Discussions between Facebook Inc. and the Office of the Privacy Commissioner of Canada (OPC) over the social networking site’s compliance with Canadian federal privacy law are moving along smoothly, according to spokespersons from both sides.
The OPC released the findings of an extensive investigation into Facebook’s privacy policy and practices last month, which began as a response to a complaint filed by the Ottawa-based Canadian Internet Policy and Public Internet Clinic (CIPPIC) in May 2008.
Privacy Commissioner Jennifer Stoddart found Facebook in violation of the Personal Information Protection and Electronic Documents Act (PIPEDA). Canada is now recognized as the first country in the world to issue legally binding recommendations to the social networking site.
Facebook’s 30-day period to review the OPC’s recommendations and submit a formal response outlining its plans for action ended on Aug. 17. Stoddart has 15 days to review the response and determine whether to refer the matter to Canada’s federal court.
“We received from [Facebook] their undertakings and we are in the midst of reviewing those undertakings to determine whether or not they are sufficient,” said Anne-Marie Hayden, spokesperson for the OPC.
Hayden indicated the discussions are going well. “We continue to have positive discussions with Facebook,” she said.
The OPC will make the outcomes of its discussions with Facebook public, but needs time to review and assess the undertakings first, she explained. “We need to do a thorough review and look at it carefully and once we’ve done so, we will determine the next steps,” said Hayden.
Talks began when the original complaint was filed and have carried on for 14 months now, said Facebook spokesperson Alexandra Brown. “They will continue for the next 15 days,” she said.
Further details on the discussions have not been provided, but an issued statement from Facebook to the press suggests minimal conflict lies ahead:
“From our many discussions with the OPC, it is clear that we share the same goals of ensuring people have control over their information and that they are able to make informed choices about privacy. Many of the recommendations in their Report provide an excellent opportunity to clarify and enhance our privacy practices in a way that is consistent with our company’s values and our users’ expectations.”
Tamir Israel, a staff lawyer at CIPPIC, doubts the matter will escalate to the federal court level. “Generally speaking, recommendations are fairly authoritative interpretations of the law. It’s very rare that these things get challenged,” he said.
CIPPIC supports the OPC’s decisions. “We are happy with it and we are hoping that Facebook does comply. We are pretty confident that the solutions they come up with will be reasonable and address the concerns of the Privacy Commissioner,” said Israel.
David Young, lawyer and co-chair of Lang Michener LLP’s privacy group in Toronto, expects both parties are interested in finding a “productive, constructive” result. “They seem to be in active negotiations and everything’s pointing to the fact that they probably will resolve them this week or next,” he said.
Tim Hickernell, lead analyst at Info-Tech Research Group Ltd., imagines Facebook would find a way to settle the issue, given the large number of Facebook users in Canada and the amount of associated advertising dollars.
While Canadians represent only 12 million of Facebook’s 250 million users around the world, with a national population of 33 million, we continue to rank among the top in terms of per capita use.
Hickernell suspects Facebook has a number of adjustments already in the works. “It wouldn’t surprise me if half the things they put in their response were citing things that they were already working on and planning to release,” he said.
But this is no run-of-the-mill privacy issue, Hickernell pointed out, and other larger countries may follow suit. “I think the most successful will be the European Union, for the simple reason that they have a large, well-organized, within-the-EU-level privacy organization,” he said.
“There’s a fine line here as to how much privacy officials are going to be able to push back globally. The larger countries with the larger advertising bases are obviously going to be the countries Facebook is more likely to deal with,” said Hickernell.
First-generation privacy regulations written before social networks became popular are trying to play catch-up, but they are “a bit behind the times in not really understanding that the entire value in social networking is the ability to intentionally see the demographics of a network at any given time,” he said.
“Being able to not just know about the person, but to know something about the person’s friends through their network – that’s where all the value is being derived from and why the advertising value as well as those who are building applications is different than they would get if they were doing say just a traditional Yahoo or MSN portal,” he said.
This is why it is necessary for applications to access people’s basic information, according to Hickernell. “To cut all that off at some point really diminishes the value of the social network,” he said.
“I would caution government not to try to treat these emerging technologies as they would traditional online portals circa 1996. They need to update the privacy laws as well as the technology,” said Hickernell.
Establishing a privacy policy that satisfies privacy laws in multiple countries is “quite doable,” according to Young. “There are cases where I’ve certainly advised on privacy policies that are international and sometimes there is something very specific to one country, but typically, the policies tend to cover applications in all countries,” he said.
As the Canadian federal government’s privacy regulations have the potential to effect an internal organization operating in a number of countries, Stoddart is in a unique position of power.
“You could argue to some extent that the Privacy Commissioner is having an impact on Facebook disproportionate to Canada’s place in the Facebook community, even though it is supposedly quite large,” said Young.
“The reason (is) that Facebook doesn’t want to be seen in its general international community as not according to standards that are set by a government regulatory in Canada, where there is a national privacy law,” he said.
The U.S., by contrast, doesn’t have a single federal privacy regulator, he said. “I think the Commissioner is having extra leverage in achieving a good result here,” said Young.
This isn’t the first time Canada has had an influence on Facebook privacy issues. The Office of the Privacy Commissioner of Ontario played a key role when the social networking site was just starting to circulate among the college student crowd.
Anne Cavoukian’s relationship with Facebook began five years ago when Chris Kelly and Mozelle Thompson called upon her for consultation in regards to Facebook’s privacy settings. “I was intrigued by the concept,” she said.
Cavoukian gathered a focus group of 20 students from universities across Canada to determine whether Facebook was an area of interest and growing concern. During the meeting, Cavoukian found several students had used other social networking sites and didn’t like them. All the students had used Facebook, she said.
“I was floored … they all loved Facebook,” said Cavoukian.
At the end of the discussion, Cavoukian asked the students if they were using the privacy settings available on Facebook at the time. “Zero, not one hand goes up,” she said. She also asked how many knew about the privacy settings. “Zero, not one hand goes up.”
Cavoukian’s suggestion to Kelly was to educate the public, especially kids, on what they should be concerned about and why they should care about their privacy online.
The Ontario Privacy Commissioner’s work with Facebook included reviewing the existing privacy settings, trying to strengthen them in certain areas and putting out publications. Two brochures, a DVD and tip sheet with a step-by-step guide on how to protect your privacy on Facebook were developed.
“The most important thing about working with Facebook has been their openness to be willing to educate their users about the privacy settings, and then of course it has to be the user’s decision to exercise control and set their privacy settings at what they think should be the right setting,” said Cavoukian.
“You’ve got privacy controls on Facebook, use them. I think that’s the most important message. Education is so important in this area and that’s where we play a role,” she said.
Social networking developed at a very rapid pace and wasn’t really on the horizon five years ago, Israel pointed out. “Because it is such a new medium, there are a lot of issues to be worked out, especially in the privacy realm,” he said.
Education is a component, said Israel. “Users just don’t have the right perception of what’s happening when they put information on Facebook,” he said.
The basis of CIPPIC’s complaint was to apply existing legislation norms to this new medium with the ultimate goal of “making sure Canadians have more control and knowledge of how their information is being used on the site,” said Israel.
Facebook is the first social networking site CIPPIC has filed a complaint against, partly because of its large exposure in Canada and partly because privacy is something Facebook seems to care about, said Israel.
“We thought they would be more responsible to these types of things and would actually make good efforts to address any concerns that were raised, but the ultimate goal was to start creating a set of standards that Facebook as well as other social networking sites could apply to the way that they run their applications,” he said.
The OPC’s 113-page report is one of the longest decisions by any privacy data body in the world, according to Israel. “I think the decision does set the framework, for a while at least,” he said.
Twelve issues were raised in CIPPIC’s original complaint. The OPC dismissed four as “not well founded,” considered another four resolved “after Facebook agreed to make specific changes to its policies or practices” and issued recommendations to address the remaining four “well founded” aspects.
Facebook’s current practice of keeping a database of e-mail addresses on individuals who don’t have a Facebook account and requiring non-users to sign up for an account in order to untag their name from a photo are in question.
Confusion over how to delete a Facebook account and how long Facebook retains user information are other areas of concern.
Facebook’s two-tier process includes the option of either deactivating or deleting an account, but doesn’t provide clear instructions on how to perform the second action. Facebook also retains user information on its servers for an indefinite period of time after an account is cancelled and reserves the right to keep a user’s profile active after their death.
But the main issue concerns third-party applications, according to Israel. These applications not only have access to a wide range of information from your Facebook account, but they also get access to all of your friends’ information, he said.
While users have the ability to choose whether or not they wish to add an application, they can’t control what applications their friends are adding, he pointed out. “The problem is, no one knows what these application developers are getting,” he said.
There are currently more than 950,000 Facebook developers in roughly 180 countries around the world.
The recommendations are more about giving more knowledge and control to users than taking anything way, according to Israel. “It’s the users that are concerned about privacy that are benefiting. The ones that aren’t, aren’t really losing anything,” he said.
Hickernell considers many aspects in the original complaint as “not Facebook’s problem.”
“They are what I would call dumb users – users that, despite the risks and despite having things thrown right in their face telling them what’s going to happen if they click ‘Accept,’ still do it … Most of the concerns I’ve read from the original report is the Commissioner trying to protect citizens from themselves,” he said.
Hickernell does suggest Facebook expose privacy options in real time when the opportunity arises. “Every time you do something or make a change or extend your network, if there is a privacy setting that can apply at that point, I think it would make sense for them to start exposing those settings at that time, in addition to having the master privacy settings console,” he said.
Chris Kelly, chief privacy officer at Facebook, announced upcoming changes to Facebook’s privacy features in early July. A new Publisher Privacy Control tool will allow users to control who sees what on a per-post basis, with options that range from limiting the post to a single friend up to an “everyone” option that reveals the post to audiences on the Web.
Other changes include removing regional networks and simplifying privacy settings by consolidating them all on a single page, standardizing options for each setting “so the choices are always the same” and removing overlapping settings.