said. And despite Facebook’s “well-known” vocal user community, “the legislative requirements and obligations imposed by the Act are not contingent on user approval,” Denham said. But she credited Facebook with “granular” control settings and frequent disclosures to users about how information is used, though they're “scattered” too broadly around the site.
Denham said Facebook has good reasons to collect date-of-birth from users -- namely its U.S. obligations -- but faulted the company for a “vague” explanation to users. Users may falsely believe that hiding their date-of-birth on profile pages also prevents Facebook from using that data to target advertising. Denham said Facebook agreed to revise an associated pop-up to tell users it collects the data to “provide only age-appropriate access to content,” and that its privacy policy similarly will disclose data use in serving ads.
The office also sided with Facebook on not requiring users to pick their own privacy settings at signup. That would be “complicated and time-consuming,” and Facebook’s “networks and friends” default setting is “quite reasonable,” Denham said. But the same default setting should apply for photo albums, currently available to “everyone,” and profiles shouldn’t come up on search engines by default, she said. Facebook said it will introduce a “privacy wizard” that lets users choose a low, medium or high setting, the last of which will be hidden from search engines. In “weeks” it will debut a “per-object privacy tool” for users to configure any piece of content.
‘Technological Safeguards’ Needed to Restrain Developers
Facebook doesn’t explain well its targeted advertising to users, the report said. It fails to distinguish between “social ads” where users can opt out, and regular Facebook sidebar ads where they can’t, leaving users unaware of their options. Facebook will add a placeholder in its privacy policy promising an explanation later, Denham said. She dismissed claims that Facebook doesn’t notify users of new uses of their data or collection of their non-Facebook data.
The office and Facebook strongly disagreed on how well application developers are overseen. Denham said they had “seemingly unlimited and unmonitored access” to user information, and that Facebook’s reliance on “contractual limits” to keep developers in line wasn’t good enough. She said “technological safeguards” were needed to “effectively prevent” developers’ unauthorized access to information, including data not required for the application’s operation. Also, users have no “meaningful” consent option other than all-or-nothing access given to developers. Consent “should be sought at each instance of a user’s adding an application.” Facebook should develop a way to monitor applications for compliance with its Statement of Rights and Responsibilities, and prevent the disclosure of one’s personal data through applications installed by friends or network members, Denham said. Facebook flat-out declined to adopt her recommendations, and Denham said the company had 30 days to change its mind before the office took action “in accordance with our authorities,” or asking a court to enforce the order.
Facebook is also holding firm against adding an account-deletion option on the settings page, where a deactivation option is located. It’s not enough that users can delete their accounts from the help section, where users may not find it, Denham said. She also said Facebook can’t “indefinitely” retain user data in deactivated accounts. “The longer an account remains deactivated and the information in it unused, the more difficult it is to argue that retention of the user’s personal information is reasonable for the social networking purposes for which it was collected,” Denham said, proposing Facebook adopt a “retention cutoff.” She won’t force Facebook to create an opt-out for users who want their account deleted if they die, not “memorialized,” but demanded it add a section on the common practice of other members memorializing their deceased Facebook friends. She gave the same 30-day warning for each demand.
Denham said non-users’ information couldn’t be kept indefinitely by Facebook, in the context of friends providing the e-mail addresses of non-users to invite them to join or show them photos in which they're tagged. Though tagging is a personal activity, “Facebook’s purposes are also being served … since Facebook’s ability to generate revenue is closely tied to its membership numbers,” she said. Non-users must join Facebook to remove their tags in others’ photos. Facebook should notify users every time they provide a non-user’s address that the latter’s consent is required before posting and tagging a photo, Denham said. The company also should impose a “reasonable” retention limit on non-users’ addresses, which Facebook uses to track “invitation history” and the success of referrals. Facebook again rejected those demands, saying it offers more disclosure to non-users than any similar site.
Say Goodbye to Flickr and Picasa, Too
Most of the office’s concerns can be fixed through better disclosures in the help center or privacy policy, the Facebook spokesman said. But some recommendations aren’t “practical,” he said, such as requiring user permission whenever an application “makes a call” for data. An occasional reminder that users have installed applications, similar to the auto-logout used by Yahoo and other portals, probably wouldn’t help much, he said. “The vast majority of apps aren’t constantly making calls for your data,” and under Facebook policy apps can’t retain user data for more than a day or pass it outside of Facebook. “We believe our disclosure is more than adequate,” and users can control which data are given to their own or their friends’ applications.
The deactivation policy is based on a long history of users changing their minds about leaving Facebook, and others just wanting to “pause” their presence, he said. Some users may be confused about deactivation versus deletion, but Facebook will continue discussing it with the office, the spokesman said. “I can’t think of another service that offers” pre-deceased opt-out, which counters the historical use of profile pages for memorialization by next of kin, the spokesman said. On collection of non-user information, the office’s consent recommendation for tagging is impractical as well, because it would affect not only Facebook but make the business model of Yahoo’s Flickr and Google’s Picasa “impossible.”
It’s “far from a foregone conclusion” that the office could get a court to enforce the recommendations that Facebook so far has spurned, the spokesman said. If all else fails, Facebook can claim U.S. jurisdiction as a California-based company, he said. But “we're confident that we'll be able to figure this out. This is not the last of this or the final word.”