Technology

How will the Data Protection Commissioner’s Facebook audit change the site for you?

Facebook's users' Connections
Credit: Facebook
1.39Kviews

The outcomes of an investigation by the Irish data protection authority into Facebook will bring major changes to the social network’s global privacy settings. The three month audit covered almost every aspect of Facebook’s data management and privacy settings, including facial recognition, tagging, deleted account, and advertising.

Facebook's users' Connections
Credit: Facebook

Because Facebook Ireland manages the privacy settings for users outside of the US and Canada the results of the investigation with be seen internationally.  Below we present the outcomes from the report, including the DPC’s findings, Facebook’s response, and the time required for a resolution (download the original Data Protection Commissioner’s report here as a PDF for even more information).  Read the DPC’s announcement of the report on their website.

Use the links below to see just what the outcomes of the investigation are, and how they will change Facebook for you.

Complexity & accessibility of user controls

Complexity & accessibility of user controls
Facebook Ireland must work towards:

  • Simpler explanations of its privacy policies
  • Easier accessibility and prominence of these policies during registration and subsequently
  • An enhanced ability for users to make their own informed choices based on the available information
Facebook Ireland  Response Facebook Ireland will work with the Office to achieve the objectives of simpler explanations of its Data Use Policy, identify a mechanism to provide users with a basis to exercise meaningful choice over how their personal data is used, easier accessibility and prominence of these policies during and subsequent to registration, including making use of test-groups of users and non-users as appropriate.
Target Implementation Date End Q1 2012 and routinely thereafter

Advertising use of user data

Advertising use of user data
There are limits to the extent to which user-generated personal data can be used for targeted advertising. Facebook must be transparent with users as to how they are targeted by advertisers
Facebook Ireland  Response Facebook Ireland will clarify its data use policy to ensure full transparency.
Target Implementation Date By the end of Q1 2012
Advertising use of user data
The current policy of retaining ad-click data indefinitely is unacceptable.
Facebook Ireland  Response Facebook Ireland will move immediately to a 2-year retention period which will be kept under review with a view to further reduction.
Target Implementation Date Review in July 2012

Access Requests

Access Requests
If identifiable personal data is held in relation to a user or non-user, it must be provided in response to an access request within 40 days, in the absence of a statutory exemption
Facebook Ireland  Response Facebook Ireland will fully comply with the right of access to personal data, as outlined in the schedule contained within the Access Section of the Report. It has additionally committed to a key transparency principle that users are entitled to have easy and effective access to their personal information.
Target Implementation Date In line with the schedule in relation to availability from the user’s profile, their activity log and the download tool. Data will be added to the various tools in phases, beginning in January 2012.

Retention of data

Retention of data
The information provided to users in relation to what happens to deleted or removed content, such as friend requests received, pokes, removed groups and tags, and deleted posts and messages should be improved.
Facebook Ireland  Response Facebook Ireland will comply with this recommendation in an updated Data use Policy.
Target Implementation Date By the end of Q1 2012.
Retention of data
Personal data collected must be deleted when the purpose for which it was collected has ceased
Facebook Ireland  Response Facebook Ireland will comply with requirements in relation to retention where the company no longer has a need for the data in relation to the purposes for which it was provided or received. Specifically it will:

  1. For people who are not Facebook users or who are Facebook users in a logged out state, Facebook Ireland will take two steps with respect to the data that it receives and records through social plugins within 10 days after such a person visits a website that contains a social plugin. First, Facebook Ireland will remove from social plugin impression logs the last octet of the IP address when this information is logged. Second, Facebook Ireland will delete from social plugin impression logs the browser cookie set when a person visits Facebook.com.
  2. For all people regardless of browser state (logged in, logged out, or non-Facebook users), Facebook Ireland will delete the information it receives and records through social plugin impressions within 90 days after a person visits a website that includes a social plugin.
  3. Anonymise all search data on the site within six months
  4. Anonymise all ad click data after 2 years
  5. Significantly shorten the retention period for log-in information to a period which was agreed with this Office
Target Implementation Date Immediate and ongoing, subject to any legal holds placed on the data by civil litigation or law enforcement. The continuing justification for these periods will be kept under continuous assessment and will be specifically re-assessed in our July 2012 review.
Retention of data
Data held in relation to inactive or de-activated accounts must be subject to a retention policy
Facebook Ireland  Response Facebook Ireland will work with this Office to identify an acceptable retention period
Target Implementation Date July 2012.

Cookies/Social Plug-Ins 

Cookies/Social Plug-Ins
It is not appropriate for Facebook to hold data collected from social plug-ins other than for a very short period and for very limited purposes
Facebook Ireland  Response Impression data received from social plugins will be anonymised within 10 days for logged-out and non-users and deleted within 90 days, and for logged-in users, the data will be aggregated and/or anonymised in 90 days.
Target Implementation Date Immediately and to be verified by this Office subject to any legal holds placed on the data by civil litigation

Third Party Apps 

Third Party Apps
It must be made easier for users to understand that their activation and use of an app will be visible to their friends as a default setting
Facebook Ireland  Response Facebook Ireland has recently changed its granular data permissions dialog box for apps where users can choose the audience (“audience selector”) for their app activity directly in the dialog box.
Target Implementation Date Assessed again in July 2012
Third Party Apps
We do not consider that reliance on developer adherence to best practice or stated policy in certain cases is sufficient to ensure security of user data. We do note however the proactive monitoring and action against apps which breach platform policies.However, this is not considered sufficient by this Office to assure users of the security of their data once they have third party apps enabled. We expect Facebook Ireland to take additional steps to prevent applications from accessing user information other than where the user has granted an appropriate permission.
Facebook Ireland  Response Facebook Ireland has proactive auditing and automated tools designed not just to detect abuse by developers, but to prevent it in the first place and the findings of the audit will be used to further refine the tools.
Target Implementation Date Progress review in July 2012.

Facial Recognition/Tag Suggest 

Facial Recognition/Tag Suggest
Facebook Ireland should have handled the implementation of this feature in a more appropriate manner and we recommended that it take additional steps from a best practice perspective to ensure the consent collected from users for this feature can be relied upon
Facebook Ireland  Response Facebook Ireland will provide an additional form of notification for Tag Suggest. It will appear at the top of the page when a user logs in. If the user interacts with it by selecting either option presented then it will disappear for the user.If the user does not interact with it then it will appear twice more for a total of 3 displays on the next successive log-ins. Before making a selection more detail about how the feature works will appear behind a Learn More link and will also be shown if a user clicks Adjust Your Settings.Facebook Ireland will discuss with this Office any plans to extend tag suggest to allow suggestions beyond confirmed Friends in advance of doing so.
Target Implementation Date First week January 2012 at the latest

Security 

Security
Many policies and procedures that are in operation are not formally documented. This should be remedied.
Facebook Ireland  Response Facebook Ireland will continue to document policies and procedures as required to maintain consistency in security practices.
Target Implementation Date Newly documented policies and procedures to be reviewed in July 2012.

Deletion of Accounts 

Deletion of Accounts
There must be a robust process in place to irrevocably delete user accounts and data upon request within 40 days of receipt of the request (not applicable to back-up data within this period.)
Facebook Ireland  Response Facebook Ireland had already devoted a substantial amount of engineering resources to progressing account deletion to an acceptable level and is committed to working towards the objectives outlined by this Office.
Target Implementation Date Review in July 2012

Friend Finder 

Friend Finder
We recommend that users be made aware that where they choose to synch their contact information from a mobile device, those contact details are transmitted in plain text and are therefore not secure during transmission. This is not an issue within Facebook’s control but users should nevertheless be made aware when choosing this option.
Facebook Ireland  Response It is not more risky to send data in plain text via the synchronization process than doing so by sending email using an internet email provider, which providers do not provide disclosures on security risks. Facebook Ireland will have further dialogue in order to work towards reviewing alternatives for reducing risk and addressing them through education or changes in the product.
Target Implementation Date End of Q1 2012.
Friend Finder
We established that the action of disabling synchronisation does not appear to delete any of the synchronised data. This requires an additional step via the “remove data” button within the app. We recommend that it should be clear to users that disabling synching is not sufficient to remove any previously synched data.
Facebook Ireland  Response It should be obvious to users that their synchronized data is still there after they disable synching but Facebook Ireland will add text to that effect within the app.
Target Implementation Date End of Q1 2012.

Tagging 

Tagging
There does not appear to be a compelling case as to why a member cannot decide to prevent tagging of them once they fully understand the potential loss of control and prior notification that comes with it.
Facebook Ireland  Response Facebook Ireland will examine the broader implications of this recommendation and will engage further on this issue in the July 2012 review
Target Implementation Date In advance of July 2012

Posting on Other Profiles 

Posting on Other Profiles
We recommend that Facebook Ireland introduce increased functionality to allow a poster to be informed prior to posting how broad an audience will be able to view their post and that they be notified should the settings on that profile be subsequently changed to make a post that was initially restricted available to a broader audience. We recommend the sending of a notification to the poster of any such change with an ability to immediately delete their post if they are unhappy.
Facebook Ireland  Response Facebook Ireland will examine the broader implications of the suggested approaches and having done so will engage further on this issue in the July 2012 review.
Target Implementation Date In advance of July 2012

Abuse Reporting 

Abuse Reporting
We are satisfied that Facebook Ireland has appropriate and accessible means in place for users and non-uses to report abuse on the site. We are also satisfied from our examination of the User Operations area that Facebook Ireland is committed to ensuring it meets its obligations in this respect.
Facebook Ireland  Response n/a
Target Implementation Date n/a

Compliance Management/ Governance

Compliance Management/ Governance
This Office requires that Irish data protection law and by extension European data protection laws be fully addressed when Facebook Ireland rolls-out a new product to its users. We recommend therefore that Facebook Ireland take additional measures in the first half of 2012 to put in place a more comprehensive mechanism, resourced as appropriate, for ensuring that the introduction of new products or uses of user data take full account of Irish data protection law.
Facebook Ireland  Response Facebook Ireland already fully considers and analyzes applicable laws, including Irish and EU laws, prior to product rollouts, but will implement this recommendation and consult with this Office during the process of improving and enhancing its existing mechanisms for ensuring that the introduction of new products or new uses of user data take full account of Irish data protection law.
Target Implementation Date We will fully assess the improvements made in this regard in July 2012 and will expect that by that time Facebook Ireland will have in place the procedures, practices and the capacity to comprehensively meet its obligations in this area.

 

3 Comments

Leave a Response

Piers Dillon Scott
Piers Dillon-Scott is co-editor of The Sociable and writes about stuff he finds. He likes technology, media, and using the Oxford comma (because it just makes sense).