Lockstep

Mobile: +61 (0) 414 488 851
Email: swilson@lockstep.com.au

"More trouble with Facebook"

An article written with Salinger Privacy's Anna Johnston for the Privacy Law Bulletin.

"More trouble with Facebook"
Stephen Wilson, Lockstep Consulting
Anna Johnston, Salinger Privacy.

Privacy Law Bulletin, V7.2, October 2010

Extract

Indirect collection of a member’s contacts

One of the most significant Collections by Facebook is surely the e-mail address book of those members that elect to have the site help “find friends”. This facility provides Facebook with a copy of all contacts from the address book of the member’s nominated e-mail account. It’s the very first thing that a new user is invited to do as they register.

We are not in a position to judge how the typical or “average” Facebook member will understand the “find friends” feature. It is very briefly described as “Search your email for friends already on Facebook” and without any further elaboration, new users are invited to enter their e-mail address and password for an external mail account. A link labelled “Learn more” in fine print leads to the following additional explanation:

We will not store your password after we import your friends’ information. We may use the email addresses you upload through this importer to help you connect with friends, including using this information to generate Suggestions for you and your contacts on Facebook. If you don't want us to store this information, visit [remove uploads page].

It is entirely possible that casual users will not fully comprehend what is happening when they opt in to have Facebook ‘find friends’. Further, there is no indication that by default, imported contact details are shared with Everyone and are therefore visible to anyone on the Internet.

While it is important that Facebook promises not to retain a copy of the user’s e-mail password, this may be the least of the privacy problems. What concerns us more is that the importing of contacts represents an indirect collection by Facebook of personal information without the authorisation (or even knowledge) of the individuals concerned. Furthermore, the “disclosure” quoted above leaves the door open for Facebook to use imported contacts for other purposes unspecified.

Imported contacts are vaguely described in the Privacy Policy as “Friend information” or even more ambiguously as “relationships”. In any case, the Privacy Policy says very little about this information; in particular, Facebook imposes no limitations on itself as to how it may make use of imported contacts.

Facebook TroubleFacebook TroublePDF, 101Kb