User vote on Facebook privacy policies hasn't stemmed criticism

Privacy advocates say the company hasn't done enough to address concerns

Facebook is conducting a massive user referendum this week, asking its 900 million-plus users to approve or reject changes to its privacy policy that it first proposed on May 13.

Facebook says the result of the vote will be binding if at least 30 percent of active users participate, and "advisory" if that threshold isn't met. But rather than earning praise for turning to user-friendly bylaws for its so-called data use policy, the company has set off a new round of criticism about its alleged disdain for user privacy.

The unusual vote on proposed changes to Facebook's privacy policy stems from events that have unfolded in Europe. European law requirescorporations to disclose, upon request, any information they hold about individuals. Last year, 24-year-old Austrian law student Max Schrems petitioned Facebook to share with him all the information the company had about him. The dossier he received became the basis of a number of legal complaints he filed with the Irish Data Protection Commissioner's Office, which has jurisdiction over Facebook Ireland, the company's headquarters for operations outside North America.

According to Schrems, the dossier revealed that Facebook was violating European law.

The Irish office responded by auditing Facebook Ireland. Under pressure from the commissioner, Facebook agreed to make changes to its data use policy.

When Facebook announced the proposed changes last month, it said that if it received more than 7,000 substantive comments on them, it would hold a referendum. More than 40,000 comments came in, thanks largely to a campaign by the nonprofit that Schrems runs, Europe v Facebook. The nonprofit has amassed a significant following on social media, including more than 5,200 "likes" on Facebook itself, but the biggest influx of signatures came after Schrems appeared on a popular German television show.

Although the vote could be seen as a win for privacy advocates, Schrems described it as a sham.

Schrems said that in its handling of the vote, Facebook effectively "hid the polling center." The voting, he explained, is not prominently featured on the site. The company also demanded that huge numbers of users comment on its proposed changes in order to trigger a vote, but was then critical of the mass-organizing tactics that Europe v Facebook used to turn out the comments, he said.

Facebook defended its efforts to elicit user feedback.

"To promote the vote, Facebook has served nearly a billion impressions to users, including mobile-only users, and will continue to do so. Once someone votes they can choose to tell their friends they did so in their friends' News Feeds," a representative wrote in an email.

U.S.-based privacy advocate David Jacobs, the consumer protection counsel at the Electronic Privacy Information Center (EPIC), was also dismissive of the referendum.

"The notice has been seriously inadequate. As far as I can tell, only members of Site Governance and Facebook and Privacy pages were notified, and the vote is only open for a week," Jacobs said. "The procedure seems to be flawed, unless the goal is to have a vote that doesn't really mean much."

Both European and American privacy groups are advising users to vote against Facebook's proposed changes. Schrems said the changes don't do enough to address the potential illegalities flagged by the Irish data protection commissioner. He took a recent ZDNet interview as evidence that the commissioner's office will demand changes from Facebook even if users approve the new policy.

Gary Davis, deputy commissioner of the Irish data protection office, said in an email that the office was "satisfied with the version presented," but added, "the privacy policy is only one step in the consenting and engagement process with users, and it is recognized that a move towards the seeking of what we would term 'in-line' consent represents a better approach as it seeks a consent from a user for the use of their data at a time when it is relevant."

Schrems' group sees the vote as a way for users to communicate to Facebook that they want more privacy protections.

EPIC's Jacobs said users should vote against the new policies. Voter approval could just entrench practices that don't really safeguard user privacy, because the new policies are more explicit without offering more protection, he said. That would make them harder to fight. According to Jacobs and other privacy advocates, American laws mainly restrict companies from diverging from what they tell users about their practices with personal data.

Pro-privacy software vendor Abine, which points out a privacy advisory email, is also telling users to vote against Facebook's proposed changes. The company has suggested that users may lose privacy protections under the new policy.

Unless opponents pull off a last-minute media coup, it seems unlikely that the vote will amount to more than a measure of user sentiment. With voting scheduled to end at 9 a.m. Pacific time on Friday, the total number of voters as of late Wednesday afternoon had not reached even 10 percent of the number needed to make the vote binding. About 85 percent of voters were rejecting the new documents.

Cameron Scott covers search, web services and privacy for The IDG News Service. Follow Cameron on Twitter at CScott_IDG.

Join the CSO newsletter!

Error: Please check your email address.
Show Comments

Featured Whitepapers

Editor's Recommendations

Solution Centres

Stories by Cameron Scott

Latest Videos

  • 150x50

    CSO Webinar: Will your data protection strategy be enough when disaster strikes?

    Speakers: - Paul O’Connor, Engagement leader - Performance Audit Group, Victorian Auditor-General’s Office (VAGO) - Nigel Phair, Managing Director, Centre for Internet Safety - Joshua Stenhouse, Technical Evangelist, Zerto - Anthony Caruana, CSO MC & Moderator

    Play Video

  • 150x50

    CSO Webinar: The Human Factor - Your people are your biggest security weakness

    ​Speakers: David Lacey, Researcher and former CISO Royal Mail David Turner - Global Risk Management Expert Mark Guntrip - Group Manager, Email Protection, Proofpoint

    Play Video

  • 150x50

    CSO Webinar: Current ransomware defences are failing – but machine learning can drive a more proactive solution

    Speakers • Ty Miller, Director, Threat Intelligence • Mark Gregory, Leader, Network Engineering Research Group, RMIT • Jeff Lanza, Retired FBI Agent (USA) • Andy Solterbeck, VP Asia Pacific, Cylance • David Braue, CSO MC/Moderator What to expect: ​Hear from industry experts on the local and global ransomware threat landscape. Explore a new approach to dealing with ransomware using machine-learning techniques and by thinking about the problem in a fundamentally different way. Apply techniques for gathering insight into ransomware behaviour and find out what elements must go into a truly effective ransomware defence. Get a first-hand look at how ransomware actually works in practice, and how machine-learning techniques can pick up on its activities long before your employees do.

    Play Video

  • 150x50

    CSO Webinar: Get real about metadata to avoid a false sense of security

    Speakers: • Anthony Caruana – CSO MC and moderator • Ian Farquhar, Worldwide Virtual Security Team Lead, Gigamon • John Lindsay, Former CTO, iiNet • Skeeve Stevens, Futurist, Future Sumo • David Vaile - Vice chair of APF, Co-Convenor of the Cyberspace Law And Policy Community, UNSW Law Faculty This webinar covers: - A 101 on metadata - what it is and how to use it - Insight into a typical attack, what happens and what we would find when looking into the metadata - How to collect metadata, use this to detect attacks and get greater insight into how you can use this to protect your organisation - Learn how much raw data and metadata to retain and how long for - Get a reality check on how you're using your metadata and if this is enough to secure your organisation

    Play Video

  • 150x50

    CSO Webinar: How banking trojans work and how you can stop them

    CSO Webinar: How banking trojans work and how you can stop them Featuring: • John Baird, Director of Global Technology Production, Deutsche Bank • Samantha Macleod, GM Cyber Security, ME Bank • Sherrod DeGrippo, Director of Emerging Threats, Proofpoint (USA)

    Play Video

More videos

Blog Posts

Market Place