May 30, 2008, 1:46 PM — A Canadian university law clinic has filed a privacy complaint against Facebook,
alleging that the social-networking site's policies include 22 separate violations
of a Canadian privacy law.
The complaint, from the Canadian Internet Policy and Public Interest Clinic
(CIPPIC), based at the University of Ottawa Faculty of Law, says Facebook has
failed to inform its members of how personal information is disclosed to third-party
advertisers, and has failed to obtain permission from members to disclose their
personal information. Facebook's policies violate the Canadian Personal Information
Protection and Electronic Documents Act (PIPEDA), CIPPIC said
in its complaint, filed with the Office of the Privacy Commissioner.
CIPPIC targeted Facebook
because the site is popular in Canada, with about 7 million members of the site
in a nationwide population of 33 million, said clinic director Philippa Lawson.
Social-networking sites are "proving to be a tremendous tool for community-building
and social change, but at the same time, a minefield of privacy invasion,"
Lawson said. "We chose to focus on Facebook ... because it appeals to young
teens who may not appreciate the risks involved in exposing their personal details
online."
Canadian Privacy Commissioner Jennifer Stoddart has a year to act on CIPPIC's
complaint. The commissioner's office focuses on negotiation to resolve privacy
disputes, but it can seek court injunctions if negotiations fail to resolve
the issues.
Facebook, in a statement, said it prides itself on "industry-leading controls"
that it offers users over their personal information.
"We’ve reviewed the complaint and found it has serious factual errors
-- most notably its neglect of the fact that almost all Facebook data is willingly
shared by users," Facebook said. "The complaint also misinterprets
PIPEDA in a manner that would effectively forbid voluntary online sharing of
information and ignores key elements of Facebook’s privacy policy and architecture."
Facebook has taken several steps in recent months to resolve continuing privacy
concerns. In mid-March, the site rolled out new privacy controls that allow
users to choose which of their friends can see personal information, and in
April, the site released a plug-in to allow users to monitor and delete cookies
created by the controversial Facebook Beacon advertising system.
The complaint is based on Facebook's privacy policies and controls as of March
27, Lawson said.
While Facebook says its users have a high level of control over their data,
that's "not entirely true," said Harley Finkelstein, a law student
who helped file the complaint. Even if a user has the highest privacy settings
on Facebook, his information may be shared if his friends have lower privacy
settings, he said. In addition, Facebook members using third-party applications
on the site must share their personal information with the application developer,
he said.
"If you and I are friends, and you are using one of these applications
... the third-party developer will, by default, have access to my personal information,"
Finkelstein said.
Finkelstein called Facebook a "great tool," but he said he hopes
the privacy complaint will prompt the company to make changes to its privacy
policies."They've got a lot of work to do," he said. "I'd like
to see them understand that they can't remain silent on this issue."
Among CIPPIC's complaints are that Facebook fails to obtain express consent
to share users' sensitive information, and also does not allow users to deactivate
their accounts to easily withdraw consent to share information. Facebook doesn't
limit the collection of personal information to that necessary for the site's
purposes, and has failed to safeguard users' personal information from unauthorized
access, the complaint said.
