Lockstep


Facebook privacy paper printed in IEEE Technology & Society

Stephen's analysis of Facebook's privacy compliance problems -- jointly developed with Salinger's Anna Johnston -- has been published in the IEEE "Technology and Society" magazine. Pre-print copy attached.

Privacy Compliance Risks for Facebook
Anna Johnston & Stephen Wilson
IEEE Technology and Society Magazine, Vol. 31, No. 2. (Summer 2012), pp. 59-64.

Abstract

Facebook is an Internet and societal phenomenon. In just a few years it has claimed a significant proportion of the world’s population as regular users, becoming by far the most dominant Online Social Network (OSN). With its success has come a good deal of controversy, especially over privacy. Do Facebook and its kin herald a true shift in privacy values, or despite occasional reckless revelations, are most users actually as reserved as ever? We argue it’s too early to draw conclusions about society as a whole from the OSN experience to date. However, Facebook in particular brings a number of compliance risks in jurisdictions that have enacted modern Information Privacy Law.

Over 70 jurisdictions worldwide now have enacted data privacy laws, around half of which are based on privacy principles articulated by the Organisation for Economic Cooperation and Development (OECD). Amongst these are the Collection Limitation Principle, which requires data custodians to not gather more personal information than they need for the tasks at hand, and the Use Limitation Principle, which dictates that personal information collected for one purpose not be arbitrarily used for others without consent.

In many jurisdictions, Facebook may not be complying with local data privacy laws. This article examines a number of areas of privacy compliance risk for Facebook. We focus on several ways in which Facebook collects personal information indirectly, through the import of members’ email address books for ‘finding friends’, and the tagging of friends as being in one’s company when using the ‘places’ feature. The ease of registration as a new member, combined with a lack of transparency about collection practices and permissive default privacy settings, leads to many opportunities for misadventure. Taking the National Privacy Principles from the Privacy Act 1988 (Cth) as our guide, we identify a number of potential breaches of privacy law, arising in part because Facebook administrators appear not to avail themselves of alternative means for managing personal information.