Social networking websites have taken the Internet by storm in today’s organic society. One such website, Facebook, with over a billion users, has often been referred to as the ‘third largest country’ of the world. The rise of Facebook to soaring heights can be credited first to the intensive monitoring of its users, which enables the company to provide them with tailor-made services and targeted advertising, and second, of course, to Metcalfe’s Law, which in common parlance means that the more users there are on a social networking site, the more attractive it will be to people who are contemplating joining. In this blog post, I have tried to analyze Facebook’s privacy policies along the lines of the National Privacy Principles. These principles have been comprehensively dealt with by Justice A.P. Shah in his ‘Report on Privacy’, published by the Planning Commission of India. They are also closely tied to the Organization for Economic Co-operation and Development (OECD)’s Privacy Principles and the European Union’s Data Protection Directives.
Analysis along the lines of the National Privacy Principles
Notice – In Facebook’s Data Use Policy there is an appropriate notice given to the individual elucidating what information is obtained by the company, for what purposes or uses and to whom it may be disclosed. It has been explained in a very user-friendly manner, avoiding legalese. For instance, it states that Facebook receives information about an individual even from its advertising partners in order to understand the effectiveness or improve the quality of ads. The contentious issue here is that this notice is given after the data has been obtained. To understand this argument, let’s take the example of a person who has had a Facebook account since its inception. Now, advertisements began on Facebook only in 2012. Thus, with almost a billion users, a considerable portion of them were not asked for their consent when Facebook changed its privacy policy. There was no notice of change in privacy policies provided to this particular stratum of users. And this essentially violates the National Privacy Principles.
Choice and Consent – Before signing up for this social networking site, an appropriate notice is given to the individual. The user is expected to sign up only after going through the Data Use Policy and other privacy policies of the website. Thus, the individual is presented with a choice on whether to divulge his personal data. Also, throughout the time he/she uses the networking website, he can either opt in or out of the agreement. The question arises when the user decides to leave Facebook. Where does his data go? According to Facebook, when a user decides to delete his account on Facebook, his data remains with the company for one month. However, “…some information may remain in backup copies and logs for up to 90 days.” But then, who has access to this vital data during these 90 days? Is the data protected even after the user has virtually cut off all ties from the company? These basic questions make us ponder over this crucial situation.
Collection Limitation – Earlier this year, Mark Zuckerberg said, “Facebook historically has focused on friends and public content. Now, with Messenger and WhatsApp, we’re taking a couple of different approaches towards more private content as well.” Facebook has thus taken intrusion on the Internet to a whole new level by deciding to delve into private chats as well. It has also in the past tracked what users did not post in status updates, primarily for targeted advertising. According to the Privacy Principles, however, the collection of information should be limited and the data obtained should be relevant and necessary.
Purpose Limitation – Facebook introduced the concept of ‘News Feed’ in 2006. When a user logged into his account, he would instantly see live aggregated feeds in the top right-hand corner. They would keep getting updated with descriptions such as who liked or commented on what, or who shared what. News Feed prioritizes around 300 stories out of the 1500 available through its unique algorithm based on how the user ‘interacts’ with different stories. The major problems have been the psychological experiments conducted by Facebook on over half a million randomly selected users without their consent. They manipulated the users’ news feeds to display a number of positive or negative posts to study how emotions could be spread on social media. Another similar kind of experiment was conducted in the wake of the U.S. elections. The inclusion of such experiments in their ‘purpose’ to make ‘services safe and secure’ is in clear violation of the Privacy Principles.
In its Data Use Policy, Facebook also clarifies the purpose for which the information is used. It states that the company may use the information, “…as part of our efforts to keep Facebook products, services and integrations safe and secure.” This particular statement is too vague and ambiguous. It gives Facebook almost monarchical powers to do anything with the information and then justify its action by claiming that it’s for the safety and security of the company. There is effectively no limit on the information’s usage.
Access and Correction – Unlike other websites, Facebook allows its users to download a copy of their data. Changes in profiles can be made anytime by sending a mail to Facebook. One thing about Facebook is its ability to take prompt action and respond to individual mails. Also, one cannot make changes to anyone else’s profile or data. Thus, in this context, Facebook is not in violation of the Privacy Principles.
Disclosure of Information – The ‘sponsor program’ of Facebook has been a controversial issue since its inception. It can best be explained by an illustration. Suppose X ‘likes’ Colgate on Facebook. Later on, this particular information is shown to X’s friend Z, i.e. “Colgate: The finest toothpaste in India – X likes this.” Now, Facebook no doubt claims that this data will be shown only to X’s friends. But then, what if a user doesn’t want his friends to know that s/he ‘likes’ a particular product? Facebook never tackles this question. Another point here is that most of these so-called ‘likes’ are manipulated, in most cases by the advertisers themselves. The user is coaxed into clicking the ‘like’ button. There have been numerous cases where contests (photography etc.) are based on more ‘likes’ on the page. In a way, the whole concept of ‘likes’ is rigged. Thus, clicking the ‘like’ button does not always mean that the user actually likes the product.
Third parties are not accountable to the privacy policies of Facebook, i.e. some of them (apps and games) have their own privacy policies which the user is required to go through before giving his consent. A notice is always provided to the user asking for his permission. Facebook claims that it does not share information which identifies the user unless permission is given. Facebook also discloses user information on government requests, but only after scrutinizing ‘each request for legal sufficiency under our terms and the strict letter of the law, and require a detailed description of the legal and factual bases for each request.’
Security – Facebook has consistently followed this principle on paper, though numerous cases of child abuse and unauthorized access to personal information have occurred.
Openness – The best thing about Facebook’s privacy policies is that they are easily comprehensible. In contrast to other websites, this one uses plain and clear language. The user-friendly interface makes even the long policies interesting. Superficially, it’s all good. However, after you probe further, you come across the various ambiguous and contradictory provisions. The terms in Facebook’s Statement of Rights and Responsibilities read, “…for example, that you permit a business or other entity to pay us to display your name and/or profile picture with your content or information, without any compensation to you. If you have selected a specific audience for your content or information, we will respect your choice when we use it…”. In clear contrast to this statement, it is stated in the ‘ads column’ within the account settings section, “We don’t sell your information to advertisers.” The comprehensive nature of Facebook’s policies poses another issue: it makes them difficult for an average user to understand.
Accountability – Facebook’s dispute resolution mechanism is somewhat biased. First of all, in its Statement of Rights and Responsibilities, it is stated that any claim, dispute or cause of action will be resolved exclusively in the U.S. District Court for the Northern District of California and also that “…you agree to submit to the personal jurisdiction of such courts for the purpose of litigating all such claims.” Thus, practically, a middle-class person in India will never even try resolving his disputes. This rule favors the powerful and the rich. There are no penalty provisions. There is also no external verification present.