Friday, July 17, 2009

Canadian Privacy Czar Gives Harsh Assessment Of Facebook

Facebook keeps personal information indefinitely after users deactivate their accounts, contrary to the Personal Information Protection and Electronic Documents Act, according to a report released Thursday by Canada's assistant privacy commissioner Elizabeth Denham. 'Although Facebook provides information about privacy issues, it is often confusing or incomplete,' said Denham.

The Office of the Privacy Commissioner's report found that Facebook continues to breach the Personal Information Protection and Electronic Documents Act in four ways, and it made recommendations to correct the problems. It found:

  • Facebook doesn't have enough safeguards to prevent 950,000 third-party developers around the world from getting unauthorized access to users' personal information, nor does it ensure users have given "meaningful consent" to allow their personal information to be disclosed to the developers. Recommendation: Developers should only get the information needed to run the application. Users would have to specifically consent to the release of that information after being told why it is needed. Information about anyone other than the user would not be disclosed.
  • Facebook keeps information from accounts deactivated by users indefinitely. Recommendation: Facebook should have a policy to delete the information after a reasonable length of time, and users should be informed of the policy.
  • Facebook keeps the profiles of deceased users for "memorial purposes" but does not make this clear. Recommendation: Information about use for memorial purposes should be in Facebook's privacy policy.
  • Facebook allows users to provide personal information about non-users without their consent. For example, it allows them to tag photos and videos of non-users with their names, and to provide Facebook with their email addresses to invite them to join the site. It keeps the addresses indefinitely. Recommendation: Facebook should only keep non-users’ email addresses for a reasonable, specific length of time and should make its users aware that they need to seek the consent of non-users before posting information about them.
Source: CBC