Canada’s Information and Privacy Commissioner has released decisions in three formal complaints against Facebook’s privacy practices, under the Personal Information Protection and Electronic Documents Act (PIPEDA). The results offer valuable insight into the workings of the world’s most popular social network. Users and non-users alike might also feel confident that the company is interested in addressing privacy concerns.
Does Facebook obtain consent to collect and use non-users’ information?
In 2010, three complainants—none of them Facebook users at the time—alleged that the company was collecting and using their personal information without their knowledge or consent. The complainants each received invitations by email to join Facebook; the invitations included accurate “friend suggestions”—existing users that Facebook believes the invitee might know. They worried that “Facebook had inappropriately accessed their email address books (or that of their friends).”
The commissioner found that Facebook did—and does—collect and use non-users’ information to suggest friends to invitees, and it did so without invitees’ knowledge or consent. The company may in fact access the external email address books of users, but only with their consent. However, Facebook failed to ensure that it obtained the non-users’ consent to the use of their email addresses (provided by their Facebook-user friends) and failed to inform them of the intended use of their email address. Finally, Facebook failed to provide a convenient procedure for non-users to opt out, prior to the use of their email addresses to suggest friends.
The commissioner ruled that the complaints against Facebook were well-founded.
However, over the 18 months of the investigation, the company modified its practices to comply with PIPEDA. Now, in its initial invitation email, Facebook asks non-users directly for consent to use their information to suggest friends, and offers them a clear opt-out mechanism. Friend suggestions only show up in a follow-up email from Facebook, if the non-user consents in the initial invitation.
Facebook does not share user or non-user information with websites that host Facebook plug-ins
In 2011, the commissioner investigated whether Facebook shares personal information with third-party sites through “social plug-ins,” for example, the “Like” and “Recommend” buttons that you see on news websites, blogs and just about everywhere else. The complainant argued that the company was sharing his and other users’ information through these plug-ins, and without consent or knowledge.
The commissioner found that while Facebook collects certain personal information with its social plug-ins, it doesn’t share that information with the third party hosting the plug-in. The plug-in uses the site visitor’s Internet browser to contact Facebook, without going through the third-party host.
Facebook does share “metrics derived from the log level data it receives through social plug-ins,” but before sharing the information, Facebook anonymizes it to remove identifying content, and aggregates it to limit the possibility of connecting it with any individual user.
Given all of this, the privacy commissioner dismissed the complaint as not well-founded.
Is it reasonable for Facebook to require a user’s phone number in order to verify the user?
Also in 2011, the commissioner responded to a complaint that Facebook was requesting more information than it needed to give users access to their accounts. The complainant also argued that Facebook offered no means to challenge the company’s privacy practices.
Facebook requested the complainant’s mobile phone number to let her access her account. She had used her new account for a few days before the request, and afterward she could not access it without providing a phone number.
Facebook told the commissioner’s office that it usually only requests a user’s mobile number “when a Facebook account is flagged due to suspicious botnet or spam-related activity.” It uses phone numbers instead of email addresses because it is easier to commit fraud or transmit spam via email.
Moreover, Facebook offers users three ways to verify their identities in the event that an account has been compromised: by providing a mobile phone number, confirming the names of the user’s Facebook friends or uploading government-issued identification.
The commissioner found:
Facebook’s verification procedure responds to a need to confirm the identity of the user when Facebook finds suspicious activity on an account, and to provide a safe community experience. By offering a variety of choices for authentication, our office finds that Facebook does not require the user to consent to the collection of the user’s personal information beyond which is required to fulfil the purposes.
Without clearer evidence, the commissioner’s office couldn’t know whether the complainant was offered only the mobile phone verification option or the others as well.
The commissioner also disagreed with the allegation that Facebook didn’t offer her a way to complain about the privacy policy, contrary to PIPEDA.
Facebook users can comment on the company’s privacy practices through several specific contact forms. These messages go to Facebook’s “user operations privacy team, which handles user comments, concerns, questions and complaints related to Facebook’s privacy policy and to privacy issues related to their platform.” Users can also contact TRUSTe—an industry privacy certification organization—via its Watchdog Dispute Resolution Process. TRUSTe accepts user reports of “violations of posted privacy statements and specific privacy concerns pertaining to TRUSTe member websites,” including Facebook.
Moreover, Facebook does not collect personal information unreasonably in its user authentication process, and it does not use the information beyond its stated purpose.
Therefore, the commissioner concluded that the complaint was not well-founded.
Besides clarifying how Facebook collects, uses and shares the information of the social network’s users and non-users, the case reports present valuable insight into the workings of the network and clearly explain various specific technical aspects of how the company uses information. They are worth a read for the average person interested in learning more about a private system many Canadians interact with daily.
Adam Gorley
Internal Controls and Compliance Editor