Facebook and Online Privacy: A game of cat and mouse

Facebook and Online Privacy: A game of cat and mouse

Virgil Cojocaru is a JD candidate at Osgoode Hall Law School.

You are shopping online, surfing on Blockbuster. The next day one of your friends on Facebook messages you, “hey Dave, nice choice in movies!” What has just happened here? Some might argue this is just amicable banter between close friends. Others might quickly point out that not everyone on Facebook are close friends. Whatever the case might be, it is reasonable to say that Dave’s online privacy has been breached. Keep in mind that Dave did not authorize anyone else to see his online purchases.

This is the meat behind the Facebook Beacon class action filed in California. Facebook tried to save this system by implementing an opt-in setup, where a user had to allow friends to see his/her online shopping activities. This stood in stark contrast to Beacon's initial setup, where the system activated automatically not prompting a user for an opt-in. Beacon did not survive, as Facebook finally announced its dismantling following the well deserved ire of its online community.

What does this case mean for the countless denizens (myself included) using the Internet and various social networks? Privacy on the Net is a thin veil, perhaps even an illusion. Unless it is actively defended, it will be overstepped for whatever reason, be it increased sales, as in the case of Facebook’s Beacon, or the enforcement of intellectual property rights.

Facebook has also had trouble in Canada over online privacy concerns. During the summer months, the Office of the Privacy Commissioner of Canada (“Office”) has made it clear that Facebook did not meet Canada’s privacy laws, including principle 4.3 and subsection 5(3) of the federal Personal Information Protection and Electronic Documents Act. These cover such issues as disclosure of user information to third parties, such as developers, indefinite retention of information, such as emails of invited individuals, and deactivated user accounts.

On September 9, Facebook finally agreed to abide by the recommendations of the Office. Over the next year, it will implement measures that would mitigate privacy violations to third party developers by requiring the permission of users before disclosing any personal information. Deactivated accounts can now also be deleted permanently, instead of being maintained indefinitely; user information such as emails of invited persons who never signed up will be deleted.

At first glance, it looks like Facebook has stepped up to the plate. However, closer investigation reveals some inconsistencies. Facebook does not charge money for use, yet it is valued between 3.7 and 5 billion. This is because it has access to a copious amount of personal information, which can be put to use for commercial gain.

Even though Facebook Beacon has been taken offline, the social service has become much more sophisticated at using personal information. It is no longer about getting your friends to buy what you got; it is now about information management, processing, and predicting future consumer trends. This is available to whoever is able to pay.

One such application is the surveys conducted on Facebook. This information is collected by third party ‘developers’ who can use it in market studies to predict consumer trends. To get around recent commitments in Canada and other jurisdictions, these surveys are anonymous and purely voluntary. Perhaps by coincidence, this gets around the requirement of ‘developer’ third parties requiring permission from users before disclosing personal information (made earlier). If the survey process is anonymous, there is no personal information.

Still, how can a survey be anonymous when you opt in while logged in to your personal account? This becomes even more problematic, because Facebook likely provides the platform that collects and analyzes the results for the third party once the user has agreed to participate. Based on this set up it is always possible to connect the name and personal information of the user with his/her survey.

In the end, it is simply a question of trust.

On a broader scale, privacy concerns arise in the enforcement of intellectual property rights on the Net. Bell's throttling is one example that has raised privacy concerns due to the nature of the process. On the other hand, throttling P2P applications might serve the rationale of at least slowing down illegal downloads that infringe copyright. It is important to note, that here too, it is a question of trust.