Two cases, released in April 2012, from the Office of the Privacy Commissioner of Canada (“OPC”) demonstrate the privacy challenges facing users of social networking websites.
The first complaint was made by a user who alleged that Facebook was collecting, using and disclosing his personal information without his knowledge or consent (OPC #2011-006). The case addressed the issue of third-party websites hosting Facebook social plug-ins such as the “Like” and “Recommend” buttons. Social plug-ins are defined by Facebook as “buttons and boxes designed to display certain Facebook functionality on third-party websites.” These buttons are shown on the user’s screen when they visit a third-party website. So, for instance, a Facebook member who is logged into her account may see an article highlighting a news website that her Facebook friends have recommended. A non-Facebook user, visiting the same site, will see how many members have recommended that certain article.
In order to assess the privacy implications of social plug-ins used on third-party websites, the OPC examined the technical aspect of how information was exchanged between the end-user, the third party and Facebook. The OPC found that Facebook did not share personal information with third-party websites. It may have shared “metric” information that it received through the social plug-in, such as a log of anonymized user data; however, individual information was not identifiable.
The OPC found that Facebook sufficiently disclosed the use of the information on its Privacy FAQs. Facebook therefore had received informed consent from its Facebook users.
The OPC noted that Facebook does receive information any time that a user visits a website that hosts a social plug-in. There are presently over 2 million such websites. The “impression” data that Facebook receives is a log of [para 14-15]:
- the date and time a visitor visited the web page;
- the address of the webpage the visitor is visiting (URL);
- the visitor’s general geographic location;
- the visitor’s browser cookie ID;
- the Internet Protocol (IP) address associated with the visitor’s computer;
- the browser and operating system being used by the visitor; and
- for Facebook users, their Facebook user ID.
While Facebook’s practice fell within the Personal Information Protection and Electronic Documents Act (PIPEDA), many users would likely be surprised that such detailed information about them was being logged every time they accessed participating third-party websites while logged into Facebook. Many users, once logged into Facebook, stay logged in all day through a checkbox that says “Keep me logged in” and so would hardly recognize that Facebook is still operating in the background. While users are becoming more savvy about the collection of their personal data, social networking sites are becoming more complex.
As a side note, while investigating this complaint, the OPC had to examine some of the cookies that are used with social plug-ins. It found that one of the cookies was not working properly and, in fact, Facebook users who had already logged out of Facebook were still being tracked. Facebook fixed this issue during the investigation stage. However, the OPC noted that its decision did not address the use of cookies for web tracking.
A second decision (OPC #2012-002) was filed by three complainants who had received email invitations to join Facebook with a list of “friend suggestions”. None of the complainants were Facebook users and yet the friend suggestions were surprisingly accurate. The complainants surmised that Facebook had inappropriately accessed their address books to determine what friends might be members of Facebook.
Facebook said that friend suggestions are generated through an algorithm that identifies other users who have [para 6]:
- imported the non-user’s email address;
- previously sent the non-user an invitation;
- invited the non-user to an event; or
- tagged the non-user in a photo.
Therefore, when a Facebook user invites a non-user to join, Facebook examines other Facebook accounts through this algorithm to determine what friends the non-user might have. The non-user’s email address may be in the Facebook user’s address book, might have been tagged in a photo on Facebook, or found in other event invitations. The matches are then sent to the non-user with the invitation that was initiated by a Facebook user. If the non-user did not reply to the initial invitation then more invitations were sent as follow-up.
The OPC did not find any evidence that Facebook had accessed the non-user’s email address books. An individual who invites a non-user is reminded to get the non-user’s consent to send an invite from Facebook. However, the OPC said that the concern of this particular complaint was whether the non-user had given permission to process their email address through Facebook’s algorithm in order to make friend suggestions. At no time had the non-user been given an opportunity to opt out of the friend matching process, because the first invitation included the list of generated friends. Facebook agreed to remove the friend suggestion from the initial invitation and to provide the non-user with a more prominent opt-out mechanism.
The case also discussed whether Facebook could rely on a non-user using an “opt-out” procedure rather than an “opt-in” feature. Principle 4.3.6 of PIPEDA says that an organization should generally seek express consent when information that is being used is sensitive. The OPC discussed whether Facebook’s processing of a non-user’s email address could be considered the use of ‘sensitive’ information. The OPC commented that the social connections gained from that email could be considered sensitive. It is reasonable that non-users would not necessarily expect Facebook to be using their email when they had no previous relationship with Facebook. However, Facebook argued that an opt-in regime would be unworkable in the friend suggestion feature. Also, making a Canadian-only change to the friend suggestion process would be impossible. In addition, the results of the friend suggestions were only viewed by the non-user and no one else. Since PIPEDA calls for a reasonable and pragmatic approach, the OPC accepted Facebook’s submissions. It accepted the use of an opt-out procedure with certain conditions, including that it is only used for non-sensitive
Privacy concerns will continue to follow social networking sites. Around the time that these cases were released, another lawsuit was filed regarding the placement of a Facebook user’s portrait and name next to third-party advertising. Plaintiff Deborah Douez had clicked the “like” button for an organization called “Cool Entrepreneurs”. She thought that it would show up in her news feed once, but her friends informed her that her name and photo were showing up in an ad for Cool Entrepreneurs.
Those people who are concerned with the collection, use and disclosure of personal information by social networking sites must be extra vigilant to explore how these sites will affect their privacy. Youth are particularly at risk since they do not always have an experience of a more private, less technologically-driven world, nor do they fully understand the implications of a loss of privacy. As the ability to share information on these websites increases, so does the complexity of how that information can be disseminated.