Facebook agrees to changes and improves user privacy

Facebook has agreed to add significant new privacy safeguards and make other changes in response to the Privacy Commissioner of Canada’s recent investigation into the popular social networking site’s privacy policies and practices. Last month, the Privacy Commissioner issued a report on an in-depth investigation triggered by a complaint from the Canadian Internet Policy and Public Interest Clinic.

While Facebook took some steps to resolve privacy concerns, the Commissioner remained dissatisfied by Facebook’s response at the end of the investigation. She was particularly concerned about the risks posed by the over-sharing of personal information with third-party developers of Facebook applications such as games and quizzes.

Facebook was given 30 days to respond to the Commissioner’s report and explain how it would address the outstanding concerns. An over-arching issue highlighted during the investigation was that the way in which Facebook provides privacy information to users is often confusing or incomplete.

Facebook agreed to changes to help users to better understand how their personal information will be used and, ultimately, to make more informed decisions about how widely to share that information. The Commissioner has reviewed these improvements and will be following up with Facebook as the changes are implemented.

The following is an overview of key issues raised during the investigation and Facebook’s response:

1. Third-party application developers

Issue: The sharing of personal information with third-party developers creating Facebook applications such as games and quizzes raises serious privacy risks. With more than one million developers around the globe, the Commissioner is concerned about a lack of adequate safeguards to effectively restrict those developers from accessing users’ personal information, along with information about their online friends.

Response: Facebook has agreed to retrofit its application platform in a way that will prevent any application from accessing information until it obtains express consent for each category of personal information it wishes to access. Under this new permissions model, users adding an application will be advised that the application wants access to specific categories of information. The user will be able to control which categories of information an application is permitted to access. There will also be a link to a statement by the developer to explain how it will use the data.

This change will require significant technological changes. Developers using the platform will also need to adapt their applications and Facebook expects the entire process to take one year to implement.

2. Deactivation of accounts

Issue: Facebook provides confusing information about the distinction between account deactivation, whereby personal information is held in digital storage, and deletion, whereby personal information is actually erased from Facebook servers. As well, Facebook should implement a retention policy under which the personal information of users who have deactivated their accounts will be deleted from the site’s servers after a reasonable length of time.

Response: Facebook has agreed to make it clear to users that they have the option of either deactivating their account or deleting their account. This distinction will be explained in Facebook’s privacy policy and users will receive a notice about the delete option during the deactivation process.

While we asked for a retention policy, we looked at the issue again and considered what Facebook was proposing. We determined the company’s approach – providing clarity about the options, offering a clear choice, and alleviating the confusion – is acceptable because it will allow users to make informed decisions about how their personal information is to be handled.

3. Personal information of non-users

Issue: Facebook should better protect the privacy of non-users who are invited to join the site.

Response: Facebook agreed to include more information in its terms of use statement. Facebook confirmed that it does not use email addresses to track the success of its invitation feature, nor does it maintain a separate email address list for this purpose.

4. Accounts of deceased users

Issue: People should have a better way to provide meaningful consent to have their account “memorialized” after their death. As such, Facebook should be clear in its privacy policy that it will keep a user’s profile online after death so that friends can post comments and pay tribute.

Response: Facebook agreed to change the wording in its privacy policy to explain what will happen in the event of a user’s death.

Facebook has committed to a timetable for implementing all of the changes, some of which, such as the third-party application changes, are technologically complex. The company has already started to make changes and we expect them to be fully complete within a year.
