Jul 26, 2009

The Privacy Commissioner Versus Facebook: In-depth Analysis

Posted by Greg Hluska in Privacy

The Office of the Privacy Commissioner of Canada recently completed an in-depth investigation into Facebook. This investigation was prompted by a very wide ranging complaint made by the Canadian Internet Policy and Public Interest Clinic (CIPPIC). CIPPIC complained that Facebook was in violation of Canada's Personal Information Protection and Electronic Documents Act (PIPEDA). The complaint made twenty four specific allegations, which covered twelve major subject areas.

The Privacy Commissioner rejected four of these as being not well founded. They argued that four others were well founded, but Facebook has already taken steps to fix them. And finally, four complaints were deemed well founded and outstanding - in the Privacy Commissioner's opinion, Facebook is technically violating Canadian law in these four areas. In this paper, I would like to analyze the four areas in which Facebook is 'violating' the spirit of PIPEDA.

But first, to show you how incredibly far reaching this complaint (and the subsequent investigation) was, I would like to list all twelve subject areas that the Privacy Commissioner looked into. The twelve subject areas are:

  • Third Party Applications - well founded
  • Account Deactivation/Deletion - well founded
  • Accounts of Deceased Users - well founded
  • Non-Users Personal Information - well founded
  • Collection of Date of Birth - well founded and resolved
  • Default Privacy Settings - well founded and resolved
  • Facebook Advertising - well founded and resolved
  • Monitoring for Anomalous Activity - well founded and resolved
  • Collection of Personal Information From Sources Other Than Facebook - not well founded
  • New Uses of Personal Information - not well founded
  • Deception and Misrepresentation - not well founded
  • Facebook Mobile and Safeguards - not well founded

In my opinion, the four areas deemed 'well founded' are the most interesting part of the entire investigation. I believe that these four areas (and the analysis attached) demonstrate the mechanics behind Canadian Privacy laws and perhaps shed light on the future direction of Canadian public policy. Because of this, I would like to focus on these four areas.

Third Party Applications:

The Summary of Findings sums up this complaint by stating that, "Facebook is in effect telling users that whenever they add an application, they must consent to allowing access to almost anything and everything that the developer asks for." When a developer chooses to release an application on Facebook, that developer must agree to follow certain rules pertaining to user privacy. However, Facebook does not seem to have a mechanism to enforce these rules. It is wholly up to the developer to be ethical and to protect confidential user information.

Second, installing an application also gives the developer access to some of your friends' personal information. For example, if you are my friend on Facebook when I add an application, the developer of that application will gain access to some of your personal information. You are not given the opportunity to give consent in this situation!

This complaint seems to come down to two important tenets within PIPEDA. First, there must always be safeguards in place to protect personal information. And second, meaningful consent must be solicited and provided before anyone can access another's personal information. The Privacy Commissioner argues that Facebook's policy about Third Party Applications violates both tenets.

Account Deactivation/Deletion:

This complaint relates to the fact that account deactivation and account deletion are two totally separate parts of Facebook. When an account is deactivated, it remains deactivated indefinitely - it is not automatically deleted after a set amount of time. The Assistant Privacy Commissioner of Canada explains this problem by stating, "The Act is clear that organizations must retain personal information only for as long as necessary to fulfil the organization’s purposes, that organizations should develop guidelines and implement procedures with respect to the retention of personal information, and that such guidelines should include minimum and maximum retention periods."

In Facebook's defense, they note that most people who deactivate end up reactivating their account. They also note that they provide the option to completely delete accounts (though they admit that they may not be able to delete all information about users completely off of their site).

In light of Facebook's response, I think that this particular complaint is quite shaky. Facebook gives two options - you can either delete your account or deactivate your account. I am a firm believer that some onus must always rest on the user - if I want my account deleted, I should delete it. If, however, I just want to deactivate my account for a brief period of time, I should deactivate it. Why should a company be forced to account for a user's poor decision with his or her personal information?

Accounts of Deceased Users:

This one is absolutely baffling and I cannot understand why Facebook will not comply with the Assistant Privacy Commissioner's recommendation. When a Facebook user passes away, Facebook will disable certain features (like status updates), but keep the rest of the account up as a memorial. The Assistant Privacy Commissioner likes this feature and appreciates having the opportunity to memorialize her friends. However, she would like Facebook to add a clause to its privacy policy that states that if you die, your account (and the information contained within) will be retained as a memorial.

For some reason, Facebook seems to be resisting adding a clause to their privacy policy. In their response, they said, “We still do not believe that retaining data for the purpose of allowing users to remember their friends constitutes another use under PIPEDA, and in any event users are perfectly capable of using other means to express their wishes in this area. We also believe that it would be inappropriate to create a standard for handling information in this case that would be at variance with existing legal norms for the disposition of estate property.”

The line, "in any event users are perfectly capable of using other means to express their wishes in this area" is particularly baffling. Are we supposed to add a Facebook clause into our wills? Should we give our executors access to our social networking passwords? Should we communicate from beyond the grave? "Woooooooooo........take down my profile.....woooooo...."

This might be a great way to make money - social networking seances. "I sense a, a disturbance...someone whose first name starts with a letter...and there is a vowel in there someplace....someone is upset with their Facebook profile...take down the embarrassing picture......"

Non-Users Personal Information:

This part of the complaint is based around two parts of Facebook:

  1. Users can post the personal information of non-users in their own profiles, as well as the profiles of other users through features such as “News Feed” and “Wall”. Also, users can tag images of non-users with their names in photos or videos. Non-users cannot 'untag' themselves unless they join Facebook.
  2. Users can provide Facebook with the email addresses of non-users for the purpose of inviting them to join the site. Facebook keeps these email addresses indefinitely (unless the non-user asks Facebook to delete their email address).

The biggest problem is that Facebook's privacy policy does not raise the issue of non-user consent. Facebook says that what you post on your account is your own responsibility - if you post information about a non-user, you are responsible for securing that non-user's consent. Facebook also says that if you tag a non-user in a photo, you have the option to fill in an email address so that they can contact the non-user, tell him/her that the photo exists and invite them to use Facebook. The Privacy Commissioner says that that does not go far enough - that Facebook should be responsible for making sure that the non-user consents to the use of their personal information.

Another problem is that Facebook keeps all email addresses for an indefinite amount of time. They say that they do so to make their service convenient. If I have a Facebook account and invite you, Facebook thinks that I should be one of your first friends - whenever you choose to join Facebook. To accomplish this, they have to keep your email address until you decide to join. They also state that you can email them and ask them to delete your email address anytime you like.

As you can see, those four areas seem to come down to knowledge and consent. Retention of personal information was another major area of contention. While the Office of the Privacy Commissioner makes some wonderful points, I am worried about how these points will be applied by a court of law. Consider those points from the perspective of a major search engine like Google. If I google my name, I may not like every result that comes up. Problem is, Google stores copies of every page in its cache. I don't recall ever giving Google consent to storing my personal information indefinitely. However, I accept this as a standard part of being alive in the internet era - if it is written, Google will find it!

Facebook has a period of 30 days to comply with these four areas. After that, the Privacy Commissioner can apply to the Government of Canada to have its recommendations enforced. I am interested to see how all of this plays out. I think we have an interesting month ahead of us!
