Facebook to comply with privacy recommendations: Commissioner
By Sarah Schmidt, Canwest News Service August 27, 2009
Photograph by: google images, google images
OTTAWA — In the end, a handful of staffers tucked away in the office of Canada's privacy commissioner have been able to move Facebook to revamp the way it protects the personal information of more than 200 million users worldwide.
After a year-long investigation followed by 30 days of negotiations, Privacy commissioner Jennifer Stoddart on Thursday announced Facebook will add "significant new privacy safeguards" to bring the California company into compliance with Canada's private-sector privacy law.
The biggest change, to be implemented across the entire Facebook network over the next 12 months, will curtail the access outside software developers have to the personal information of users. This will affect hundreds of thousands of third-party developers that create applications, such as games and quizzes, for the social networking site.
The developers are scattered over 180 countries.
"This is hugely significant. Facebook has 12 million users in Canada alone — more than one third of our population," said Stoddart, who last month gave Facebook a month to develop a plan to fall in line with Canada's Personal Information Protection and Electronic Documents Act or face court action.
Other major social networking sites have already taken notice of the sweeping settlement, and one has already approached Canada's privacy czar to figure out how to protect the personal information of its users, said Stoddart.
The small law clinic that started it all when it filed a privacy complaint against Facebook in May 2008 is pleased.
"I think the finding does a really great job of setting standards for how to do social networking in a privacy sensitive manner, and that was really the impetus. It was much broader than Facebook," said Tamir Israel, one of two staff lawyers at the Canadian Internet Policy and Public Interest Clinic at the University of Ottawa.
The biggest point of contention in the dispute rested with the "over-sharing" or the "virtually unrestricted access" third-party developers had to the personal information of Facebook users.
In order to download popular games and quizzes, Facebook users have to consent to share their personal information, except their contact details.
"I was quite concerned that this so obvious departure from Canadian standards was extant and certainly that has been at the heart of a lot of the talks that the team has had with Facebook," said Stoddart, who lauded the openness of Facebook to find ways to improve the site's privacy features.
In addition to two main investigators, a few others in commissioner's office worked intermittently on the Facebook file.
Facebook, seen as the industry standard when it comes to privacy, has agreed to retrofit its application platform in a way that will prevent any application from accessing information until it obtains express consent for each category of personal information it wishes to access.
Under this "new permissions model," users adding an application will be advised the application wants access to specific categories of information; users will be able to control which information they are permitted to access.
BEGIN OPTIONAL CUT
Elizabeth Denham, assistant privacy commissioner and lead investigator, defended the one-year implementation period, saying the shift requires "significant technological changes" to the Facebook application programming interface.
Denham also said Facebook has agreed to allow the commissioner's office to test the model to make sure it meets its expectations. "In essence, we're going to be looking under the hood."
END OPTIONAL CUT
Acknowledging the "important concerns" over third-party applications, Dave Morin, Facebook's senior platform manager, said these changes will give users confidence in the control they have over their information and privacy.
"We truly feel like these improvements to Facebook platform will bring a new privacy standard to the social web."
Morin played down any strain this stricter privacy regime will have on developers of third-party applications — an important revenue stream for Facebook.
"We certainly think good privacy is good business so we think the developers will be happy to look into these changes as much as we are."
BEGIN OPTIONAL CUT
Michael Richter, Facebook's deputy general counsel, added, "cost is really not our focus here. Our focus is making sure our users have complete control over their privacy."
END OPTIONAL CUT
Facebook has also agreed to make it clear to users that they have the option of either deactivating their account or deleting their account; Canada's privacy czar took issue with the "confusing" way Facebook distinguished between deactivation (personal information held in digital storage) and deletion (info erased from Facebook servers).
If the law clinic at the University of Ottawa is not content with the undertakings or Facebook's carry-through on its commitments, it could file another complaint or initiate court proceedings.
So could the privacy commissioner, but Stoddart said it's very unlikely the matter will end up in a Canadian court.
"I doubt it will come to that because we've had such good co-operation with Facebook."