You Might be Interested In

Our Commissioner, Jennifer Stoddart is worried that maybe they don’t. After conducting an investigation into Facebook’s privacy policies, we’re now turning our attention to youth as the school year gets underway. Because while they may be savvy about using social media, many of them still may not know how to create a secure online identity.

If you’re listening to the radio today you may hear a message from our office that we created especially for young Canadians. In case you miss it, we’ve provided clips from it for you here . The gist of it is that many young people are still jeopardizing their safety, and possibly compromising their futures, by sharing photos and information – some of it inappropriate – with people they don’t know… people who may not be who they say they are.

Young people – everyone, really –  need to always be aware that the personal information that they post online could be used in a variety of shady ways, from embarrassing them, to stealing their identities – even for finding out where they live, go to school, or their plans for the weekend. Our radio message urges young people (and their parents and teachers) to regularly visit youthprivacy.ca for information on safely using the Internet and social networking sites.

The message also reminds everyone that we’re inviting all young people, between the ages of 12 and 18, to participate in our second annual video contest. All they have to do is create a one- to two-minute public service announcement on the importance of privacy by Friday, December 11th and they could win some really cool prizes!

(from our backgrounder)

The Office of the Privacy Commissioner of Canada has completed an in-depth investigation into a wide-ranging complaint about the privacy practices and policies of Facebook, a social networking website. The complaint was filed by the Canadian Internet Policy and Public Interest Clinic (CIPPIC).

The investigation was conducted under PIPEDA, the Personal Information Protection and Electronic Documents Act, which is the federal private-sector privacy law.

Our investigation concluded that four aspects of the complaint were well founded. Another four were well founded but considered to be resolved after Facebook agreed to make specific changes to its policies or practices. The final four issues raised by the complaint were dismissed as not well founded.

Here are examples from each of the three categories of our findings.

Well-founded allegation of the complaint: Third-party applications

One key allegation of the complaint that we upheld as well founded related to Facebook’s disclosure of personal information to third-party developers who create applications, such as games, quizzes and classified ads, that run on the Facebook platform. There are more than 950,000 application developers in some 180 countries.

When users add an application, they consent to giving the application’s developer access to some of their personal information, as well as that of their “friends.”  Moreover, the only way that users can refuse to share personal information when their friends add applications is by opting completely out of all applications, or blocking specific applications.

Based on our investigation, we recommended that Facebook implement technological measures to restrict application developers’ access only to the user information essential to run a specific application. We also called on Facebook to ensure that users are informed of the specific information that an application requires, and what the purpose is.

We further recommended that users signing up for an application be asked for express consent to provide their personal information to third-party developers. Measures are needed to prohibit all disclosure of the personal information of users who are not themselves adding an application.

Facebook has not agreed to the recommendations.
Well-founded and Resolved allegation of the complaint: Facebook advertising

The complainant alleged that Facebook was not making a reasonable effort to notify users clearly that their personal information is used for advertising purposes.

Our Office examined the two types of ads on Facebook that use personal information – “Facebook ads,” which are targeted to demographic profiles or key words in a user’s profile, and “social ads,” which are triggered by actions such as becoming a fan of a page or joining a particular group.

Social ads are inherently intrusive because they use peoples’ actions, thumbnail photos and names to promote products and services. The ads give the appearance that a user is endorsing a particular product. Users can, however, opt out of this type of ads.

On the other hand, users cannot opt out of Facebook ads. But, because only users can see the ads being targeted at them, we considered them to be less invasive.

We accepted that, as a free service to users, Facebook needs to generate revenue, and that most Facebook users reasonably expect to receive advertisements. However, in light of the prominent role of advertising on the site, we recommended that Facebook explain the role of advertising more fully in its Privacy Policy, and inform users that their profile information is used for targeted advertising purposes.

Facebook agreed in principle to describe advertising more clearly and to configure its systems to allow users to more easily find information about advertising.
Not Well-founded allegation of the complaint: Deception and misrepresentation

The complainant alleged that Facebook was misrepresenting itself by claiming to be purely a social networking site when, in fact, it was engaged in other activities, such as advertising and third-party applications, and did not clearly explain this involvement. The complainant also alleged that Facebook was misrepresenting users’ level of control over their personal information.

We found no evidence that Facebook was willfully misleading or deceiving users about the purposes for which it collects information, or that it is obtaining consent through deception.
The Road Ahead

The Privacy Commissioner has given Facebook 30 days to comply with any unresolved recommendations. During that time, our Office will continue to work with the company to address any outstanding concerns.

Under PIPEDA, the Privacy Commissioner can apply to the Federal Court of Canada to have her recommendations enforced.

You may have noticed by now that we have a Twitter account. 260 of you have taken the step of following @privacyprivee – a remarkably optimistic and patient act on your part, as we haven’t been consistent or active in how we use that account.

Twitter poses an unusual problem for a federal agency charged with serving a country with two official languages. As a tool, it encourages the quick exchange of information, links and opinions. Most tweets look nothing like the traditional and often boring messages Canadians expect to get from the government, thanks to the use of #hashtags, @replies and shortened hyperlinks. A stream of tweets often looks like a thousand individual conversations taking place all at once, in public.

There are clear benefits in being active on Twitter. Among our 260 followers I can identify individual citizens, academics, journalists, privacy advocates, open government activists and others. Recent discussions categorized under hashtags like #privacy, #dpi, #dhsprivacy, and #crtc demonstrate that Twitter users share many of our concerns and are following many of the same issues. They are reacting quickly to developments in technology, changes in policy and the possible infringement of privacy rights the world over. Their Tweets often contain shortened hyperlinks to conventional reporting, first person accounts of events, copies of their formal testimony to legislative bodies, sophisticated technological analysis, and their personal observations.

Let’s be blunt. It’s hard for a federal agency to communicate this way. We’re not used to it. We don’t have the same freedom to comment on issues. We have to respect public service and parliamentary procedures. In our case, particular cases or issues brought up in the Twitter stream might be the subject of a formal investigation or an audit.

More importantly, it’s difficult for any organization to present a personal AND authoritative voice on Twitter. Many organizations choose to use Twitter as a broadcast tool, alerting their Twitter followers to the publication of relevant material on their other sites. Behind other @s, you will only find customer service staff or a lone communications staffer. Some organizations allow specialists to use Twitter and similar tools to communicate with their peers.

But how does an Office like ours represent itself well in such a fast moving medium? We’re advocates, but we also have legislated responsibilities. We are interested in a wide range of issues and policies, but recognize that there may be more authoritative voices than ours.

This brings us back to @privacyprivee. We’re still learning how to use Twitter. We’re trying to find a voice for the Office on Twitter that is reliable, authoritative AND respects government policies. We recognize that the tool is extremely useful, and that we should be using it more effectively. This will take some time. I thank you for your patience as we find this voice.

* A note on official languages: in order to respect our linguistic duality, our outgoing Tweets will be posted in both English and French. If a Canadian (or anyone else) decides to send @privacyprivee a message, we will respond in their language of choice. That’s to say, our official communications will be in both languages, our conversations will be in your chosen language (as long as it’s English or French. Otherwise, we’re turning to Babelfish)

We have exciting news that we hope you will share with your children, students, neighbours – whoever! We’re launching our 2009 My Privacy & Me National Video Competition for youth! Again, we’re asking 12- to 18-year-olds to create their own public service announcements on the issue of privacy. The videos should between 60 and 120 seconds long, and speak to other young people about how important privacy is. They can record the videos, animate them – present them however they like. And as long as the focus is on some aspect of personal privacy they can make it about whatever they want.

For inspiration, sit down with them and watch the 2008 winning and finalist videos. In our first-place video, A Lesson in Privacy, watch as Shelby the Snail teaches Timothy Turtle a lesson about Facebook etiquette.

In our second-place video, The Facebook Experiment, see why accepting someone you don’t know as a friend on a social networking site can have unsettling consequences.

And in our third-place video, Your Life, Your Privacy, find out how some young people put way too much faith in their computers.

They can watch the rest of the seven finalist videos here. Then, have them grab a video camera. Just think – one of them could be our next contest winner!

And if they need further inspiration, last year’s winners won some pretty cool prizes – an iPod Touch, gift cards to their favourite stores and we posted the videos on our web sites and YouTube channel – so they were seen by tonnes of kids. Plus, the top-participating schools won a top-of-the-line video editing software packages. Stay tuned for information about this year’s prizes!

Every opportunity I get, I question young Canadians on why they share so much information so freely and so widely when using online sites and services. Being an aged adult, I often frame my questioning by citing the negative consequences that over sharing can produce: job loss, identity theft, even physical risk.

What if we, as a society, simply have to get used to a greater frequency of inappropriate behaviour by people who, frankly, are still learning how relate to other humans in the wild?

Here’s a dose of reality and frank observation from Clay Shirky, writing in the New York Times as part of an exchange on privacy in an online world:

“ … Society has always carved out space for young people to misbehave. We used to do this by making a distinction between behavior we couldn’t see, because it was hidden, and behavior we could see, because it was public. That bargain is now broken, because social life increasingly includes a gray area that is publicly available, but not for public consumption.

Given this change, we need to find new ways to cut young people some slack. Privacy used to be enforced by inconvenience; you couldn’t just spy on anyone you wanted. Increasingly, though, privacy will have to be enforced by us grownups simply choosing not to look, since it’s none of our business.

This discipline isn’t just to protect them, it’s to protect us. If you’re considering a job applicant, and he has some louche photos on the Web, he has a problem. But if one applicant in 10 has similar pictures online, then you’ve got a problem, because you’ll be at a competitive disadvantage for talent, relative to firms that don’t spy.

People my age tut-tut at kids, telling them that we wouldn’t have put those photos up when we were young, but we’re lying. We’d have done it in a heartbeat, but no one ever offered us the chance … ”

As privacy advocates and concerned parents (or uncles, aunts, grandparents, even nosy and irritating siblings), we emphasize the physical or monetary risk that can build by revealing too much about yourself online. As Shirky points out, their behaviour isn’t any different from previous generations – they’re just given more opportunities to shout their strengths and weaknesses from the rooftops.

Maybe the answer is to identify issues that have an immediate effect on the life of young Canadians – like their dating habits.

Researchers at the University of Guelph have discovered that the more time young Canadians spend on a social network, the more likely they are to become jealous of their dating partner.

“It becomes a feedback loop,” [University of Guelph psychology grad student Emily] Christofides said. “Jealousy leads to increased surveillance of a partner’s Facebook page, which results in further exposure to jealousy-provoking information.”

“It fosters a vicious cycle,” Christofides said. “If one partner in a relationship discloses personal information, it increases the likelihood that the other person will do the same, which increases the likelihood of jealousy.”

Now THERE’S a consequence young Canadians will understand.

The Office recently issued a fact sheet on the use of online social networks in the workplace, and their impact on the privacy of employees and individuals.

We have tried to recognize the personal and professional value of belonging to one or more online social networks – but still warn of the possible impact these networks may have on an individual and the organization they work for.

This focus on workplace privacy is usually missing from discussions of social networking, but is becoming increasingly necessary as organizations and employees stumble their way through this new terrain.

Our fact sheet takes steps to discuss how employees and organizations should take a considered approach to their use of social networks – as an organization seeking to capitalize on a new form or communication, and as an employer sensitive to the privacy rights of its employees.

It is especially important that organizations have a consistent approach to how they monitor social networks, and how they integrate the information they might uncover into their everyday business processes.

Several private and public sector organizations have developed simple and clear guidelines for their employees on preferred behaviour when using an online social network. (For example: Sun, IBM, the New Zealand public service, and the U.K. public service)

The fact sheet suggests organizations take this process to its next logical step, by clarifying how they interact with online social networks in the workplace.

In particular, we suggest that organizations establish a policy explaining how they might collect information about existing or prospective employees participating in online social networks.

“Specifically, the policy should address:

- whether the organization permits the use of personal or employer-hosted SNS in the workplace;

- if SNS are permissible, in what context and for what purposes may they be used?

- whether the employer monitors SNS sites;

- what legislation applies to the collection, use or disclosure of personal information in the workplace;

- what other rules may apply to the use of SNS in the workplace (collective agreements; other relevant legislation);

- the consequences of non-compliance with the policy and,

- any other existing policies about the proper use of electronic networks with respect to employee privacy and handling confidential information.”

The process of writing and approving this policy will encourage an organization – at all levels – to give serious thought to how it monitors the activities of its employees and collects information about them.

It will also help employees assess the personal and professional consequences of their activities online, and anticipate the organization’s possible reaction.

In the end, principles of fair information management will be applied to both employees and employer.

We each have personal limits when sharing information online. Sometimes these limits can seem arbitrary or illogical, and sometimes they’re just funny.

This is an actual screenshot (edited to protect the individual’s privacy) from my Facebook feed this morning.

Did you know it’s Privacy Awareness Week in the Asia Pacific Region? If you’ve got young people in your life, who you’re trying to impart the privacy-awareness message to, have them check out the three-minute video, featured on our YouTube channel, that the Asia Pacific Privacy Authorities (APPA) launched to mark the week.

The video features a series of animated scenarios that highlight the potential consequences of posting personal information online. Would your child, niece, nephew or student want their grandma, coach or teacher to see what they’re posting online? If the answer is “no” they need to watch this video – and learn to think before they upload!

Once again, folks from the Office attended “Canada’s web conference”, MESH 2009, in Toronto – a place where flacks, marketers, hackers, people with money to spend, people looking for money, and activists gather and talk about how the web is “affecting media, marketing, business and society as a whole”.

Just ten minutes at this conference is a lesson in how much human communication has changed. People don’t generally put up their hands to ask questions – instead they send messages to the organizers through Twitter. When Toronto Mayor, David Miller (who is known for using the web to get information out to citizens) gave his keynote, and was subsequently interviewed onstage, he paused several times to either tweet or to read new messages he was receiving. And gone are the days of hanging around after a presentation to fill out a feedback form – at this conference people send tweets about the quality of a speaker or session as it’s unfolding, causing others to abandon simultaneously-running sessions to join the one that’s getting all the attention.

All it takes is a quick glance at some of the sessions that were offered (“managing your persona online”; how to integrate social media into your marketing plan”; and “using online word of mouth” are just a few examples) to see how privacy is intertwined with the new online reality. One keynote speaker, Jessica Jackley, co-founder of kiva.org, the world’s first peer-to-peer online micro-lending web site, is living proof of how the Internet can be used for good. But isn’t privacy also a theme here, what with the online financial transactions that make the whole thing possible, not to mention the protection of the personal details of both the lenders and entrepreneurs?

The MESH conference tagline is “connect, share and inspire” and one of the themes is while social media can be “a difficult reality for some companies, it also offers tremendous opportunities for both businesses and individuals to communicate, collaborate, entertain and inform”. These are exciting words and ideas – as long as we don’t forget the important privacy implications that go hand-in-hand with them.

A year ago, we asked a law student at the University of Ottawa to examine the virtual world Second Life, and report on what implications this type of environment may have for personal privacy and the protection of personal information.

We have been using Janet Lo’s research inside the Office, as we examine a range of online environments and social networks. We have finally translated her report and have posted it online in HTML.

Enjoy, and we’d be interested to hear your reactions.