Facebook is “a minefield of privacy invasion”

Another week and another accusation that Facebook destroys people’s privacy. However, this accusation could end up changing Facebook in Canada. The Canadian Internet Policy and Public Interest Clinic (CIPPIC), run out of the University of Ottawa, has filed a complaint with the Privacy Commissioner of Canada that outlines 22 problems with Facebook.

The complaint that CIPPIC sent in lists the points succinctly:

We submit that Facebook is violating Principles 4.1, 4.2, 4.3, 4.4, 4.5, 4.7, and 4.8 of PIPEDA,
Schedule 1 by failing to:
• Identify all the purposes for which it collects Users’ personal information (Principle 4.2);
• Obtain informed consent from Users and non-Users to all uses and disclosures of their
personal information (Principle 4.3);
• Allow Users to use its service without consenting to supply unnecessary personal
information (Principle 4.3.3);
• Obtain express consent to share Users’ sensitive information (Principle 4.3.6);
• Allow Users who have deactivated their accounts to easily withdraw consent to share
information (Principle 4.3.8);
• Limit the collection of personal information to that which is necessary for its stated
purposes (Principle 4.4);
• Be upfront about its advertisers’ use of personal information and the level of Users’
control over their privacy settings (Principle 4.4.2);
• Destroy personal information of Users who terminate their use of Facebook services
(Principle 4.5);
• Safeguard Users’ personal information from unauthorized access (Principle 4.7); and
• Explain policies and procedures on the range of personal information that is disclosed to
third party advertisers and application developers (Principle 4.8).

Ars Technica has an article summarizing CIPPIC’s stance:

CIPPIC points out a number of other violations that have raised the eyebrows of users for some time now. Facebook fails to disclose why every third-party Facebook application must have access to every bit of a user’s personal data (this is something that annoys me, personally), and requires the submission of a user’s date of birth upon registration even though there are no age guidelines for using the service. Facebook also fails to obtain express consent to share users’ personal information by making all information partially public by default (users can change privacy settings after saving the information first). The same goes for photographs uploaded by the user, or photos uploaded and tagged by others that then show up on the user’s profile by default—whether they like it or not.

Read the report from CIPPIC (PDF)