Update: Canada: Facebook Must Bolster Privacy Practices

(This post was updated July 16 at 6 p.m. ET)

The Privacy Commissioner of Canada has determined that Facebook does not meet Canada’s privacy legislation requirements. The ruling was issued following an investigation into the social network’s privacy practices by the Canadian government, which recommends that Facebook bolster its settings and simplify controls so users can make informed decisions about how much information they wish to share and know what happens to their information once it’s posted.

Facebook already determined on its own that its privacy settings were too complex and needed simplification. But it appears its efforts to quell concern haven’t been adequate for high-level Canadian government.

The investigation, prompted by a complaint from the Canadian Internet Policy and Public Interest Clinic, determined that Facebook should become more transparent.

Also criticized were Facebook’s relationships with third-party developers of games, quizzes, and other entertainments. According to the report, Facebook lacks safeguards preventing third-parties from parsing profile information. Privacy Commissioner Jennifer Stoddart noted concern because Facebook doesn’t know exactly what information these developers can access, and that information may be used for intrusive purposes. The investigation resulted in a recommendation that apps use only what’s necessary to run the program.

The biggest problem noted was with deleting Facebook accounts. The “account settings” page details how to deactivate an account, but not how to delete it. This is a major concern after it was discovered that Facebook — and a variety of other social networking sites — keep data such as photographs on its servers long after an account is supposedly closed.

Facebook agreed to implement most recommendations. On some of them, it has proposed “reasonable alternatives.” Still, there are some recommendations Facebook has not agreed to implement. It is unclear as of now which ones these are.

“We urge Facebook to implement all of our recommendations to further enhance their site, ensure they are in compliance with privacy law, and ultimately show themselves as models of privacy,” Canada’s Assistant Commissioner Elizabeth Denham said.

* Update July 16, 6 p.m. ET *

Valerie Lawton of the Office of the Privacy Commissioner of Canada contacted PC World with the following additional information:

The four areas where we remain dissatisfied by Facebook’s response to our recommendations are the following.

Facebook should allow third-party application developers to access only the user information that is required to run a specific application. Facebook should allow no access at all to the information of users who are not themselves adding an application.

Facebook should implement a retention policy under which the personal information of users who have deactivated their accounts will be deleted from the site’s servers after a reasonable length of time.

People should have a better way to provide meaningful consent to have their account “memorialized” after their death. As such, Facebook should be clear in its Privacy Policy that it will keep a user’s profile online after death so that friends can post comments and pay tribute.

Facebook should better protect the privacy of non-users who are either identified in photographs or invited to join the site.

For additional information please see the official investigation report.