Canadian Group Files Facebook Privacy Complaint

bergkamp writes "A Canadian public policy group filed a complaint charging Facebook with 22 separate violations of a Canadian personal information protection law. The Canadian Internet Policy and Public Interest Clinic, based at the University of Ottawa, asked the Privacy Commissioner of Canada to investigate what it describes as Facebook's failure to inform members (PDF) how their personal information is disclosed to third parties for advertising and other commercial purposes. The complaint also alleges that Facebook has failed to obtain permission from members for disclosure of their personal information. The claim is that that Facebook violates the Canadian Personal Information Protection and Electronics Documents Act, which Philippa Lawson, the clinic's director, said is much stricter than US personal information protection laws."

I don't get it

Facebook is free, and it's not mandatory.

It should be obvious to anyone with a level of intelligence higher then a chimp that Facebook shares information, it's an information sharing site!

If you don't like it, don't use it.

Re:I don't get it

The issue is that in order for a company to do business in Canada it must respect this nation's privacy laws. In this case, it's about notifying people how their information will be used. Check it out: "[PIPEDA is] an Act to support and promote electronic commerce by protecting personal information that is collected..." http://www.privcom.gc.ca/legislation/02_06_01_01_e.asp [privcom.gc.ca] Facebook is being accused of not following the law of the land. The interesting legal test will be to see whether or not a US-hosted site is required to conform to this law, and how this will impact application developers inside and outside of Canada.

Re:I don't get it

The issue is that in order for a company to do business in Canada it must respect this nation's privacy laws. In this case, it's about notifying people how their information will be used. Check it out: "[PIPEDA is] an Act to support and promote electronic commerce by protecting personal information that is collected..." http://www.privcom.gc.ca/legislation/02_06_01_01_e.asp [privcom.gc.ca] Facebook is being accused of not following the law of the land. The interesting legal test will be to see whether or not a US-hosted site is required to conform to this law, and how this will impact application developers inside and outside of Canada.

Actually, the question is, does Facebook do business in Canada, or does it merely do business with Canadians? If it is the former, it must follow Canadian law when doing business in Canada. If it is the latter, Canadian law does not apply. Or to put it another way, does Facebook have a physical presence in Canada?
If Facebook does not have a physical presence in Canada, exactly how will Canada enforce this law on them, should Canada rule that it does apply? I am pretty sure that the current U.S. Supreme Court would not rule in Canada's favor on this, considering that they still seem to support the ruling that state's cannot enforce their laws on businesses located in other states that do business with residents of said state (sales tax).

Re:

Actually, the question is, does Facebook do business in Canada, or does it merely do business with Canadians? If it is the former, it must follow Canadian law when doing business in Canada. If it is the latter, Canadian law does not apply. Or to put it another way, does Facebook have a physical presence in Canada?

While physical presence is one of the factors in a forum non conveniens motion, it is not determinative. In Rudder v. Microsoft Corp., 1999 CanLII 14923 (ON S.C.) [canlii.org], a Canadian court held that because the EULA required the dispute to be resolved in Washing

Re:I don't get it

It should be obvious to anyone with a level of intelligence higher then a chimp that Facebook shares information, it's an information sharing site!

The problem is not so much the information being shared by using the site as advertized, but the unintended consequences. Why does an application developer (read: everyone interested in your personal data) need to have access to all your data [slashdot.org]?

You are probably right that when posting on Facebook one should assume that the information will be essentially available to the general public. However, Facebook claims otherwise and therefore they should be liable for this.

Re:

I'm surprised that its also impossible to leave facebook and have your details deleted

When I'm going to leave it I'll just change the data first to nonsense, leave it for a few weeks to make sure it filters through the system, and then disable my account.

N

Re:

It should be obvious to anyone with a level of intelligence higher then a chimp that Facebook shares information, it's an information sharing site!

One of the points in the report is that Facebook presents itself as a social networking site and nothing else. The complainants argue that Facebook has other purposes (targeted advertising) which are not made clear. The law states that the use of personal

If you are on facebook and are concerned about

privacy, you are doing it wrong.

Re:

Facebook is great for keeping up to date on all those people from your past that you care enough to know what they're up to, but not enough to actually talk to them. High school classmates, ex-girlfriends, etc.

It's the new equivalent of "Hey, did you hear

Facebook privacy controls are disfunctional

On my privacy settings I disabled viewing of my videos on my "limited profile".
Yet I created myself a fake 2nd account and it as a friend to my real account but with "limited profile" and I could still look at my videos on my real account, from my fake account which had only a "limited profile" access.

Short version: Privacy control settings do not always take effect.

I am highly suspicious of Facebook's supposedly highly flexible "privacy settings".

Odd that Slashdot dosent understand

I am assuming this will hit the flametard mods. :) However, as being a Canadian, who feels reasonably well informed. I also did read the article, it did make sense. The laws are there to make for disclosure. Which according to many on this site, and others is a good thing. How many times is the battle cry 'how come they didn't open up this standard '. I would rather have this sort of law pushed internationally instead of that dread dmca, as well as many other entertainment industry issues, as well as setting international trade policies. At least this law is for the people. This is the same law that people are using to smack Bell with. Many people seemed to think that was also a good thing. In fact I believe that CPPIC was the same group that also lobbied the crtc with CAIP. I also for one would be using this law if I found out that some company decided to loose my credit card information. I think a few million dollars would do nicely to appease my pain and suffering.

Crazy

Facebook is not a good site for the privacy concious. My friend always maintained that the one thing that orwell didn't forsee is that people would pay for and maintain their own cameras.

Re:

It is ironic isn't it that during the Cold War the Soviet block governments employed armies of agents to compile and maintain paper dossiers on their citizens (particularly in the former East Germany) and now people do the government's work for them by pos

I am canadian but..

I don't really understand this. Is any part of Facebook based in Canada? If not, how are they subject to our tighter privacy laws?

I can't see how they would be.

Of course profit trumps privacy...

and why should Facebook tell you what they are doing? That would give away a competitive edge.

Stupid Canadians are so un-American.

Just cut out Canada...

If this 'noise' becomes a problem for Facebook Inc. I suspect the simplest solution for them will be to simply lock out Canada. The market here in Canada is pretty small (population 33 million) and probably not really worth the effort. You could just say that in we're 'not accepting new users from Canada and in 90 days all Canadian accounts will be deleted.'

Re:

So, need I actually abide by laws of other countries if my Website is hosted in the USA and I am a citizen of the USA living in the USA? If so, which countries? What happens if I don't and just ignore their BMCing.

My blogsite allows user registration a

Re:That's nice, and all

A couple of months ago, I noticed that Facebook started telling me that I needed to turn on Javascript, even though I had facebook.com in my allow list in NoScript. I noticed that there was now a second server required, http://www.fbcdn.net/ [fbcdn.net] (I checked CIRA's WhoIs and facebook.ca was snatched up by someone else in 2005). I was recently in the states, so I disallowed fbcdn.net in NoScript (just to see), and there were no complains about my Javascript setting until I returned north of the border.

This seems to imply that there are separate servers running for Canadians accessing Facebook, so at a minimum, that would give some leverage into forcing them to follow Canada's rules. Now, if those servers are physically located in Canada (no, I haven't bothered doing a traceroute to find out where fbcdn.net ends up), that would definitely force them to follow those rules.

Slightly OT, but in my current job and we recently went looking for a new hosting company to host our database (which has a fair amount of private data in it). Because my company gets a large amount of our budget for the federal and provincial governments (it's a non-profit) we like to abide by as many of the federal government rules when it comes to IT and data privacy. One of those rules is any private data must only be hosted in Canada and it can not leave the country. A few companies came to us as "the Canadian branch of hosting company X". The conversations went like this:
Me: Where are your datacenters?
Them: We have them all over the world.
Me: Ok, but in which of those datacenters is our data going to be physically hosted?
Them: We can do distributed hosting so it's in many different datacenters
Me: Yes or no, Are these datacenters in Canadian territory?
Them:
Me: So, I'll take that as a no, which means that you know we can't host with you because of the government ruling about hosting private data outside the country.
Them:
Me:

More and more Canadian companies are taking the approach of hosting only in Canada, if only to ensure that they know the rules for data privacy and know there won't be a conflict between Canada's and the other country's.

Re:That's nice, and all

Borders are a thing of the past.

LOL.

Be sure to email Lou Dobbs in case he didn't get the memo.

While you're at it, be sure to mention that you've found the solution to end all wars, territorial disputes, and cure the rising tide of nationalism in Russia, China, Kossovo and ... well, just about everywhere, and that fans attending football matches the world over can now settle down and share a quiet cup of tea.

Re:That's nice, and all

LOL.

In this context (legal action against a website which has a multinational presence), it is becoming more and more apparent that governments don't care where the website comes from. Sure there still are nominal borders but it's not like you can throw rubbish over the neighbour's fence and get away with it so easily on the Internet.

Re:That's nice, and all

it is becoming more and more apparent that governments don't care where the website comes from.

They might not like it, but there is not much that they can do about it unless they want to cut off trade, end normalized diplomatic relations, or go to war (not really a viable option anymore these days). They can block the website in question, but that will probably be the end of it.

but it's not like you can throw rubbish over the neighbour's fence and get away with it so easily on the Internet.

Sure you can. What are they going to do about it? Facebook is an American corporation with (as far as I know) no business operations in Canada. The Facebook executives just have to avoid entering Canada personally and never invest any capital there. The De Beers diamond cartel thumbed its nose at the United States for decades in just this way and their executives simply avoided visiting the United States. Canada can try and block Facebook, ala the great firewall of China, but that is about it.

Re:That's nice, and all

it's not like you can throw rubbish over the neighbour's fence and get away with it so easily on the Internet.

Have you ever seen Usenet?

Re:That's nice, and all

Borders are a thing of the past.

Tell that to the Missouri Highway Patol when you cross the Mississippi river from Illinois on your motorcycle when you're not wearning a helmet.

Yes, borders are a thing of the past. They're also a thing of the present and a thing of the future.

If Facebook has offices in Canada, servers in Canada, or workers who live in Canada then Canada has a valid point. If not then Facebook can tell Canada to fuck off.

Re:Don't use it then!

There are still privacy issues even if you don't use Facebook, as identified in the document. Facebook users can still tag non-Users in photos and videos, and invite them to events. Facebook collects and retains this information without the non-User providing any consent!

Here's one extract:

When Facebook collects non-Usersâ(TM) email addresses to send them invitations to Facebook, it collects this personal information from parties other than the individual in question. By retaining
such email addresses for its own purposes, Facebook is violating the âoeknowledge and consentâ principle outlined in Principle 4.3.3 of PIPEDA by not informing the individual why his or her email address is kept. The non-User has not consented to this retention of information, and is most likely unaware that it is taking place. The non-User only receives an automated email from
their friend via Facebook, which encourages the individual to join the Network. The email gives no indication to the receiver that their information will now be kept on file or that they must contact Facebook directly to remove themselves from the list. Furthermore, if the individual has received more than one invitation to join Facebook, all past invitations will reappear on the new invitation. This is a clear example of how Facebook retains non-Userâ(TM)s information.

Re:Don't use it then!

It was always the information collected from other users that bothered me about Facebook. I signed up briefly in the early days, keen to see what all the fuss was about. Despite deliberately giving them almost no personal information about me, within a few days they practically had half my life story, generously volunteered by my friends with no doubt the best of intentions but certainly not my permission or consent. I deleted my account soon after joining, only to discover later that they don't really delete the information anyway.

There doesn't seem to be much point suggesting on Slashdot that this is unreasonable, maybe even dangerous, behaviour, though: last time I just got heavily down-modded and told I should read some Ts&Cs page on an obscure URL that I was supposed to have found before signing up (which, as far as I could tell, was not even available to non-users at the time). I guess "information wants to be free" mentality trumps "identity theft can ruin your life" and "privacy is important" around here. :-(