Facebook agrees to address Privacy Commissioner's concerns

This just in:

News Release: Facebook agrees to address Privacy Commissioner’s concerns - August 27, 2009

Privacy Commissioner of Canada satisfied that proposed changes to the social networking site’s privacy practices and policies would bring Facebook into compliance with Canadian law.

OTTAWA, August 27, 2009 — Facebook has agreed to add significant new privacy safeguards and make other changes in response to the Privacy Commissioner of Canada’s recent investigation into the popular social networking site’s privacy policies and practices.

The company’s decision to implement the Privacy Commissioner’s recommendations is a positive step towards bringing Facebook in line with the requirements of Canada’s privacy law.

“These changes mean that the privacy of 200 million Facebook users in Canada and around the world will be far better protected,” says Privacy Commissioner Jennifer Stoddart.

“This is extremely important. People will be able to enjoy the benefits of social networking without giving up control of their personal information. We’re very pleased Facebook has been responsive to our recommendations.”

Last month, the Privacy Commissioner issued a report on an in-depth investigation triggered by a complaint from the Canadian Internet Policy and Public Interest Clinic.

While Facebook took some steps to resolve privacy concerns, the Commissioner remained dissatisfied by Facebook’s response at the end of the investigation. She was particularly concerned about the risks posed by the over-sharing of personal information with third-party developers of Facebook applications such as games and quizzes.

Facebook was given 30 days to respond to the Commissioner’s report and explain how it would address the outstanding concerns. Following a review of Facebook’s formal response and discussions with company officials, the Commissioner is now satisfied Facebook is on the right path to addressing the privacy gaps on its site.

“Facebook is promising to make significant technological changes to address the issue we felt was the biggest risk for users – the relatively free flow of personal information to more than one million application developers around the world,” says Assistant Commissioner Elizabeth Denham, who led the investigation on behalf of the Office.

“Application developers have had virtually unrestricted access to Facebook users’ personal information. The changes Facebook plans to introduce will allow users to control the types of personal information that applications can access.”

An over-arching issue highlighted during the investigation was that the way in which Facebook provides privacy information to users is often confusing or incomplete.

Facebook agreed to changes to help users to better understand how their personal information will be used and, ultimately, to make more informed decisions about how widely to share that information. The Commissioner has reviewed these improvements and will be following up with Facebook as the changes are implemented.

The following is an overview of key issues raised during the investigation and Facebook’s response:

1. Third-party Application Developers

Issue: The sharing of personal information with third-party developers creating Facebook applications such as games and quizzes raises serious privacy risks. With more than one million developers around the globe, the Commissioner is concerned about a lack of adequate safeguards to effectively restrict those developers from accessing users’ personal information, along with information about their online “friends.”

Response: Facebook has agreed to retrofit its application platform in a way that will prevent any application from accessing information until it obtains express consent for each category of personal information it wishes to access. Under this new permissions model, users adding an application will be advised that the application wants access to specific categories of information. The user will be able to control which categories of information an application is permitted to access. There will also be a link to a statement by the developer to explain how it will use the data.

This change will require significant technological changes. Developers using the platform will also need to adapt their applications and Facebook expects the entire process to take one year to implement.

2. Deactivation of Accounts

Issue: Facebook provides confusing information about the distinction between account deactivation – whereby personal information is held in digital storage – and deletion – whereby personal information is actually erased from Facebook servers. As well, Facebook should implement a retention policy under which the personal information of users who have deactivated their accounts will be deleted from the site’s servers after a reasonable length of time.

Response: Facebook has agreed to make it clear to users that they have the option of either deactivating their account or deleting their account. This distinction will be explained in Facebook’s privacy policy and users will receive a notice about the delete option during the deactivation process.

While we asked for a retention policy, we looked at the issue again and considered what Facebook was proposing. We determined the company’s approach – providing clarity about the options, offering a clear choice, and alleviating the confusion – is acceptable because it will allow users to make informed decisions about how their personal information is to be handled.

3. Personal Information of Non-users

Issue: Facebook should better protect the privacy of non-users who are invited to join the site.

Response: Facebook agreed to include more information in its terms of use statement. Facebook confirmed that it does not use email addresses to track the success of its invitation feature, nor does it maintain a separate email address list for this purpose.

4. Accounts of Deceased Users

Issue: People should have a better way to provide meaningful consent to have their account “memorialized” after their death. As such, Facebook should be clear in its privacy policy that it will keep a user’s profile online after death so that friends can post comments and pay tribute.

Response: Facebook agreed to change the wording in its privacy policy to explain what will happen in the event of a user’s death.

Facebook has committed to a timetable for implementing all of the changes, some of which, such as the third-party application changes, are technologically complex. The company has already started to make changes and we expect them to be fully complete within a year.

“It’s now up to Facebook to demonstrate to us that they are living up to their commitments,” says Assistant Commissioner Denham.

“With the conclusion of the Facebook investigation, our Office has made clear our expectations for how social networking sites need to protect personal information. Other sites should take note – and take steps to ensure they’re complying with Canadian law.”

Statements by the Commissioner and Assistant Commissioner are available on the OPC’s website.

The Privacy Commissioner of Canada is mandated by Parliament to act as an ombudsman, advocate and guardian of privacy and the protection of personal information rights of Canadians.

Remarks by Jennifer Stoddart, Privacy Commissioner of Canada

Remarks by Elizabeth Denham, Assistant Privacy Commissioner of Canada

Letter from OPC to CIPPIC outlining its resolution with Facebook

Commissioner to reveal result of Facebook negotiations tomorrow

Apparently both the Privacy Commissioner of Canada and Facebook intend to hold separate press conferences tomorrow to discuss the outcome of the last month of negotiations between the two about whether Facebook is in compliance with Canadian privacy laws. See: Canada may reveal next step on Facebook privacy.

Privacy? We Got Over It.

Yesterday's Wall Street Journal had an interesting Op/Ed on privacy, highlighting contemporary expectations of privacy.

Information Age - WSJ.com

Privacy? We Got Over It.

August 25, 2008; Page A11

In 1988, Congress banned video stores from disclosing the titles of films that people rent. The issue arose because in the battle to block Robert Bork from the Supreme Court, someone leaked his video rentals.

Fast-forward to this summer, and a federal judge hearing a $1 billion copyright complaint by Viacom ordered YouTube to turn over online records about which computer addresses were used to watch which videos on the site. The judge dismissed privacy concerns as "speculative." How quickly our expectations of privacy have changed.

Privacy advocates objected that with access to Internet protocol addresses, it would be possible to track who watched what. Hundreds of millions of people have watched videos on YouTube since its founding in 2005 -- indeed, by one estimate, virtually everyone who uses the Web has watched a video on the site. This makes it surprising that there was such little public outcry about this potential loss of privacy. Google, which owns YouTube, has complied with the judge's order by using encryption to hide individual records, but it is indeed "speculative" how much people would object to disclosing this online behavior.

This incident is a telling moment. We seem to be following the advice of Scott McNealy, chairman of Sun Microsystems, who in 1999 said, "You have zero privacy anyway. Get over it." And the observation by Oracle CEO Larry Ellison: "The privacy you're concerned about is largely an illusion. All you have to give up is your illusions, not any of your privacy."

These comments could be dismissed as technology executives trying to minimize complaints about technology. But whatever we say about how much we value privacy, a close look at our actual behavior suggests we have gotten over it. A recent study by AOL of privacy in Britain found that 84% of people said they would not disclose details about their income online, but in fact 89% of them willingly did.

Amazon closely records our taste in books, Gmail scans our emails to deliver relevant ads, and electronic tolls track where we drive. Profiles on MySpace and Facebook are accessible, forever. The disclosure that Judge Bork liked to rent British comedies seems quaint in comparison.

Records about us are no longer kept in scattered manila files in dusty cabinets, but digitally, which means in permanent records that can be combined with other records to paint a full picture of our tastes and habits. Information held by different retailers, insurers and government agencies can be mined to create constantly updated files more complete than the most tenacious intelligence report on a suspected criminal a generation ago.

Privacy advocates do their jobs by reminding us of these risks, but our choices all seem to be in the direction of trading away privacy. The fantastic power and convenience of digital life has led us to change what we consider private in ways that we can only begin to understand.

Indeed, our expectations of privacy have changed radically over time. Stanford law professor Lawrence Friedman in his recent book, "Guarding Life's Dark Secrets," documents the total lack of privacy expectations through the medieval period, when people lived together with no option for privacy, to a period of privacy for some people and some purposes as part of what he calls the "Victorian compromise." Propriety was defined through social norms focused on reputation, which included significant freedom for otherwise scandalous behavior if it was done carefully, in private.

"If the nineteenth century was a world of privacy and prudery, a world of closed doors and drawn blinds," Mr. Friedman writes, "then the world of the twenty-first century is the world of the one-way mirror, the world of the all-seeing eye."

We now seem happy to trust companies with our information for benefits such as one-click buying and online searches for personally relevant results. In a digital world where it is possible to know more than ever about everything, including one another, the new vice may be the flip side of privacy -- concealing information about ourselves of legitimate value to others.

In the physical world, surveillance cameras, satellites and bio-recognition systems have redefined privacy expectations. We have learned that "privacy can be very dangerous," as federal appeals judge Richard Posner has observed. "Obviously if you're a terrorist, privacy is enormously important. So the more we think of privacy as endangering us, that will reinforce these commercial incentives to surrender privacy."

Privacy remains a virtue, or at least we still say it does. But the balance has been tipped by other values, such as transparency, a free flow of information and physical security. We're in the early stages of adapting to more digital and visible lives, with privacy expectations better defined by what we do than by what we say.

Privacy Commissioner v Facebook: Next chapter imminent

You may recall that last year, following a high-profile complaint made against Facebook by the Canadian Internet Policy and Public Interest Clinic, the Privacy Commissioner of Canada gave Facebook a year to get its house in order. In particular, the social networking site told the Commissioner that it would take about a year to address issues regarding third party applications on the Facebook platform and the handling of accounts of deceased users.

A year has passed and the media are reporting that there may be a showdown brewing. It is suggested that if the Commissioner is not satisfied with what Facebook is doing today, it's off to court: Privacy czar set to hand down Facebook ruling.

I'm not sure it's as dire as that, but it will be interesting to see what transpires in the coming days.

It should also be borne in mind that the Commissioner is an ombuds(wo)man. If she goes to court, it's a de novo hearing, so the matter starts all over at the very beginning. Factoring in "Internet time", what Facebook was doing a year ago seems like pre-history.

Update: CIPPIC says that Facebook still falls short of its Canadian obligations, according to an article at ITBusiness.ca.

Facebook to be off-limits to German employers

According to Spiegel, the German government is currently working on an addition to the country's data protection laws that will prevent employers from using Facebook to screen prospective employees, but most other internet-derived information will be fair game:

Saving Jobseekers from Themselves: New Law to Stop Companies from Checking Facebook Pages in Germany - SPIEGEL ONLINE - News - International

But those Facebook users hoping to apply for a job in Germany should pause for a moment before they hit the "deactivate account" button. The government has drafted a new law which will prevent employers from looking at a job applicant's pages on social networking sites during the hiring process.

According to reports in the Monday editions of the Die Welt and Süddeutsche Zeitung newspapers, Interior Minister Thomas de Maizière has drafted a new law on data privacy for employees which will radically restrict the information bosses can legally collect. The draft law, which is the result of months of negotiations between the different parties in Germany's coalition government, is set to be approved by the German cabinet on Wednesday, according to the Süddeutsche Zeitung.

Although the new law will reportedly prevent potential bosses from checking out a candidate's Facebook page, it will allow them to look at sites that are expressly intended to help people sell themselves to future employers, such as the business-oriented social networking site LinkedIn. Information about the candidate that is generally available on the Internet is also fair game. In other words, employers are allowed to google potential hires. Companies may not be allowed to use information if it is too old or if the candidate has no control over it, however.

Privacy Commissioner to accept Fracebook's friend request

According to the Toronto Star, the Privacy Commissioner is going to accept Facebook's friend request, just on the eve of the deadline to comply with the Commissioner's prevous adverse finding:

TheStar.com Canada Facebook, privacy commissioner make friends

Susan Delacourt

Ottawa Bureau

OTTAWA – Friendship, fittingly, appears to have broken out in the dispute between Canada's privacy commissioner and the Facebook social networking site.

Today is the 30-day deadline for Facebook to respond to a strongly worded report issued last month by Canada's privacy commissioner, Jennifer Stoddart, criticizing how people's personal information was being treated by the global giant in online friendships.If Stoddart is not happy with Facebook's response, she has 15 days to decide whether to get the Federal Court of Canada involved.

But the two sides appear to be solving their problems in harmony.

Alexandra Brown, a Toronto spokesperson for Facebook, said a formal response is being sent today to the privacy commissioner's office, complete with timelines for Facebook to respond to the concerns raised in last month's report. Over the past month, the two sides have reportedly been working well together, with privacy-commission officials paying a visit to Facebook headquarters in Palo Alto, Calif., to negotiate a compromise.

"I know there's been lots of discussion and there will continue to be discussion over the next 15 days," Brown said.

Canada's privacy commission was sounding similarly upbeat about the status of the dispute.

Anne-Marie Hayden, a spokesperson for the commission said: "We continue to have very positive discussions with Facebook.... It's going very well."

Neither side was willing to talk about details of their agreement to date or even what is in the report that Facebook sent to the privacy office today. Hayden said that the privacy commission needs time to review what Facebook has filed, and more will be said closer to the next deadline, 15 days from now.

Stoddart's original report on Facebook last month identified concerns in the following areas:

* A lack of adequate safeguards to restrict outside software developers — of games, quizzes and the like — from gaining access to personal profiles of users and their online friends.

* Facebook's indefinite retention of personal information of people who have deactivated their accounts.

* A lack of clarity about how Facebook material can be used in the event of a person dying, which the privacy office calls "memorialization" concerns.

* A lack of protection of information about non-users — people who may not have their own Facebook accounts, but whose personal data may be on friends' or associates' pages.

Facebook must satisfy Canada's privacy commissioner by Monday

Following the Commissioner's adverse finding against Facebook, the social networking site's deadling to respond is tomorrowf (See: Canadian Privacy Law Blog: Canadian Privacy Commissioner calls on Facebook to improve privacy practices). I don't expect a big response from Facebook, so we'll have to wait to see if the Commissioner takes them to court. See: Facebook must satisfy Canada's privacy commissioner by Monday.

Opinion: Give privacy laws teeth

The next in the series of three privacy OpEds in the National Post goes to Phillipa Lawson, formerly of CIPPIC:

Give privacy laws teeth
Internet use in Canada has had enormous economic and social benefits; individuals and organizations can now broadcast their ideas, promote their businesses and build communities of interest instantly, at minimal cost, worldwide. But technology is a double-edged sword; it can be used for bad as well as good, and the impacts of its use even for non-criminal purposes are not all positive. The greatest casualty of our enthusiastic embrace of the Internet is, without doubt, individual privacy.

Fraudsters, identity thieves, stalkers and vengeance-seekers are using the Internet to solicit, track and prey on victims, often by taking advantage of the vast amount of personal information available online. While such information is a gold mine for imposters and stalkers, its collection, use and trading by non-criminals can be equally damaging for the individuals whose personal information is at issue.

Careless or malicious posting of photos, videos and personal information online can have devastating reputational impacts on individuals -- impacts that may never fully disappear because the digitized information, once released online, never disappears.

A video posted on You-Tube, for example, can turn a small-town student into an instant celebrity, but it can also provoke ridicule worldwide. False rumours can spread like wildfire. Embarrassing photographs posted online can seriously impede future employment prospects. And because the digital medium is so persistent, reputational effects may never be overcome.

Easily abused personal information is offered up to a remarkable extent by individuals themselves on social-networking sites, personal blogs and chat rooms. But many users don't appreciate the extent to which such information is publicly accessible, easily gathered and compiled by others and thus vulnerable to abuse. Only a minority of Facebook users, for example, bother to adjust their privacy settings from the defaults set by Facebook, which are to share with everyone in the Facebook-determined networks they have joined.

Personal information is also made public by friends, acquaintances and organizations who post it online often without the individual's knowledge, let alone consent. Once discovered, it can be too late to undo the damage caused, for instance, by publication of an indiscreet photo or the home address of a high-risk social worker.

Furthermore, there is a huge industry in the collection and trading of personal information, much of it covert. Marketers want to manipulate us into buying more stuff. Insurers want to minimize their risk. Employers want reliable, mature employees. Governments want to make sure that we aren't threatening national security.

Privacy law is about protecting our right to control with whom we share information about ourselves. But it should also recognize that certain uses are simply inappropriate, and that "consent" is often no more than a fiction.

Canada has a reasonably good set of data-protection laws. In general, corporations are required to get our informed consent before collecting, using or disclosing our personal data, and can do so only for purposes that a reasonable person would consider appropriate in the circumstances. Government entities can collect, use and disclose our data only for certain specified purposes.

But these laws do not place explicit limits on the collection and use of personal information posted by children, who are most vulnerable to abuse online.

Nor do our laws, outside Quebec, Alberta and B. C., place significant limits on non-commercial and nongovernmental uses of personal data without consent. While courts are starting to recognize a common-law right to privacy that would fill this gap, there is little to protect most Canadians from privacy abuses that arise outside the commercial or government context.

Moreover, existing privacy laws are only as good as their enforcement. At least one study has shown that there is widespread non-compliance with Canadian privacy laws, especially in the commercial sector.

This is not surprising given that the costs of non-compliance are minimal. The federal privacy commissioner is limited to making recommendations. Complainants in most jurisdictions must engage in expensive lawsuits in order to get binding orders for which they will likely receive no compensation.

This is not good enough. Privacy laws should apply to non-commercial as well as commercial activities. They should prohibit collection and use of kids' data, other than in exceptional cases. They should require meaningful consent, not just an easily overlooked opt-out check box. And we should be able to hold others accountable under privacy laws without undue effort and cost -- it's time to put some teeth into our privacy laws.

Philippa Lawson was director of the Canadian Internet Policy and Public Interest Clinic (CIPPIC) at the University of Ottawa from 2003 to 2008 and currently practises law in Whitehorse, Yukon.

Privacy needs to be built into the product

Jacob Glick, Canadian policy counsel for Google Inc., has a good OpEd piece in today's National Post. I agree that innovators need to build privacy into their products, not only to manage their own risks but as members of society who have responsibilities for their users. I would say that responsibility is heightened for companies whose products are used by young people who may have an under-developed sense of privacy.

Privacy is in the product

This week, the National Post brings you a three-part series on the rocky place where the Internet meets the law. The question put to today's contributors: Given the proliferation of personal information on the Internet, especially on social-networking sites such as Facebook, how must Canada's laws adapt to ensure our privacy online?

When I moved to Ottawa four years ago, social-networking sites helped me keep up with my friends in Toronto and elsewhere -- in a way and on a scale that wasn't possible previously. Recently, I started micro-blogging on Twitter (mostly because I'm too lazy to blog more than 140 characters at a time) to share my thoughts on work-related matters and other miscellany. Through the Internet, we're reshaping the ways we do business, communicate and represent ourselves to the world. The good news is, we can embrace these changes without surrendering our privacy.

Privacy protection can and ought to be at the heart of innovative tools -- not only as a matter of legal compliance, but also as a principle of product design. This is what Ontario's Information and Privacy Commissioner, Dr. Ann Cavoukian, calls "Privacy by Design."

Questions about the sufficiency of Canada's privacy regime, while relevant, miss the bigger picture. Privacy is best protected by good product design. In fact, Canada has a well-functioning private-sector privacy regime. The Internet is not a Wild West: Existing rules related to legal jurisdiction and privacy apply online, as they do in the physical world. Internet companies, just like their brick-and-mortar brethren, are legally accountable for the ways they collect, use and disclose personal information.

For example, street-level photography has long been part of cartography. With a quick trip to your local municipal archive, you'll discover thousands of photos, taken over decades, of our urban landscapes. For those of us who can't read maps, seeing the world at street level is the easiest way to get around unfamiliar locales. Google Street View takes this traditional discipline and integrates it with digital mapping.

Google's approach is to build products that harness the power of the Internet while protecting privacy for the benefit of hundreds of millions of people worldwide, including tens of millions of Canadians. That's why we have built facial and license-plate blurring into Google Street View and why we make it easy for Canadians to request that we remove any image containing themselves, their kids, their cars or their homes -- even if the image is already blurred. There are privacy rules that apply to Google Street View just as they do to more traditional cartographers.

In addition to offering more accessible and useful mapping data, today's online applications provide exciting tools for collaboration and community building. They help us break through the alienation endemic to urban society and reconnect with our communities in new and fun ways. For example, here in Ottawa, online groups and web-sites give new parents a great support network and help them find local activities they can enjoy with their kids.

One of these innovative communications and collaboration tools is YouTube, a revolutionary platform that turned four this year. YouTube enables people to make their videos, professional or amateur, available worldwide. This ability can blur the line between the public and the private spheres, and Canadians get that. They also know that they are in control of what they post on YouTube -- and with whom they share it.

That's why not every video on YouTube has to be made public. Some can be shared with a smaller circle of friends. That's also what Google has done with the recent launches of Google Latitude, our mobile feature which enables users to select people to share their location with, and our Interest-based advertising system, which was built with tools that allow users to specify which categories of ads they'd like to see (or not see).

Of course, to make sensible choices people must have products that let them make such choices. Innovators should therefore develop applications in which privacy is built in from the start, so that Canadians can control the parts of themselves they reveal to the world.

Regulators ought to hold companies accountable for their privacy practices. However, privacy ultimately should be about good product design -- not just about legislation, regulation or compliance. The best products and businesses will have transparency and user choice built right in. Canadians should expect it.

-Jacob Glick is Canada policy counsel for Google.

English case looks under the hood of Facebook in privacy case

A colleague just brought to my attention a case handed down yesterday by the High Court of Justice (Queen's Bench Division) of England & Wales: Applause Store Productions Ltd. & Anor v Raphael [2008] EWHC 1781 (QB) (24 July 2008).

The case relates to the misuse of private information and defamation. The defendant in this case had set up a false Facebook profile in the name of the plaintiff and established a Facebook group that was, shall we say, not flattering of the plaintiff. The court found in favour of the defendant on both claims.

What's additionally interesting is the detail with which the Court reviews the logging data generated by Facebook and provided to the Court. The case is an interesting read for privacy issues, but also is a good chance to look under the hood of Facebook, forensically speaking.

Privacy dilemma illustrated in Vermont library

The local Halifax paper is running an AP story about the tough choices that custodians of personal information are sometimes called upon to make. After a young girl went missing, the police showed up at the public library demanding to take the public access computers that the girl had apparently used to communicate on MySpace. The librarian stood her ground and demanded that the police get a warrant. They did. Here's the full story:

Nova Scotia News - TheChronicleHerald.ca

Police raid on library offers privacy dilemma

By JOHN CURRAN The Associated Press

Sun. Jul 20 - 5:19 AM

RANDOLPH, Vt. — Children’s librarian Judith Flint was getting ready for the monthly book discussion group for eight and nine-year-olds on Love That Dog when police showed up.

They weren’t kidding around: Five state police detectives wanted to seize Kimball Public Library’s public access computers as they frantically searched for a 12-year-old girl, acting on a tip that she sometimes used the terminals.

Flint demanded a search warrant, touching off a confrontation that pitted the privacy rights of library patrons against the rights of police on official business.

"It’s one of the most difficult situations a library can face," said Deborah Caldwell-Stone, deputy director of intellectual freedom issues for the American Library Association.

Investigators obtained a warrant about eight hours later, but the June 26 standoff in the 105-year-old, red brick library on Main Street frustrated police and had fellow librarians cheering Flint.

"What I observed when I came in were a bunch of very tall men encircling a very small woman," said the library’s director, Amy Grasmick, who held fast to the need for a warrant after coming to the rescue of the 4-foot-10 Flint.

Library records and patron privacy have been hot topics since the passage of the U.S. Patriot Act after the Sept. 11, 2001, terror attacks.

Library advocates have accused the government of using the anti-terrorism law to find out, without proper judicial oversight or after-the-fact reviews, what people research in libraries.

But the investigation of Brooke Bennett’s disappearance wasn’t a Patriot Act case.

"We had to balance out the fact that we had information that we thought was true that Brooke Bennett used those computers to communicate on her MySpace account," said Col. James Baker, director of the Vermont State Police.

"We had to balance that out with protecting the civil liberties of everybody else, and this was not an easy decision to make."

Brooke, from Braintree, vanished the day before the June 26 confrontation in the children’s section of the tiny library.

Investigators went to the library chasing a lead that she had used the computers there to arrange a rendezvous.

Brooke was found dead July 2.

An uncle, convicted sex offender Michael Jacques, has since been charged with kidnapping her.

Authorities say Jacques had gotten into her MySpace account and altered postings to make investigators believe she had run off with someone she met online.

Flint was firm in her confrontation with the police.

"The lead detective said to me that they need to take the public computers and I said ‘OK, show me your warrant and that will be that,’ " said Flint, 56. "He did say he didn’t need any paper.

"I said ‘You do.’ He said ‘I’m just trying to save a 12-year-old girl,’ and I told him ‘Show me the paper.’"

Cybersecurity expert Fred H. Cate, a law professor at Indiana University, said the librarians acted appropriately.

"If you’ve told all your patrons ‘We won’t hand over your records unless we’re ordered to by a court,’ and then you turn them over voluntarily, you’re liable for anything that goes wrong," he said.

Canadian Privacy Commissioner calls on Facebook to improve privacy practices

The Privacy Commissioner of Canada has determined that Facebook needs to improve its privacy practices to comply with Canadian privacy laws.

The Report is here: Commissioner’s Findings - PIPEDA Case Summary #2009-008: Report of Findings: CIPPIC v. Facebook Inc. - July 16, 2009.

Here's the media release:

News Release: Facebook needs to improve privacy practices, investigation finds - July 16, 2009

Privacy Commissioner recommends steps to ensure social networking site better protects the privacy of users and meets the requirements of Canadian privacy legislation

OTTAWA, July 16, 2009 — In order to comply with Canadian privacy law, Facebook must take greater responsibility for the personal information in its care, the Privacy Commissioner of Canada said today in announcing the results of an investigation into the popular social networking site’s privacy policies and practices.

“It’s clear that privacy issues are top of mind for Facebook, and yet we found serious privacy gaps in the way the site operates,” says Privacy Commissioner Jennifer Stoddart.

The investigation, prompted by a complaint from the Canadian Internet Policy and Public Interest Clinic, identified several areas where Facebook needs to better address privacy issues and bring its practices in line with Canadian privacy law.

An overarching concern was that, although Facebook provides information about its privacy practices, it is often confusing or incomplete. For example, the “account settings” page describes how to deactivate accounts, but not how to delete them, which actually removes personal data from Facebook’s servers.

The Privacy Commissioner’s report recommends more transparency, to ensure that the social networking site’s nearly 12 million Canadian users have the information they need to make meaningful decisions about how widely they share personal information.

The investigation also raised significant concerns around the sharing of users’ personal information with third-party developers creating Facebook applications such as games and quizzes. (There are more than 950,000 developers in some 180 countries.) Facebook lacks adequate safeguards to effectively restrict these outside developers from accessing profile information, the investigation found.

The report recommended a number of changes, including technological measures to ensure that developers can only access the user information actually required to run a specific application, and also to prevent the disclosure of personal information of any of the user’s friends who are not themselves signing up for an application.

The investigation also found that Facebook has a policy of indefinitely keeping the personal information of people who have deactivated their accounts – a violation of the Personal Information Protection and Electronic Documents Act (PIPEDA), Canada’s private-sector privacy law. The law is clear that organizations must retain personal information only for as long as is necessary to meet appropriate purposes.

Recommendations to Facebook included the adoption of a retention policy whereby personal information in deactivated accounts is deleted after a reasonable length of time.

Facebook has agreed to adopt many of the recommendations stemming from the Privacy Commissioner’s investigation or, in some cases, has proposed reasonable alternatives to the measures recommended. However, there remain a number of recommendations that Facebook has not yet agreed to implement.

“We urge Facebook to implement all of our recommendations to further enhance their site, ensure they are in compliance with privacy law, and ultimately show themselves as models of privacy,” says Assistant Commissioner Elizabeth Denham, who led the investigation on behalf of the Office.

“Social networking sites can be a wonderful way to connect. They help us keep up with friends and share ideas and information with people around the globe. It is important for these sites to be in compliance with the law and to maintain users’ trust in how they collect, use and disclose our personal information.”

The Office of the Privacy Commissioner will review after 30 days the actions Facebook takes to comply with the recommendations. The Commissioner is empowered to go to Federal Court to seek to have her recommendations enforced.

“The privacy issues stemming from social networking sites are still relatively new. All of us – social networking sites, users and data protection authorities – are only beginning to develop the appropriate rules of engagement in this new world of online communication,” says Assistant Commissioner Denham. “The findings of our Facebook investigation are an important contribution to the development of these rules.”

While the investigation recommendations are aimed at Facebook, Assistant Commissioner Denham said users of social networking sites also have responsibilities.

“We asked Facebook to clearly advise users about its privacy practices, but it’s still up to the user to actually read it and use the privacy tools to control how their information is shared,” she says. As a result of the investigation, Facebook has announced a new privacy tool for its site, which is aimed at giving users more control over who gets to see each item on their Facebook page.

A detailed report on the Facebook investigation is available at www.priv.gc.ca. The website also includes information about some of the other work the Privacy Commissioner’s Office has done on social networking, including guidelines for employers and public education materials.

The Privacy Commissioner of Canada is mandated by Parliament to act as an ombudsman, advocate and guardian of privacy and the protection of personal information rights of Canadians.

Privacy Commissioner to issue Facebook privacy finding tomorrow

The Privacy Commissioner of Canada is holding a press conference tomorrow to announce her findings after a complaint against Facebook's privacy practices. The Ottawa Citizen is anticipating that the report will not be favourable to the online social networking service used by over 250 million users. See: Facebook still violates privacy laws: Experts.

British intelligence leader's personal details on Facebook

A lesson that just because you're not on Facebook, your friends, acquaintances and spouses may have put your information up there. Or information that may compromise your eligibility to be the head of the British Secret Intelligence Service (aka MI6): MI6 chief blows his cover as wife's Facebook account reveals family holidays, showbiz friends and links to David Irving Mail Online.

Facebook to streamline user privacy controls, raise awareness about dissemination of info

Facebook is responding to privacy backlash concerns by introducing a new unified privacy interface and making users more aware of where their posted materials may be broadcast on the service. This stems, in part, from their plans to make users postings available system-wide like Twitter. (See: Canadian Privacy Law Blog: One privacy step forward, one back for Facebook.)

This is a Good Thing, in my view. The more control you give people to make informed decisions about their privacy, the better. Even if they're completely ignored, it's harder for people to later say they didn't know what was going on. Privacy is about giving people the ability to make informed choices about how their information is collected, used and disclosed.

A copy of a WebEx given by Facebook is available here: Facebook’s Complete Privacy Presentation.

And some additional details are on Facebook's blog: Facebook Improving Sharing Through Control, Simplicity and Connection.

Some coverage from SiliconValley.com.

Responding to privacy concerns, Facebook streamlines user controls - SiliconValley.com

By Scott Duke Harris and Elise Ackerman

Mercury News

Posted: 07/01/2009 11:57:07 AM PDT

Amid mounting concerns about Internet privacy, Facebook on Wednesday announced plans to streamline its user controls by introducing a "Unified Privacy Page."

The Palo Alto social-networking leader said it was taking action to address common complaints among its more than 200 million users worldwide about privacy. The company also announced that it is phasing out familiar regional networks such as "Silicon Valley" to minimize confusion.

Facebook credits its growth to fostering a culture that assures privacy and encourages authenticity. But in the past, Facebook has also engendered controversy by gathering data without user consent — a practice later reversed amid a user backlash.

On Wednesday, Facebook also sought to allay puzzlement and concerns over its fledgling "Everyone" posting feature, which it introduced in March. The feature, Facebook says, eventually will enable users to broadcast messages, photos and video far beyond their personal social networks and to the Internet at large. Facebook is vague about products, but acknowledged they could take the form of bulletin boards or forums on a vast array of topics, as well as a new searchable database.

The "Everyone" initiative has helped revive questions about Facebook's dedication to privacy safeguards. Jeffrey Chester, executive director of the Center for Digital Democracy, portrayed the latest changes as a public relations gimmick.

"I think Facebook realizes they have a political problem,'' he said. "They are in denial. They are in digital denial."

Full control

But Facebook Chief Privacy Officer Chris Kelly, in a conference call with reporters and analysts, insisted that Facebook's fundamental philosophy remains to give users full control over their privacy settings, and said the changes will simplify those controls.

"We've always believed privacy controls enhance this mission," Kelly said.

Facebook users can expect the changes to be tested and refined over the next three weeks. The Unified Privacy Page, the company said, should alleviate user frustration by simplifying and consolidating some 45 privacy settings scattered across six pages in the current format.

Facebook, because of its size and influence, is closely watched by Internet privacy advocates in the United States and abroad. It is the only company listed among 16 "hot policy issues" on the home page of the Washington, D.C.-based Electronic Privacy Information Center, along with such general topics as "domestic surveillance," "cloud computing," "search engine privacy" and "social-networking privacy." Marc Rotenberg, executive director of the Electronic Privacy Information Center, advised Facebook users to carefully watch the changes.

"Changing user settings is a risky strategy, particularly in the privacy world. And this is always what gets Facebook into trouble," Rotenberg said. "It will be very important that users are not opted-in to data sharing under the new settings where they had previously opted out with the original settings.

"Facebook also needs to do more to address data collection by third-party app developers," he added. "Too much personal information, made public by Facebook, ends up in secret profiles."

The Center for Digital Democracy's Chester flatly questioned Kelly's statement that Facebook allows users to control data shared with advertisers. "That's not true. The fact of the matter is they are really not transparent when it comes to how the data is used for advertising," Chester said. "We think it's a black box."

Pop-up questions

Facebook said care will be taken to guide users through the changing privacy process. There will be, for example, pop-up questions to make users doubly aware of where their posts will be sent.

Facebook has already started phasing out the regional networks users often join. About half of Facebook users opted in to such networks, the purpose of which often has caused confusion as Facebook has grown and attracted users with identical and similar names.

Local businesses and advertisers that relied on such networks for marketing will instead be able to use data such as city of residence to reach Facebook users.

One privacy step forward, one back for Facebook

One step forward and one step backward for privacy on Facebook ...

One Step Back: According to the New York Times (The Day Facebook Changed - Messages to Become Public by Default - NYTimes.com), Facebook "feeds" will become publicly available. This is seen as a step to compete with Twitter. This will surprise and upset a lot of Facebook users.

One Step Forward: Facebook will let users specify privacy settings for individual status updates, so you can let your real friends know you're hung over but your acquaintances will remain clueless (Facebook More Ways to Share in the Publisher).

Facebook shoud have learned from the Feed and Beacon debacles by making the default settings more privacy protective. Choice is good, but assuming that people want to disclose more of their personal information is not a good idea.

City in Montana requires job applicants to hand over all social network logins and passwords

Applying for a job with the city of Bozeman, Montana? Check out what's on the application:

"Please list any and all, current personal or business websites, web pages or memberships on any Internet-based chat rooms, social clubs or forums, to include, but not limited to: Facebook, Google, Yahoo, YouTube.com, MySpace, etc.," the City form states. There are then three lines where applicants can list the Web sites, their user names and log-in information and their passwords.

I've never seen anything like this, and I've seen some intrusive stuff. (And, of course, it forces the user the violate the terms of use of each of those sites.) From Montana's News Station, via Boing Boing.

Watch those Facebook apps!

One of the most problematic features of Facebook, from a privacy point of view, is that Facebook shares data with the owners of Facebook Apps, whose privacy practices are not well articulated or well understood. This week, the Washington Post had an interesting article highlighting this problem. See: A Flashy Facebook Page, at a Cost to Privacy - washingtonpost.com.

Facebook's facial recognition system should help users control their privacy (but doesn't)

Facebook is edging back into the privacy spotlight with the expected global roll-out of assisted tagging of photos using facial recognition. The service scans uploaded photos for faces and suggests tags for the people in them. (See: Facebook's Latest Privacy Settings Shadiness Invades Your Drunk Pics - Gizmodo.)

What I'd like to see is the service being used in reverse: alert me if someone posts a photo of me on Facebook. If it can help someone tag me, it can surely recognize me in untagged photos and give me a heads' up. Just a thought of using the technology to let users control (or at least know about) others posting photos of them.

Commissioners launch youth privacy initiative

The federal, provincial and territorial privacy commissioners are meeting this week in Regina and have jointly started a new initiative, youthprivacy.ca. Here's the media release describing it:

News Release: Privacy Advocates Express Concern About Child Privacy Online (June 4, 2008) - Privacy Commissioner of Canada

Privacy Advocates Express Concern About Child Privacy Online

Regina, June 4, 2008 — As Canadian youth spend more time online, they run the risk of losing control of their personal information and, potentially, facing complications at home, school or work.

Canada’s privacy commissioners and ombudspersons issued a joint resolution today expressing their commitment to work together to improve the state of online privacy for children and young people.

“It’s time to stop the commercial exploitation of our children. It’s high time we came to terms with the impact of the Internet on youth and their lives,” says Saskatchewan Information and Privacy Commissioner, Gary Dickson.

The resolution was the product of the semi-annual meeting of Canada’s privacy commissioners and ombudsmen from federal, provincial and territorial jurisdictions across Canada, being held June 4 and 5 in Regina, Saskatchewan.

During the meeting, the commissioners and ombudspersons heard from a panel of young people about their online activities and their attitudes towards, and concerns about, privacy online.

"Young people are very adept and comfortable with electronic communication. As advocates, we have to help young Canadians find the information they need to be their own privacy watchdogs," says Irene Hamilton, Manitoba Ombudsman.

Many of Canada’s privacy commissioners and ombudsmen have already proposed tools and learning materials on youth privacy, frequently in cooperation with provincial ministries of education and local school boards.

Beginning today, young people will be able to turn to youthprivacy.ca, an interactive website that offers advice about how youth can protect their personal information and take charge of how their identity is being shaped online.

Youthprivacy.ca also features a blog where young Canadians can discuss how technology is affecting their privacy.

“Young Canadians are among the most wired in the world,” says the Assistant Privacy Commissioner of Canada, Elizabeth Denham. “They need to understand that all these new technologies can have a significant impact on their privacy, and they need to know what they can do to prevent others from accessing and using this information without permission.”

Ms. Denham also announced that the Office of the Privacy Commissioner is launching a contest for youth, ages 12 to 18. The “My Privacy and Me” National Video Competition invites youth to create their own video public service announcements on the issue of privacy. Detailed information about the contest is featured on the new web site.

“The video can be about any aspect of privacy they want to explore—like the ever-growing presence of security cameras, the popularity of social networking sites like MySpace, Facebook, Bebo or Xanga, or how their favourite store collects personal information for marketing purposes,” says Assistant Commissioner Denham. “We want to encourage young people to explore the issues around online privacy and empower them to stand up for their right to privacy.”

In coming months, Canadians can expect to see more tools and learning materials designed to help Canadian youth tackle the challenge of managing their personal information and identity in an increasingly dynamic online world.

— 30 —

For more information and/or media interview requests, contact:

Colin McKay

Office of the Privacy Commissioner of Canada

Tel: (613) 947-7226

Email: cmckay@privcom.gc.ca