Facebook to tighten privacy after Canadian investigation

The changes call for stricter access to user data by third-party applications

Facebook will enhance its social-networking site's privacy features over the next 12 months as a result of a set of recommendations from the Canadian government.

Facebook will increase the information it provides to its users about its privacy features, as well as make technical changes to tighten privacy controls, the company said Thursday.

The changes come as a direct result of a review of Facebook's privacy policies and controls conducted by the Office of the Privacy Commissioner of Canada. Facebook cooperated with the Canadian agency's study, which lasted more than a year.

Specifically, Facebook will update its privacy policy so that it more clearly explains its privacy practices. Facebook will also reach out to users, prompting them to review their privacy settings.

For the tens of thousands of third-party applications built for the Facebook platform, Facebook will begin to require that they comply with a new set of permissions, specifying the types of information they want to access. "Express consent" from end users will also be required before their data and their friends' data is made available to external applications.

In a separate statement issued by her office, Privacy Commissioner of Canada Jennifer Stoddart said the changes to privacy policies and practices that Facebook has agreed to make will bring it into compliance with Canadian law.

"We're very pleased Facebook has been responsive to our recommendations," she said in the statement.

The Canadian agency's biggest concern has been what it called application developers' "virtually unrestricted access to Facebook users' personal information."

The new privacy requirements for third-party applications will take about a year to implement because they involve changes to the Facebook platform's API (application programming interface) and to the applications themselves. It will be interesting to see how Facebook developers react to the news that they will have to re-tool their applications to comply with these stricter privacy controls.

In a blog posting for its developer community, Facebook official Ethan Beard didn't sugar-coat the implications of the changes to the API.

"We have committed to making these enhancements over the next twelve months, and anticipate a lengthy beta period including opportunities for you to provide input, multiple blog posts, and updated documentation delivered well ahead of time. Understanding that this will likely require modifications to your code base, we want to give you the earliest heads up that these enhancements are on our road map," Beard wrote.

Ultimately, the goal is to make Facebook members better informed about how applications use their data, and to give them more control. "This should result in better informed users who are more eager to engage with applications on Facebook," he wrote.

Caroline Dangson, an IDC analyst, calls this move an important one because end-users usually don't distinguish between Facebook and its third-party applications. "This means that if users feel their privacy is breached by an application, Facebook will still get the blame," she said via e-mail.

Until now, end-users have had granular privacy options on Facebook itself, but not so much when it comes to the third-party applications, she said. "Information shared with third-party applications has remained too vague," Dangson said.

For Al Hilwa, another IDC analyst, privacy is a critical area in the maturation of the Internet, and bad privacy policies at the API level can lead to a multiplication of these types of problems.

This is why, in order to gain lasting trust from end-users, social-networking sites need to tighten up APIs and police their third-party applications, he said via e-mail.

"APIs amplify any privacy imperfections of a social network site by multiplying the problem to the extent that developers adopt them," Hilwa said.

The social networking industry has so far taken a cavalier and casual attitude toward privacy, often arguing that the younger generations are more relaxed about online privacy, Hilwa said. This is a mistake, he said.

"Privacy is an enduring value and becomes more critical and consequential with the proliferation of information in the information age. Younger generations place lower values on a lot of things but change their mind as they grow up -- that's probably the more durable pattern," he said.

In July, Facebook announced plans to simplify its privacy features, saying that they have become too numerous and complicated for end users to understand and apply.

Under pressure from Twitter, Facebook is also in the process of adding less restrictive privacy settings for end users who want to make their profiles, or at least portions of them, more public and thus more widely available to others on and off Facebook.


Stories by Juan Carlos Perez
