The Office of the Privacy Commissioner of Canada has released their final agreement with Facebook, in which Facebook notably agrees to change the API to third-party applications, enabling much more granular control of the personal information you share with them.
News Release - Facebook agrees to address Privacy Commissioner’s concerns - August 27, 2009
(announced via the @PrivacyPrivee Twitter feed, incidentally)
This is an issue that has concerned me for some time, so it's great to see it being resolved in a positive manner.
Here's a question I asked about Facebook in 2007, when I was blogging the OECD Participative Web forum:
QUESTION: Hi, Richard Akerman from the National Science Library of Canada.
One of the things that I've seen in the discussion is we are talking mostly about silos, but Web 2.0 is about mashing sites up, about linking sites together, about crossing between sites and combining them together.
Not to pick on Facebook, but Facebook has a fabulous feature, which is Facebook Applications. However, in order for me to give my informed consent, I have only one choice. To use this application, I share my information with a third party.
I think that is a valid option, but the question, the broader question, the policy question is: How do we deal with privacy when we expect that sites will want to interlink like this, that people will want to connect their information like this? How do we control the spread of the information?
Are there technological ways to do that? Are there policy ways to manage it? If I share with a third party, how do I stop the third party from sharing on?
So I'm interested obviously particularly in the Facebook experience but the broader panel as well.
and here's the panel discussion that ensued - the cast of characters is Mozelle Thompson from Facebook, John Lawford from the Public Interest Advocacy Centre, and Gary Davis from the Irish Internet Data Authority, with Hugh Stevenson from the U.S. Federal Trade Commission chairing.
MR. THOMPSON: I think that question is there for a reason. I mean, when I say that, when it warns you that in order to use this application, you have to share some information with that application, it's because if you don't want to share your information with that application, you should not download that application.
One of the things, you are absolutely correct we have over 5,000 applications. And aside from the applications that are created by Facebook itself, it is very difficult to police every single other one for what everybody else does.
For example, if Amazon has an application that you can download on Facebook, then you are going to have to be guided by Amazon's policy.
That being said, do we have certain standards about data mining and other things? Absolutely.
We tell sites that if they want to create an application and they want to ask you for information, that's great. We are not going to give you information about our users. We leave it then up to the user to determine whether they want to use this application or not. And that has to do with a trusted site relationship.
MR. STEVENSON: Thank you.
John, I think you wanted to get on this, and then Gary, and then one more question.
MR. LAWFORD: The way you dealt with that in legislation, you just ask for someone's consent, right, and that should be the end of it. If you don't want to use that program, you don't consent, except that what you are getting for that application is they are asking for more personal information probably in your sign‑up than they need to to provide that application to you.
They've already got the fact that you have been referred from Facebook and now they are asking for additional personal information.
That's where we are saying that for a Web 2.0 type statute, whether internationally or nationally, you should be able to ask for the plain vanilla transaction. So you have name, address, if you need it, and I get my application, not all this other stuff.
MR. THOMPSON: That's a little bit misleading in the following sense: that is you are Amazon and you have an application on Facebook or some other company has an application on Facebook, if it's Expedia or Travelocity, they are going to need some information from you in order for them to do a transaction with you. That's your relationship with them.
We are not collecting that information. That third party is collecting that information. That's the purpose of the warning. Not because we need that information. We already know what we need to know because you are our user. You are absolutely right.
But we put the warning there so that if you are using a third party application, you know that they are collecting information about you. It's a benefit to consumers.
MR. STEVENSON: Thank you.
Let's give Gary a chance to intervene on this and then I think we have one more question.
MR. DAVIS: Just from a data protection perspective, I don't know the actual characteristics of Facebook applications and there could be anything else.
One of the principles is the purpose limitations. So if I give my information for one purpose, which is to sign up to that, the third party, then if they do anything else with it other than the reason for which you gave it, then you would have a valid complaint to us as the Data Protection Commissioner's Office and we would investigate it.
Also, and again understanding the nature of the relationship that exists, if Facebook applications could be deemed to be handling the information on behalf of Facebook, well then there's a contractual obligation there. And one might say that a privacy standard would be that the contract that is entered into would specify between Facebook and whoever manages Facebook applications, that they may not use the information for any other purpose.
I would expect to see that. If you weren't seeing that going forward, well then that's a privacy point that one would expect to be articulated.
MR. STEVENSON: Thank you.
from OECD transcript