Facebook Violates Canadian Privacy Law 179
Myriad and a number of other readers passed along the news that the Canadian Privacy Commissioner has made a determination that Facebook violates Canadian privacy law in four different respects. Canada has the highest per-capita facebook participation in the world — about a third of the population — according to coverage in The Star. The EU is also expressing similar privacy concerns, though Canada's action "represents the most exhaustive official investigation of Facebook privacy practices anywhere in the world," says Michael Geist. The CBC's coverage spells out the areas of privacy concern, in particular that nearly a million developers of Facebook apps in 180 countries have full access to the entirety of users' private data. Also of concern: Facebook holds on to your data indefinitely after you quit the site. The BBC notes that Facebook is working with the privacy commission to resolve the issues, and quotes a Facebook spokesman thus: "Overall, we are looking for practical solutions that operate at scale and respect the fact that people come to share and not to hide." (Schneier recently blogged about research on "privacy salience," and cited Facebook's practices among others' as practical examples of how social networking sites have learned not to push the privacy issue in users' faces.)
Draconian Laws (Score:5, Insightful)
Besides, who puts something on Facebook that they _want_ to keep _private_?
Re:Draconian Laws (Score:5, Insightful)
who puts something on Facebook that they _want_ to keep _private_?
People who don't know any better, who are (incidentally) the same people the privacy laws were written to protect.
Re:Simple solution (Score:5, Insightful)
I agree - if Facebook doesn't have a Canadian legal entity, nor Canadian hosting, the answer is "who cares"? I'm Canadian, BTW.
Just because there's users on FB from all around the world, it doesn't mean that FB has to abide by all countries' laws. If that were the case, the Internet would be a hobbled and useless mess.
MadCow.
Re:Simple solution (Score:2, Insightful)
Then how can they be subject to Canadian law? If they're found guilty of violating privacy laws, where's the enforcement mechanism? It's not like they're going to send Mounties to the U.S. or require ISPs to block Facebook.
Re:Simple solution (Score:4, Insightful)
They still do business in Canada when they sell ads for Canadian companies/sell stuff to Canadians/etc, now they could lose that revenue, or they could work with officials to improve the privacy of their users, thus keeping that revenue while improving their site. Do facebook really want to lose 11m users worth of revenue (and probably more long term as the EU may follow suit) ?
They prompt you (Score:3, Insightful)
Any time you agree to take one of those quizes etc, Facebook pops up a GIANT box in your face basically saying that if you agree to take that quiz then you give all rights to your information and your first bord child to the developers of that application.
If the user is too stupid to read a giant disclaimer right in their face and decide it is not worth that risk to find out how much alike their taste in puppies is to Fergie, then I have no sympathy for them.
Re:Simple solution (Score:4, Insightful)
If you're serving, catering, and marketing to users in Canada, and even partnering with Canadian telecoms to get your software on their phones, then a physical presence might not be required.
The mere fact that I can walk around Montreal and see advertisements for Facebook indicates that at the very least they could be forced to stop advertising in Canada, and the telecoms could be forced to stop distributing/bundling the Facebook apps. Even if they don't have a legal presence in Canada, they certainly do have *a* presence, and that's enough to force changes. That gives the Canadian government leverage to force Facebook to make changes.
"Comply with our laws or we'll cut off all your marketing and partnerships in Canada."
Re:Simple solution (Score:3, Insightful)
Just because there's users on FB from all around the world, it doesn't mean that FB has to abide by all countries' laws. If that were the case, the Internet would be a hobbled and useless mess.
MadCow.
Actually it doesn't matter where servers are located--what matters is how business is conducted in the country in question. Also, the Internet is hobbled and a mess, though it is still rather useful.
There is already historical precedent. Totalitarian governments, notably those of China and Cuba, thoroughly monitor Internet traffic and routinely block sites that conflict with their propaganda. The Pirate Bay was hosted in Sweden, but it is banned in China and several EU countries have had legal battles over allowing their citizens to visit the site. Then there are legal sites that restrict access--I cannot use Pandora from home (though at my office of my former employer I could, because the corporate proxy was in the US). People in my home country have been convicted on child pornography charges based upon underground sites hosted in another continent. By Quebec law, technically a company doing "significant business" in that province MUST provide French language pages--hosting outside the province does not prevent the "language police" from taking action if they wanted to.
Nobody, not even Facebook, can operate above the law with impunity using the excuse that their computers are not in the country. They conduct business here (notably, a number of apps ARE hosted physically in Canada, so it isn't just that end users are here--they are illegally sharing private information with Canadian facebook app hosts), they have to follow our rules.
Who cares? Well I care--whether I agree with specific laws I want to know that foreign operations are held to the same standards that we must meet ourselves. And, as is apparent in the news, the Canadian government cares a great deal too.
Re:Simple solution (Score:3, Insightful)
Facebook does business in Canada. SO while they cant 'shut down' the servers, they can stop Facebook from doing business in Canada.
Re:Facebook app privacy (Score:3, Insightful)
Is this [facebook.com], what your looking for?
Re:Draconian Laws (Score:5, Insightful)
That's not the point.
The point is that Facebook is disclosing personal information to any developer that asks for it, without regard to what the information is, or what use the developer has for the information. That's against Canadian law.
The quote in the article states it most clearly: "Why does a hangman developer have to know your address?"
Re:Draconian Laws (Score:5, Insightful)
It is worth noting that Facebook violates privacy of more than just its members.
The summary does not mention this, but one of the things the Canadian study found was that users of Facebook can post photos and Tag the names of each person in the photo (whether they are on Facebook or not).
I believe there are good reasons why a non-Facebook user would not want their images posted, and for that matter, have a searchable Tag posted against that image.
Presently, I can't 'opt-out' of images of myself being posted by members, even though I am not on Facebook.
And on the same subject-- should I even need to 'opt-out'? Maybe they should require 'opt-in'?
Re:Draconian Laws (Score:3, Insightful)
who puts something on Facebook that they _want_ to keep _private_?
People who don't know any better, who are (incidentally) the same people the privacy laws were written to protect.
People who don't know any better?
I put a gigantic billboard in my front yard - 20' tall. Plaster all kinds of personal information on it. Maybe some racy photos. And then, when everyone in the world knows the intimate details of my life I can cry foul because some privacy law was supposed to protect me, because I didn't know any better?
What ever happened to common sense?
I'm not talking about understanding the intricacies of HTTP or how various web apps share information... I'm talking about basic, common sense.
Why would you put private information on a social networking site? The whole point in a social networking site is to share information.
Re:Draconian Laws (Score:2, Insightful)
Re:Draconian Laws (Score:1, Insightful)
If you think that there is no field in which you would be considered "stupid" then you're quite an arrogant little sod.
Re:Draconian Laws (Score:4, Insightful)
You're right, but I don't think Joe Sixpack necessarily understands the concepts of data mining, profiling, etc and how they might relate to social networking sites. Nor do I think he, or the average teenager, understands the permanence of data or the associated implications.
And frankly, what may make sense to post on a gigantic billboard in your front yard may not make sense, or even be legal, tomorrow. Times change. Governments change. Social mores change. I think expecting your average internet user to consider these things is asking a little much.
No it isn't.
People have been making decisions (sometimes stupid ones) and living with the consequences for centuries. Ok, maybe it's easier to squash a verbally-distributed nasty rumor than a digitally-distributed incriminating photo, but that doesn't mean that common sense no longer applies.
Look back at some printed statements over the years... Things that were appropriate at the time and showed up very proudly in newspapers all over the united states, and now look very embarrassing.
Political careers have been ended because of a youthful indiscretion or an incriminating photograph.
Tons of people have tattoos that they wish they hadn't gotten.
Plenty of people have taken pictures they shouldn't have, and had it used against them.
Ever hear of Nixon? Recorded some tapes he probably wished he hadn't.
How about Sotomayor? Bet she wishes she hadn't said some things right about now.
This isn't about understanding data mining or profiling, this is about simple common sense - which is apparently in short supply these days. If I proudly proclaim that I like big butts on FaceBook you don't need to mine any data - you know that I like big butts. You don't have to profile anything, I've stated it in plain text. Oh, now my mother read it and I'm embarrassed? I guess I shouldn't have written it where she could see it, now should I?
Twitter, FaceBook, MySpace, blogs, text messaging, cell phones... They're all just ways of distributing a message. The problem isn't that distribution has become insanely quick, easy, and efficient. The problem is that nobody is thinking about the message anymore.
Folks will call up a friend and have a running conversation about the random people walking by them and what they're wearing - why? Just because you can tell your friend that somebody wearing a Penny Arcade t-shirt doesn't mean you have to.
People actually report on their bowel movements! Why?!
Re:The answer is pretty simple (Score:3, Insightful)
"allow a developer of an App to determine what information from a user's profile they actually need"
This sidesteps the issue under discussion. The issue is, some developers might be data mining, and some people don't desire all their data to be mined. Whether or not I am developing a legitimate app or not, I can claim to need personal data, right down to the size of a member's panties and bra. Or, maybe my app is just a front for a personnel screening service. While I claim to be developing the app, I'm mailing information to General Electric about every person who has applied for a position there. Or, more sinister, I live in Iran, and I'm mining accounts for details on protestors. As I find them, they are put on a list for the morality police to visit, and re-educate.
Developers don't need diddly squat. They can create their app, and put it up for use and/or sale. If it's any good, people will use/buy it. If it's no good, they can start over, or get out of the development business. They don't even need to know if I'm male or female, old or young, rich or poor.
Re:Simple solution (Score:3, Insightful)
I don't dispute your arguments above, especially regarding Canadian-hosted/based Apps within Facebook.
However, FB cannot be held legally accountable to laws of a foreign country where they have no legal presence. Sure, that country can block the site if they think that it's hazardous to their citizens, but that's the only consequence I can even imagine being appropriate. It's a business risk at that point - losing a potential market of customers. It's not like their corporate officers could be extradited to face charges in Canada or anything like that.
MadCow.
Re:Draconian Laws (Score:3, Insightful)
Yup, however...
Your examples are ones that have easily recognizable consequences for just about anyone. My point is more about the ones that take considerably more thought. For example, you give a big thumbs up to some fringe political party that, in the not so distant future, is outlawed with the supporters being flagged. Hell, atheism could become illegal someday if some fanatics got their way.
Extreme examples, for sure, but I believe the point is clear
Re:They prompt you (Score:3, Insightful)
Your American libertarian view of the law sees this as a business transaction, where the user can either use the product (and accept the terms of total data disclosure) or not use it.
Other countries with more civilized privacy laws prevent companies from demanding unnecessary personal data (i.e. anything not needed for the specific product or application) when providing a product. Terms of business have to comply with the law, just as they must in the U.S.; Canada just has more terms.
Yes I'm American.
The real situation (Score:5, Insightful)
Twitter, FaceBook, MySpace, blogs, text messaging, cell phones... They're all just ways of distributing a message. The problem isn't that distribution has become insanely quick, easy, and efficient. The problem is that nobody is thinking about the message anymore.
Actually, the problems being cited by the privacy officials are more the kind of thing the average user probably would not realise/anticipate.
If I ask a site to delete my personal data when they no longer have any reason to hold it, I might reasonably expect them to delete it — not stick some flag in a database, and then find when they have a security breach in five years' time that the data was still there. If an organisation is unwilling to follow this rule, the law should make them; the consequences of failing to do so with modern technology are demonstrated all too frequently, and often with horrendous, underserved consequences for those affected.
If I flag my personal data as private and restrict access to only a select group of friends, I might reasonably expect that data to be kept private and accessible only to those friends — not made accessible, in its entirety, to a million arbitrary developers of Facebook apps around the world, many from countries with far less privacy protection than the law in my country (and other countries where Facebook is hosted) provides. Again, if a site that specialises in collecting personal data and attracts that data on the basis that it can be held in confidence is unable to keep that confidence, the law should compel them to do so.
The way Facebook doesn't really delete data and the way they allow app developers open-ended access to it are the two big reasons I personally don't use their service, and I would be interested to know how many of my Facebook-using friends would agree if they knew the full implications of signing up for one game of Scrabulous or whatever it's called these days.
The world has changed in the Internet age, because now transgressions that might have been forgotten or overlooked after a while in the past are kept on-file forever and searchable for all to see. That in itself makes both education (particularly for the young/vulnerable), privacy awareness, and explicit legal protections for personal information much more important.
Personally, I believe personal data protection and privacy laws are far, far too weak in most jurisdictions today, lagging well behind modern technology and its less constructive applications. I would like to see statutory safeguards on all collection, use and distribution of personal data, and awesome, business-destroying penalties for those who are not careful enough to do so.
Our current path, towards a database state and wholesale aggregation of personal data by private entities, using software that is frequently insecure, with low-level staff unreliable at following even basic security procedures, in a world where leaks can turn a victim's life upside down and the damage may be expensive or impossible to fix, is not a healthy path to follow.
Basically, it's reasonable to expect some common sense from those old enough to know what they're doing, but it is not reasonable to expect people to make decisions based on information they probably don't know or understand, and in any case, no-one is perfect and I personally think society would be a better place with stronger privacy laws governing organisations that compile massive databases of personal data. As I often comment in these discussions, just because we can do something does not mean we should, and just because someone who is only human once made a mistake does not mean we have to catalogue it and make it searchable by anyone for the rest of their life.
...an inaccurate view, IMO (Score:3, Insightful)
What you say would be true for people who make their facebook profile public, but what about those with private profiles that are visible only to their friends, and are basically being leaked to third parties?
How would you feel if your cell phone company were selling transcripts of your phone calls to advertisers and potential employers without your consent (ie. considering your use of their system as you granting your implicit consent)?
Re:...an inaccurate view, IMO (Score:3, Insightful)
What you say would be true for people who make their facebook profile public, but what about those with private profiles that are visible only to their friends, and are basically being leaked to third parties?
Your FaceBook profile is only private if your friends don't share anything with people you don't want them to. It doesn't much matter what FaceBook's privacy policy is... Or what kind of mechanics they've got in place to protect you... If you post something on FaceBook you have to assume that it'll wind up somewhere you don't want it to.
How would you feel if your cell phone company were selling transcripts of your phone calls to advertisers and potential employers without your consent (ie. considering your use of their system as you granting your implicit consent)?
I wouldn't be terribly surprised, to be honest.
I'd be even less surprised if they were doing that with my text messages. Or using the photos I take on that camera for promotional purposes.
But I wouldn't be terribly horrified. I do use the phone for business, so there might be some confidentiality concerns with some of our clients... But I don't generally say anything terribly private on the phone. Important stuff is best handled face-to-face.
But, then again, I'm operating on the assumption that anything I say on a cell phone can be overheard anyway. It isn't like I duck into a cone of silence every time it rings. If I'm chatting on the phone with my wife anyone within earshot can hear at least half of the conversation. And if I ever get into trouble my call records can be subpoenaed. And if I leave my phone unattended somewhere someone could go through my address book or call log. So I'm not assuming that I've got some built-in level of privacy.
Re:The real situation (Score:3, Insightful)
Basically, it's reasonable to expect some common sense from those old enough to know what they're doing, but it is not reasonable to expect people to make decisions based on information they probably don't know or understand
The only thing you need to know is that you're posting information on the Internet.
If I ask a site to delete my personal data when they no longer have any reason to hold it, I might reasonably expect them to delete it
Sure, that's a reasonable expectation. But it isn't necessarily reality. If I give you a picture of me doing something lewd to a llama and ask you to destroy it I might reasonably expect you to do so... But that doesn't mean that you actually destroyed anything. And it doesn't mean that you have to destroy it either. Unless we signed some kind of legally binding contract that said you would destroy it... In which case I'd want to get a lawyer and make sure the contract was really just as binding as I thought it was. And ultimately the best way to make sure you didn't keep that picture hanging around would be not to give it to you in the first place.
But this is the Internet. Millions of inter-connected computers. Tons of indexes and archives and everything else. Even if FaceBook does delete your information, what's to say that it isn't cached by Google or the WayBack Machine? What's to say that someone out there didn't already save it to their HDD?
If I flag my personal data as private and restrict access to only a select group of friends, I might reasonably expect that data to be kept private and accessible only to those friends
Again, a reasonable expectation. And again, not necessarily relevant.
So it's limited to those people... Let's say FaceBook doesn't give out the information to other people, doesn't retain it after you deleted your account, etc. But one of your friends shares your information where they shouldn't have - re-posts it to a different website or something.
Or maybe you check your FaceBook account at work, or at an airport and someone logs your credentials.
Again, the best way to avoid something incriminating getting out is to never put it out there to start with.
The way Facebook doesn't really delete data and the way they allow app developers open-ended access to it are the two big reasons I personally don't use their service, and I would be interested to know how many of my Facebook-using friends would agree if they knew the full implications of signing up for one game of Scrabulous or whatever it's called these days.
That's certainly your choice.
And it may very well be that your friends don't know just how vulnerable they are on FaceBook.
But, myself, I just don't post anything terribly incriminating there. There's no information on FaceBook that isn't already posted dozens of other places on the Internet.
I'm not saying that FaceBook is a good site, or that they've got a great privacy policy or anything like that. I'm saying that a key ingredient in the whole mix is common sense, which many people don't have.