Facebook is moving to address concerns raised by Canada's privacy commissioner and will soon implement measures that give users better control over their personal information.
The popular social-networking website, which has about 12 million Canadian members, will be filing its intended plan with commissioner Jennifer Stoddart by the end of Monday. The plan will address four key issues outlined by the commissioner last month. Along with Stoddart's recommended actions, they are:
- Facebook doesn't have enough safeguards to prevent 950,000 third-party developers around the world from getting unauthorized access to users' personal information, nor does it ensure users have given "meaningful consent" to allow their personal information to be disclosed to the developers. Recommendation: Developers should only get the information needed to run the application. Users would have to specifically consent to the release of that information after being told why it is needed. Information about anyone other than the user would not be disclosed.
- Facebook keeps information from accounts deactivated by users indefinitely. Recommendation: Facebook should have a policy to delete the information after a reasonable length of time, and users should be informed of the policy.
- Facebook allows users to provide personal information about non-users without their consent. For example, it allows them to tag photos and videos of non-users with their names, and provide Facebook with their email addresses to invite them to join the site. It keeps the addresses indefinitely. Recommendation: Facebook should only keep non-users’ email addresses for a reasonable, specific length of time and should make its users aware that they need to seek consent of non-users before posting information about them.
It is not yet clear to what extent Facebook will address these issues but David Fewer, acting director of the Canadian Internet Policy and Public Interest Clinic — which first brought the complaint against Facebook in May 2008 — said he was under the impression that the website will comply with the recommendations.
"They're going to satisfy, not just address, the privacy commissioner," he said.
The plan will be made public by the end of the month, Fewer said. Facebook had 45 days starting from July 16 to come up with a plan and implement it. After that period, the commissioner could choose to pursue legal action against the website if unsatisfied.
Facebook said it intends to satisfy the commissioner's concerns with its proposed plan.
"From our many discussions ... it is clear that we share the same goals of ensuring people have control over their information and that they are able to make informed choices about privacy," the California-based company said in a statement.
"Many of the recommendations in their report provide an excellent opportunity to clarify and enhance our privacy practices in a way that is consistent with our company's values and our users' expectations."
Fewer said CIPPIC will be turning its attention to other social-networking websites such as MySpace once Facebook's implementation period is up in 15 days.
"Without a doubt, the other social-networking sites are offside," he said.
MySpace has so far been ahead of Facebook on some privacy concerns, such as how it limits third-party developers' access to user information, but it has been considerably less transparent with its policies, Fewer said.
An earlier version of the story may have given the impression that Facebook had 45 days starting on Aug. 17 to come up with a plan that satisfied the commissioner. In fact, the 45-day period began with the commissioner's ruling on July 16.Aug 18, 2009 11:16 AM ET