Facing the privacy leak: in light of recent controversy, is Facebook at fault?
Social media circles were shaken on Monday as private messages on Facebook sent between 2007 and 2009 were mysteriously appearing on users’ public timelines.
The website is denying all instances of the leak, explaining that many users are mistaken and are confusing older public messages for private messages.
Numerous students are reporting otherwise.
Philip Savage, Assistant Professor of Communications Studies at McMaster University and researcher of communication law and policy, says that Canada has safeguards in place to combat digital privacy breaches.
“[There] is legislation in Canada to protect your rights as an individual in matters of privacy. PIPEDA sets out rules around the obligations of any government or commercial enterprise around collecting and sharing information on people,” said Savage.
PIPEDA, the Personal Information Protection and Electronic Documents Act, explicitly outlines the rules surrounding the collection and distribution of personal, private information.
Section 4.7.1 states that an organization’s “security safeguards shall protect personal information against loss or theft, as well as unauthorized access, disclosure, copying, use or modification. Organizations shall protect personal information regardless of the format in which it is held.”
“You cannot have your private correspondence shared, regardless of the Terms of Service that you may have signed,” said Savage in reference to clause 16.3 in the Facebook terms of service.
The terms state, in part, “We do not guarantee that Facebook will always be safe, secure or error-free or that Facebook will always function without disruptions, delays or imperfections.”
An organization’s terms of service, accepted or otherwise, cannot supersede Canadian regulations as long as they operate within the country.
The personal information act does not differentiate between breaches of information that are technical fouls and those that are ethical missteps, and clearly outlines that “an organization may collect, use or disclose personal information only for purposes that a reasonable person would consider are appropriate in the circumstances,” a provision that would be employed, for example, in the case of releasing to police officers relevant information in a criminal investigation or about people who are at risk for suicide and abuse.
This is not the first breach of privacy in Facebook’s recent history, as the social media icon was involved in a lengthy investigation in May 2008 regarding “22 separate violations of PIPEDA” surrounding the collection and disclosure of information on the site. The accusation was brought forward by the Canadian Internet Policy and Public Interest Clinic, CIPPIC, an organization spawned from the University of Ottawa’s Faculty of Law.
Leslie Regan Shade, Associate Professor of the Faculty of Information at the University of Toronto, provided her insights into a history rife with legal issues. “Facebook has always played a cat and mouse game with privacy laws and data commissioners. CIPPIC found that many of the issues that were brought to Facebook’s attention were resolved, and it set a global precedent for Facebook,” said Shade. While the issues were resolved within the one-year time limit set by the Assistant Privacy Commissioner, CIPPIC continued to have concerns with the default settings for users not being reflective of the intent behind the initial resolution.
“If you do not file a complaint, the Office of the Privacy Commissioner may not begin an official investigation in the near future,” said Shade.
Even more recently, Facebook underwent intense scrutiny by the Federal Trade Commission in the U.S. over its propensity to reveal private information that users were told would be kept private. The resulting case was settled on the premise that Facebook would undergo regular auditing every two years for the next twenty years as a countermeasure to its quickly shifting privacy atmosphere.
“I think whenever you have huge amounts of information gathered, that there will be mishaps,” said Savage. It is an organization’s responsibility to have both technical protection in place and accountable individuals available when such a privacy breach is discovered, as outlined by PIPEDA.
Savage believes that this is an issue that needs to be investigated by the Office of the Privacy Commissioner of Canada, headed by Jennifer Stoddart, the Commissioner herself.
“The Office has been proactive in investigating breaches of privacy in the past, such as the photo tagging issue on Facebook where users were being tagged without their prior consent,” he said.
He then added that the Office was also instrumental in changing Google’s policy in their maps application to include the distortion of faces and sensitive addresses such as women’s shelters.
A statement released by the privacy commissioner’s office on Tuesday elaborated on the minister’s current investigation into privacy leaks by popular websites. Research conducted by the office found that “approximately one in four of the sites tested” had “significant privacy concerns.”
Stoddart has contacted eleven unnamed organizations to inquire into their privacy practices and work with them to ascertain their compliance with PIPEDA and related laws.
“It is time for a more considered, government-driven inquiry into protecting privacy. The means by which PIPEDA and other privacy safeguards are enforced are not resourced enough,” said Savage.
In the meantime, Savage urges students to read the nature of their agreements with organizations, and complain to their service providers if they feel their privacy has been violated.