Privacy Complaint Filed Against Facebook

A Canadian university law clinic has filed a privacy complaint against Facebook, alleging that the social-networking site’s policies include 22 separate violations of a Canadian privacy law.

The complaint, from the Canadian Internet Policy and Public Interest Clinic (CIPPIC), based at the University of Ottawa Faculty of Law, says Facebook has failed to inform its members of how personal information is disclosed to third-party advertisers, and has failed to obtain permission from members to disclose their personal information. Facebook’s policies violate the Canadian Personal Information Protection and Electronic Documents Act (PIPEDA), CIPPIC said in its complaint, filed with the Office of the Privacy Commissioner.

CIPPIC targeted Facebook because the site is popular in Canada, with about 7 million members of the site in a nationwide population of 33 million, said clinic director Philippa Lawson. Social-networking sites are “proving to be a tremendous tool for community-building and social change, but at the same time, a minefield of privacy invasion,” Lawson said. “We chose to focus on Facebook … because it appeals to young teens who may not appreciate the risks involved in exposing their personal details online.”

Canadian Privacy Commissioner Jennifer Stoddart has a year to act on CIPPIC’s complaint. The commissioner’s office focuses on negotiation to resolve privacy disputes, but it can seek court injunctions if negotiations fail to resolve the issues.

Facebook, in a statement, said it prides itself on “industry-leading controls” that it offers users over their personal information.

“Weve reviewed the complaint and found it has serious factual errors — most notably its neglect of the fact that almost all Facebook data is willingly shared by users,” Facebook said. “The complaint also misinterprets PIPEDA in a manner that would effectively forbid voluntary online sharing of information and ignores key elements of Facebooks privacy policy and architecture.”

Facebook has taken several steps in recent months to resolve continuing privacy concerns. In mid-March, the site rolled out new privacy controls that allow users to choose which of their friends can see personal information, and in April, the site released a plug-in to allow users to monitor and delete cookies created by the controversial Facebook Beacon advertising system.

The complaint is based on Facebook’s privacy policies and controls as of March 27, Lawson said.

While Facebook says its users have a high level of control over their data, that’s “not entirely true,” said Harley Finkelstein, a law student who helped file the complaint. Even if a user has the highest privacy settings on Facebook, his information may be shared if his friends have lower privacy settings, he said. In addition, Facebook members using third-party applications on the site must share their personal information with the application developer, he said.

“If you and I are friends, and you are using one of these applications … the third-party developer will, by default, have access to my personal information,” Finkelstein said.

Finkelstein called Facebook a “great tool,” but he said he hopes the privacy complaint will prompt the company to make changes to its privacy policies.”They’ve got a lot of work to do,” he said. “I’d like to see them understand that they can’t remain silent on this issue.”

Among CIPPIC’s complaints are that Facebook fails to obtain express consent to share users’ sensitive information, and also does not allow users to deactivate their accounts to easily withdraw consent to share information. Facebook doesn’t limit the collection of personal information to that necessary for the site’s purposes, and has failed to safeguard users’ personal information from unauthorized access, the complaint said.