Facebook privacy policies lacking: Report

Investigation of site’s privacy practices discovers sharing of information with developers and a lack of proper protection of users’ personal information

The Privacy Commissioner of Canada is calling on Facebook to be more cautious with the personal information of users or else it risks running afoul of Canadian privacy law.

Privacy Commissioner Jennifer Stoddart announced the results of an investigation into the social networking site’s privacy policies and practices, which revealed “serious privacy gaps” and identified several areas where it needs to better address privacy issues and come into compliance with Canadian law. The investigation was prompted by a complaint from the Canadian Internet Policy and Public Interest Clinic.

One of the privacy commissioner’s major concerns is the way Facebook provides information about its privacy practices. The information is often incomplete, such as account settings that describe how to deactivate accounts, but not how to delete them. As a result, information users may think they’ve deleted is actually still in the system.

The report recommended more transparency, to ensure Facebook users have the information they need to make meaningful decisions about how widely they share personal information. Canadian privacy law stipulates organizations can only retain personal information for as long as necessary to meet appropriate purposes. To comply, the report recommended the site adopt a retention policy where personal information in deactivated accounts is deleted after a reasonable length of time.

Another concern raised in the investigation was the sharing of users’ personal information with third-party developers creating applications such as games and quizzes. There are more than 950,000 developers in 180 countries, and Facebook doesn’t have the safeguards to restrict outside developers from accessing profile information, the investigation found. To combat this, the report recommended Facebook introduce technological measures to ensure developers can only access information needed to run an application and block information on friends of the user who don’t sign up for the application.

Facebook agreed to adopt many of the recommendations in the report or, in some cases, has proposed reasonable alternatives to the measures recommended. However, there remain a number of recommendations it has not yet agreed to implement.

The Office of the Privacy Commissioner will review the actions Facebook takes to comply with the recommendations.

“The privacy issues stemming from social networking sites are still relatively new,” said Assistant Privacy Commissioner Elizabeth Dunham. “All of us — social networking sites, users and data protection authorities — are only beginning to develop the appropriate rules of engagement in this new world of online communication.”

The assistant privacy commissioner also pointed out that the nearly 12 million Canadian users of social networking sites should take some responsibility for their personal information, become familiar with Facebook’s privacy practices and use privacy controls to control how their information appears and is shared on the site.
