Following a complaint from the Canadian Internet Policy and Public Interest Clinic, Canada’s Office of the Privacy Commissioner has wrapped up a serious look into how social networking site Facebook handles privacy and user information, and the findings do not show Facebook in a good light. The report notes that Facebook is obviously concerned with user privacy, but that the service has “serious gaps” in the way it operates and handles users’ personal information, and even violates Canadian law by retaining information on deactivated accounts for an indefinite period of time.
Canada’s privacy commissioner Jennifer Stoddart has said the commission’s report is believed to mark the first time any agency has conducted a formal investigation into Facebook’s privacy practices.
One of the main privacy shortcomings uncovered by the report is Facebook’s disclosure of users’ personal information to third-party developers. When users add an application, they consent to sharing not only some of their own personal information but also information belonging to their friends. Those friends have no control over access to that information other than blocking specific applications or opting out of applications altogether. The commission recommended that apps be restricted to only essential information and that Facebook ensure users are informed what information will be disclosed and how it will be used; so far, Facebook has not agreed to those recommendations.
The commission also found Facebook violates Canadian law by keeping information on deactivated accounts around indefinitely, and confuses users by showing them how to deactivate an account but not how to delete it entirely. Facebook countered that about half the users who deactivate an account eventually come back to reactivate it, so keeping the information on hand provided value to its users.
The Commission also found Facebook needed to more fully explain how on-site advertising works; Facebook agreed to describe its advertising practices more fully and make that information more discoverable. The Commission also dismissed a complaint that Facebook engaged in deception and misrepresentation by promoting itself as a social networking site when it also engaged in other businesses, including supporting third-party apps and online advertising.
The Commission has given Facebook 30 days to comply with unresolved recommendations; if there is no progress, the Commission can take Facebook to Canadian Federal Court.