Facebook shares personal information with developers who create games and quizzes in a way that breaches Canadian privacy law, the Office of the Privacy Commissioner of Canada has found.
The popular social networking site, which is used by 12 million Canadians, doesn’t have enough safeguards to prevent those third-party developers from getting unauthorized access to users’ personal information, says the report released Thursday by assistant privacy commissioner Elizabeth Denham.
‘For a hangman application … there is no use for the developer to know where the person lives or have their personal email address.’— Jordan Plener, CIPPIC
According to the report, Facebook does not ensure that users have given “meaningful consent” to allow their personal information to be disclosed to the developers.
The report also says that Facebook continues to breach the Personal Information Protection and Electronic Documents Act in three other ways:
* It keeps information from accounts deactivated by users indefinitely and does not make it clear that users can also choose to delete their accounts rather than just deactivate them. Nor does it explain the difference in its privacy policy.
* It keeps the profiles of deceased users for “memorial purposes,” including this in its terms of use. That means users cannot opt out. However, it does not make this clear by including the information in its privacy policy.
* It allows users to post personal information about non-users without their consent. For example, it allows them to tag photos and videos of non-users with their names, and provide Facebook with their email addresses to invite them to join the site. It keeps the addresses indefinitely.
Facebook declined interview requests Thursday, but issued a statement saying it is about to introduce new privacy features that it believes “will keep the site at the forefront of user privacy and address any remaining concerns the commission may have.” It added that in the meantime, it will continue to work with the commissioner’s office and to raise awareness about its privacy controls.
The investigation was launched by the privacy commissioner’s office in response to a complaint from the Canadian Internet Policy and Public Interest Clinic, which is based at the University of Ottawa.
Jordan Plener, a law student who initiated the complaint on behalf of CIPPIC, said he had a number of concerns about areas such as Facebook’s default privacy settings and the personal information available to developers.
“For a hangman application, for example, there is no use for the developer to know where the person lives or have their personal email address.”
The complaint cited allegations on 12 topics. Denham deemed allegations about four topics unfounded. Facebook accepted Denham’s recommendations and resolved problems in four other areas.
Plener said that was a good start. But he noted that so far, Facebook has refused to accept Denham’s other recommendations.
“They haven’t agreed to change the amount of information a developer will access in the user’s account when they sign up for an application … or let them know what information is going to be used,” he said.
With respect to the four remaining topics, the assistant privacy commissioner has asked Facebook to reconsider its recommendations to resolve the problems and said she will follow up in 30 days. If Facebook does not comply at that point, the privacy commissioner’s office can have its recommendations enforced by the Federal Court.