Canada's privacy office puts Facebook back in the hot seat

One of the principal factors behind Facebook's revision of its privacy policies has been said to be a formal complaint filed by the office of Canada's Privacy Commissioner last July. That complaint alleged that the leading social network failed to properly disclose to its users the extent to which it could use personally identifiable information, including sharing that information with partners and advertisers. The following month, Facebook agreed to implement changes.

Those changes led to last December's overhaul of the Facebook privacy system, which many now consider to be more of a giveaway than ever before. With the guise of clear and straightforward explanation, users are now being asked to accept default settings that expressly give Facebook permission to share personal information with partners, and are even told that in the absence of such permission, there are ways in which it could be shared anyway.

That's prompted a second formal complaint from the Privacy Commission, announced Wednesday. As a spokesperson from Comm. Jennifer Stoddart's office told Betanews this morning, this second complaint could be the next step in attaining a federal court ruling that would force Facebook to implement more a more protective approach to private data, at least for users in Canada.

The text of the complaint itself, like that of complaints in other matters sent by European Commissioners to businesses worldwide, remains confidential at this time. But the gist of the complaint, we're told, is that Canadians are complaining that the social network doesn't appear to be concerned about the safety and privacy of its users.

A statement from Assistant Commissioner Elizabeth Denham Wednesday is about as close as what we're going to see for now: "The individual's complaint mirrors some of the concerns that our Office has heard and expressed to Facebook in recent months. Some Facebook users are disappointed by certain changes being made to the site ??" changes that were supposed to strengthen their privacy and the protection of their personal information."

Denham was the author of the original report to Parliament last July on its findings in the original Facebook matter, and could figure prominently in the debate to come. Her first report alleged privacy violations in several areas where Facebook's policy wasn't being forthcoming about what it was actually doing. For example, individuals leaving the service who wished to "Delete Account," thinking they were removing their personal information from Facebook's servers, weren't being told that information wasn't really being deleted at all -- just deactivated.

The report indicated that Facebook responded that it had thoroughly explained its privacy options at that time to all its users. That may be the case, Denham responded, but they needed to be in the right place: "I am of the view that, for ease of reference by interested users," she wrote, "privacy-related matters should be explained in the organization's privacy policy, regardless of where else they may be explained."

Facebook security was one of the main topics of Betanews' December 17, 2009 podcast, which includes excerpts from Facebook's recorded security policy explanation to users.

Another issue in the original complaint concerned the fact that Facebook apps have a way, through the API, to query not only users' data but the data of their friends, and their friends of friends -- a fact that hasn't actually changed even now, just made more transparent.

"Facebook maintains that, through its privacy settings, users have an extensive ability to choose whether or not they will interact with any particular Facebook application, and to block any particular application and opt out of all Facebook applications in a simple way. However true this statement may be in theory, I would note that users' 'ability to choose' would depend on their being knowledgeable about developers' practice of accessing and using third-party information when friends add applications. I would also note that the only way users can control the exposure of their personal information to application developers when their friends and fellow network members add applications, is either to opt out of all applications altogether or to block specific applications. Moreover, the latter option would effectively require them to guess which of the more than 350,000 applications their friends and fellow network members are likely to add," the Assistant Privacy Commissioner wrote.

The Commissioner's Office's next course of action, the spokesperson told Betanews, is to issue a full investigative report to Parliament, which we can expect to come from Dunham, and which may contain much of the same blunt language we heard before. But this time around, Comm. Stoddart may opt to file an appeal with Canada's Federal Court, which (unlike the EU) can enforce the findings of that report. Such a step was not taken after Facebook said last August that it would comply with the Privacy Office's first set of recommendations.