Canadian privacy chief flunks Facebook

Lax data policies in sharp detail

Facebook does not protect personal information well enough to comply with Canadian data protection law, the Canadian Privacy Commissioner has said.

Jennifer Stoddart's office has investigated the social-networking website's use of personal information and has found that Facebook is not clear enough about how users can control their information, or restrictive enough in regulating other companies' access to it.

The Commissioner's office said that the company needed to be more transparent.

"Social networking sites can be a wonderful way to connect. They help us keep up with friends and share ideas and information with people around the globe," said assistant commissioner Elizabeth Denham. "It is important for these sites to be in compliance with the law and to maintain users' trust in how they collect, use and disclose our personal information."

The investigation found that users were told on Facebook how to deactivate accounts, but not how to delete them. Only deleting accounts actually removes personal information from Facebook's servers.

Facebook faced a storm of protests when it initially allowed only deactivation of accounts, but eventually changed its policy to allow deletion. That deletion option, however, is not made clear to users, the Commissioner's office said.

"Although Facebook provides information about its privacy practices, it is often confusing or incomplete," said a statement from the office. "For example, the 'account settings' page describes how to deactivate accounts, but not how to delete them."

"Facebook has a policy of indefinitely keeping the personal information of people who have deactivated their accounts – a violation of the Personal Information Protection and Electronic Documents Act, Canada’s private-sector privacy law," it said. "The law is clear that organizations must retain personal information only for as long as is necessary to meet appropriate purposes."

Privacy law expert Rosemary Jay said that under European data-protection law it is essential that a company such as Facebook allow users to delete, and not just deactivate, their profiles.

"I can't see why you would have a purpose for retaining the actual account," said Jay. "I would have thought in Europe regulators would say that there is no reason to retain the detail and you have no legitimate business reason to have it, so you should delete it."

The Canadian Commissioner's report said that although a 'delete' option was available, it was difficult to find and unavailable from the 'settings' page of the website.

"Facebook may cause some users to assume that account deactivation is the only option available to them," said the report. "I see no reason why Facebook should not and could not easily put an account deletion option, as well as an account deactivation option, on users’ Account Settings pages so as to give equal exposure to the two options and make it clear to users that they can choose between the two."

The report also said that Facebook should not retain indefinitely the data held in accounts that have been deactivated.

The report also highlighted privacy problems in relation to Facebook applications developed by third-party companies. To use these, Facebook users must agree to allow those companies access to the data that Facebook holds on them.

The Commissioner's report said that Facebook should not allow developers access to all the information it holds on users. "I find that Facebook does not have adequate safeguards in place to prevent unauthorized access to users’ personal information by application developers, and is thus in contravention of [the law]," said the report.

The report also said that the consent gained by Facebook was so broad and general that it was not adequate to absolve it of responsibility. "In my view, consent obtained on such a basis is meaningless," said the report.

Denham, who wrote the report, said that while offices like hers can recommend that companies improve privacy policies, it is still up to users to inform themselves of the status of their information.

"We asked Facebook to clearly advise users about its privacy practices, but it's still up to the user to actually read it and use the privacy tools to control how their information is shared," she said.

Facebook has introduced tools to help users more fully control the use of their information on the site, a move which the Canadian Privacy Commissioner's office said was a result of its investigation. Facebook said that it would introduce "a number of new additional privacy features" to its service.

Copyright © 2009, OUT-LAW.com

OUT-LAW.COM is part of international law firm Pinsent Masons.
