From Friday’s Globe and Mail Last updated on Friday, Jul. 17, 2009 12:03PM EDT
Canada is striking at the heart of social media’s revenue model, ordering global giant Facebook to limit the personal information it gives to companies that make add-on programs for the site or face potential court action.
Privacy Commissioner Jennifer Stoddart ruled that Facebook had failed to adequately respond to four “well-founded” allegations about its practices that contravene federal privacy law.
She wants Facebook to disclose only the information necessary for the add-on programs to function. Currently, users must consent to share all information except for their contact information if they want to add one of the programs, such as interactive games that attract millions of players.
Facebook forbids the software developers who create the add-ons to keep information they don’t use, but that policy is hard to enforce.
The Privacy Commissioner also asked for better disclosure, transparency or protection around deactivating and deleting accounts; handling the accounts of users who have died; and collecting the personal information of non-users.
“It’s clear that privacy issues are top of mind for Facebook, and yet we found serious privacy gaps in the way the site operates,” Ms. Stoddart said.
The Canadian Internet Policy and Public Interest Clinic (CIPPIC) brought a complaint against the company in May of 2008. The finding is viewed by some experts as the most exhaustive investigation of Facebook privacy practices anywhere in the world.
The conflict hits directly at the Facebook model and user experience, where opportunities to throw sheep, play Scrabble or vote on celebrity likenesses have helped drive advertising and draw users.
There are more than 350,000 add-on Facebook applications. A few large add-on companies have created sophisticated ad delivery and targeting operations that may use personal data, said Gartner Inc. analyst Ray Valdes.
Facebook pledged to be co-operative. “There are many more controls in place than were noted in the report,” Facebook chief privacy officer Chris Kelly said. “We’ll continue our dialogue with the Canadian Privacy Commissioner to ensure that people are informed, while recognizing the people come to Facebook to share, not hide, information.”
The commissioner’s findings come despite Facebook’s knuckling to other demands to make policies more transparent and give users more control over their data.
Facebook is “a market leader in privacy protection,” said David Fewer of CIPPIC. “But I’m surprised that they haven’t made some of the reasonable accommodations” demanded by the commissioner.
The findings drew praise from the United States, which doesn’t have privacy legislation as sweeping as Canada’s.
“We’re jealous,” said Alissa Cooper of the Washington-based Center for Democracy and Technology. Former AOL chief privacy officer Jules Polentsky called the report “one of the best pieces of work we have seen from a data protection agency anywhere.”
Mr. Kelly said that Facebook’s new publisher privacy control tool, currently being tested, will be rolled out to all Facebook users in the coming weeks. But there’s no indication the tool will block data going to outside developers.
He played down the suggestion that the complaint before the Privacy Commissioner was the main driver behind this and other recent additions and disclosures.
Ms. Stoddart’s report said four aspects of the complaint were dismissed and four others were resolved after Facebook made changes to its practices or policies.
The commissioner gave Facebook a month to respond to the outstanding concerns.
Under the Personal Information Protection and Electronic Documents Act, the commissioner could ask the Federal Court of Canada to have her recommendations enforced, although there have been few such requests in the past.
Because Facebook operates globally, with 12 million Canadian users and 250 million worldwide, any protections extended in response to official Canadian concerns generally get extended to all users.
But implementing the recommendation around add-on programs may be technically difficult.
“That would require a huge amount of oversight from Facebook, and would incur resistance from developers,” said Mr. Valdes, the Gartner analyst.
Lisa Mallia, 36, has added both RunningAhead, a jogging tracker with 1,894 users, and Mafia Wars , a game with almost 14 million users that allows players to “run a criminal empire and fight to be the most powerful family.” She said when she doesn’t add a Facebook application a friend suggests, “it’s because that program is annoying, not because I’m worried about where the information is going.”