Virgil Cojocaru is a JD candidate at Osgoode Hall Law School.
You are shopping online, surfing on Blockbuster. The next day one of your friends on Facebook messages you, “hey Dave, nice choice in movies!” What has just happened here? Some might argue this is just amicable banter between close friends. Others might quickly point out that not everyone on Facebook are close friends. Whatever the case might be, it is reasonable to say that Dave’s online privacy has been breached. Keep in mind that Dave did not authorize anyone else to see his online purchases.
This is the meat behind the Facebook Beacon class action filed in California. Facebook tried to save this system by implementing an opt-in setup, where a user had to allow friends to see his/her online shopping activities. This stood in stark contrast to Beacon’s initial setup, where the system activated automatically not prompting a user for an opt-in. Beacon did not survive, as Facebook finally announced its dismantling following the well deserved ire of its online community.
What does this case mean for the countless denizens (myself included) using the Internet and various social networks? Privacy on the Net is a thin veil, perhaps even an illusion. Unless it is actively defended, it will be overstepped for whatever reason, be it increased sales, as in the case of Facebook’s Beacon, or the enforcement of intellectual property rights.
Facebook has also had trouble in Canada over online privacy concerns. During the summer months, the Office of the Privacy Commissioner of Canada (“Office”) has made it clear that Facebook did not meet Canada’s privacy laws, including principle 4.3 and subsection 5(3) of the federal Personal Information Protection and Electronic Documents Act. These cover such issues as disclosure of user information to third parties, such as developers, indefinite retention of information, such as emails of invited individuals, and deactivated user accounts.
On September 9, Facebook finally agreed to abide by the recommendations of the Office. Over the next year, it will implement measures that would mitigate privacy violations to third party developers by requiring the permission of users before disclosing any personal information. Deactivated accounts can now also be deleted permanently, instead of being maintained indefinitely; user information such as emails of invited persons who never signed up will be deleted.
At first glance, it looks like Facebook has stepped up to the plate. However, closer investigation reveals some inconsistencies. Facebook does not charge money for use, yet it is valued between 3.7 and 5 billion. This is because it has access to a copious amount of personal information, which can be put to use for commercial gain.
Even though Facebook Beacon has been taken offline, the social service has become much more sophisticated at using personal information. It is no longer about getting your friends to buy what you got; it is now about information management, processing, and predicting future consumer trends. This is available to whoever is able to pay.
One such application is the surveys conducted on Facebook. This information is collected by third party ‘developers’ who can use it in market studies to predict consumer trends. To get around recent commitments in Canada and other jurisdictions, these surveys are anonymous and purely voluntary. Perhaps by coincidence, this gets around the requirement of ‘developer’ third parties requiring permission from users before disclosing personal information (made earlier). If the survey process is anonymous, there is no personal information.
Still, how can a survey be anonymous when you opt in while logged in to your personal account? This becomes even more problematic, because Facebook likely provides the platform that collects and analyzes the results for the third party once the user has agreed to participate. Based on this set up it is always possible to connect the name and personal information of the user with his/her survey.
In the end, it is simply a question of trust.
On a broader scale, privacy concerns arise in the enforcement of intellectual property rights on the Net. Bell’s throttling is one example that has raised privacy concerns due to the nature of the process. On the other hand, throttling P2P applications might serve the rationale of at least slowing down illegal downloads that infringe copyright. It is important to note, that here too, it is a question of trust.
One Response
One important element you leave out of this is the complaint behind the class action — the action in California against Facebook was not based on a broad violation of “online privacy”, but rather a violation of the Video Privacy Protection Act, a 1988 statute introduced following the USSC confirmation hearings of Robert Bork, during which his video rental habits were made public. The class action against Facebook and Blockbuster was narrowly targeted only at this element of Beacon, in that it passed on the video rental or viewing habits of customers to third parties, in violation of the VPPA.
Indeed, Facebook’s replacement for Beacon (Facebook Connect), replicates an enormous amount of Beacon’s activities (including the posting of activities on third party websites, following authorization of Connect partners by a Facebook user). This suggests to me that much of the privacy furor around Beacon was its initial lack of a global opt-out mechanism, and a generally bungled launch.
I question whether PIPEDA or similar data protection laws are in fact of much use against systems like Facebook Connect, as they are based around the core concepts of knowledge and consent, rather than necessarily the intrinsic value of privacy. So long as users know what they are sharing and are willing to do so in exchange for some perceived benefit, PIPEDA has little to say.
Comments are closed.